UK · 8 Policy & Process

Cyber Essentials Plus

Willow (2025)

5 controls · 1 domain

About this framework

Cyber Essentials Plus covers the same five controls as Cyber Essentials but adds a hands-on technical audit by an independent assessor. That verification gives customers stronger assurance that the controls are actually in place.

Who needs this

For UK organisations needing independently verified proof of basic security controls.

Cross-framework coverage

Controls in Cyber Essentials Plus also cover:

CIS Controls 7 shared
Cyber Essentials 7 shared
NCA ECC-2 7 shared
Qatar NIA 7 shared
UAE IA 7 shared

Control domains

technical · Five Technical Controls (audited) 5
CE.1
Firewalls
Boundary firewalls and internet gateways configured to control inbound and outbound network traffic; default-deny, no unnecessary open ports, admin interfaces not exposed to the internet. Verified by independent hands-on audit and authenticated vulnerability scan.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS · NIS2 · DORA · NCA CCC · SAMA CSF
CE.2
Secure Configuration
Devices and software configured to reduce inherent vulnerabilities: remove or disable unused accounts and software, change default passwords, and apply hardened settings. Verified by independent hands-on audit and authenticated vulnerability scan.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS · GDPR (EU) · UK GDPR
CE.3
Security Update Management
Operating systems and applications kept in support and patched; high/critical updates applied within 14 days; auto-update enabled where possible. Verified by independent hands-on audit and authenticated vulnerability scan.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · NIS2 · DORA · NCA ECC-2 · NCA CCC · Qatar NIA · UAE IA · SAMA CSF · NCA OTCC · ADHICS
CE.4
User Access Control
Accounts provisioned least-privilege, unique per user, administrative privileges controlled and separated; access removed promptly when no longer required; MFA on cloud/admin where available. Verified by independent hands-on audit and authenticated vulnerability scan.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · Cyber Essentials · NIS2 · HIPAA Security Rule · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS · ISO 27001 · GDPR (EU) · UK GDPR · NCA CCC · SAMA CSF · DORA
CE.5
Malware Protection
Anti-malware, application allow-listing, or sandboxing in place and kept up to date to prevent execution of malicious code. Verified by independent hands-on audit and authenticated vulnerability scan.
NIST CSF · CIS Controls · PCI DSS 4.0.1 · ISO 27001 · Cyber Essentials · NCA ECC-2 · Qatar NIA · UAE IA · NCA OTCC · ADHICS · NIS2 · DORA · NCA CCC · SAMA CSF
