Cyber Essentials
Plus Preparation
Cyber Essentials Plus is the higher-assurance tier — independently verified by an IASME-licensed assessor rather than self-assessed. This engagement prepares your environment and coordinates the technical audit within the three-month IASME window.
Cyber Essentials and Cyber Essentials Plus are the same controls — assessed differently.
Both certifications test the same five technical controls. The difference is how the assessment is conducted. Standard Cyber Essentials is a verified self-assessment — you answer a questionnaire, an assessor reviews your answers, and a certificate is issued if they are satisfied. Cyber Essentials Plus requires an independent technical audit — an IASME-licensed assessor visits or connects remotely to test your environment directly, using vulnerability scanning and hands-on verification.
This matters because Plus cannot be passed by documentation alone. Your environment must actually be in the state your questionnaire describes, and the assessor will verify it. A firm that certified at standard level with minor gaps that slipped through will not pass a Plus audit without closing them first. This engagement identifies and closes those gaps before the assessor arrives.
The three-month window is an IASME requirement
IASME requires that the Cyber Essentials Plus audit is completed within three months of the standard Cyber Essentials certificate being issued. If that window expires, you must recertify at standard level before proceeding to Plus. This engagement should be initiated immediately following standard certification.
Three workstreams — review, prepare, coordinate.
The engagement is designed to take you from a standard Cyber Essentials certificate to a Plus audit — with every gap closed before the assessor arrives and every logistical element coordinated by Konve IT.
Pre-Audit Environment Review
A targeted review of your IT environment against the Cyber Essentials Plus assessment methodology — stricter than the standard questionnaire assessment. Specific attention to: patch currency across all in-scope devices against the 14-day requirement; MFA enforcement across all cloud services; endpoint protection configuration and signature currency; and firewall configuration as it will appear under active technical testing. Any gaps identified are remediated before the audit date, within the scope of this engagement.
Audit Preparation and Coordination
Selection and coordination of an IASME-licensed certification body to conduct the Plus audit, based on your timeline and budget. Preparation of the environment inventory and technical documentation required by the certification body before the audit. Briefing your technical contact on what to expect during the audit — which devices and systems the assessor will test, the methods used, and how to respond to assessor queries. Liaison with the certification body assessor during the audit.
Post-Audit Support
Where the audit identifies residual gaps that prevent certification, Konve IT will advise on the remediation required and support a single resubmission within thirty days of the initial audit result at no additional charge. This covers assessor queries, additional evidence requests, and resubmission coordination. More than one resubmission requires a separate engagement.
One preparation report. One audit. One certificate.
The Plus certificate is issued directly by the IASME-licensed certification body. Konve IT's role is to ensure the environment is ready and the process is coordinated.
Plus Preparation Report
Delivered in PDF before the audit date. Confirms the pre-audit environment review findings, any remediation actions taken, the audit scope agreed with the certification body, and Konve IT's assessment of your readiness for the Plus audit.
Coordinated Audit
Certification body selected and booked. Environment inventory and pre-audit documentation submitted. Your team briefed and ready. Konve IT present during the audit for technical liaison. The audit runs without you having to manage the logistics.
Cyber Essentials Plus Certificate
Issued directly by the IASME-licensed certification body to your organisation on successful completion of the audit. The certification body fee is payable directly by you and is not included in the Konve IT preparation fee.
Organisations where Cyber Essentials Plus is required or strategically important.
This engagement is specifically for organisations that hold a valid standard Cyber Essentials certificate and need to proceed to Plus within the three-month IASME window.
Your contract requires Cyber Essentials Plus specifically — not just the standard certification.
NHS Digital supplier requirements, MOD supply chain contracts, and some central government framework agreements specify Cyber Essentials Plus rather than the standard certification. If your contract specifies Plus, standard certification alone will not satisfy it. This engagement delivers Plus within the required timeframe.
You want to demonstrate a higher standard of cybersecurity assurance to clients or partners.
For professional services firms where client trust is commercially significant — law firms handling sensitive matters, accountancy practices with high-value clients, consultancies working on regulated transactions — Cyber Essentials Plus provides independently verified evidence of security posture that a self-assessed standard certificate does not.
You have just completed the Full Programme and want to proceed to Plus within the three-month window.
The most efficient path to Cyber Essentials Plus is to complete the standard certification and immediately initiate the Plus preparation. The environment is already in a good state from the Full Programme remediation. This engagement takes that state through independent verification before any configuration drift occurs.
You hold an existing Plus certificate and need to renew it.
Cyber Essentials Plus certificates expire annually and require a fresh independent audit each year. For organisations already holding Plus, this engagement manages the annual renewal process — environment review, certification body coordination, and audit support — in the same way as the initial Plus engagement.
The preparation fee covers Konve IT's work. The certification body conducts the audit and issues the certificate independently.
- The CE Plus certification body audit fee — payable directly by you to the certification body
- Standard Cyber Essentials certification — a prerequisite, covered under the Full Programme
- More than one resubmission following a failed Plus audit
- Remediation of significant new gaps discovered during the audit that were not present at pre-audit review
- Procurement of security software or hardware required to meet Plus controls
- Any work outside the scope of preparing for and coordinating the Plus audit
One flat fee for Konve IT's preparation work. Certification body fee separate.
The £800 + VAT fee covers everything Konve IT does — the pre-audit review, remediation within scope, audit coordination, and single resubmission support. It does not include the certification body's fee for conducting the Plus audit, which is payable directly by you and typically ranges from £1,499 to £2,500 for organisations of this size.
Cyber Essentials Plus Preparation
- Pre-audit environment review against the Cyber Essentials Plus assessment methodology — stricter than the standard questionnaire assessment
- Targeted remediation of any gaps identified at pre-audit review, within the scope of this engagement
- Certification body selection and coordination — audit booked within your three-month IASME window
- Pre-audit documentation preparation and submission to the certification body
- Plus Preparation Report in PDF confirming readiness for the audit
- Technical liaison during the audit and single resubmission support within 30 days of the initial result
Don't have standard Cyber Essentials yet?
Cyber Essentials Plus requires a valid standard Cyber Essentials certificate as a prerequisite. IASME requires the Plus audit to be completed within three months of the standard certificate being issued. If you are starting from scratch, the Cyber Essentials Full Programme delivers the standard certificate — after which this preparation engagement can begin immediately.
Act immediately after your standard certificate is issued.
The three-month IASME window starts on the date your standard Cyber Essentials certificate is issued. The preparation engagement, audit coordination, and audit itself all need to fit within that window. Contact Konve IT as soon as your standard certificate is received.
Complete the onboarding form
Download and complete the Konve IT Client Onboarding Form. If already submitted for a previous engagement, you do not need to complete it again.
Complete the service questionnaire
Download and complete the Cyber Essentials Questionnaire, selecting the Plus Preparation. Provides your standard certificate reference, issue date, and the IASME window deadline — so Konve IT can immediately assess whether the timeline is achievable.
Review and sign the Statement of Work
Konve IT issues a Statement of Work within two working days. Given the three-month window constraint, the engagement begins immediately on signature and receipt of the first instalment.