Cyber Essentials is a self-assessment questionnaire. Cyber Essentials Plus is the same five controls, except an assessor turns up and checks. That’s the whole difference — and it’s why firms that breeze through the basic certificate sometimes trip on Plus a few months later.
The good news: nearly every failure we see comes from the same short list. None of it is exotic. Get these eight things straight before the assessor connects, and you pass first time — without the re-test fee and the four weeks of remediation that usually come with a fail.
What the assessor actually does.
For Plus, an assessor runs a vulnerability scan against your internet-facing IP addresses, then takes a sample of your actual devices — laptops, desktops, the odd server, a couple of phones — and tests them hands-on. They’ll send a few harmless test files to a mailbox, open a dodgy-looking file in a browser, and check that your machine blocks what it should. They verify the controls are real, not just claimed.
So the failures below aren’t paperwork problems. They’re things the assessor will see on the day.
1. Software that’s gone end-of-life.
This is the number-one killer. Windows 10 reached end of support in October 2025; an unsupported OS is an automatic fail. The same goes for an old Server 2012 box humming away in a cupboard, a copy of Office 2016, or — very common — a line-of-business app that pins you to an ancient version of something.
The fix: inventory everything now, not the week before. Anything past its vendor end-of-life date either gets upgraded, replaced, or formally segregated off the network. There’s no negotiating with an EOL date.
2. Patches that aren’t applied within 14 days.
The standard is blunt: high-risk and critical security updates must be installed within 14 days of release. For operating systems and for the applications on them — browsers, Office, PDF readers, Zoom, the lot. Assessors check the patch level on the sampled machines.
The fix: turn on automatic updates and actually verify they’re landing. The laptop that’s been in someone’s bottom drawer for three weeks is the one that fails — so you need a way to see patch status across the fleet, not just hope.
3. Default and weak passwords still in place.
Routers, firewalls, NAS boxes, the Wi-Fi access point someone plugged in two years ago. If admin/admin still works, that’s a fail. Plus also expects either a minimum password length with a deny-list of common passwords, or accounts protected by MFA.
The fix: change every default credential and write down where they all live. Then move accounts to MFA wherever the service supports it — which leads to the next one.
4. MFA missing on cloud services.
Multi-factor authentication is mandatory on all cloud services — Microsoft 365, Google Workspace, your accounting platform, anything administrators log into. “We’ve got it on most accounts” doesn’t pass; the assessor checks that it’s actually enforced, including on admin accounts.
The fix: enforce MFA across the tenant with a conditional-access policy, not user-by-user. If you want this to land without a week of helpdesk pain, we wrote a separate piece on rolling MFA out without the friction.
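As an added example (not the post's own code, and not the content of the separate MFA piece it mentions), this is what a tenant-wide enforcement policy looks like in the Microsoft Graph PowerShell SDK: one Conditional Access policy covering all users and all cloud apps, created in report-only mode so sign-in logs show who it would affect before it is switched to enforced. It assumes the Microsoft.Graph module is installed and that a break-glass group exists; its object ID is a placeholder.

```powershell
# Added example: tenant-wide "require MFA" Conditional Access policy
# via Microsoft Graph PowerShell. Start in report-only, then set
# State = "enabled" once the rollout has bedded in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Assumption: emergency-access (break-glass) accounts sit in one group
# that is excluded so an MFA outage cannot lock every admin out.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # placeholder, replace

$policy = @{
    DisplayName   = "CE+ baseline: require MFA for all users and apps"
    State         = "enabledForReportingButNotEnforced"   # report-only first
    Conditions    = @{
        Users        = @{
            IncludeUsers  = @("All")
            ExcludeGroups = @($breakGlassGroupId)
        }
        Applications = @{ IncludeApplications = @("All") }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# What the assessor effectively checks: is MFA enforced, not just
# configured? Anything still in report-only or disabled shows up here.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = 'Controls'; e = { $_.GrantControls.BuiltInControls -join ',' } }
```

Per-user (legacy) MFA settings are not part of this; the point of the policy is that enforcement is visible in one place rather than spread across individual accounts.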
5. The firewall lets in things it shouldn’t.
The vulnerability scan finds open ports you forgot about — Remote Desktop exposed straight to the internet is the classic, and it’s both an instant fail and one of the most common ways firms actually get breached. Old port-forwarding rules for a service that’s long gone are nearly as common.
The fix: close everything inbound by default and only open what’s genuinely needed, with a documented business reason. Remote access goes through a VPN or a Zero Trust broker, never a raw RDP port.
6. Users running as local administrators.
If everyday accounts can install software, the malware-protection control falls over — because anything the user clicks runs with admin rights too. Assessors check whether the sampled user can do administrative things they shouldn’t.
The fix: separate accounts. People do their day job as a standard user; admin rights live on a separate account used only when needed. It’s the single highest-leverage change for limiting blast radius when something does get clicked.
7. Auto-run, macros, and browser settings left wide open.
The “secure configuration” control catches the defaults vendors ship that nobody changes. Office macros allowed to run from email attachments. Auto-run on USB sticks. Browser settings that let unsigned downloads execute. The browser and email tests on the day are designed to surface exactly this.
The fix: disable Office macros from the internet by policy, turn off auto-run, and standardise browser configuration across machines. Set it once at the policy level so a new laptop is born compliant rather than fixed later.
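The hands-on device checks under points 1, 2, 6 and 7 can be rehearsed before the assessor arrives. The script below is an added example, not code from the original post; run it on a sampled Windows device and it reports an end-of-life Windows 10 workstation, an OS patch level older than the 14-day window, everyday accounts in the local Administrators group, USB auto-run left on, and Office applications without the "block macros from the internet" policy. The allow-list of expected admin accounts is an assumption to edit; the registry paths are the standard Windows and Office policy locations.

```powershell
# Added example: local pre-assessment check for a sampled Windows device.
$findings = New-Object System.Collections.Generic.List[string]

# 1. End-of-life OS: Windows 11 starts at build 22000, so a workstation
#    (ProductType 1) below that is Windows 10 or older and out of support.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.ProductType -eq 1 -and [int]$os.BuildNumber -lt 22000) {
    $findings.Add("EOL: $($os.Caption) build $($os.BuildNumber) is out of support")
}

# 2. Patch currency. Get-HotFix only sees OS updates, not applications,
#    so browsers/Office/PDF readers still need their own check.
$last = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $last -or ((Get-Date) - $last.InstalledOn).Days -gt 14) {
    $findings.Add("PATCH: last OS update ($($last.InstalledOn)) is outside the 14-day window")
}

# 6. Local administrators. Assumption: these are the only accounts that
#    should hold admin rights; anything else is an everyday user with admin.
$knownAdmins = @("Administrator", "svc-admin")   # hypothetical allow-list, edit
Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue | ForEach-Object {
    $name = ($_.Name -split '\\')[-1]
    if ($knownAdmins -notcontains $name) {
        $findings.Add("ADMIN: $($_.Name) is a local administrator")
    }
}

# 7a. Auto-run: NoDriveTypeAutoRun = 0xFF (255) disables it on every drive type.
$explorer = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$autorun = (Get-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun `
    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autorun -ne 255) {
    $findings.Add("CONFIG: USB auto-run not fully disabled (NoDriveTypeAutoRun=$autorun)")
}

# 7b. Office "Block macros from running in Office files from the Internet"
#     is a per-application user policy; 1 means blocked.
foreach ($app in "Word", "Excel", "PowerPoint") {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $v = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
        -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    if ($v -ne 1) { $findings.Add("CONFIG: $app does not block internet macros by policy") }
}

if ($findings.Count -eq 0) { "No findings on $env:COMPUTERNAME" } else { $findings }
```

Run it as the sampled everyday user, not as an administrator, since the point of check 6 is what that user can do.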
8. Mobiles and BYOD quietly out of scope — wrongly.
If a phone or personal laptop can reach corporate email or data, it’s in scope. People forget this constantly. An unpatched personal device pulling work email is a gap whether you’ve thought about it or not.
The fix: decide the rule and enforce it. Either company-managed devices only, or BYOD that’s enrolled, PIN-locked, encrypted and kept patched. “We trust people to keep their own phones updated” is not a control.
The firms that pass on the first try aren’t the ones with the biggest budgets. They’re the ones who treated the eight points above as everyday hygiene months before the assessor was booked.
Don’t certify the day before you fix everything.
The mistake underneath all of these is timing — booking the assessment, then scrambling to remediate in the fortnight before. Plus rewards firms that already run tidily. Sort the eight items, let them bed in for a few weeks so patches and policies have actually propagated, then book the assessor.
That’s how we run it for clients: get the estate genuinely clean, prove it with our own scan, and only book the real assessment once we know what it’ll find. The certificate is the easy part once the underlying hygiene is real.