Inflection Point

Cyber Security | 16 June 2026 | 10 min read | Verified 16 June 2026

Cyber Essentials Plus 2026: a UK SME implementer's guide

Iain Godding

Owner / Founder / Managing Director

Cyber Essentials Plus is now the price of doing business with the UK public sector, most professional-services tenders, and an increasing share of B2B insurance applications. Cyber Essentials is a self-assessment. Cyber Essentials Plus is an external audit, and that's where most UK SMEs fail on first attempt. This post is the implementer's view: what CE+ actually costs in 2026 (between £1,000 and £8,000 to certify the first time, depending on the size of the remediation project that gets you there), how long it actually takes (8 to 16 weeks the first time, 2 to 4 weeks for the annual renewal), and the seven things assessors will hammer on. From a firm that holds CE+ and runs the certification annually for dozens of UK SME clients.

What Cyber Essentials Plus actually is

Cyber Essentials is the UK government-backed cyber-security baseline standard, administered by IASME under contract with the National Cyber Security Centre (NCSC). It comes in two flavours.

Cyber Essentials (sometimes called "the basic version") is a self-assessment. You answer about 60 yes/no questions, sign the declaration, pay the certification body fee, and receive the badge. It's a useful starting point and the right answer for businesses with five or fewer staff and no client data obligations.

Cyber Essentials Plus is the version that matters for serious buyers. An external assessor visits (or connects remotely), runs a series of vulnerability tests on a sample of your devices and accounts, and verifies that what you said in the basic CE questionnaire is actually true. If the test finds anything that contradicts the questionnaire, you fail. There is no in-between grade. You either pass or you don't.

The CE+ badge is now a hard requirement for nearly every UK government supplier framework, most NHS trust IT contracts, the majority of professional-services tenders above £50k, and an increasing share of business-insurance applications and renewals. Insurers in particular have moved from "we'd like to see this" to "we won't underwrite a cyber policy without it" in the last 18 months.

If you've been asked for CE+ by a prospect, a client, an insurer or a regulator, this post is what to do next.

The real cost

Most SMEs read the IASME website, see the certification body fee (£300 to £500 for an SME), and budget that. They then discover the rest.

The real CE+ cost has three layers.

Layer 1: the certification body fee. £300 to £500 for a typical 5-to-50 staff business. This is the smallest line item. Paid to the certification body that conducts the assessment (we use IASME directly; other approved certification bodies are listed on the NCSC website). Fixed price. Predictable.

Layer 2: the assessment day. £800 to £3,500 depending on scale and complexity. The assessor's time includes the on-site or remote review, the device sampling, the vulnerability scanning, and the report write-up. For a 10-user single-site business, expect the lower end. For a 100-user multi-site business with BYOD and a mix of Mac and Windows, expect the upper end.

Layer 3: remediation and the security project to actually pass. This is the layer that surprises everyone. For most SMEs we run through CE+ for the first time, the real bill is £1,000 to £8,000, of which the bulk is configuring controls that should already have been in place. The work splits roughly into: deploying conditional access and MFA properly across cloud services (most expensive single line item), patching everything to within 14 days, building an accurate asset inventory, separating admin accounts from daily-use accounts, and locking down BYOD and removable media. None of this is exotic. All of it takes time.

Most SMEs we work with arrive at the £1,000 to £8,000 figure because they want a partner to do the remediation work for them rather than free up an internal IT manager for 80+ hours. That's a defensible choice, but it should be in the budget from day one, not discovered at week 4.

Renewals are different. Once the baseline is in place, the annual recertification is materially cheaper because the controls are already running. Budget £500 to £1,500 a year for renewal, depending on whether scope (head count, locations, devices) has changed.

The real timeline

8 to 16 weeks for first-time certification. 2 to 4 weeks for the annual renewal. We have not seen a first-time SME pass faster than 8 weeks, and we have seen plenty take longer than 16 if remediation drags.

The first-time timeline breaks down roughly as follows:

  • Weeks 1-2: scoping and gap analysis. Map every user, every device, every cloud service, every connection point to your network. Compare against the CE+ control set. Identify the gaps. Most SMEs find 20 to 40 individual gaps at this stage. This is normal and not a sign that anything is "wrong": CE+ examines your setup at a finer grain than most SMEs have ever looked at it.
  • Weeks 3-8: remediation. Patching backlogs cleared, MFA deployed to every account that touches email or cloud (this is where most SMEs spend half their time), admin accounts separated, asset inventory completed, malware protection verified on every endpoint, conditional access policies tightened.
  • Weeks 9-10: dry run. Internal vulnerability scan to surface anything the assessor will find. Address findings.
  • Weeks 11-12: CE basic questionnaire submission and review. This goes first.
  • Weeks 13-14: CE+ external audit.
  • Weeks 15-16: pass certificate issued.

If you fail the external audit (about a third of first-time submissions do), the path back is another 4 to 8 weeks of remediation plus a re-audit fee.

The renewals are quicker because the heavy lifting is already done. The annual scope review, an internal scan, a fresh dry run, and the assessment all fit comfortably into a 2-to-4-week window.

The seven things assessors will hammer on

The five formal CE control families (firewalls, secure configuration, security update management, user access control, malware protection) decompose, in practice, into the following seven assessment hot-spots. These are the areas where SMEs we audit before their first CE+ attempt are most likely to fail.

1. Patching within 14 days for high or critical vulnerabilities. The assessor will look at the patch level of a sample of devices. If you have a Windows machine with a known critical CVE published more than 14 days ago and unpatched, you fail. Most SMEs underestimate how strict the timeline is and how broadly it applies (operating system, browsers, productivity suite, anti-virus, every third-party app on every endpoint).

2. Multi-factor authentication on every account that touches email or cloud services. Every account. Not just admins. Not "optional for senior staff". Every shared mailbox, every service account, every third-party SaaS that holds business data. The assessor will sample-check this and will fail you if a single user can sign in without MFA to a system that's in scope.

3. Asset list completeness. You need a single source of truth that lists every device that can access company data. Including the personal laptop your CFO uses on Sundays. Including the printer with the embedded web server. Including the Mac your designer brought back from the last role. Most SMEs walk in with a list that's 60-70% accurate and discover the rest during scoping.

4. Removable media policy and enforcement. USB sticks, SD cards, external drives. Policy is one thing. Enforcement, via group policy or an MDM, is another. The assessor expects to see the latter, not just the former.

5. Admin account separation. Domain admin, global admin, tenant admin: these accounts should be used for admin tasks only. Not for daily email. Not for browsing. Not for the same person's personal-use device. A surprising number of SME IT managers still use a single account that does both, and that's a fail.

6. Boundary firewalls and secure configuration of internet-facing services. Public-facing services (email, VPN, RDP gateways, web admin portals) must require authentication, must not expose default credentials, and must not allow connection from untrusted networks where not strictly necessary. The assessor will run an external scan and find anything we haven't.

7. Malware protection on every endpoint, sampled and verified. Every device in scope must have a malware solution running, configured to update at least daily, and configured to block downloads from untrusted sources. The assessor will sample-check and will pull device telemetry to verify.

A simple test before you book the assessment: walk to a random user's machine, ask them to open a piece of cloud data on their phone, and see whether MFA is prompted. If it isn't, you fail control 2 and there's no point booking the audit yet.

What changed recently

The current CE specification was refreshed under the Montpellier update (April 2025) and remains the standard against which assessments are conducted in 2026. The changes most relevant to SMEs:

  • MFA scope expanded to explicitly include all cloud services that hold organisational data, not just primary email. Microsoft 365, Google Workspace, SharePoint, OneDrive, the lot.
  • BYOD scope tightened. Personal devices used for work email or work files are in scope by default. To exclude them, you need a documented and enforced policy that personal devices cannot access work data, and the enforcement must be technical, not just verbal.
  • Cloud service classification clarified. SaaS that holds organisational data is in scope. SaaS that only holds personal data (e.g. a personal LinkedIn account) is not. Most SME audit failures we see here are around grey-area apps that the IT team didn't realise had organisational data flowing through them (think file-sharing extensions, browser plug-ins, AI assistants).
  • Unsupported-software requirement made explicit. If a piece of software is past its end-of-life support date, it must be removed from in-scope devices or you fail. This caught a lot of businesses still running Windows Server 2012 R2 in 2025.

IASME publishes the current specification and the change history on the iasme.co.uk website. Worth a 30-minute read for any SME owner before the gap analysis.
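The seven hot-spots above and the Montpellier scope changes (BYOD enforcement, in-scope cloud accounts, end-of-life software) are all checkable before the dry run if you have an exported inventory to check them against. The script below is an added example, not code from the article or from Inflection Point: the `Device` and `Account` fields, the 1-day definition-update threshold and the sample inventory are constructed for illustration, and a real run would populate them from your MDM, patch tooling and identity-provider exports rather than from literals.

```python
"""Pre-assessment CE+ gap check over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14   # high/critical fixes must be applied within 14 days of release
DEFINITIONS_MAX_AGE = 1  # assumption: "updates at least daily" means definitions <= 1 day old


@dataclass
class Device:
    name: str
    os: str
    os_supported: bool                         # False once past the vendor's end-of-life date
    oldest_unpatched_critical: Optional[date]  # release date of the oldest outstanding critical fix
    malware_protection: bool
    definitions_updated: Optional[date]
    removable_media_enforced: bool             # blocked by GPO/MDM, not merely by written policy
    byod: bool = False
    byod_technically_enforced: bool = True     # personal-device access restricted by a technical control


@dataclass
class Account:
    name: str
    mfa_enabled: bool
    is_admin: bool = False
    used_for_daily_work: bool = False          # mailbox, browsing, documents
    holds_org_data: bool = True                # personal-only SaaS accounts fall out of scope


def check_device(d: Device, today: date) -> list:
    """Return (control, message) findings for one device."""
    f = []
    if d.oldest_unpatched_critical is not None:
        age = (today - d.oldest_unpatched_critical).days
        if age > PATCH_WINDOW_DAYS:
            f.append(("patching", f"{d.name}: critical fix outstanding for {age} days"))
    if not d.malware_protection:
        f.append(("malware_protection", f"{d.name}: no malware protection installed"))
    elif d.definitions_updated is None or (today - d.definitions_updated).days > DEFINITIONS_MAX_AGE:
        f.append(("malware_protection", f"{d.name}: definitions older than {DEFINITIONS_MAX_AGE} day"))
    if not d.removable_media_enforced:
        f.append(("removable_media", f"{d.name}: removable media not technically blocked"))
    if not d.os_supported:
        f.append(("unsupported_software", f"{d.name}: {d.os} is past end of life"))
    if d.byod and not d.byod_technically_enforced:
        f.append(("byod", f"{d.name}: personal device in scope without an enforced policy"))
    return f


def check_account(a: Account) -> list:
    """Return (control, message) findings for one account."""
    f = []
    if a.holds_org_data and not a.mfa_enabled:
        f.append(("mfa", f"{a.name}: in-scope account without MFA"))
    if a.is_admin and a.used_for_daily_work:
        f.append(("admin_separation", f"{a.name}: admin account also used for daily work"))
    return f


def gap_report(devices, accounts, observed_devices, today) -> dict:
    """Group findings by control. observed_devices is what endpoint/sign-in tooling actually saw,
    so anything present there but absent from the declared list is an asset-inventory gap."""
    report = {}
    for d in devices:
        for control, msg in check_device(d, today):
            report.setdefault(control, []).append(msg)
    for a in accounts:
        for control, msg in check_account(a):
            report.setdefault(control, []).append(msg)
    for name in sorted(set(observed_devices) - {d.name for d in devices}):
        report.setdefault("asset_inventory", []).append(f"{name}: seen on the network but not in the asset list")
    return report


def ready_to_book(report: dict) -> bool:
    """Pass/fail, like the audit itself: any finding means do not book yet."""
    return not report


# Constructed sample inventory: names, dates and states are invented.
TODAY = date(2026, 6, 16)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11", True, date(2026, 5, 20), True, TODAY, True),
    Device("LAPTOP-02", "Windows 11", True, None, True, TODAY, True),
    Device("CFO-PERSONAL", "macOS 15", True, None, True, date(2026, 6, 10), True, byod=True,
           byod_technically_enforced=False),
    Device("SRV-01", "Windows Server 2012 R2", False, None, True, TODAY, False),
]
SAMPLE_ACCOUNTS = [
    Account("alice@example.invalid", mfa_enabled=True, used_for_daily_work=True),
    Account("bob-admin@example.invalid", mfa_enabled=True, is_admin=True, used_for_daily_work=True),
    Account("accounts@example.invalid", mfa_enabled=False),           # shared mailbox, no MFA
    Account("carol-linkedin", mfa_enabled=False, holds_org_data=False),  # personal, out of scope
]
SAMPLE_OBSERVED = {"LAPTOP-01", "LAPTOP-02", "CFO-PERSONAL", "SRV-01", "PRINTER-RECEPTION"}


def demo_report() -> dict:
    return gap_report(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, SAMPLE_OBSERVED, TODAY)


if __name__ == "__main__":
    for control, msgs in sorted(demo_report().items()):
        for m in msgs:
            print(f"[{control}] {m}")
    print("ready to book:", ready_to_book(demo_report()))
```

The report groups findings by control so they map back to the assessor's hot-spots, and `ready_to_book` is deliberately all-or-nothing: one unpatched laptop, one shared mailbox without MFA or one printer missing from the list is enough to fail, so the script should return `False` for exactly the same reasons the audit would.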

What we run for clients

We hold Cyber Essentials Plus ourselves and run the certification annually for dozens of UK SME clients. Our standard CE+ project for a new client is:

  • Week 1-2: gap analysis against the current CE+ specification. Output: a written report with every gap, the work to close it, and the cost.
  • Week 3-10: remediation. We do the technical work; the client gives us access and signs off on policy changes. Our ISO 27001 controls cover most of the CE+ requirements as a baseline, so the gap-closing tends to focus on the SME's specific environment (asset list, BYOD policy, third-party app inventory).
  • Week 11-12: dry run with our own scanner before booking the assessor.
  • Week 13-14: book and attend the audit.
  • Week 15-16: pass certificate to the client.

After year one, we keep the controls live continuously, run quarterly dry runs as part of our managed-IT service, and re-certify annually with a 2-to-4-week window. Most clients hand it off entirely and don't think about it again until renewal.

Bottom line

If your business handles client data, sells to the UK public sector, or sits in a regulated supply chain, Cyber Essentials Plus is not optional. The question is whether you pass first time or burn six months getting there.

A serious gap analysis costs less than failing the audit. If you've been asked for CE+ by a prospect, an insurer or a regulator, the next move is to book a 30-minute call with a partner who's run the cert for businesses like yours.

About this article

Statistics in this article reflect the Cyber Essentials Plus specification and pricing current as of June 2026.

About Inflection Point

Inflection Point is a UK managed-IT and cyber-security firm. 200+ active clients across the UK, 16+ years EOS-run, founder-led with 25 years industry experience. [ISO 27001 certified](/cyber-security/), Cyber Essentials Plus, Microsoft Solutions Partner, rated 4.9/5 across 150+ Trustpilot reviews. We help UK SMEs achieve and maintain Cyber Essentials Plus, with under-15-minute remote response and a 1-hour on-site SLA. From £39 per user per month for managed IT.

If you've been asked for CE+ by a client, insurer or regulator and want a partner who runs the cert annually for dozens of UK SMEs, book a 30-minute discovery call. We will tell you what's in scope, what to fix first, what it will cost and how long it will take. No sales pitch.

Iain Godding is the founder of Inflection Point. He has 25 years of UK IT and cyber-security industry experience.

Frequently Asked Questions

How much does Cyber Essentials Plus cost a UK SME in 2026?

The total first-time cost for a typical UK SME runs from £1,000 to £8,000. That breaks into three layers: the certification body fee (£300 to £500), the assessor's time on-site or remote (£800 to £3,500 depending on scale), and the remediation or security project to actually pass (the largest line item for most SMEs, covering things like MFA rollout, patching backlogs, asset list completeness and account separation). Renewals are materially cheaper once the controls are running: budget £500 to £1,500 per year.

How long does Cyber Essentials Plus certification take?

8 to 16 weeks for first-time certification, 2 to 4 weeks for the annual renewal. The first-time bottleneck is almost always the remediation work, particularly deploying MFA to every account that touches cloud services, clearing the patching backlog and building an accurate asset inventory. If you fail the external audit (around a third of first-time submissions do), the path back is another 4 to 8 weeks of remediation plus a re-audit fee.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment: you complete a 60-question declaration, pay the certification body fee and receive the badge. Cyber Essentials Plus is an external audit: a qualified assessor verifies that what you declared is actually true by running vulnerability tests on a sample of your devices and accounts. CE is useful as a starting point for businesses with 5 or fewer staff. CE+ is the version that matters for UK public sector tenders, professional services contracts and business insurance applications.

What happens if you fail the Cyber Essentials Plus assessment?

There is no in-between grade: you pass or you fail. If you fail, the assessor's report will list every control area that failed. You have a defined window (typically 30 days) to remediate and re-test. The re-test is at the assessor's discretion: some failures can be cleared with evidence only, others require a full re-audit at additional cost. About a third of first-time SME submissions fail, most often on MFA scope, patching timeliness or asset list completeness.

Sources

  1. NCSC. Cyber Essentials overview (2026).
  2. IASME. Cyber Essentials Plus assessment specification (2026).
  3. NCSC. Cyber Essentials evolving requirements (Montpellier, April 2025) (2025).
  4. Information Commissioner's Office. ICO enforcement actions database (2026).

Written by

Iain Godding

Owner / Founder / Managing Director

Iain has over 25 years’ experience delivering large-scale technology programmes across public and private sectors. As our MD he brings this enterprise-grade IT expertise to SMEs in the South West in a way that’s accessible, scalable, and commercially valuable. A champion of innovation, he’s at the forefront of applying AI and automation to help clients streamline operations, improve decision-making, and unlock new value. Iain has built a culture that prioritises innovation, service excellence, and long-term client partnerships, helping businesses of all sizes achieve more with technology. Outside work, Iain advises growing businesses as a board member and non-executive director.
