Cyber Essentials Plus — annual renewal, IASME-registered assessor visit
Cyber Essentials Plus (NCSC / IASME)

UK government supplier certification — continuously audit-ready.

Cyber Essentials Plus opens UK government supplier contracts. An annual assessor visit checks every claim against your live setup. Secruna gives you a continuous audit trail across the five control families — Firewalls + internet gateways, Secure configuration, User access control, Malware protection, Security update management — so you walk into the assessor visit with a current evidence pack, not a scramble. 18 IGPs with per-row evidence, gap surface, and a 90-day audit trail.

Why Cyber Essentials Plus is the certification that pays back

Three reasons UK buyers reach for Cyber Essentials Plus — in this order.

Cyber Essentials Plus is one of the few UK cyber baselines that actually unlocks revenue. Whether the buyer is a Cabinet Office framework, an NHS trust, a UK bank or a defence prime, the certificate sits in the supplier questionnaire and the assessor visit is the proof.

UK government supplier contracts

Cyber Essentials Plus is mandatory for many UK government supplier contracts — especially those handling personal data or sensitive information. PPN 09/14 and the wider Cabinet Office supplier-assurance framework reference it directly; framework call-offs cite it as a prerequisite.

Private-sector RFP table-stakes

UK financial services, NHS supply chain and defence prime supplier questionnaires reference Cyber Essentials Plus as a procurement gate. Showing a current Plus certificate clears the cyber-baseline question on first read so the technical evaluation moves on.

Independent verification — not self-assessment

The Plus tier adds an independent IASME-registered assessor visit on top of the basic Cyber Essentials self-assessment. The assessor runs technical verification against your live setup — random-sample workstation checks, vulnerability scan, MFA enforcement test — so the evidence pack has to match reality.

The five-step path

What you have to do at assessor-visit time, in order.

The same five gates apply to every framework Secruna covers, including Cyber Essentials Plus. Start at step one — the rest only make sense once the organisation knows which estate is in scope.

  1. Scope

     Confirm the boundary of the Cyber Essentials Plus certificate — the whole organisation, a defined subsidiary, or a specific environment. Document the scope statement; the assessor reads it first.

  2. Discover

     Connect cloud accounts, identity provider, GitHub, M365 and the endpoint-management console. Secruna’s discovery worker collects the cyber-posture signal once and reuses it across every cyber framework you subscribe to. The first scan typically surfaces MFA gaps on cloud admin roles, patching SLA breaches and EOL-software pockets.

  3. Map to Cyber Essentials Plus

     The rule-book matcher evaluates each of the 18 Cyber Essentials Plus IGPs against the latest posture artefact and assigns a verdict — pass, fail, partial pass or not applicable. Verdicts cite the connector signal that drove them so the assessor can trace the evidence back to source.

  4. Close the gaps

     The §3 Gaps surface lists every failed / partial-pass IGP with the connector field that drove the verdict. Remediate at your own cadence; verdicts re-evaluate on every discovery run. The gap list is the same list the IASME-registered assessor will work through at the visit.

  5. Generate + hand over

     One click produces the evidence pack PDF and CSV. The audit trail captures the last 90 days of platform activity. Filename: secruna-cyber-essentials-plus-evidence-{tenant}-{date}.pdf. Hand to the assessor at the start of the visit so the technical verification runs against a known baseline.

Family 1 — Firewalls and internet gateways

Boundary control — the perimeter seam.

What Cyber Essentials Plus asks. Every device that connects to the internet — directly or via a shared network — must sit behind a properly configured firewall (or an equivalent network device). Default-deny inbound is the baseline; every approved inbound rule has a documented business need and a named owner. Administrative access to firewalls is restricted to named accounts with MFA, logged centrally.

What counts as compliant. A documented firewall inventory; default-deny inbound enforced with a reviewable exception list; MFA on every firewall admin account; default vendor admin accounts disabled or rotated.

What Secruna ships for Family 1. Three rules covering boundary firewalls, default-deny inbound and firewall administrative access. The cyber posture artefact surfaces the firewall state per device class. Evidence pack cites the connector signal that drove each verdict.

See this in your dashboard at: /inventory?framework=cyber_essentials_plus&family=FW with the boundary-firewall state surfaced per tenant.

Family 2 — Secure configuration

Hardening + default credentials — the build seam.

What Cyber Essentials Plus asks. Every category of in-scope device has a documented baseline configuration. New builds derive from the baseline; drift is detected and remediated. Hardening removes unnecessary services, accounts and software. Default vendor passwords are rotated before go-live. Unused software and services are audited at least annually.

What counts as compliant. Golden-image AMIs / VM templates / MDM profiles for every device class; configuration-management tooling enforcing the baseline; secrets-manager evidence of default-password rotation; an annual unused-software audit cycle with documented removals.

