Cyber Essentials Plus · Manchester

A tender, an insurer, or a customer just asked for CE+. Now what?

You found out about Cyber Essentials Plus the same way most owners do — a procurement form, a renewal letter, or an email from your biggest customer. The deadline is short, the technical detail is foreign, and Googling it returns thirty MSPs who all sound the same. You need someone to tell you, plainly, whether you are weeks away or months away — and then get you there.

That's what this page is for.


Written and reviewed by

Brett Casterton — Founder & Managing Director, Inology IT. Ex-UK Armed Forces. 24 years running IT and cyber security for Manchester small businesses. ISO 27001 lead. Last reviewed: June 2026.

Plus is a different exam

Cyber Essentials is a questionnaire. Plus is a hands-on audit on your real devices.

5 technical controls tested: firewalls, secure configuration, user access control, malware protection, security update management. Plus verifies each one on real devices. Source: NCSC, UK Government.

12 months certification validity. Cyber Essentials and Cyber Essentials Plus are annually renewable — let it lapse and you fall out of every framework that lists you. Source: IASME, official scheme delivery partner.

CE is a prerequisite. You must hold a current Cyber Essentials certificate before you can sit the Plus audit. We do both, in sequence, in one engagement. Source: IASME.

4–8 weeks typical end-to-end time for a 10–50 staff Manchester business — gap analysis, remediation, audit, certificate. Faster if your baseline is already strong.

The shape of the difference

What Plus verifies that the self-assessment cannot.

Both certifications cover the same five technical controls. The difference is in how each one is checked. Plus is what a serious buyer or insurer asks for when they want assurance, not assertion.

Cyber Essentials vs Cyber Essentials Plus

Verified self-assessment questionnaire
External vulnerability scan of internet gateways
Authenticated scan of sample user devices
Email and web-browser malware-handling tests
Account-separation and admin-rights verification
Independent IASME assessor sign-off

Same five controls. CE asks; Plus checks.

Source: NCSC Cyber Essentials overview and IASME, official Cyber Essentials delivery partner. The Plus audit covers a representative set of user devices, all internet gateways, and all servers with services accessible to the internet.

1. The buyer asking for it is increasingly senior

It used to be MoD and central government. Now it is NHS trusts, large law firms, accountancy networks, financial services and major manufacturers — anyone with a procurement team that has had a supply-chain incident in the last three years. Plus is what they ask for when "Cyber Essentials" isn't enough on the spreadsheet.

2. Cyber insurance is shifting the same way

More UK insurers are listing Cyber Essentials Plus on the form — sometimes as a discount, sometimes as a requirement at certain coverage limits. The questionnaires have sharpened; the cheapest way to get through them clean is to already hold Plus.

3. Plus is a real exam — and IT estates fail it routinely

Common failure points we see on first-time audits: unpatched applications (especially Adobe and Java), unsupported browsers, missing screen lock policies, admin accounts used for everyday work, and BYOD devices that nobody actually configured. Every one of these is fixable. None are visible from a questionnaire alone.

The guide

Manchester since 2002. Veteran-founded. ISO 27001 certified.

We have walked dozens of Manchester small businesses through Cyber Essentials Plus — first-time certifications, panicked renewals two weeks out, and supply-chain ultimatums from larger customers. Brett Casterton is an ex-UK Armed Forces ISO 27001 lead. The same controls we deploy on your network run on ours: if we don't trust it, we don't sell it.

Our credentials

ISO 9001 · ISO 27001 · Cyber Essentials · Microsoft Solutions Partner — Modern Work

Track record

45+ Manchester businesses · 350+ users · 7 industries · 24 years in Manchester

Founder

Brett Casterton — ex-UK Armed Forces. 24 years running IT and cyber for Manchester firms.

The plan

Gap analysis. Remediation. Audit. Certificate. Then we keep it that way.

1. Free gap analysis — week one

We map your environment against all five Cyber Essentials controls plus the additional things the Plus audit will physically test. You get a written report with a pass-fail-fix list and a fixed price for what's needed to get certified. No commitment to proceed.

2. Cyber Essentials self-assessment first

CE is the prerequisite. We complete the IASME questionnaire with you, evidence each answer, and submit. Most clients pass first time. The certificate is usually issued within 72 hours of submission, and from that moment you have 90 days to sit the Plus audit.

3. Remediation — the technical fixes

Patch baselines, browser and email lockdown, account separation, admin removal from daily-use accounts, MFA enforcement, device encryption, screen-lock policies, mobile management. We do the work; you sign it off. Where remediation overlaps with your managed IT, it's already included.

4. The assessor audit — we sit it with you

An IASME-licensed assessor runs vulnerability scans against your internet gateways, authenticated scans on a representative set of user devices, malware-handling tests on email and web browsers, and account-separation checks. We're on the call. We answer the technical questions. You confirm the business side.

