Cyber Essentials Plus Assessment Protocol, the Hub

Net Sec Group is an IASME and NCSC certification body. We have run more than 800 Cyber Essentials and Cyber Essentials Plus assessments. The assessor-authority pillar of this site is the lived rhythm of those engagements: what the assessor checks, how the day actually runs, what evidence passes and what fails, and what happens when the day does not end in a clean pass.

This hub indexes the deep-dive articles for the assessment protocol. Each article is written from inside the assessor's chair, drawing on real assessment-day decisions across our history of 800+ assessments. The IASME Cyber Essentials Plus test specification sets the rules; these articles narrate how those rules play out on the day.

Articles in this hub

What an IASME-accredited Cyber Essentials Plus Assessor Actually Checks

The anchor article. A per-control walkthrough of the five Cyber Essentials Plus controls (Firewalls and Internet Gateways, Secure Configuration, User Access Control, Malware Protection, Security Update Management). For each control: what the assessor checks, what passes, what fails, and where the debate happens. This is the level of resolution that does not appear in the public scheme documentation.

The Cyber Essentials Plus Assessment Day, Hour by Hour

A staged narration of the assessment day, from kickoff to sign-off, in seven blocks: pre-day prep, kickoff and consent, external boundary scan, internal vulnerability sample, account and access controls, malware and application controls, email and browser test, evidence wrap-up, sign-off and certificate. Includes the practical pause points: when the assessor stops and waits, what triggers a re-test, and what gets debated in real time.

The Evidence a Cyber Essentials Plus Assessor Accepts (and What Fails on the Day)

Per-control accept and reject pairings for evidence formats. For each sub-test: what the assessor accepts (with worked examples), what the assessor rejects, and why. Includes the 15-item pre-assessment evidence checklist.

Cyber Essentials Plus Second-Attempt Rules, In Plain English

What happens when an engagement does not pass on the first attempt. The 30-day reassessment window, what carries forward and what does not, paper review versus fresh sample, the day-by-day remediation roadmap, what changes for a third attempt.

When to read which article

The four articles map to four moments in a typical Cyber Essentials Plus engagement:

| Where you are | Read this |
|---|---|
| Considering CE Plus, want to know what's involved | What the assessor actually checks |
| Booked, 48 hours from the day, gathering evidence | The evidence the assessor accepts |
| Booked, the day is tomorrow, want a clear picture of the rhythm | The assessment day, hour by hour |
| Just failed, planning the next 30 days | The second-attempt rules |

All four articles cross-link to each other for the cases where the reading order breaks down (the day-of visit when the firm has not gathered evidence yet, or the second-attempt visit when the firm wants to understand why the first attempt failed).

How this pillar relates to the other two

The assessor-authority pillar is one of three on this site. The other two are the failure-modes pillar and the sample-rules pillar.

The three pillars are designed to be read in any order. An applicant deep in remediation reads the failure-modes pillar; an applicant scoping reads the sample-rules pillar; an applicant preparing reads the assessment-protocol pillar.

What you will not find in this pillar

This pillar deliberately does not duplicate the broader netsecgroup.io content programme. The end-to-end procedural reference is the Cyber Essentials Plus Assessment Guide on netsecgroup.io. The per-control technical reference is the Cyber Essentials Five Controls Technical Guide. The first-person applicant account of a clean pass is Cyber Essentials Plus, First-Time Pass.

This pillar adds the assessor's voice on top of those references. The articles here describe what happens in the room, not what the rules say or what the controls do.

Common questions

How long is a typical CE Plus engagement?

End-to-end from kickoff to certificate is 3 to 5 working days for a small or mid-sized firm with the pre-assessment work in place. The technical assessment day itself is 4 to 6 hours of work spread across one working day, sometimes split over two half-days. For deeper coverage of timelines, see the assessment day walkthrough.

What is the most common reason CE Plus engagements fail on the first attempt?

The single highest-volume failure pattern is per-user MFA in Microsoft 365 admin without a Conditional Access policy. The firm believes the control is in place, but the configuration does not enforce MFA as the test specification requires. For the full diagnostic, see the most common CE Plus failures by control.

Is the day always remote?

Yes, for almost every engagement we run. The technical content is identical to an on-site assessment. On-site is offered when a firm prefers it.

Do we need to read all four articles before booking?

No. Read whichever matches where you are. The four are designed to cover the touchpoints; you can start anywhere and follow the cross-links.

Where do we book?

Book a Cyber Essentials Plus assessment with Net Sec Group, or contact us if you want to scope or ask a question first.