Cyber Essentials Plus Second-Attempt Rules, In Plain English
Net Sec Group is an IASME and NCSC certification body. A Cyber Essentials Plus engagement that does not pass on the first attempt is not unusual and is not the end. The IASME rules on second attempts are precise, the timing is tight, and the planning matters. This article states the rules in plain English and walks the 30-day window the typical applicant has to remediate and re-test.
If you have just failed and are scoping the next 30 days, this is the diagnostic. If you are planning a CE Plus engagement and want to know the contingency before you commit, this is the contingency.
The headline rules
The IASME Cyber Essentials Plus test specification sets the formal rules. In plain English:
- A failed first attempt opens a 30-day window for the applicant to remediate and re-test
- The remediation must address the underlying control state across the in-scope estate, not just the device or account that failed
- The re-test runs against a fresh sample of devices and a current external scan
- If the re-test passes, the certificate issues from the date of the re-test
- If the re-test fails, the certification body issues a final fail and the applicant has to re-engage from scratch
The 30-day window is calendar days, not working days. The clock starts on the date of the first-attempt fail report.
The 30-day window is what the IASME rules grant. The certification body running the engagement can shorten the window in practice if the applicant wants to remediate quickly; we routinely run re-tests at day 7, day 14 or day 21 if the applicant is ready.
What carries forward and what does not
Not everything from the first attempt is re-tested on the second. The assessor's first-attempt notes preserve the controls that passed; only the controls that failed (plus any controls that depend on a failed control) get re-tested.
The IASME specification states the principle (the assessor scopes the re-test against what failed plus dependents). The table below is the assessor's working interpretation of how that principle plays out in practice:
| First attempt result | Second attempt scope |
|---|---|
| Passed control, no related fail | Carries forward, not re-tested |
| Failed control on a single device, all other devices passing | Re-tested on a fresh sample including the previously failed device class |
| Failed control affecting multiple devices | Re-tested on a fresh sample across the in-scope estate |
| Failed external scan | Re-tested via a fresh external scan; no internal sample re-test if internal passed first time |
| Failed internal scan | Re-tested via a fresh internal sample; no external scan re-test if external passed first time |
| Failed evidence (the format was wrong, the control was likely fine) | Re-tested via fresh evidence, possibly without a second device sample if the evidence is documentary |
The assessor records what was re-tested and what was carried forward in the second-attempt report. This is part of the IASME audit-record retention.
What kinds of fix can be evidenced via paper review
Not all remediations require a fresh device sample. Some failures are documentary:
- A standard build document was missing or out of date. The fix is the document. The assessor accepts an updated, dated, named, version-controlled document via paper review
- A joiner/mover/leaver process was undocumented. The fix is the process document plus a current leaver-removal audit. Paper review is acceptable
- A compensating-control statement for an unpatchable system was missing. The fix is the statement plus evidence the controls are in effect. Paper review may be acceptable depending on the control type
Other failures require a fresh device sample:
- Any control failure where the technical state on a device is the test (firewalls, secure configuration, anti-malware, patching, account-policy enforcement on a sampled device) requires a fresh sample
- An MFA configuration change requires a fresh tenant report covering the period after the change
- A patch-state change requires a fresh internal vulnerability scan
The assessor decides which path applies during the second-attempt scoping call. The applicant should not assume paper review is available for technical control changes.
The 30-day remediation roadmap
If you have just failed and are planning the next 30 days, the rough shape of the work falls into the structure below. We walk applicants through this routinely. The exact ordering depends on which controls failed; the time-boxing is roughly the same.
Days 1 to 3: read the report and triage
The assessor's first-attempt report lists what failed, why, and what remediation is needed. Read it carefully, ideally with the IT lead and someone from the operational team who owns the relevant controls.
Triage by:
- Severity of the fail (a hard fail like end-of-life software is a longer remediation than a soft fail like an undated patch screenshot)
- Scope of the fail (a single device requires a localised fix; a control affecting the estate requires a tenant-wide fix)
- Whether the fix is documentary or technical (paper-review-eligible vs requires fresh sample)
The triage outcome is a remediation plan with named owners and target dates inside the 30-day window.
Days 3 to 14: technical remediation
The bulk of the work happens here. The remediation patterns vary by control:
- For User Access Control failures (per-user MFA only, leaver still active, shared admin accounts), see The CE Plus MFA failure cases for the pattern-by-pattern fix
- For Security Update Management failures, see The CE Plus patching failure cases
- For the broader cross-control failure set, see The most common CE Plus failures by control
- For evidence-format failures where the control was correct but the evidence did not show it, see The evidence the CE Plus assessor accepts
Push the technical fix through the firm's normal change process if you have one. Do not run remediation as a parallel side-track: the change has to land in the canonical configuration, not in a "fix-it-for-the-assessment" carve-out that gets reverted afterwards.
Days 14 to 21: evidence regathering
By day 14 the technical remediation should be closing out. Evidence regathering is parallel work but worth pacing:
- Fresh patch-management tooling exports covering the in-scope estate
- Fresh Conditional Access policy exports if MFA was the failure
- Fresh leaver-account audit if leaver removal was the failure
- Fresh anti-malware management-console export if malware protection was the failure
- Fresh local-admin-group exports if local admin separation was the failure
The assessor will use this evidence on the re-test day. Stage it ready to share at re-test scheduling time.
Days 21 to 28: pre-retest validation
Before booking the re-test, run a pre-retest dry run against the failed controls. We routinely do this for applicants:
- An external vulnerability scan against the in-scope internet-facing assets to confirm no high or critical findings remain
- An internal vulnerability sample to confirm patch state is current
- A live walk through the cloud admin consoles to confirm Conditional Access policies are correctly scoped
If the dry run finds remaining gaps, fix them in days 21 to 28. Do not present the re-test to the assessor as the dry run.
Days 28 to 30: the re-test
Book the re-test with the assessor inside the 30-day window. The re-test runs against the carry-forward scope plus the previously-failed controls. The assessor produces a second-attempt report; the certificate either issues from the re-test date or the engagement closes as a final fail.
NetSec Plus engagements include unlimited re-tests inside the 30-day window with no re-test fee. The applicant only pays for the original engagement.
What if 30 days is not enough?
The 30-day window is in the IASME rules. The certification body cannot extend it without IASME approval. If the underlying remediation requires longer than 30 days (an end-of-life operating system replacement programme, a multi-quarter MDM rollout), the practical options are:
- Re-engage from scratch after the 30-day window expires. The applicant pays a fresh engagement fee. The previous report is not preserved as a starting point; the new engagement starts from the current scope and current state
- Narrow the scope to exclude the unremediable systems before re-test. This requires a documented scope change agreed with the certification body. The certificate, if issued, applies to the narrowed scope only
- Defer the engagement until the underlying remediation is complete, then re-engage with a known-good posture
Option 3 is what we recommend when the underlying remediation is genuinely long. Re-engaging at 30 days with the same gap is not useful.
Practical realities not stated in the IASME documentation
A few facts that are not in the published rules but matter to the applicant:
- The certification body has discretion on minor variances. A 14-day patch that landed on day 16 because of a documented vendor-side issue is not the same as a 14-day patch that landed on day 60 because no one tracked it. The assessor can accept the day 16 case with the documentation; the day 60 case fails.
- The re-test sample is a fresh sample, not the same devices. If your remediation only fixed the devices in the original sample but not the rest of the estate, the re-test will find the unfixed ones and the second attempt fails too. Remediate across the estate, not against the report's specific devices.
- Procurement deadlines matter. If you are CE Plus-blocked on a procurement timeline, the 30-day window is not optional; you cannot ask the customer to wait. Talk to the customer at the same time you triage the report; the customer often accepts a documented remediation plan with a target date inside the 30 days as evidence of progress.
- The complimentary IASME insurance attaches to the certificate, not to the engagement. If your second attempt produces a clean pass, the certificate issues with the insurance attached as for a first-attempt pass. There is no insurance penalty for a second attempt.
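As an added illustration of the pre-retest dry run (days 21 to 28) and of the estate-wide remediation point above, this script is not from Net Sec Group or IASME: it reads a constructed patch export, flags devices outside the 14-day update window, separates documented variances (the day 16 case) from plain fails, and warns when only the first-attempt sample was fixed. The export format, device names, dates and the variance text are all constructed assumptions, not any real tool's output.

```python
from datetime import date, timedelta

# The control the page refers to: high/critical security updates applied within 14 days of release.
PATCH_WINDOW_DAYS = 14

# Constructed sample export (not any real tool's format), one row per in-scope device.
# "sampled": the assessor looked at this device on the first attempt.
# "variance": documented vendor-side reason for a late install (the page's day 16 case); None otherwise.
SAMPLE_EXPORT = [
    {"device": "LAPTOP-01", "released": "2024-05-01", "installed": "2024-05-10", "sampled": True, "variance": None},
    {"device": "LAPTOP-02", "released": "2024-05-01", "installed": "2024-05-17", "sampled": False, "variance": "vendor re-issued update 2024-05-15"},
    {"device": "LAPTOP-03", "released": "2024-05-01", "installed": "2024-06-30", "sampled": False, "variance": None},
    {"device": "SERVER-01", "released": "2024-05-01", "installed": None, "sampled": False, "variance": None},
    {"device": "SERVER-02", "released": "2024-06-25", "installed": None, "sampled": True, "variance": None},
]


def classify(row, as_of):
    """Return (status, days_past_window) for one device; as_of is an ISO date string.
    'pass': inside the window; 'variance': late but with a documented reason the assessor
    may accept; 'pending': not installed but still inside the window; 'fail': otherwise."""
    deadline = date.fromisoformat(row["released"]) + timedelta(days=PATCH_WINDOW_DAYS)
    if row["installed"] is None:
        overdue = (date.fromisoformat(as_of) - deadline).days
        return ("pending", 0) if overdue <= 0 else ("fail", overdue)
    late = (date.fromisoformat(row["installed"]) - deadline).days
    if late <= 0:
        return ("pass", 0)
    return ("variance", late) if row["variance"] else ("fail", late)


def estate_report(rows, as_of):
    """Summarise every device, not just the first-attempt sample, before booking the re-test."""
    report = {"pass": [], "variance": [], "pending": [], "fail": []}
    for row in rows:
        status, late = classify(row, as_of)
        report[status].append((row["device"], late))
    failed = {d for d, _ in report["fail"]}
    # The page's pattern 2: sampled devices were fixed, the rest of the estate was not.
    report["sample_only_fix"] = (not any(r["device"] in failed for r in rows if r["sampled"])
                                 and any(r["device"] in failed for r in rows if not r["sampled"]))
    # Only book the re-test when nothing is failing; pending rows still need watching.
    report["ready_for_retest"] = not report["fail"]
    return report


if __name__ == "__main__":
    print(estate_report(SAMPLE_EXPORT, "2024-07-01"))
```

A variance row is reported separately so it can be presented with its documentation rather than silently counted as a pass.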
For deeper coverage of the recovery path including CE Basic recovery (which has slightly different reassessment dynamics), see Failed Cyber Essentials, What Next on netsecgroup.io. For the procedural reference covering the original engagement plus reassessment, see Cyber Essentials Plus Assessment Guide.
What changes for a third attempt
A third attempt is unusual. The IASME rules do not allow indefinite retries inside one engagement; after a final fail the applicant has to re-engage from scratch. In practice we see fewer than one second-attempt fail per quarter across the engagements we run, because the 30-day remediation roadmap is enough time when the failure is correctly diagnosed.
If a second attempt does fail, the underlying remediation was not enough. The pattern is usually:
- The fix addressed the control state on a sample but not across the estate (Pattern 2 in the practical realities above)
- A new failure surfaced during the re-test (a CVE published between the first attempt and the re-test, an account that became active during the gap)
- The evidence format was still not what the assessor expected
Re-engaging from scratch is straightforward. The applicant takes the lessons of the first engagement plus the second-attempt report into a new engagement, with a clearer view of the failure surface than the first time round.
Common questions
How long does the 30-day window actually run in working days?
30 calendar days is roughly 21 working days, depending on bank holidays. Plan for 21 if the engagement is in a normal month, fewer if a bank holiday falls inside the window.
Do we get to choose which controls are re-tested?
No. The assessor scopes the re-test based on what failed and what is dependent on the failures. Some applicants prefer to ask for a full re-test rather than a scoped re-test, which is allowed and useful when the firm wants the second-attempt certificate to read as a clean pass rather than a remediation pass. The assessor accommodates either approach within the IASME rules.
Does the second-attempt report show that we failed first time?
The IASME audit record shows the engagement journey, including the first-attempt result. The certificate that issues to the customer does not show the journey; it shows the issue date and validity period. UK enterprise procurement does not see the audit-record level of detail.
What if our scope changes between the first attempt and the re-test?
A scope change inside the 30-day window is allowed but requires a documented change agreed with the certification body. The re-test runs against the new scope, and the report records the change.
Can we use a different certification body for the re-test?
The IASME rules tie the engagement to the certification body that ran the first attempt. To switch certification bodies the applicant has to close the original engagement and re-engage from scratch with the new body. The 30-day reassessment window does not transfer.
Is there a financial penalty for a second attempt?
The IASME scheme does not levy a fee for a second attempt. The certification body's fee structure varies; NetSec Plus engagements include unlimited re-tests inside the 30-day window with no re-test fee.
Next steps
- For the per-control failure patterns and remediation, see The most common CE Plus failures by control
- For MFA-specific failure casebook, see The CE Plus MFA failure cases
- For patching-specific failure casebook, see The CE Plus patching failure cases
- For evidence-format failures, see The evidence the CE Plus assessor accepts
For the deeper netsecgroup.io references:
- Failed Cyber Essentials, What Next
- Cyber Essentials Plus Assessment Guide
- Cyber Essentials Common Failures Guide
When you are ready to plan the remediation or want help walking the 30-day roadmap against your own first-attempt report, contact Net Sec Group or book a Cyber Essentials Plus assessment directly.