If your business is preparing for Cyber Essentials or CE+, you’ve probably already looked at the questionnaire and thought:
“Is this just a formality or is someone going to check this?”
The truth is, it depends. Cyber Essentials (CE) is a self-assessment questionnaire signed off by a board member and reviewed by a certification body. Cyber Essentials Plus (CE+) adds a hands-on technical audit by an assessor, run against the same scope you declared in the questionnaire. Either way, preparation makes all the difference.
At ALTO, we help SMEs navigate both routes — making sure you're not just compliant on paper, but actually protected in practice.
Here’s what to expect, and how to pass with confidence.
Quick Recap: CE vs CE+
If you missed it, we break this down in our August blog:
Cyber Essentials vs Cyber Essentials Plus: What’s Right for Your Business?
https://www.itsalto.com/blog/cyber-essentials-vs-cyber-essentials-plus-whats-right-for-your-business
| | Cyber Essentials | Cyber Essentials Plus |
| --- | --- | --- |
| Self-assessed? | ✅ Yes | ✅ Yes (included) |
| Independently tested? | ❌ No | ✅ Yes |
| Devices tested? | ❌ No | ✅ Yes (sample audit) |
| Risk insight? | ⚠️ Basic | ✅ In-depth |
Timeline: CE Before CE+
To gain Cyber Essentials Plus, your business must first pass Cyber Essentials (CE). This is the self-assessment stage where you confirm that key security controls are in place.
Once CE is passed, you have three months from the date of your CE certificate to complete the CE+ audit, and the CE+ scope must match the CE scope. If you miss this window, you'll need to retake the CE assessment before attempting CE+ again.
ALTO tip: We recommend scheduling both certifications together — that way, you can prepare properly, fix any gaps early, and avoid unnecessary delays or repeat work.
So… What Actually Happens During a CE+ Audit?
Here’s how a typical CE+ assessment works for SMEs:
1. Scoping the Assessment
The assessor confirms the scope you declared in your CE self-assessment and works with your provider (like ALTO) to map it onto your real network and device estate: office and remote workers' laptops and desktops, mobile devices, servers, cloud services, and the internet-facing IP addresses and domains that will be scanned from outside.
ALTO tip: Many MSPs skip this or scope it too narrowly — meaning critical devices can be missed entirely.
2. Sampling Your Devices
The assessor does not test every machine. They take a sample from each type of device and operating-system build in scope (laptops, desktops, mobile devices, servers), which often works out at only around 10% of the estate.
This is a huge blind spot if you’re not managing your whole IT estate proactively:
“If only some machines are checked, how do you know the rest are compliant?”
At ALTO, we use:
- Real-time RMM (remote monitoring and management) monitoring across every device, not just the sampled ones
- ThreatLocker to control what software is allowed to run
- A compliance dashboard that keeps your secure score up to date
This ensures you're not just compliant on audit day, but all year round.
3. Security Control Testing
The assessor tests whether the sampled devices meet the five Cyber Essentials controls:
- Firewalls (boundary firewall and host firewall enabled on every device)
- Secure configuration (default accounts and unnecessary software removed, autorun disabled, device locking)
- Security update management (critical and high-rated updates applied within 14 days of release)
- User access control (unique accounts, separate admin accounts, and MFA on cloud services)
- Malware protection (anti-malware or application allow-listing on every device)
These are verified with tools and hands-on tests, not just checklists: an authenticated vulnerability scan of each sampled device, an attempt to download and open malware test files through the browser and by email, a check that a standard user account cannot install software or elevate to admin, and a check that MFA is enforced on your in-scope cloud services.
4. Vulnerability Scan
Two scans are run: an external scan of your internet-facing IP addresses and services for open ports, exposed management interfaces and outdated software, and an authenticated patch scan of each sampled device for missing updates and known weaknesses.
If issues are found, you'll receive a remediation list. Not every finding is a fail: a vulnerability rated high or critical (CVSS v3 base score 7.0 or above) for which a fix has been available for more than 14 days is a fail, so patch lag on even one sampled device can fail the whole assessment.
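The following PowerShell is an added example of how a provider might triage a scanner export against that 14-day rule before the assessor sees it. It is not ALTO's tooling or the official test specification: the findings are constructed for the example (the finding IDs, hosts and dates are made up), and the fail rule coded here is this example's reading of the CE+ patch check, which you should confirm against the current IASME test specification.

```powershell
# Added example: triage a vulnerability-scan export against the CE+ patch test.
# Not ALTO's tooling. The CSV below is constructed for the example; the rule
# (CVSS v3 base score >= 7.0 and a vendor fix available for more than 14 days
# => fail) is this example's assumption about the CE+ patch check.

$assessmentDate = Get-Date '2025-10-01'   # assumed date of the CE+ audit

# Constructed findings in the shape of a typical scanner CSV export.
$findings = @'
Host,Finding,CVSS,Title,FixReleased
LAPTOP-01,F-1,9.8,Remote code execution in web browser,2025-09-01
LAPTOP-01,F-2,5.3,Information disclosure in media player,2025-08-15
LAPTOP-02,F-3,7.5,Privilege escalation in PDF reader,2025-09-25
SERVER-01,F-4,8.1,Outdated VPN appliance firmware,
'@ | ConvertFrom-Csv

function Get-CePlusPatchTriage {
    param([object[]]$Findings, [datetime]$AsOf)
    foreach ($f in $Findings) {
        $score = [double]$f.CVSS
        if ($score -lt 7.0) { continue }   # medium/low: fix, but not a CE+ fail
        if ([string]::IsNullOrWhiteSpace($f.FixReleased)) {
            # No vendor fix yet: CE expects a documented mitigation, not a fail.
            $fail = $false
            $reason = 'no vendor fix available; mitigate and document'
        } else {
            $age = ($AsOf - [datetime]$f.FixReleased).Days
            $fail = $age -gt 14
            $reason = "fix available for $age days"
        }
        [pscustomobject]@{
            Host      = $f.Host
            Finding   = $f.Finding
            CVSS      = $score
            WouldFail = $fail
            Reason    = $reason
        }
    }
}

Get-CePlusPatchTriage -Findings $findings -AsOf $assessmentDate | Format-Table -AutoSize
```

With the constructed data, F-1 on LAPTOP-01 would fail (fix 30 days old), F-3 on LAPTOP-02 would not yet fail (6 days), F-4 has no fix so needs a documented mitigation, and F-2 is below the 7.0 threshold. Run this against your real export in the days before the audit, not after.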
5. Remediation Window
If the assessment fails, you typically get 30 days to resolve the issues and be retested. Miss that, and the CE+ attempt lapses and you start again from the CE questionnaire.
ALTO difference: We fix the issues before the audit, not after. Our cybersecurity team carry out a pre-audit check on the devices the assessor is likely to sample, so there are no surprises.
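As an added example of what a pre-audit check on a single Windows endpoint can look like, the PowerShell below runs read-only checks mapped to the five controls. It is not ALTO's tooling and not the assessor's test specification: the 7-day signature age and 14-day update age thresholds are this example's own assumptions, chosen to sit inside CE's 14-day patching requirement, and it assumes Microsoft Defender is the malware protection in use (Get-MpComputerStatus will error with a third-party product).

```powershell
# Added example: pre-audit CE control check for a Windows 10/11 endpoint.
# Not ALTO's tooling or the official CE+ test specification. Thresholds
# (7 days for AV signatures, 14 days for updates) are this example's assumptions.
# Run as the user's normal, non-elevated account: all checks are read-only.

function Invoke-CePreAuditCheck {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Control = $Control; Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Firewalls: every Windows Firewall profile (Domain/Private/Public) must be on.
    foreach ($p in Get-NetFirewallProfile) {
        Add-Check 'Firewalls' "Profile '$($p.Name)' enabled" ("$($p.Enabled)" -eq 'True') "Enabled=$($p.Enabled)"
    }

    # 2. Malware protection: Defender on, real-time protection on, signatures current.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        Add-Check 'Malware protection' 'Antivirus enabled' $mp.AntivirusEnabled "AntivirusEnabled=$($mp.AntivirusEnabled)"
        Add-Check 'Malware protection' 'Real-time protection on' $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
        $sigAge = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
        Add-Check 'Malware protection' 'Signatures updated within 7 days' ($sigAge -le 7) ("Last signature update " + $mp.AntivirusSignatureLastUpdated)
    } catch {
        # Assumption: a non-Defender product is in use; verify it manually.
        Add-Check 'Malware protection' 'Defender status readable' $false "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # 3. Security update management: most recent hotfix within 14 days. This is a
    #    proxy only; the assessor runs an authenticated vulnerability scan instead.
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($lastFix) {
        $fixAge = ((Get-Date) - $lastFix.InstalledOn).TotalDays
        Add-Check 'Security update management' 'Update installed within 14 days' ($fixAge -le 14) "$($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())"
    } else {
        Add-Check 'Security update management' 'Update installed within 14 days' $false 'No hotfix install dates recorded'
    }

    # 4. User access control: the day-to-day account must not be a local administrator.
    #    Direct membership is checked by SID; nested domain groups are not expanded.
    $me = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admins = Get-LocalGroupMember -Group 'Administrators'
    $isAdmin = @($admins.SID.Value) -contains $me.User.Value
    Add-Check 'User access control' "Current user '$($me.Name)' is not a local admin" (-not $isAdmin) ("Administrators: " + ($admins.Name -join ', '))

    # 5. Secure configuration: AutoRun disabled for all drive types (NoDriveTypeAutoRun = 255).
    $autorun = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    Add-Check 'Secure configuration' 'AutoRun disabled (NoDriveTypeAutoRun=255)' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun"

    return $results
}

$report = Invoke-CePreAuditCheck
$report | Format-Table Control, Check, Pass, Detail -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) failed; fix these before the assessor samples this device."
}
```

Run it on the devices most likely to be sampled (one per OS build in scope) and keep the output: a failed check here is cheaper to fix now than in the 30-day remediation window.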
What Most People Don’t Realise About CE+
A pass doesn’t mean everything is secure. It means what was checked met the standard.
That’s why we treat CE+ as a starting point, not a destination.
With ALTO, you also get:
- A compliance scoring dashboard that updates monthly
- Monitoring across all devices, not just the sample
- Support for Cyber Essentials, ISO 27001, and insurance-level controls
- Training and phishing simulations to address human risk
Should You Attempt This Alone?
If you don’t have internal IT — or your MSP has never managed a CE+ audit — it’s easy to fall short on:
- Device scoping
- Patch management
- Secure configurations
- Timely remediation
That’s why ALTO provides full preparation, remediation, and certification support — and we stick around afterwards.
Final Word from the ALTO Team
We see Cyber Essentials as more than a badge. It’s a framework to improve how your business handles risk, technology, and people.
If you’re ready to take the first step — or even recover from a failed attempt — we’re here to help.
Book a discovery call