Cyber Essentials Plus — 786 Cyber | Independent Technical Verification for UK Businesses

CE vs CE Plus

Same five control categories. Independent technical verification on top.

Cyber Essentials Plus covers exactly the same five control areas as Cyber Essentials — the difference is how compliance is verified. CE Plus requires an accredited assessor to technically test your controls, not just review your documentation.

Area	Cyber Essentials	Cyber Essentials Plus
Control categories	Same 5 categories	Same 5 categories
Verification method	Self-assessment questionnaire, verified by accredited assessor	Independent technical testing by accredited assessor
Documentation required	Policies, controls, evidence	Same documentation — must be complete before audit begins
Technical testing	Not required	Vulnerability scans, configuration checks, MFA verification
Recognised by	Most enterprise & public sector buyers	MOD, high-assurance government, defence supply chains
Cost	Lower — self-assessment	Higher — includes assessor fees for technical audit
Renewal	Annual	Annual
786 Cyber covers	Full documentation layer	Full documentation layer — you arrange the accredited assessor

"CE Plus documentation must be complete and evidenced before the technical audit begins. 786 Cyber handles this layer entirely — so when your assessor arrives, you're ready."

Why CE Plus matters

When standard CE isn't enough — CE Plus is the higher bar that unlocks higher-value opportunities.

Without CE Plus

✕Excluded from MOD and defence contracts: Ministry of Defence supply chain requirements mandate CE Plus for most contracts. CE alone is insufficient — independent technical verification is required.

✕Weaker position in high-assurance procurement: Where multiple suppliers hold CE, CE Plus differentiates you — demonstrating that your controls have been independently verified, not just self-declared.

✕Documentation gaps surface at audit: Many organisations discover during the CE Plus technical audit that their documentation wasn't as complete as they believed. Without preparation, this delays certification and increases assessor costs.

With CE Plus

✓MOD and defence supply chain access: CE Plus unlocks contracts across the defence sector and high-security government procurement — markets unavailable to CE-only certified businesses.

✓Independent verification as a differentiator: CE Plus tells buyers your controls have been technically tested by an accredited third party — a stronger signal of genuine security maturity than self-assessment alone.

✓Natural path to ISO 27001: CE Plus technical verification produces evidence and documentation that forms the foundation of an ISO 27001 programme — making the next step significantly easier.

✓Confident audit preparation: 786 Cyber completes the documentation layer before your assessor arrives — so the technical audit focuses on verifying your controls, not uncovering documentation gaps.

CE Plus preparation checklist

What must be complete before the technical audit.

786 Cyber generates and tracks all of these — your documentation is complete before the assessor arrives.

!
All CE documentation complete — every policy, control, and evidence item from Cyber Essentials must be in place before the CE Plus audit begins.
framework:cyber-essentialsdomain:governance
!
MFA technically configured and verifiable — MFA must be active and demonstrable across all admin and remote access accounts — the assessor will test this directly.
control:mfaframework:cyber-essentialsseverity:critical
!
Patch status verified across all in-scope devices — all OS and applications patched within 14 days. Assessor will run vulnerability scans — unpatched systems will fail.
control:patchingframework:cyber-essentialsdomain:vulnerability
!
Firewall configuration documented and tested — assessor will test inbound rules and verify that only necessary services are exposed. Configuration must match documented policy.
control:firewalldomain:networkframework:cyber-essentials
!
Anti-malware active and verifiable on all devices — assessor checks coverage across all in-scope endpoints. Gaps in coverage will be identified and will require remediation.
control:anti-malwaredomain:endpointframework:cyber-essentials
~
Complete asset inventory with OS and patch status — all in-scope devices catalogued with current OS version, last patch date, and owner. Required for scoping the technical audit.
domain:assetcontrol:asset-managementframework:cyber-essentials
~
Accredited assessor selected and booked — CE Plus requires an NCSC-approved certification body to conduct the technical audit. 786 Cyber handles the documentation; you arrange the assessor.
domain:governanceframework:cyber-essentials

How 786 Cyber helps

786 Cyber handles the documentation layer. You focus on passing the technical audit.

📝

Complete policy suite

All policies required for CE Plus — Acceptable Use, Password, Remote Working, BYOD — generated and ready to publish before the audit.

📋

Evidence vault

Every control implementation logged with timestamps. When the assessor asks for evidence that controls were in place, it's already compiled.

📊

Progress tracking per category

Visual progress across all 5 CE control categories — see exactly what's complete and what still needs attention before the audit date.

🗂️

Asset inventory

Catalogue all in-scope devices with OS version, patch status, and owner — the foundation of your CE Plus scope definition.

🔔

Renewal tracking

CE Plus is annual. 786 Cyber tracks your certification date and alerts you with enough time to prepare documentation before renewal.

🏷️

Cross-framework tagging

CE Plus controls tagged to ISO 27001, GDPR, and NIST CSF — every control satisfies multiple framework requirements simultaneously.

Cyber Essentials Plus — independent technical verification. The strongest signal you can send.