
Cyber Essentials Plus Technical Audit: What to Expect

The Cyber Essentials Plus audit is an independent technical verification of your security controls. Unlike the self-assessment Basic certification, Plus involves actual testing of your systems. This guide helps you understand what happens during the audit so you can prepare effectively.

Key Takeaways

  • 4 components: External vulnerability scan, internal assessment (if applicable), device sampling, evidence review
  • Vulnerability scan: All public IPs scanned for known vulnerabilities and exposed services
  • Device sampling: The assessor tests representative devices from each OS type
  • Remote or on-site: Most audits can be conducted remotely
  • Fix and retest: Minor issues can often be fixed during the audit; major issues may require rescheduling

Quick Answer: The Plus audit includes an external vulnerability scan, device sampling (testing representative devices) and an evidence review. Most audits are remote. Minor issues can often be fixed during the audit, so have IT support available on audit day.

Plus audit overview

The Plus audit verifies that what you declared in your Basic self-assessment is actually true. It consists of several components:

External vulnerability assessment:

  • Scan of all public IP addresses
  • Looking for known vulnerabilities
  • Checking exposed services
  • Verifying firewall configuration

Internal assessment (if applicable):

  • Scan of internal networks
  • Checking for internal vulnerabilities
  • Verifying internal segmentation

Device sampling:

  • Selection of representative devices
  • Each OS type tested
  • Configuration verification
  • Security settings check

Evidence review:

  • Documentation verification
  • Policy confirmation
  • Process validation

Prerequisites for Plus

Before scheduling a Plus audit:

  • Valid CE Basic: You must hold a current Basic certificate
  • 90-day window: Plus must be achieved within 90 days of Basic
  • Same scope: The Plus scope must match the Basic scope
  • Controls in place: All five controls must be fully implemented
  • Ready to test: All systems must be available for testing

The external vulnerability scan

What's scanned

  • All public IPs: Every internet-facing IP address
  • Web servers: HTTP/HTTPS services
  • Email servers: SMTP and IMAP services
  • VPN endpoints: Remote access points
  • Any public services: All externally accessible services

What assessors look for

Critical findings (will fail):

  • Unpatched high/critical vulnerabilities
  • Exposed management interfaces
  • Default credentials on services
  • Unencrypted sensitive services
  • Known exploitable vulnerabilities

High findings (will fail):

  • Vulnerable software versions
  • Misconfigured services
  • Unnecessary exposed services
  • Weak encryption configurations

Medium/low findings:

  • May not fail certification
  • Will be noted in the report
  • Should still be addressed
  • Consider for remediation

Common external scan issues

Issue and solution:

  • Outdated SSL/TLS: Upgrade to TLS 1.2+
  • Exposed RDP: Disable or move behind VPN
  • Open database ports: Close or firewall
  • Missing patches: Apply updates
  • Default pages: Remove or customise
  • Directory listing: Disable

Device sampling process

How devices are selected

The assessor selects a representative sample covering:

Operating system coverage:

  • One Windows desktop (each version)
  • One Windows laptop (each version)
  • One macOS device (if in scope)
  • One Linux device (if in scope)
  • One iOS device (if in scope)
  • One Android device (if in scope)
  • Servers accessible to internet users

Additional factors:

  • Different device types
  • Different locations (if applicable)
  • Different user roles
  • Mix of old and new devices
  • Assessor discretion

What's tested on devices

Check and what's verified:

  • Patch level: OS and applications updated
  • Antivirus: Installed, running and updated
  • Firewall: Host firewall enabled
  • User accounts: Configured correctly
  • Screen lock: Enabled, with an appropriate lock timing
  • Auto-run: Disabled
  • Browser: Supported version, security settings
  • Password policy: Meets requirements

Testing process

Setup:

  • Assessor logs in (or user demonstrates)
  • Standard user account used
  • May also test admin account configuration
  • Remote or on-site testing

Checks performed:

  • Run vulnerability scanner
  • Check Windows Update/Software Update status
  • Verify anti-malware status
  • Check firewall settings
  • Review user accounts
  • Verify screen lock configuration
  • Check browser settings
  • Review installed software

Documentation:

  • Screenshots captured
  • Findings recorded
  • Pass/fail for each check
  • Evidence for report

Audit delivery options

Remote audit

  • Connection: Secure remote access to your network
  • Device testing: Screen share or remote control
  • Requirements: Stable internet, remote access tools
  • Duration: Similar to on-site
  • Cost: Often lower than on-site

On-site audit

  • Assessor location: At your premises
  • Device testing: Physical access to devices
  • Requirements: Workspace for the assessor
  • Duration: Typically half to a full day
  • Cost: May include travel expenses

Preparing for the audit

Pre-audit checklist

Step 1: Verify Basic compliance

  • Confirm all SAQ answers are still accurate
  • Address any changes since Basic
  • Ensure scope hasn't changed

Step 2: Run your own scans

  • External vulnerability scan
  • Internal scan if applicable
  • Remediate any findings
  • Re-scan to verify fixes
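The following PowerShell script is an added example, not code from the original article or from Bastion. It is a minimal version of the self-scan in this step and also covers the "Common external scan issues" listed earlier: for each of your public IPs it checks whether the services the assessor's scan commonly flags (RDP, database ports, unencrypted and remote-management services) answer from the internet, and whether a web endpoint on 443 still negotiates TLS 1.0 or 1.1. The target addresses, the port list and the pass/fail labelling are assumptions to adjust; run it from a connection outside your own network so it sees what the assessor's scanner sees. It is a readiness check, not a replacement for a full vulnerability scanner.

```powershell
# Added example, not from the original article. Pre-audit check of your own
# public IPs for the issues the external scan commonly flags. Run it from
# OUTSIDE your network (home connection, cloud VM) so that you see what the
# assessor's scanner sees. Target addresses below are placeholders.
param(
    # Assumption: replace with your own public IPs or hostnames.
    [string[]]$Targets = @('203.0.113.10', 'vpn.example.com')
)

# Ports mapped to the external-scan issues named in the article. Anything
# answering on these should be closed, firewalled or justified before audit day.
$RiskyPorts = @{
    21   = 'FTP: unencrypted service'
    23   = 'Telnet: unencrypted management interface'
    445  = 'SMB exposed to the internet'
    1433 = 'Database port open (Microsoft SQL Server)'
    3306 = 'Database port open (MySQL)'
    3389 = 'RDP exposed: disable or move behind VPN'
    5432 = 'Database port open (PostgreSQL)'
    5900 = 'VNC: exposed management interface'
}

function Test-LegacyTls {
    # Attempts a TLS handshake on port 443 restricted to ONE legacy protocol.
    # 'ACCEPTED' means the server still speaks it (an "outdated SSL/TLS" finding).
    # 'not negotiated' means the server refused it OR the protocol is disabled on
    # this client, so treat that result as inconclusive and confirm with a
    # dedicated TLS scanner.
    param(
        [string]$HostName,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($HostName, 443)
        # Validation callback returns $true on purpose: the question here is
        # only whether the protocol is accepted, not whether the chain is trusted.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        return 'ACCEPTED'
    } catch {
        return 'not negotiated'
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

$Findings = foreach ($target in $Targets) {
    foreach ($port in $RiskyPorts.Keys) {
        $tcpTest = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
        if ($tcpTest.TcpTestSucceeded) {
            [pscustomobject]@{ Target = $target; Check = "TCP/$port open"; Result = 'FAIL'; Detail = $RiskyPorts[$port] }
        }
    }
    $https = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
    if ($https.TcpTestSucceeded) {
        foreach ($name in 'Tls', 'Tls11') {      # TLS 1.0 and TLS 1.1
            $state = Test-LegacyTls -HostName $target -Protocol ([System.Security.Authentication.SslProtocols]$name)
            [pscustomobject]@{
                Target = $target
                Check  = "$name on 443"
                Result = $(if ($state -eq 'ACCEPTED') { 'FAIL' } else { 'REVIEW' })
                Detail = "Legacy protocol $state; upgrade to TLS 1.2+ if accepted"
            }
        }
    }
}

if ($Findings) { $Findings | Format-Table -AutoSize }
else { Write-Host 'No risky ports answered and no legacy TLS was negotiated; confirm with a full vulnerability scan.' }
```

Every FAIL row corresponds to an item in the issue and solution list (close or firewall the port, move RDP behind the VPN, raise the TLS floor); a REVIEW row on the TLS check needs a second opinion from a proper TLS scanner, because the client running the script may itself have TLS 1.0/1.1 disabled.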

Step 3: Check all devices

  • Verify all devices updated
  • Confirm anti-malware running
  • Check firewall status
  • Verify user configurations
  • Test screen lock
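As an added example (not code from the original article or from Bastion), this PowerShell readiness script runs the checks in this step against the list in "What's tested on devices" above: patch level, anti-malware, host firewall, user accounts, screen lock, auto-run and password policy (browser checks are omitted). Run it from an elevated prompt on each device likely to be sampled. The thresholds are the author's assumptions declared as parameters, not figures from the scheme documents; it assumes Microsoft Defender is the anti-malware product, and the screen-lock values under HKCU belong to the account running it, so check the standard user account the assessor will actually log in with.

```powershell
# Added example, not from the original article. Run elevated on a Windows
# device before the assessor samples it. Thresholds are the author's
# assumptions for a readiness check, not figures from the scheme documents.
param(
    [int]$MaxSignatureAgeDays  = 1,     # assumption: AV signatures at most a day old
    [int]$MaxScreenLockSeconds = 900,   # assumption: lock within 15 minutes of inactivity
    [int]$MinPasswordLength    = 8      # assumption: minimum local password length
)

$Results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [string]$Result, [string]$Detail) {
    $Results.Add([pscustomobject]@{ Check = $Check; Result = $Result; Detail = $Detail })
}
function PassFail([bool]$ok) { if ($ok) { 'PASS' } else { 'FAIL' } }

# Patch level: ask the Windows Update agent for updates not yet installed.
try {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    Add-Result 'Patch level' (PassFail ($pending.Count -eq 0)) "$($pending.Count) update(s) pending"
} catch {
    Add-Result 'Patch level' 'FAIL' "Could not query Windows Update: $($_.Exception.Message)"
}

# Antivirus: Microsoft Defender status (assumption: Defender is the AV product;
# a third-party product needs its own check).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $ok = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    Add-Result 'Antivirus' (PassFail $ok) "Enabled=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled) SignatureAgeDays=$($mp.AntivirusSignatureAge)"
} catch {
    Add-Result 'Antivirus' 'REVIEW' 'Defender cmdlets unavailable; verify the installed AV product manually'
}

# Host firewall: every profile (Domain, Private, Public) must be enabled.
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
Add-Result 'Firewall' (PassFail ($off.Count -eq 0)) ("Disabled profiles: " + $(if ($off) { $off.Name -join ', ' } else { 'none' }))

# User accounts: Guest disabled; review who holds local admin rights.
$guest = Get-LocalUser | Where-Object { $_.Name -eq 'Guest' }
Add-Result 'Guest account' (PassFail ($null -eq $guest -or -not $guest.Enabled)) "Guest enabled: $($guest.Enabled)"
try {
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    Add-Result 'Local admins' 'REVIEW' ("Administrators: " + ($admins.Name -join ', ') + ' (daily-use accounts should not be here)')
} catch {
    Add-Result 'Local admins' 'REVIEW' "Could not enumerate Administrators: $($_.Exception.Message)"
}

# Screen lock: either the machine inactivity limit policy or a secure screen
# saver with a timeout. HKCU values belong to the account running this script,
# so check the standard user account the assessor will actually use.
$pol  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$machineLimit = [int]$pol.InactivityTimeoutSecs                   # 0 = not configured
$saverTimeout = [int]$desk.ScreenSaveTimeOut
$saverLocks   = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and ($saverTimeout -gt 0) -and ($saverTimeout -le $MaxScreenLockSeconds)
$policyLocks  = ($machineLimit -gt 0) -and ($machineLimit -le $MaxScreenLockSeconds)
Add-Result 'Screen lock' (PassFail ($policyLocks -or $saverLocks)) "InactivityTimeoutSecs=$machineLimit ScreenSaver active=$($desk.ScreenSaveActive) secure=$($desk.ScreenSaverIsSecure) timeout=$saverTimeout"

# Auto-run: AutoPlay off for all drive types (NoDriveTypeAutoRun = 0xFF) or NoAutorun set.
$explorer  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
$noAutorun = ([int]$explorer.NoDriveTypeAutoRun -eq 255) -or ([int]$explorer.NoAutorun -eq 1)
Add-Result 'Auto-run' (PassFail $noAutorun) "NoDriveTypeAutoRun=$($explorer.NoDriveTypeAutoRun) NoAutorun=$($explorer.NoAutorun)"

# Password policy: local minimum length from 'net accounts' (domain GPO may override).
$line   = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
$minLen = [int]("$line" -replace '\D', '')
Add-Result 'Password policy' (PassFail ($minLen -ge $MinPasswordLength)) "Local minimum password length: $minLen"

$Results | Format-Table -AutoSize
if ($Results.Result -contains 'FAIL') { Write-Warning 'Fix the FAIL rows before audit day.' }
```

The FAIL rows map directly onto the "Common pre-audit fixes" below (install pending updates, update signatures, enable the firewall, harden settings); REVIEW rows are judgement calls for your IT team, such as whether every member of the local Administrators group genuinely needs admin rights.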

Step 4: Prepare documentation

  • Network diagram
  • IP address list
  • Device inventory
  • User account list
  • Policies (if requested)

Step 5: Schedule and coordinate

  • Book audit date
  • Notify relevant staff
  • Ensure access available
  • Prepare testing environment
  • Have IT support available

Common pre-audit fixes

Issue and fix required:

  • Pending updates: Install all updates
  • Outdated AV signatures: Update immediately
  • Disabled firewalls: Enable on all devices
  • Missing patches: Apply patches
  • Exposed services: Close or secure
  • Weak configurations: Harden settings

Audit day

What to expect

Morning:

  • Assessor introduction
  • Scope confirmation
  • Network access setup
  • External scanning begins
  • Initial device testing

Midday:

  • Review interim findings
  • Continue device testing
  • Address any questions
  • Additional evidence if needed

Afternoon:

  • Complete testing
  • Preliminary results discussion
  • Identify any remediation needed
  • Discuss next steps

Your role during audit

Task and your responsibility:

  • Access: Provide network and device access
  • Availability: IT staff available for questions
  • Information: Provide requested documentation
  • Decisions: Approve any testing requirements
  • Coordination: Manage internal communications

Audit results

Pass scenario

Outcome and next steps:

  • All tests passed: Certificate issued
  • Minor observations: Noted for improvement
  • Certificate validity: 12 months
  • Directory listing: Organisation added to the NCSC website

If issues are found

Minor issues:

  • Quick fixes often possible
  • Assessor may allow remediation
  • Rescan affected areas
  • Can often resolve same day

Major issues:

  • Significant remediation needed
  • May require full re-audit
  • Additional costs may apply
  • May need a new Basic certificate first

Resolution options:

  • Fix and rescan (if minor)
  • Schedule remediation window
  • New audit after fixes
  • Consider scope adjustment

Common reasons for failure

Reason and prevention:

  • Unpatched vulnerabilities: Pre-audit scanning
  • Outdated software: Update before the audit
  • Misconfigured firewalls: Verify configuration
  • Missing anti-malware: Install on all devices
  • Weak passwords: Enforce policy
  • End-of-life software: Remove or exclude from scope

How Bastion can help

Plus certification requires thorough preparation to avoid surprises on audit day.

Challenge and how we help:

  • Pre-audit assessment: We run internal scans and checks
  • Remediation: We fix identified issues
  • Documentation: We prepare required information
  • Audit coordination: We support you during the audit
  • Failed audit recovery: We provide remediation assistance

Working with a managed service partner means your Plus audit is less likely to surface unexpected issues. We help ensure your environment is ready before the assessor arrives, which translates into a smoother audit day and faster certification.