5. Renewal — 12 months, every year

We diary your renewal date. Ninety days before expiry we run a pre-audit scan, fix anything that has drifted, and book the new assessor slot. You never go uncertified mid-tender. The renewal is a smaller engagement, not a re-start.

A 30-minute call. We tell you if you're weeks away or months away.

Bring your last IT audit, the tender or insurer requirement that triggered this, and one technical person if you have one. We'll come back with a written plan and a fixed price.

What's at stake

The cost of a failed audit isn't the audit. It's the contract.

A Plus audit fail is recoverable — you fix the gaps and re-sit. The audit fee gets eaten, the timeline slips by a few weeks, and life moves on. What doesn't recover as cleanly is the tender you missed the deadline on, the insurance renewal that went up because you couldn't tick the box, or the customer who quietly moved their work to a competitor who already held the certificate. Plus is the ticket to a different shortlist. Showing up with the wrong ticket — or no ticket — costs more than the audit ever will.

What success looks like

You hold the certificate. Your buyer ticks the box. Your renewal is diary-managed.

In tender responses

You attach the current Plus certificate, point to the IASME-listed entry, and move on. No more last-minute scrambles to produce evidence you couldn't see was missing.

On the insurance form

"Do you hold Cyber Essentials Plus?" — yes, certificate number, date. The questions after that get easier, and so does the premium.

In your own management

You know the controls are actually in place because someone independent tested them on the devices. The cyber score on your SecureState™ dashboard goes up. The board update writes itself.

Built into managed IT — not bolted on the side.

SecureState™ is included with every Inology managed IT client by default — the controls Plus tests are the same controls SecureState scores and re-scores every 90 days. Cyber Essentials and CE+ certifications are fixed-price productised projects on top. ISO 27001, DSPT and PCI DSS readiness are scoped consulting engagements, quoted separately.

We hold ISO 9001 and ISO 27001 at organisation level, Cyber Essentials certification, and Microsoft Solutions Partner status for Modern Work. The same controls we deploy on your network run on ours — if we don't trust it, we don't sell it.

Cyber Essentials Plus — frequently asked.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a verified self-assessment against five technical controls (firewalls, secure configuration, user access control, malware protection, security update management). Cyber Essentials Plus covers the same controls but adds an independent, hands-on technical audit by an IASME-licensed assessor — vulnerability scans, sample-device tests, and verification that the controls are actually in place. Source: NCSC and IASME.

How much does Cyber Essentials Plus cost in the UK?

The Plus audit is priced by the assessor according to the size and complexity of your network — IASME does not publish fixed bands. Cyber Essentials itself starts at £320 + VAT for 0–9 employees, £440 + VAT for 10–49, £500 + VAT for 50–249 and £600 + VAT for 250+ (source: IASME). For a 10–50 staff Manchester business, total Plus cost — assessor fee plus our preparation and remediation work — typically lands between £1,800 and £3,500. We quote fixed-price after the free gap analysis.

How long does Cyber Essentials Plus take?

Four to eight weeks end-to-end for a 10–50 staff business. CE self-assessment is usually passed in week one. Remediation runs alongside in weeks two and three. The Plus audit is booked in weeks four to six. The certificate is valid for 12 months from the audit date.

Do I need Cyber Essentials Plus for MoD or public sector contracts?

Yes for many. Cyber Essentials Plus is required for UK Ministry of Defence contracts that involve sensitive information, and is increasingly mandated by central government, NHS supply chains and large enterprise procurement teams. Cyber Essentials alone covers most lighter public-sector framework requirements. Send us your tender or supplier-onboarding document and we'll tell you which one applies before you commit.

Is Cyber Essentials Plus renewed annually?

Yes. CE and CE+ certificates are valid for 12 months and must be renewed annually (source: IASME). We track your renewal window, run a re-assessment scan 90 days in advance, and book the audit before the certificate lapses — so you never go uncertified mid-tender.

What are the five technical controls?

Firewalls, secure configuration, user access control, malware protection, and security update management. Source: NCSC. Cyber Essentials Plus tests every one of these on real devices and gateways in your environment, not just on paper.

Are you certified yourselves?

Yes. Inology IT is ISO 9001 and ISO 27001 certified at organisation level, Cyber Essentials certified, and a Microsoft Solutions Partner for Modern Work. We run the same controls on our own network that we deploy on yours. If we can't trust it, we won't sell it.

What if we're already mid-tender and the deadline is short?

Call 0161 503 3535 first. We have run compressed CE+ engagements in as little as three weeks when the environment was already strong. We'll tell you honestly on the first call whether the deadline is realistic — and what conditional language to put in the tender response if it isn't.

Trusted IT. Built-in cyber resilience. Manchester since 2002.

If a tender, an insurer or a customer has just asked for Cyber Essentials Plus, we'll walk you through what it actually involves, how long it'll take, and what it'll cost — before you commit to anything.