Cyber Essentials Plus Auditing

Cyber Essentials Plus audit services for organisations that need independent technical verification of the five Cyber Essentials controls across their in-scope estate.

Cyber Essentials Plus Auditing
Cyber Essentials Plus is the audited route for organisations that need stronger assurance than standard Cyber Essentials alone. Punk Security provides the audit itself, independently testing the in-scope environment to verify that the scheme controls are really operating in practice.

What Cyber Essentials Plus is

Cyber Essentials Plus is the higher-assurance route built on top of Cyber Essentials. IASME describes it as a technical audit of your IT systems that verifies the Cyber Essentials controls are in place.

The verified Cyber Essentials self-assessment is a prerequisite to Cyber Essentials Plus. The Plus audit then tests the environment to provide greater confidence that the organisation is genuinely meeting the scheme requirements.

This page is for the audit

This service is for organisations that want to book the Cyber Essentials Plus audit itself.

It is not positioned as a readiness engagement. The focus is on:

  • confirming the audit scope
  • planning the audit activity
  • performing the technical verification required by the scheme
  • reporting the outcome of the audit

Who this is for

  • You have been asked for Cyber Essentials Plus rather than standard Cyber Essentials.
  • You need independent technical verification for customers, procurement, or supply-chain requirements.
  • You want a stronger assurance statement than the verified self-assessment route alone.
  • You already hold, or are completing, Cyber Essentials and want to progress to the audited route.
  • You need an audit of the in-scope environment rather than advisory preparation work.

What the audit covers

Cyber Essentials Plus is still based on the same five technical control areas:

  1. Firewalls
  2. Secure configuration
  3. Security update management
  4. User access control
  5. Malware protection

IASME states that the audit covers a representative set of user devices, all internet gateways, and all servers with services accessible to the internet.

What Punk Security does as part of the audit

  • Confirm the scope and audit assumptions.
  • Review the prerequisite Cyber Essentials position.
  • Plan the technical audit activity against the in-scope estate.
  • Perform the verification testing required by the scheme.
  • Record findings and determine whether the audited environment meets the standard.

What you need before booking

  • A completed or in-progress Cyber Essentials assessment.
  • A clear scope for the estate being audited.
  • Access to the in-scope devices, systems, gateways, and supporting contacts needed for the audit.
  • Confidence that the environment presented for audit matches the environment declared in the Cyber Essentials submission.

What usually affects the audit

  • Inconsistent patching across sampled devices.
  • MFA that is partially deployed but not consistently enforced.
  • Older devices or exceptions still sitting inside the audit scope.
  • Shared platforms, third-party IT support, or unclear ownership of internet-facing services.
  • Differences between the stated scope and the environment actually presented for testing.

Typical audit route

  1. Complete Cyber Essentials first.
  2. Confirm the Cyber Essentials Plus scope and logistics.
  3. Arrange the audit activity.
  4. Perform the technical verification testing.
  5. Record the outcome and complete the certification process where the standard is met.

Why Punk Security

  • We provide the technical audit itself, not just generic scheme commentary.
  • We understand how the scheme behaves in real estates with cloud services, endpoints, identity systems, and operational constraints.
  • We keep the audit route clear for the customer team, including what is being tested and why.
  • We can support wider assurance journeys afterwards, but the primary service here is the audit.

Common questions

Do we need Cyber Essentials before Cyber Essentials Plus?

Yes. IASME describes the verified Cyber Essentials self-assessment as a prerequisite to Cyber Essentials Plus.

Is Cyber Essentials Plus a fixed-price service?

Not usually. IASME positions Cyber Essentials Plus pricing around the size and complexity of the network being audited.

Does Cyber Essentials Plus test every device?

No. It uses representative technical testing, but it still relies on the organisation presenting an environment that is consistently managed across the in-scope estate.

What if we want help getting ready first?

That is a separate conversation from the audit itself. This page is specifically for the Cyber Essentials Plus audit route.


WHAT OUR CLIENTS SAY

Townsend Music

We initially reached out to Punk Security to help us out with our hosting architecture and were impressed with their breadth of knowledge.

With their expertise we were able to implement additional controls into AWS and successfully scale our systems. When we needed to gain more performance insights, their engineers configured our datadog platform end to end.

We’ve found that they really take the time to understand our problem and then put forward a great solution.

Knights

Our internal IT team were in need of expert consultancy to help us strengthen our cybersecurity measures and protect our sensitive data.

We engaged the services of Punk Security and were thoroughly impressed with the level of professionalism and knowledge they brought to the table.

The team was able to provide valuable insights and recommendations, and their guidance helped us implement effective security protocols that have greatly enhanced our overall security posture.

Parallel

We originally sought Punk’s services to support us with a potential cyber-attack. The team responded immediately, out of hours, and calmly and professionally walked us through the necessary steps to determine that our environment hadn’t been compromised.

Since then, we have engaged Punk to carry out a third-party audit of our cloud environment and a gap analysis against the Cyber Essentials and ISO 27001 criteria. The team provided a thorough report with recommendations and are now working with us to improve our processes and systems.

I feel assured that we are walking towards best practice security operations.

MKM

Having attended a live hack demo held at C4DI, we approached Punk Security to help shore up our cyber security and DevOps processes. Punk not only completed this audit but passed on valuable knowledge to our team to broaden their skills and insight in this area.

We have since continued to work in partnership with Punk to implement a WAF and frequently consult their expertise in DevOps in relation to our application so we can all learn and grow in a collaborative way.

Punk are approachable, knowledgeable and also adept at explaining in layman’s terms for the less technical! We look forward to continuing our fruitful working relationship.

Illumio

Our team at Illumio recently participated in a custom CTF event hosted by Punk Security, and it was a great experience! The CTF was not only challenging but also immensely educational, especially in the realm of cloud security principles.

The challenges presented during the CTF were designed to cover a broad spectrum of cloud security topics. This approach allowed our team to dive deep into practical scenarios that tested our skills and pushed us to explore new strategies and technologies. The balance between difficulty and learning outcomes was perfectly struck, ensuring that each team member, regardless of their prior level of expertise, found the event to be rewarding.

Friends of the Earth

Punk Security were happy to perform external scans pro bono due to our status as an NGO.

The team also spent meeting time on two separate occasions to discuss our requirements and provide advice without any commitment or expectation. I’ll certainly be coming to Punk Security again in future should we need further security services.

Sage

Punk Security provided exceptional DevSecOps training for our engineers here at Sage and delivered an outstanding talk at our Securing Sage Summit.

Their expertise and knowledge were evident throughout the sessions.

Not only were they efficient and great to work with, but their presentation was also the highest rated session of the entire event. We highly recommend Punk Security for any security-related needs.