Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Cyber Essentials Plus: Assuring NHS Buyers

  • Published: January 14, 2026
  • Category: Cyber Security

Share this post

Avatar photo
Tawney Evans

Share this post

Cyber Essentials or Cyber Essentials+ ?

Robust cybersecurity is paramount. While Cyber Essentials has been a minimum certification in the NHS for many years, Cyber Essentials Plus is increasingly becoming the new benchmark for assurance, especially for technologies that use Artificial Intelligence (AI).  

This enhanced certification involves third-party verification, via an Audit, of an organisation’s ability to meet rigorous cybersecurity requirements, offering an essential additional layer of assurance for NHS buyers. In this blog, we’ll explain the crucial differences between Cyber Essentials and Cyber Essentials+  and the benefits for organisations that opt for an audited certification.

Need Help? Book a Call with our Expert Team
Shield icon with a medical cross symbol representing healthcare security

Why do we need Cyber Essentials Plus

In recent years, the NHS has experienced numerous cyber attacks, including only last year, when Synnovis experienced a ransomware attack in which severe disruptions occurred to 1,700 elective procedures and nearly 400GB of sensitive patient data was published on the dark web. 

The National Cyber Security Centre (NCSC) warns that major cyber attacks are a matter of “when, not if”, and Cyber Essentials Plus provides the NHS with the assurance that, as an organisation, you take your digital and online safety seriously.

What is Cyber Essentials?

Cyber Essentials is a government-backed certification scheme designed to safeguard your organisation’s and customers’ data against cyber attacks. The National Cyber Security Centre (NCSC) endorses it as the minimum standard for digital health security.

Cyber Essentials involves completing a self-assessment questionnaire covering five critical areas of safety and security. This evaluation prompts you to thoroughly review your current protective measures and identify any necessary updates to prevent cyber incidents. This vigilance is crucial, as the NCSC reports that close to half of all UK businesses (7.7 million) have experienced a form of cybercrime due to poor cyber hygiene.

Cyber Essentials Plus vs. Cyber Essentials -The Critical Difference

The fundamental difference between Cyber Essentials and Cyber Essentials Plus lies in the verification process. Cyber Essentials involves a self-assessment questionnaire to evaluate your cybersecurity controls. In contrast, Cyber Essentials Plus requires an additional, mandatory technical audit conducted by an external certification body. This audit is crucial for verifying that your controls function effectively in a real-world context, often including an internal vulnerability scan and a simulated phishing test. This verified proof offers greater assurance, particularly for organisations handling sensitive data, such as the NHS.

What are the 5 technical controls of CE+?

Upon achieving Cyber Essentials (CE) certification, you have a 90-day window to schedule your Cyber Essentials Plus (CE+) audit.

This audit evaluates your organisation against the following five core technical controls:

Step 1

Firewalls: Securing your network perimeter to prevent unauthorised access.

Circular icon with the number 2

Secure Configuration: Ensuring all systems are optimally secured (e.g. removing default passwords and disabling unnecessary functions).

Step 3

User Access Control: Managing user privileges and controlling who can access specific data.

Circular icon with the number 4

Malware Protection: Implementing anti-malware software for the detection and prevention of malicious code.

Step 5

Patch Management: Guaranteeing that all operating systems and software are updated promptly.

Where possible, CE+ is the preferred certification for an organisation, as it signifies a strategic business commitment rather than just a tick box exercise. The external audit is conducted on a percentage of your devices, eliminating the need to schedule downtime for every individual in the organisation.

Why is Cyber Essentials+ a business enabler?

While some companies may view Cyber Essentials Plus (CE+) as an unnecessary compliance task, it demonstrates a robust commitment to security, setting you apart from competitors. This rigorous security commitment is particularly appealing to organisations like the NHS, with many individual providers and Integrated Care Boards (ICBs) now explicitly requiring CE+ (​​https://www.supplychain.nhs.uk/news-article/cyber-security-expectations-of-suppliers/ ). ICB’s are especially focused on seeing Cyber Essentials Plus in place for any tools which have an Artificial Intelligence or Machine Learning component as part of efforts to enhance AI Governance between the NHS and its suppliers. 

Furthermore, achieving CE+ provides a strong foundation for organisations pursuing DTAC (Digital Technology Assessment Criteria) compliance. Knowing their systems surpass minimum requirements, they can approach the DTAC process with greater confidence.

Overlaps with other Compliance Requirements

For organisations with access to NHS patient data and systems, the Data Security and Protection Toolkit (DSPT) is a mandatory requirement for interacting with the NHS. The DSPT is a comprehensive information and data governance framework, significantly broader than the purely technical controls audited by Cyber Essentials Plus (CE+), covering areas such as mandatory staff training (ensuring all employees understand data handling rules), detailed information governance policies (governing how data is shared and retained) and protocols for incident response and reporting (mandatory procedures for notifying the NHS and ICO in the event of a breach). 

