Cyber threats don’t stand still. Neither do the standards designed to stop them. If your organisation holds a Cyber Essentials or Cyber Essentials Plus (CE+) certification, or is considering one, there’s something important you need to know: the standard has been updated, and the bar has been raised.
This isn’t a minor tweak. The refreshed Cyber Essentials Plus framework reflects the reality of how businesses operate today: cloud-first environments, remote workforces, mobile devices, and an attack surface that looks nothing like it did when the original standard was written.
The good news? If you act now, you can get ahead of it. Here’s everything you need to know.
Why Cyber Essentials Plus Matters More Than Ever
Let’s start with the basics. Cyber Essentials is the UK government-backed certification scheme designed to help organisations protect themselves against the most common cyber-attacks – phishing, malware, ransomware, and unauthorised access. Cyber Essentials Plus takes that a step further: rather than a self-assessed questionnaire, it involves independent technical verification. An assessor actually tests your systems to confirm your controls work in practice, not just on paper.
For your customers, that distinction matters enormously.
In a landscape where supply chain attacks are increasingly common, your clients, partners, and procurement teams aren’t just asking whether you have a security policy; they’re asking whether you can prove it. CE+ is that proof. It tells the world that your defences have been independently tested and verified, not self-declared. For organisations bidding on government contracts, working in regulated sectors, or handling sensitive customer data, CE+ isn’t a nice-to-have. It’s increasingly a commercial prerequisite.
Beyond the contractual angle, there’s the practical one. Cyber Essentials Plus certification gives your leadership team confidence that the five core technical controls (firewalls, secure configuration, user access control, malware protection, and patch management) are genuinely in place and functioning. That confidence has real value when a board is assessing risk, when an insurer is pricing a cyber policy, or when a customer is deciding whether to trust you with their data.
The updated standard makes that assurance even more meaningful, because it’s been designed for the way businesses actually work in 2026 and beyond.
What’s Changed: Old Standard vs New
The original Cyber Essentials framework was built for a world of on-premise infrastructure, desktop computers, and relatively contained network perimeters. That world has largely gone. The updated standard acknowledges this and closes the gaps that the old version left open.
Cloud services are now firmly in scope – Under the previous standard, cloud-hosted services occupied a grey area. Many organisations assumed that if a service was managed by a third-party provider, it fell outside the scope of their assessment. The updated framework makes clear that cloud services, including Software as a Service (SaaS) platforms, are in scope where your organisation controls the configuration. If your staff are using Microsoft 365, Google Workspace, or any other cloud platform, the way those environments are configured now counts: the provider secures the platform, but settings such as MFA enforcement, account lifecycle and sharing controls remain your responsibility. That’s a significant shift for organisations that have migrated heavily to the cloud and assumed their provider was handling security on their behalf.
Home and hybrid working environments are addressed directly – The old standard was written before remote working became the norm for millions of UK employees. The updated version explicitly addresses devices used outside the corporate network – including home broadband routers and personal devices used for work. If your staff are connecting from home, those endpoints and the networks they sit on are now part of the picture. For many organisations, this will require a fresh look at device management, VPN policies, and the controls applied to personally-owned devices used for work purposes.
Thin clients and virtual desktops are included – As more organisations move to virtual desktop infrastructure (VDI) and thin-client environments, the updated standard provides clearer guidance on how these are assessed. The previous version left room for ambiguity; the new one closes it.
Firmware and router security – The updated standard tightens requirements around routers and firewalls, including the firmware running on them. Default credentials, unpatched firmware, and misconfigured boundary devices have been a consistent entry point for attackers; the revised standard makes it harder to overlook these.
Stronger password and authentication requirements – The bar on credential security has been raised. The updated standard aligns more closely with current NCSC guidance on password policies, multi-factor authentication, and account management. If your organisation is still relying on password complexity rules alone, without MFA on internet-facing services, you’ll need to address that before you can certify.
Malware protection scope expanded – The updated framework takes a broader view of malware protection, including application allow-listing as an accepted control and providing clearer guidance on what’s required for different device types. Organisations that have relied on traditional antivirus alone may find they need to review their approach.
Taken together, these changes mean that organisations which previously held CE+ certification cannot assume they’ll pass under the new standard without a fresh assessment of their controls. The scope is wider, the requirements are more precise, and the technical verification is more thorough.
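To make the scope changes above concrete, here is an added example of a readiness gap check run over a small, constructed asset inventory. It is illustrative code written for this page, not Cyberfort’s tooling or part of the scheme; the thresholds it applies (high/critical patches within 14 days, MFA on cloud services, a 12-character minimum password where MFA is not enforced and 8 where it is, default credentials changed and supported firmware on boundary devices, a host firewall on home-based endpoints, and either anti-malware or application allow-listing on endpoints) are my reading of the current requirements and are marked as assumptions in the code; confirm them against the live IASME question set before relying on them. Every device and service name is made up.

```python
"""Readiness gap check of a constructed IT inventory against the five
Cyber Essentials control areas. Added illustration, not Cyberfort's or
IASME's code; every threshold below is an assumption to confirm against
the live question set."""
from dataclasses import dataclass, field
from datetime import date

PATCH_WINDOW_DAYS = 14         # assumption: high/critical fixes applied within 14 days of release
MIN_PWD_LEN_WITH_MFA = 8       # assumption: 8 characters acceptable only when MFA is enforced
MIN_PWD_LEN_WITHOUT_MFA = 12   # assumption: 12 characters when MFA is not enforced

BOUNDARY_KINDS = {"firewall", "router"}


@dataclass
class Device:
    name: str
    kind: str                               # "laptop", "firewall", "router", "thin-client"
    location: str = "office"                # "office" or "home"
    supported_os: bool = True               # vendor still shipping security updates
    host_firewall_on: bool = True           # software firewall on the endpoint itself
    malware_control: str = "av"             # "av", "allowlist" or "" (none)
    default_creds_changed: bool = True      # boundary devices only
    firmware_supported: bool = True         # boundary devices only
    pending_high_patches: list = field(default_factory=list)  # [(patch, release_date)]


@dataclass
class CloudService:
    name: str
    mfa_admins: bool
    mfa_users: bool
    min_password_length: int


def check_device(dev, today):
    """Return (asset, control, issue) tuples for one device."""
    f = []
    if not dev.supported_os:
        f.append((dev.name, "patch management", "unsupported operating system still in use"))
    for patch, released in dev.pending_high_patches:
        age = (today - released).days
        if age > PATCH_WINDOW_DAYS:
            f.append((dev.name, "patch management",
                      f"{patch} outstanding {age} days (limit {PATCH_WINDOW_DAYS})"))
    if dev.kind in BOUNDARY_KINDS:
        if not dev.default_creds_changed:
            f.append((dev.name, "secure configuration", "default administrator credentials unchanged"))
        if not dev.firmware_supported:
            f.append((dev.name, "firewalls", "firmware no longer receiving security updates"))
    else:
        # assumption: an endpoint used off the corporate network needs its own host firewall
        if dev.location == "home" and not dev.host_firewall_on:
            f.append((dev.name, "firewalls", "home-based device has host firewall disabled"))
        if dev.malware_control not in ("av", "allowlist"):
            f.append((dev.name, "malware protection", "no anti-malware or application allow-listing"))
    return f


def check_cloud(svc):
    """Return (asset, control, issue) tuples for one cloud/SaaS tenant you configure."""
    f = []
    if not svc.mfa_admins:
        f.append((svc.name, "user access control", "MFA not enforced for administrators"))
    if not svc.mfa_users:
        f.append((svc.name, "user access control", "MFA not enforced for users"))
    required = MIN_PWD_LEN_WITH_MFA if (svc.mfa_admins and svc.mfa_users) else MIN_PWD_LEN_WITHOUT_MFA
    if svc.min_password_length < required:
        f.append((svc.name, "user access control",
                  f"minimum password length {svc.min_password_length} below {required}"))
    return f


def assess(devices, services, today):
    """Full gap list for the inventory, in the order assets were listed."""
    findings = []
    for d in devices:
        findings += check_device(d, today)
    for s in services:
        findings += check_cloud(s)
    return findings


def summarise(findings):
    """Count findings per control area, for a prioritised action plan."""
    counts = {}
    for _, control, _ in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


# Constructed sample inventory: hypothetical names, not real data.
TODAY = date(2026, 3, 1)
DEVICES = [
    Device("edge-fw-01", "firewall", default_creds_changed=False),
    Device("branch-rtr-02", "router", firmware_supported=False),
    Device("lt-finance-12", "laptop", location="home", host_firewall_on=False,
           pending_high_patches=[("browser update", date(2026, 2, 1))]),
    Device("tc-reception-01", "thin-client", malware_control="allowlist"),
    Device("lt-legacy-03", "laptop", supported_os=False, malware_control=""),
]
SERVICES = [
    CloudService("Microsoft 365", mfa_admins=True, mfa_users=False, min_password_length=8),
    CloudService("HR SaaS", mfa_admins=True, mfa_users=True, min_password_length=8),
]

if __name__ == "__main__":
    for asset, control, issue in assess(DEVICES, SERVICES, TODAY):
        print(f"[{control}] {asset}: {issue}")
    print(summarise(assess(DEVICES, SERVICES, TODAY)))
```

Running it lists eight findings across the sample estate; note that the thin client with allow-listing and the SaaS tenant with MFA on every account produce none, while the tenant without user MFA is flagged twice because an 8-character minimum is only acceptable alongside MFA under the assumed rule.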
Why You Need to Act Now and How Cyberfort Can Help
At Cyberfort, we’ve been working with the Cyber Essentials framework since its inception. We’re an IASME-accredited Certification Body, which means we can take you through the full CE+ process, from readiness assessment through to certification, with a team that understands both the technical requirements and the commercial pressures you’re working under.
Our approach to CE+ is built around three things: preparation, verification, and remediation.
Preparation – Before we put your organisation through the formal assessment, we work with you to understand your current environment: your devices, your cloud services, your remote working setup, and your boundary controls. We identify the gaps against the new standard and give you a clear, prioritised action plan. No surprises on assessment day.
Verification – Our technical assessors carry out the hands-on testing that CE+ requires, including scanning your external-facing systems, testing your internal controls, and verifying that what you’ve documented is what’s actually in place. This is where CE+ earns its credibility, and it’s where our experience makes a real difference. We’ve assessed organisations with IT estates of every size and complexity, and we know what the assessors look for.
Remediation support – If gaps are found (and in our experience they usually are, particularly under the updated standard), we don’t just flag them and walk away. Our technical team can help you close them, whether that’s configuring MFA across your cloud platforms, tightening your patch management process, or reviewing your device management policies. We see the assessment and the remediation as part of the same engagement, not two separate conversations.
The reason to act now is straightforward: the updated standard is in effect, and the window to prepare is shorter than most organisations realise. If your current certification is due for renewal, you’ll be assessed against the new requirements. If you’re pursuing CE+ for the first time, you’re starting under the new standard from day one. Either way, the organisations that begin their preparation earliest are the ones that certify fastest and the ones that avoid the costly scramble of last-minute remediation.
Why Cyberfort for CE+?
There’s no shortage of organisations offering Cyber Essentials assessments. So why does it matter who you choose?
Because certification is only part of the story. What matters is what happens before the assessment and what you’re left with afterwards.
Cyberfort brings together accredited certification, deep technical expertise, and a genuine understanding of the threat landscape. Our assessors aren’t ticking boxes; they’re experienced security professionals who understand how attackers think and where defences typically fail. That means our pre-assessment work is sharper, our gap analysis is more accurate, and our remediation guidance is practical rather than theoretical.
We also bring continuity. Many of our customers come to us for CE+ and stay with us for broader security services including penetration testing, managed detection and response, and security awareness training. That’s not a sales pitch; it’s a reflection of how security works in practice. Cyber Essentials Plus is a foundation, not a finish line, and having a partner who can support you beyond certification means you’re building on solid ground rather than starting from scratch every year.
Next Steps
Getting started on your CE+ journey with Cyberfort is straightforward. Here’s how the process works:
Step 1 — Scoping conversation. We start with a no-obligation call to understand your environment, your timeline, and your current state of readiness. This takes around 30 minutes and gives us everything we need to scope the engagement accurately.
Step 2 — Readiness assessment. Before the formal CE+ assessment begins, we review your current controls against the new standard and produce a gap report. This is where we identify anything that needs to be addressed before assessment day, giving you time to fix it rather than fail on it.
Step 3 — Remediation (where needed). If gaps exist, our technical team works with you to close them. We provide hands-on support, not just a list of recommendations.
Step 4 — CE+ assessment. Our accredited assessors carry out the technical verification required for CE+ certification. We manage the process end to end, including submission to IASME.
Step 5 — Certification and beyond. Once certified, we’ll work with you to maintain your posture through to renewal and support you with any broader security needs that CE+ has surfaced.
The new standard is here. The question isn’t whether your organisation needs to respond to it, it’s whether you respond now, on your terms, or later, under pressure.
Get in touch with the Cyberfort team today at [email protected] and let’s get your organisation CE+ certified.