The Cyber Essentials Plus Assessment Day, Hour by Hour, From Inside the Assessor's Chair
Net Sec Group is an IASME and NCSC certification body. We run Cyber Essentials Plus assessment days as the routine day job. This article narrates one of those days from the inside, end to end, with the timing, the order of checks, the live decision points, and the things that pause the proceedings.
If you are about to go through CE Plus and want to know what the day actually feels like rather than what the test specification says, read on.
Before the day starts
The day usually begins about a working week before the screen-share kicks off. The applicant has confirmed scope, the lead assessor has the in-scope device list, and the firm has completed the Basic self-assessment first (CE Plus is layered on top of CE Basic, not run instead of it).
In the 48 hours before the day:
- The applicant nominates a primary contact (usually the IT lead) and a backup
- The assessor sends a calendar invite for the screen-share session
- The applicant runs the pre-assessment checklist if one was provided (we typically share one)
- The applicant ensures the sample devices the assessor has asked for are available, online, and able to be screen-shared
The technical assessment runs against a sample of devices. The sample is set by the IASME Cyber Essentials Plus test specification based on in-scope device count. If the applicant tries to substitute a different device on the morning of the day ("can we use this Windows 11 laptop instead, the Linux server is offline") the assessor pushes back. The sample represents the in-scope estate; trading it for convenience defeats the test.
For deeper coverage of how the sample is calculated, see The CE Plus sample-size rules explained on this site.
The morning, kickoff and consent
The day starts with a video call. The assessor and the applicant's primary contact join, screen-share is confirmed, and the assessor explicitly asks consent for the technical sampling that follows. This is not a formality. The applicant is about to share a screen of an in-scope production device, and the consent step is the documented start of the engagement.
Around the first 15 minutes:
- The assessor confirms the in-scope device list against what the applicant nominated
- The assessor walks through the order of the day, what tools the assessor will run, what evidence the assessor will need to see
- The applicant has a chance to flag any device that is offline, in maintenance, or otherwise unavailable
- If a flagged device cannot be replaced from the in-scope estate within scheme rules, the assessment is paused and re-scheduled, not "worked around"
The pause-and-reschedule point is real. It costs both sides time, and we would rather see it surfaced before the technical work starts than discovered halfway through.
Block 1, external boundary
The first technical block is external. The assessor runs an external vulnerability scan against the firm's internet-facing in-scope assets. This is a real scan, not a desk check.
What the assessor expects to see:
- A managed firewall or cloud security group fronting any internet-facing service
- No admin interfaces exposed to the public internet (no router admin port, no cloud console accessible without a private endpoint)
- No high or critical CVSS findings on internet-facing services where the vendor fix has been available for more than 14 days
- Any open inbound port has a documented business justification
Common pause points in this block:
- The scan finds an unexpected open port that the IT lead did not know was open. The assessor stops, notes it, asks for an explanation, and either accepts the explanation as a documented justification or marks it for remediation
- The scan finds a CVE on a vendor product that the IT lead believes is patched. The assessor and the applicant compare versions live; if the firm is on a back-patched build, the assessor accepts it
- The scan times out on an over-aggressive firewall (rare but happens). The assessor and the IT lead allow-list the assessor's source IP for the duration of the day
Boundary block usually runs 30 to 60 minutes for a small or mid-sized firm.
Block 2, sampled internal scan
Block 2 is the internal vulnerability sample. The assessor runs an internal scan against the sample of devices nominated for the day. The sample includes representative end-user devices spanning the operating systems in use, plus any internal servers in scope.
What the assessor expects to see:
- Operating systems and applications patched within the 14-day rule for high and critical issues (per the IASME CE+ test specification)
- No end-of-life software in scope (out-of-support Windows, end-of-life Office, end-of-life browser)
- No unauthorised software the firm cannot account for
Common pause points in this block:
- A laptop in the sample is on a development snapshot of the OS. The assessor asks whether the build matches the firm's standard build; if not, why not, and is it documented
- A patch report from the firm's tooling and the assessor's live scan disagree. The assessor trusts the live scan and the firm has to chase
- The user of a sampled device is on holiday and cannot screen-share. The IT lead has to substitute or fetch the device from a managed lock-up
Internal block usually runs 60 to 120 minutes depending on sample size.
Block 3, account and access controls
Block 3 is account-by-account verification. The assessor walks the IT lead through the cloud admin consoles in scope (Microsoft 365, Google Workspace, AWS, Azure, GCP, GitHub, etc.) and the on-prem directory if any.
What the assessor expects to see live, on screen:
- Multi-factor authentication enforced on every administrative account, including break-glass accounts (with a documented vault rotation process)
- No shared administrative accounts ("admin", "root", "support" accessed by multiple humans)
- Day-to-day work accounts have no local admin rights on their devices, with the exception list documented per role
- Leaver accounts have been removed within 1 working day of the leaver leaving (we do not accept "we got round to it last month")
- Password policy enforced via group policy, MDM, or the cloud provider's policy engine, meeting the IASME Cyber Essentials Plus test specification thresholds
Common pause points:
- The IT lead opens the cloud admin console and a leaver is still active because their email was kept open for handover. The assessor asks for the documented retention process; if there is one, fine; if not, it is marked for remediation
- A break-glass cloud admin account is in plaintext in a password manager that is not the firm's vault. Marked for remediation
- A contractor on Bring-Your-Own-Device has admin rights on the firm's tenant. The assessor asks for the documented contractor scope; if absent, marked
- An MFA exception for a specific user "because they are travelling". Marked
Account block usually runs 45 to 90 minutes.
Block 4, malware and application controls
Block 4 verifies anti-malware and application controls on each sampled device. This covers Microsoft Defender, CrowdStrike, SentinelOne, Defender for Cloud agents, macOS Gatekeeper, mobile OS sandboxing, and any application allow-listing the firm has put in place.
What the assessor expects to see:
- The anti-malware mechanism is enabled, signatures are current (typically within 24 hours of the latest release), real-time protection is on, tamper protection is on where the platform supports it
- The agent is reporting to its management console (orphan agents fail)
- Application sandboxing on macOS (Gatekeeper) is enabled, with the developer-ID and notarisation requirement on
- Mobile OS sandbox is in effect, with side-loading restricted via MDM where the firm uses MDM
The classic pause point in this block is a device where the user has disabled the anti-malware service to "fix a slow system". The IT lead has to re-enable it, and the assessor verifies tamper protection or group policy will prevent it being disabled again.
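A pre-assessment self-check a firm could run on a sampled Windows endpoint ahead of the day, added here as an example rather than Net Sec Group or IASME tooling. It reads the Defender state through the built-in Get-MpComputerStatus cmdlet against the Block 4 criteria above, and assumes the device is enrolled in Defender for Endpoint (whose sensor runs as the "Sense" service) for the reporting check.

```powershell
# Added example, not Net Sec Group's or IASME's tooling: a pre-assessment self-check
# that mirrors the Block 4 anti-malware criteria on a Windows endpoint running
# Microsoft Defender. Run from an elevated PowerShell session on the sampled device.
$MaxSignatureAgeHours = 24     # "signatures current, typically within 24 hours"

$status = Get-MpComputerStatus  # built-in Defender cmdlet

# Hours since the last signature update, as reported by the engine itself
$sigAgeHours = ((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours

# Each entry: the criterion the assessor looks for on screen => what this device reports
$checks = [ordered]@{
    'Anti-malware service enabled'                      = $status.AMServiceEnabled
    'Antivirus engine enabled'                          = $status.AntivirusEnabled
    'Real-time protection on'                           = $status.RealTimeProtectionEnabled
    'Tamper protection on (where supported)'            = $status.IsTamperProtected
    "Signatures updated within $MaxSignatureAgeHours h" = ($sigAgeHours -le $MaxSignatureAgeHours)
}

# Assumption: the device is enrolled in Defender for Endpoint, whose sensor runs as
# the "Sense" service; a stopped or absent sensor is the "orphan agent" case above.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$checks['Endpoint sensor (Sense) reporting'] = ($null -ne $sense -and $sense.Status -eq 'Running')

$failures = 0
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    if (-not $ok) { $failures++ }
    '{0,-50} {1}' -f $name, $(if ($ok) { 'PASS' } else { 'FAIL (would be marked)' })
}
'Signature age: {0:N1} hours (last update {1})' -f $sigAgeHours, $status.AntivirusSignatureLastUpdated

# A non-zero exit code lets MDM/RMM scripting flag the device before the assessment day
exit $failures
```

Any FAIL line corresponds to a state the IT lead would otherwise be asked to correct live during the call.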
Linux servers and developer machines get the live debate noted in What the assessor checks: documented technical justification with compensating controls is acceptable, "smart users do not need AV" is not.
Malware block usually runs 30 to 60 minutes.
Block 5, the email and browser test
Block 5 is the email-based attack-vector test. The assessor sends a test email containing the IASME-defined test artefacts (a benign macro-bearing file, an executable archive, etc.) to a sampled mailbox. The assessor watches what happens at the perimeter, in the mail security layer, and on the endpoint when the user opens the message.
What the assessor expects:
- The malicious test attachments are blocked at the perimeter, or at the mail security layer, or on the endpoint, before they execute
- The endpoint anti-malware blocks the test executable if it gets through email filtering
- The browser-based test artefacts (a known-malicious URL, a drive-by download URL) are blocked by the browser's safe-browsing layer or the endpoint anti-malware
Common pause points:
- An office productivity suite is configured to allow macros without warning. Marked
- The endpoint blocks the executable but with a generic "this file may be harmful" prompt that lets the user override. Marked
- The browser allows the drive-by download URL because safe-browsing is off. Marked
Email and browser block usually runs 30 to 45 minutes.
Block 6, evidence wrap-up
By this point the assessor has run the technical work. Block 6 is the evidence wrap-up: the assessor walks the IT lead through anything noted as a soft fail (which the firm can fix on the day if it is small) and anything noted as a hard fail (which has to be remediated and re-tested).
A soft fail is something where the live state can be corrected during the call. Examples:
- Tamper protection is off on Defender. The IT lead enables it via the MDM console and the assessor re-verifies. Soft fail closed
- A leaver is still active. The IT lead removes the account and the assessor verifies. Soft fail closed
- A laptop is missing a critical patch. The IT lead initiates the patch, the assessor verifies the patch installs and reboots. Soft fail closed if the install completes during the day
A hard fail is something the firm cannot reasonably correct on the day. Examples:
- An end-of-life Windows version is in scope. The fix is a re-image or a hardware refresh
- A vendor-provided password is still on a router that the firm does not have admin access to. The fix is a vendor support ticket
- The firm's standard build cannot be produced because no documented standard exists. The fix is documenting the build and re-sampling
Hard fails do not stop the day. They are documented, the firm gets the report, and the firm has a defined window to remediate and re-test. Net Sec Group includes unlimited retries until certification is achieved on Plus engagements; the re-test does not incur a re-test fee.
For the per-control evidence formats we accept, see The evidence the CE Plus assessor accepts on this site.
Block 7, sign-off and certificate
Once all blocks are complete and any soft fails have been closed during the call, the assessor signs off the day. The applicant gets:
- A summary of what was tested and what passed
- A list of any hard fails and the remediation window
- A quote on the certificate issuance timeline (typically 1 to 3 working days from a clean pass)
If the day is a clean pass, the certificate is issued by the IASME Certification Body shortly afterwards (NetSec is the issuing CB on Plus engagements we run, so there is no handover delay). The certificate is valid for 12 months. The complimentary £25k cyber liability insurance from IASME is automatically attached to qualifying UK entities (turnover under £20M).
For the end-to-end procedural reference covering scoping, day, and post-day, see the Cyber Essentials Plus Assessment Guide on netsecgroup.io.
Total duration
For a small or mid-sized firm with the pre-assessment checklist done, the day typically runs 4 to 6 hours of technical work spread across a single working day or split over two half-days. End-to-end, from kickoff to certificate, is typically 3 to 5 working days. We have run engagements end-to-end inside a single working week where the firm was prepared. For deeper coverage, see Cyber Essentials Plus Assessment Duration.
Common questions
Is the day always remote?
Yes for almost every engagement we run. The technical content is identical to on-site. On-site is offered when a firm prefers it.
What if the day ends in a hard fail?
The applicant gets the report, fixes the underlying control across the scope (not just the failed device), and the assessor re-tests on a fresh sample. NetSec Plus engagements include unlimited retries with no re-test fee. For the formal re-attempt rules, see The CE Plus second-attempt rules. For the patterns of failure that show up in the day most often, see The most common CE Plus failures by control.
Who owns the evidence the assessor produces during the day?
The assessor's report and findings belong to the certification engagement. The firm receives a summary; the assessor retains the underlying records per the IASME audit-record retention requirements.
Can our IT supplier sit in the call?
Yes. We routinely run Plus assessments where the applicant's MSP joins. The assessor still asks the in-scope firm's nominated contact for consent and direction; the MSP is a participant, not the controller of the engagement.
Does the assessor see real production data?
The assessor sees configuration, scan output, account listings, and patch state. The assessor does not request, view, or extract customer or business data. Screen-shares are limited to what the assessor needs to verify the controls, and the assessor will pause and ask the IT lead to switch screens if anything sensitive appears.
Next steps
If you are inside the 48-hour pre-assessment window, the article you want is the per-control checklist embedded in What the CE Plus assessor checks. The 10-item pre-assessment checklist at the end of that article maps directly to the day described above.
For a first-person account of a clean pass on the day, written from the applicant's side, see Cyber Essentials Plus, First-Time Pass on netsecgroup.io.
When you are ready to book, contact Net Sec Group or book a Cyber Essentials Plus assessment directly.