However, holding a CE+ certification offers a substantial advantage. The security controls verified during a CE+ audit directly align with, and greatly simplify, the evidence gathering needed for the core technical sections of the DSPT submission. Since CE+ is formally recognised within the DSPT, it allows organisations to automatically declare compliance against several DSPT assertions, which dramatically reduces the administrative burden of the annual submission.

Summary

When debating whether it is beneficial to obtain your CE+ moving forward, remember that what sets this certification apart is its external audit. Where it intertwines so frequently with other compliance regulations, such as DTAC and DSPT, it elevates your compliance in the direction of NHS compatibility and makes it a much simpler process to approach.

Frequently Asked Questions.

What is Cyber Essentials (CE)?

Cyber Essentials is a certification scheme backed by the UK Government to ensure businesses protect themselves against the most common cyber threats. Businesses are required to fill out a self-assessment questionnaire and meet a minimum threshold to secure a ‘Pass’.

What is the difference between Cyber Essentials (CE) and Cyber Essentials Plus (CE+)?

Cyber Essentials is the self-assessment stage, and once complete, you have 90 days to undertake an external audit to verify your cybersecurity controls to achieve Cyber Essentials Plus. They test this in a real-world context, so they will include a vulnerability scan of your devices and a simulated phishing test.

Do I need Cyber Essentials before applying for Cyber Essentials Plus?

Yes, you need to complete Cyber Essentials first, and then you have 90 days to complete your Cyber Essentials Plus audit.

How long is the certification valid for?

Both Cyber Essentials and Cyber Essentials Plus must be renewed annually.

What are the five key security controls covered?

  1. Firewalls: This is like the digital gatekeeper for your network—it stops unauthorised users from accessing your systems and data.
  2. Secure Configuration: It means getting rid of all the easy-access points on your devices, like changing default passwords and turning off things you don’t actually use.
  3. User Access Control: This is about who gets to see what—making sure only the right people have permission to view or change sensitive files.
  4. Malware Protection: This is your computer’s antivirus; it uses software to find and block software viruses and other malicious code that could corrupt or prevent access to your data.
  5. Patch Management: Just like updating your phone, this is making sure all your software and operating systems are always kept up-to-date to fix security holes quickly.

What does the Cyber Essentials Plus audit involve?

The Cyber Essentials Plus is a hands-on security test that is completed by an external company that is approved by the certification scheme owners, IASME. It consists of:

  • External vulnerability scan: The Auditor will check your outside-facing systems (like your website and firewalls) to see if there are any obvious security holes a hacker could get through. 
  • Internal system test: They take a sample of your team’s devices and check that security settings are correct, and software/operating systems are fully up-to-date.
  • Malware Protection Check: They try to send you some safe, dummy virus files to see if your antimalware software catches them.
  • Configuration Check: This verifies that your crucial settings, like screen locking or password rules, are set up properly, validating the controls claimed in the initial questionnaire.

How is the scope determined?

You decide the scope for your Cyber Essentials, and it must stay the same for the Cyber Essentials audit. The most popular or default scope is for the whole organisation to ensure the security standards are up to date. 

However, for large MedTech companies, they can choose the scope they want to assess, e.g. the specific network segment that handles the NHS product/contract. Although this is only accepted if it is proven to be securely and technically isolated.

How many devices will be tested in a Cyber Essentials Plus Audit?

The assessment will only be on a representative sample of your user devices that fall within scope of the test. So the bigger the organisation, the larger the sample size required.

What are the rules for fixing vulnerabilities during the audit?

If any high-risk vulnerabilities are identified and an update is required, you have 14 days from the update release to fix the vulnerability. Once the fix is made, a re-audit can take place to complete your certification.

What is the most common reason for failure?

Most of the time, people fail because of two simple things:

  1. Missing Updates: Staff haven’t installed those critical security updates (patches) before the audit happens.
  2. Too Much Access: People are using high-level admin accounts for basic, everyday stuff—like checking their emails or browsing the web—when they don’t really need that kind of access for their day job.

What happens if I fail the Cyber Essentials Plus audit?

If you fail the Cyber Essentials Plus audit, you do get the opportunity to do a retest. Usually, this is in the areas that failed the original audit.

We’re the experts that have your back.

Speak to a Member of our Expert Team about how you can adopt Cyber Essentials + into your business

Book a Call with our Expert Team

Other Articles​

Loading...
Blog post: How I learnt to keep worrying, but embrace Google Gemini anyway

How I learnt to keep worrying, but embrace Google Gemini anyway

Read More →

July 15, 2026
Cybersecurity: The Vanguard of Patient Safety in Healthcare

Cybersecurity: The Vanguard of Patient Safety in Healthcare

Read More →

May 18, 2026
Compliance with the NHS Cyber Security Charter Explained

The Evidence Era: Compliance with the NHS Cyber Security Charter

Read More →

April 1, 2026
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept