34 QUESTIONS, ANSWERED BY AN IASME-ACCREDITED ASSESSOR

Cyber Essentials Plus FAQs

Net Sec Group is an IASME and NCSC certification body. These answers come from more than 800 assessments delivered to UK firms.

Questions are organised by topic. The three pillar topics (assessment, sample rules, failure modes) link to deeper hub pages with worked examples and casebooks.

Assessment Process and the Day

What an IASME-accredited assessor actually checks, how the assessment day runs, and how evidence is reviewed.

Deep dive: read the assessment process and the day hub

What does the assessor actually check on Cyber Essentials Plus?

Five technical controls: boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and security update management. Each control has specific sub-tests run on a sample of your devices. For the per-control walkthrough see our hub on what the assessor checks.

How long does the assessment take on the day?

The technical assessment is 4 to 6 hours of work spread across one working day, sometimes split over two half-days for larger or more complex estates. End-to-end from kickoff to certificate is typically 3 to 5 working days for a small or mid-sized firm.

Is the assessment day remote or on-site?

Almost every Net Sec Group engagement is remote over screen-share. The technical content is identical to on-site. We offer on-site when a firm prefers it.

What evidence does the assessor need?

Screenshots and configuration exports for each control, plus live demonstrations during screen-share. We provide a 15-item pre-assessment evidence checklist after booking. For the per-control accept and reject formats see our hub on the evidence the assessor accepts.

What happens if my assessment fails on the first attempt?

A 30-day reassessment window opens. NetSec Plus engagements include unlimited re-tests inside the window with no re-test fee. Some findings carry forward, others require a fresh sample. For the formal rules see our second-attempt rules article.

How long is the 30-day reassessment window?

Thirty calendar days from the date of the first failed attempt. After the window closes, a fresh CE Plus engagement is required (a new payment, a new full assessment).

Can I keep my assessor's findings between attempts?

Yes for the documentary findings (firewall rule sets, account lists, MDM evidence). The internal vulnerability scan and the email and browser test must be re-run on the second attempt because they capture point-in-time state.

What hardware does the assessor need access to?

A representative sample of in-scope devices (sample size is calculated from the IASME formula), all in-scope servers and hypervisors, and a representative cross-section of administrator and standard user accounts. The assessor connects via screen-share, no remote agent installs.

Sample Rules and Scoping

How the assessor selects which devices to test, when a second sample triggers, and how Bring-Your-Own-Device fits.

Deep dive: read the sample rules and scoping hub

How does the assessor decide which devices to test?

Per build, following the IASME Cyber Essentials Plus test specification. One device for a build of 1, two for builds of 2 to 5, three for 6 to 19, four for 20 to 60, and five for 61 and above. Servers are tested in full with no sampling. The total sample is the sum across all builds plus all servers and hypervisors.

What sample size will the assessor pick for my company?

It depends on how many distinct operating-system-and-edition builds you run, not just headcount. A 100-device estate on one build samples at five; the same estate spread across five builds samples at seventeen. Build standardisation reduces the sample. For worked examples see our sample-size rules article.

What is a build, and why does it matter?

A build is a unique combination of operating system, edition, major version, and feature update level. Windows 11 23H2 Pro is a different build to Windows 11 24H2 Pro. macOS 14 Sonoma is a different build to macOS 15 Sequoia. Each build samples separately. Tightening builds before scoping reduces the assessment cost and time.
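The per-build bands and the two worked figures above can be turned into a small calculator. This is an added example, not Net Sec Group or IASME code: the band edges are taken from this page's summary of the specification, the inventory is constructed, and the five-build split (30, 30, 30, 8, 2) is one distribution that lands on the seventeen the page quotes; a different split of the same 100 devices gives a different total, which is the point about build standardisation.

```python
"""Estimate the CE Plus device sample from an inventory grouped by build.

Added example, not Net Sec Group or IASME code. Band edges (1 -> 1 device,
2-5 -> 2, 6-19 -> 3, 20-60 -> 4, 61+ -> 5; servers and hypervisors in full)
follow the page's summary of the IASME test specification. Inventories are
constructed for illustration.
"""
from collections import Counter

# (upper bound of build size, devices sampled) as stated on the page.
SAMPLE_BANDS = ((1, 1), (5, 2), (19, 3), (60, 4))
SAMPLE_BAND_TOP = 5  # builds of 61 devices and above


def sample_for_build(device_count: int) -> int:
    """Devices the assessor tests for a single build of the given size."""
    if device_count <= 0:
        return 0
    for upper, sample in SAMPLE_BANDS:
        if device_count <= upper:
            return sample
    return SAMPLE_BAND_TOP


def build_key(os_name: str, edition: str, version: str) -> str:
    """A build is OS + edition + major version / feature update level."""
    return " ".join(part for part in (os_name, version, edition) if part)


def plan_sample(end_user_devices, servers: int):
    """Return (per-build sample dict, total sample).

    end_user_devices: one (os, edition, version) tuple per device.
    servers: number of in-scope servers and hypervisors, all tested.
    """
    counts = Counter(build_key(*device) for device in end_user_devices)
    per_build = {build: sample_for_build(n) for build, n in counts.items()}
    total = sum(per_build.values()) + servers
    return per_build, total


# Constructed inventories for the page's two cases (100 devices each).
ONE_BUILD = [("Windows 11", "Pro", "24H2")] * 100
FIVE_BUILDS = (
    [("Windows 11", "Pro", "24H2")] * 30
    + [("Windows 11", "Pro", "23H2")] * 30
    + [("Windows 10", "Pro", "22H2")] * 30
    + [("macOS", "", "15 Sequoia")] * 8
    + [("macOS", "", "14 Sonoma")] * 2
)

if __name__ == "__main__":
    for label, inventory in (("one build", ONE_BUILD), ("five builds", FIVE_BUILDS)):
        per_build, total = plan_sample(inventory, servers=0)
        print(f"{label}: {per_build} -> total sample {total}")
```

Feed it your real inventory export and a server count before scoping; the per-build dictionary shows which stragglers (a handful of devices on an old feature update) are costing you extra sampled devices.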

What triggers a second sample?

Unpatched vulnerabilities found in the first internal vulnerability scan. The assessor selects a fresh random sample from across the estate, runs the same internal scan against the new sample, and the results determine pass or fail. Other test failures (boundary firewalls, MFA, anti-malware) do not trigger second samples in the same way.

Are personal devices in scope?

A personal device that handles in-scope data is in scope. The path the device takes (native Microsoft 365 app, browser only, MDM enrolment, app-protection policy) determines the sampling and evidence requirements. For four worked BYOD shapes see our BYOD sampling article.

Does Bring-Your-Own-Device always need MDM?

No. Browser-only access through a managed conditional-access policy can scope BYOD out of the device sample; the conditional-access controls are then what the assessor assesses, not the device itself. Native-app access typically requires either MDM enrolment or an app-protection policy to bring the device in scope and demonstrate the controls.

Common Failure Patterns

The recurring failure shapes we see across more than 800 assessments, with technical causes and what passes on a second attempt.

Deep dive: read the common failure patterns hub

What is the most common reason CE Plus engagements fail on the first attempt?

Per-user MFA enabled in the Microsoft 365 admin centre without a Conditional Access policy. The firm believes the control is in place, but the configuration does not enforce MFA the way the IASME test specification requires. A Conditional Access policy targeting all administrative roles, plus a sibling policy blocking legacy authentication, closes the gap.

Is per-user MFA in Microsoft 365 enough?

Not for CE Plus. The IASME specification requires that MFA is enforced on all sign-in paths, including legacy authentication protocols. Per-user MFA does not block legacy auth on its own. A Conditional Access policy is the cleanest way to demonstrate full enforcement.

What is the 14-day patching window?

Critical and high-severity patches must be applied within 14 days of vendor release for in-scope operating systems, applications, and firmware. The window is measured from vendor publication date, not from when the patch lands on a device. For the casebook see our patching failure cases article.

What happens if a high-severity vulnerability is found in the internal scan?

The assessor reviews the CVSS score, the patch availability date, and the firm's documented patch cycle. A high-severity CVE published more than 14 days before the assessment day, with a patch available, fails the control unless mitigating evidence is in place. For the patch decision tree see our patching failure cases article.
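The two answers above describe a decision the assessor makes per finding: severity, whether a vendor fix exists, how long ago it was released relative to the assessment day, and whether mitigating evidence is on file. The triage below is an added example, not Net Sec Group's tooling, for running that decision over an internal-scan export before the assessment day. It assumes, as the page states, that the window is counted from the vendor's release date; that "high" means a CVSS v3 base score of 7.0 or above (the standard CVSS rating bands); and that a finding with documented mitigation is routed to assessor review rather than an automatic fail. The findings and CVE identifiers are constructed placeholders.

```python
"""Triage internal-scan findings against the 14-day patching window.

Added example, not Net Sec Group or IASME code. Assumptions: the window is
measured from the vendor patch release date (as the page states); "high"
means CVSS v3 base score >= 7.0; documented mitigating evidence sends a
finding to assessor review instead of an automatic fail. Sample findings
are constructed and the CVE ids are placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)
HIGH_SEVERITY_CVSS = 7.0


@dataclass
class Finding:
    cve: str                         # identifier as reported by the scanner
    host: str
    cvss: float                      # CVSS v3 base score
    patch_released: Optional[date]   # vendor release date of the fix, None if none
    mitigated: bool = False          # documented mitigating evidence on file


def classify(finding: Finding, assessment_day: date) -> str:
    """Return 'pass', 'fail' or 'review' for one finding."""
    if finding.cvss < HIGH_SEVERITY_CVSS:
        return "pass"        # medium/low: outside the 14-day rule
    if finding.patch_released is None:
        return "review"      # no vendor fix yet; assessor judges the mitigation
    if assessment_day - finding.patch_released <= PATCH_WINDOW:
        return "pass"        # fix is still inside its 14-day window
    return "review" if finding.mitigated else "fail"


def triage(findings, assessment_day: date):
    """Group CVE ids by outcome so the failing ones stand out."""
    outcome = {"pass": [], "fail": [], "review": []}
    for finding in findings:
        outcome[classify(finding, assessment_day)].append(finding.cve)
    return outcome


# Constructed scan export relative to a constructed assessment day.
ASSESSMENT_DAY = date(2025, 3, 31)
FINDINGS = [
    Finding("CVE-0000-0001", "laptop-01", 9.8, date(2025, 3, 4)),   # 27 days: fail
    Finding("CVE-0000-0002", "laptop-02", 7.5, date(2025, 3, 20)),  # 11 days: pass
    Finding("CVE-0000-0003", "laptop-03", 5.3, date(2025, 1, 10)),  # medium: pass
    Finding("CVE-0000-0004", "srv-01", 8.1, date(2025, 2, 1), mitigated=True),
    Finding("CVE-0000-0005", "srv-02", 8.8, None),                  # no fix: review
]

if __name__ == "__main__":
    for bucket, cves in triage(FINDINGS, ASSESSMENT_DAY).items():
        print(f"{bucket:6}: {', '.join(cves) or '-'}")
```

Run it against the same scanner output the assessor will see; anything in the `fail` bucket is a patch to apply before the day, and anything in `review` is where the documented patch cycle or mitigating evidence needs to be ready for the screen-share.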

Why might a Windows feature update cause a fail?

When a Windows feature update is deferred, the security patches released for the newer feature level accumulate, and the device is not eligible to receive them until the feature update is applied. The internal vulnerability scan then finds CVEs the firm believed were patched. The fix is to keep feature updates current within the IASME-defined window.

Cost and Timeline

What CE Plus costs, how long it takes end-to-end, and what is included.

How long does the full CE Plus engagement take?

Three to five working days from kickoff to certificate for a small or mid-sized firm with the pre-assessment work in place. Larger or more complex estates run longer, mostly because pre-assessment evidence gathering and remediation take longer. The assessment day itself is 4 to 6 hours of work.

How much does Cyber Essentials Plus cost?

Pricing scales with company size and chosen tier. See the pricing page for current Net Sec Group prices. There is no separate re-test fee on NetSec Plus engagements, so a first-attempt fail does not increase your cost.

Is there a re-test fee on NetSec Plus?

No. NetSec Plus engagements include unlimited re-tests inside the 30-day reassessment window with no re-test fee.

Are there any hidden fees?

No. The NetSec Plus tier price is the engagement price, all five controls assessed, all evidence reviewed, internal vulnerability scan included, certificate issued on pass. The only additional spend is on remediation work the firm chooses to outsource (patch management tooling, MDM licensing, identity provider tier upgrades).

How quickly can we book a CE Plus assessment?

Net Sec Group typically books CE Plus engagements within 5 to 10 working days of the booking enquiry, depending on assessor availability and the firm's pre-assessment readiness.

Eligibility and Scope

Who can do CE Plus, what scope means, and how the IASME insurance benefit fits.

Do I need Cyber Essentials before CE Plus?

Yes. The CE basic certificate is a prerequisite. CE Plus is the technical verification on top. You can do CE and CE Plus as a single combined engagement (same firm, back-to-back) or stage them separately.

How long do I have to do CE Plus after CE?

Three months from the CE basic certificate issue date. After that, the CE basic certificate must be renewed before the CE Plus assessment can run.

What size of company can do CE Plus?

Any size, from sole trader to enterprise. The IASME sample formula scales accordingly. There is no minimum or maximum company size for CE Plus.

Does Cyber Essentials Plus include cyber insurance?

IASME's scheme includes a complimentary cyber insurance benefit (currently up to £25,000 of cover) for certificates issued to UK entities with turnover under £20 million, subject to IASME's underwriter terms. Net Sec Group does not sell or broker this insurance. The cover is provided directly by IASME's underwriter under the IASME scheme.

Renewal and Ongoing Support

How long the certificate lasts and what ongoing support covers.

How long is the CE Plus certificate valid for?

Twelve months from the certificate issue date. After twelve months the certification lapses unless renewed.

What happens at renewal?

A fresh CE basic self-assessment plus a fresh CE Plus technical assessment are required. The renewal engagement is identical in scope to the first-time engagement; the IASME scheme does not have a reduced-scope renewal track.

Do you offer ongoing patching and compliance support?

Yes. Net Sec Group offers ongoing patch management, MDM management, and quarterly readiness reviews to keep the estate inside the CE Plus rules between renewals. See the netsecgroup.io managed services page for current options.

Booking and Net Sec Group

How to book and who delivers the assessment.

How do we book a Cyber Essentials Plus assessment?

Contact Net Sec Group via the booking link below or the contact page. We respond within one working day with a scoping question set; you receive a formal quote and engagement timeline within two working days.

Who is Net Sec Group?

Net Sec Group is an IASME and NCSC certification body. We have run more than 800 Cyber Essentials and Cyber Essentials Plus assessments across UK firms in retail, professional services, manufacturing, healthcare, and the public sector.

Do you support us throughout the process?

Yes. The NetSec Plus engagement includes pre-assessment readiness work, the formal assessment day, remediation guidance for any findings, unlimited re-tests inside the 30-day window, and post-certification evidence retention for your records.

The three pillar hubs

Each pillar gathers the deep-dive articles in one place.

Assessment Protocol

What the assessor checks, how the day runs, what evidence passes, and what happens after a fail.

Read the hub →

Sample Rules

The IASME formula, second-sample triggers, and how Bring-Your-Own-Device fits.

Read the hub →

Failure Modes

Sixteen recurring failure patterns, plus deep-dive casebooks for MFA and patching.

Read the hub →

Ready to book?

Net Sec Group, IASME and NCSC certification body. 800+ assessments delivered. Pre-assessment scoping is free.