What Secruna ships for Family 2. Four rules covering baseline configuration, hardening application, default credentials and unused software / services. The rule book wires connector signals from the cloud and identity providers; on-prem endpoint hardening evidence is tenant-attested until the on-prem agent ships (scaffolded as Plan 139).

See this in your dashboard at: /inventory?framework=cyber_essentials_plus&family=SC with the per-device-class baseline state.

Family 3 — User access control

Least privilege, MFA, admin separation, JML — the identity seam.

What Cyber Essentials Plus asks. Every account has only the access it needs for the role. MFA is enforced on every administrative account and every cloud-service account; phishing-resistant factors are required for the highest-risk roles. Admin accounts are separated from day-to-day user accounts. The Joiner / Mover / Leaver process deactivates leaver accounts by the final working day.

What counts as compliant. Role-based access control with documented role definitions; Conditional Access enforcing MFA on every cloud admin role and every external SaaS; tiered admin model for top-tier admins; identity-governance + HRIS-driven JML automation.

What Secruna ships for Family 3. Four rules covering least privilege, MFA enforcement, admin-account separation and the JML cycle. MFA evidence flows from the identity provider; least-privilege evidence flows from RBAC inventory; JML evidence flows from the identity-governance feed.

See this in your dashboard at: /inventory?framework=cyber_essentials_plus&family=UAC with MFA + JML state per tenant.

Family 4 — Malware protection

EDR on endpoints + servers + allow-listing — the runtime seam.

What Cyber Essentials Plus asks. Every user endpoint runs anti-malware or EDR with current definitions; coverage is evidenced from a central console. Servers and cloud workloads carry the same protection. High-risk devices (privileged-user workstations, devices handling sensitive data) require either application allow-listing or strong sandboxing.

What counts as compliant. Enterprise EDR (Defender / CrowdStrike / SentinelOne) console export showing fleet coverage; cloud-native runtime protection on servers (AWS GuardDuty / Defender for Cloud / GCP SCC); WDAC / AppLocker / browser isolation on privileged-user workstations.

What Secruna ships for Family 4. Three rules covering endpoint anti-malware, server + cloud-workload coverage and application allow-listing / sandboxing for high-risk devices. Application allow-listing (MP.03) is tenant-attested in v1 — Secruna does not inspect endpoint policies.

See this in your dashboard at: /inventory?framework=cyber_essentials_plus&family=MP with EDR coverage per device class.

Family 5 — Security update management

14-day critical patching SLA + no EOL software — the patching seam.

What Cyber Essentials Plus asks. Critical and high-severity vulnerabilities (CVSS ≥ 7.0 with a vendor fix) must be patched within 14 days. Other vulnerabilities with a vendor fix must be patched within 30 days. No end-of-life software is in production. Periodic vulnerability scanning runs on the in-scope estate. Both applied and outstanding patches are auditable.

What counts as compliant. Patch-management tool SLA dashboard showing 14-day / 30-day attainment per device class; continuous EOL inventory feeding the patch backlog; authenticated vulnerability scanning with remediation tickets tracked through to closure; per-CVE remediation log answering “when was this patched on this class?” on demand.

What Secruna ships for Family 5. Four rules covering the patching SLA, EOL software tracking, vulnerability scanning cadence and update tracking. Patching SLA evidence flows from the patch-management tool; vulnerability findings flow from the vulnerability scanner.

See this in your dashboard at: /inventory?framework=cyber_essentials_plus&family=SU with the patching SLA + EOL state per tenant.

UK Cyber Pack

Four frameworks. One platform.

Cyber Essentials Plus is the procurement-gate baseline for UK government suppliers and private-sector RFPs. NCSC CAF is the UK gov + CNI gateway above it. NIS2 + DORA cover EU regulated sectors and financial entities. Because every cyber signal Secruna collects is shared across the four frameworks, the marginal cost of adding another to a tenant subscription is close to zero.

Cyber Essentials Plus (this page)

UK government supplier + private-sector RFP baseline. 18 IGPs across the five control families. Independent IASME-registered assessor visit at annual renewal.

NCSC CAF + GovAssure

UK government departments + Critical National Infrastructure operators. 31 IGPs across four objectives. GovAssure-mandated since 2023. See NCSC CAF detail →

NIS2

EU essential + important entities across regulated sectors. 22 IGPs. Penalties up to EUR 10M or 2% of turnover. See NIS2 detail →

DORA

Every EU financial entity since 17 January 2025. 33 IGPs across five pillars. See DORA detail →

See where your Cyber Essentials Plus posture stands. In 30 minutes.

A 30-minute scope call confirms the certificate boundary, maps the in-scope estate to the 18 Cyber Essentials Plus IGPs, and identifies which controls you can evidence from existing connector signals today and which need a tenant-supplied attestation. You leave the call with a concrete gap list and a path to an assessor-ready evidence pack.

Or call our UK lead — we’re on +44 20 0000 0000. (Placeholder — see TODO at the top of this file; the real number lands once the founder confirms it.)