Cyber Essentials Plus Sample Rules, the Hub

Net Sec Group is an IASME and NCSC certification body. The sampling methodology is the part of Cyber Essentials Plus that catches the most applicants out at scoping time. Firms with 50 devices expect a sample of "a few"; the formula returns 9. Firms with personal-phone BYOD populations discover that an unmanaged phone with a mailbox is in scope. Firms whose first scan finds a single missed patch discover that a second sample is being scheduled for next week.

This hub indexes the deep-dive articles on sampling. Each article is written from inside the assessor's chair, applying the IASME Cyber Essentials Plus test specification to the fleet shapes we see across our 800+ assessment history.

Articles in this hub

Cyber Essentials Plus Sample-Size Rules, Explained from the Assessor's Side

The IASME sample-size table per build, with worked examples for typical UK fleet shapes (10, 25, 50, 100, 250 devices), broken down by build type. Includes the rules that change the count in ways applicants do not anticipate (feature updates count as builds, editions count as builds, servers tested in full), and a pre-engagement sample-prediction calculation.

The Cyber Essentials Plus Second-Sample Rule

When a first internal vulnerability scan finds unpatched vulnerabilities, the assessor triggers a second random sample from across the estate. The trigger, the timing, the size, the failure consequences, with a contrast pair from real assessment days showing what does and does not trigger a second sample. The Danzell-era rule.

Bring-Your-Own-Device Sampling on Cyber Essentials Plus

How an IASME-accredited assessor scopes BYOD devices in or out, samples them when in scope, and accepts evidence for personally-owned hardware. Four worked BYOD shapes (personal phone with corporate Office 365 mailbox, MDM-enrolled personal laptop, browser-only personal phone, contractor laptop on a corporate VPN), with the scoping outcome and evidence formats for each.

When to read which article

| Where you are | Read this |
|---|---|
| Scoping CE Plus, want to predict the sample before booking | Sample-Size Rules |
| Have a BYOD population and unsure how it scopes in | BYOD Sampling |
| Mid-engagement, the assessor has called for a second sample | Second-Sample Rule |
| Pre-engagement, want to defuse the second-sample risk | Second-Sample Rule and Patching Failure Cases |

The three articles cross-link. The sample-size formula is the foundation; the second-sample rule and BYOD sampling are extensions that change the count on top of the base formula.

The shape of CE Plus sampling in one paragraph

The IASME formula samples each operating-system-and-edition build separately, with sample size scaling from 1 device for very small builds to 5 devices for builds of 61 or more. Servers are tested in full with no sampling. BYOD devices in scope are sampled like corporate-owned devices. If the first internal vulnerability scan finds unpatched vulnerabilities, a second random sample is triggered from across the estate. There is no third sample.

The applicant's lever is build standardisation. A 100-device estate on one build samples at 5; the same estate spread across five builds samples at 17. Tightening feature updates and OS versions before scoping reduces the sample, which reduces the engagement cost and time.

How this pillar relates to the other two

The sample-rules pillar is one of three on this site; the other two are the failure-modes pillar and the assessment-protocol pillar.

The pillars are designed to read independently. An applicant deep in remediation reads failure-modes; an applicant scoping reads sample-rules; an applicant preparing reads assessment-protocol.

Reference material

For the broader netsecgroup.io reference covering the IASME methodology and the Danzell-era changes:

Common questions

How is the sample size calculated?

Per-build, per the IASME table. 1 device for builds of 1, 2 for 2 to 5, 3 for 6 to 19, 4 for 20 to 60, and 5 for 61 and above. Servers tested in full. Total sample is the sum across all builds plus all servers and hypervisors. For worked examples see Sample-Size Rules.
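The per-build table above and the 100-device contrast earlier on this page can be turned into a pre-booking predictor. The following is an added example, not Net Sec Group's or IASME's own code: it encodes the band boundaries exactly as stated on this page, treats every server as tested in full, and sums the result. The inventory format, the build labels and the particular five-way split of the 100-device estate (61/10/10/10/9) are assumptions constructed for illustration; the page gives the totals (5 and 17) but not the split.

```python
# Added example (not Net Sec Group's or IASME's own code): predict a CE Plus
# sample from a device inventory using the per-build table stated on the page.
# Inventory structure, build labels and fleet splits below are constructed.
from collections import Counter

# IASME per-build table as stated on the page: (upper bound inclusive, sample size).
SAMPLE_TABLE = [(1, 1), (5, 2), (19, 3), (60, 4)]
SAMPLE_MAX = 5  # builds of 61 or more


def sample_for_build(count: int) -> int:
    """Devices sampled for one OS-and-edition build containing `count` devices."""
    if count <= 0:
        return 0
    for upper, size in SAMPLE_TABLE:
        if count <= upper:
            return size
    return SAMPLE_MAX


def predict_sample(inventory):
    """Return (total, breakdown) for a list of device records.

    Each record is a dict (assumed format) with keys:
      build - OS + edition + feature-update label, since each of those
              distinctions is a separate build under the table
      role  - "workstation" or "server"; servers are tested in full, not sampled
    In-scope BYOD devices belong in the list and sample like corporate devices.
    """
    servers = [d for d in inventory if d["role"] == "server"]
    builds = Counter(d["build"] for d in inventory if d["role"] != "server")
    breakdown = {build: sample_for_build(n) for build, n in sorted(builds.items())}
    total = sum(breakdown.values()) + len(servers)
    breakdown["servers (tested in full)"] = len(servers)
    return total, breakdown


def fleet(spec):
    """Expand a constructed spec [(build, role, count), ...] into device records."""
    return [{"build": b, "role": r} for b, r, n in spec for _ in range(n)]


# The page's contrast: 100 workstations on one build versus the same 100 spread
# across five builds. The split below is one assumed distribution that yields 17.
ONE_BUILD = fleet([("Windows 11 Pro 23H2", "workstation", 100)])
FIVE_BUILDS = fleet([
    ("Windows 11 Pro 23H2", "workstation", 61),
    ("Windows 11 Pro 22H2", "workstation", 10),
    ("Windows 11 Enterprise 23H2", "workstation", 10),
    ("Windows 10 Pro 22H2", "workstation", 10),
    ("macOS 14", "workstation", 9),
])

if __name__ == "__main__":
    for name, devices in (("one build", ONE_BUILD), ("five builds", FIVE_BUILDS)):
        total, breakdown = predict_sample(devices)
        print(f"{name}: total sample {total} -> {breakdown}")
```

Run it against an export of your own inventory (one record per device, with the feature-update level in the build label) to see which builds are inflating the count before the assessor does; merging the small builds is the standardisation lever the page describes.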

Are personal devices in scope?

A personal device that handles in-scope data is in scope. The path the device takes (native app, browser only, MDM enrolment, app-protection) determines the sampling and evidence requirements. See BYOD Sampling for the four worked shapes.

What triggers a second sample?

Unpatched vulnerabilities found in the first internal vulnerability scan. Other test failures (boundary firewalls, MFA, anti-malware) do not trigger second samples in the same way. See Second-Sample Rule.

Can the assessor sample more than the table requires?

Yes, if the assessor has reason to believe the sample is unrepresentative. The IASME table is a minimum, not a maximum.

Where do we book?

Book a Cyber Essentials Plus assessment with Net Sec Group, or contact us for a sample-prediction pass against your own inventory before booking.