Cyber Essentials Plus

United Kingdom

v2024

15 domains

20 controls

UK government-backed scheme to protect against common cyber attacks

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (15)

Audit

1 controls

Controls in the Audit domain of Cyber Essentials Plus — 1 controls
Code	Title	Description
CEP-AUD-01	Annual Hands On Audit and Recertification	CE Plus certification requires an annual hands on technical audit by a licensed IASME assessor, with sample sizes drawn...

Cloud Services

1 controls

Controls in the Cloud Services domain of Cyber Essentials Plus — 1 controls
Code	Title	Description
CEP-CLD-01	Cloud Services in Scope	All cloud services (IaaS, PaaS, SaaS) used to store or process organisational data fall within scope and must meet the s...

Cyber Essentials Plus: Access Control & Identity

0 controls

Managing access to information systems (Cyber Essentials Plus)

Cyber Essentials Plus: Audit & Accountability

0 controls

Audit logging and accountability measures (Cyber Essentials Plus)

Cyber Essentials Plus: Configuration Management

0 controls

Managing system configurations securely (Cyber Essentials Plus)

Cyber Essentials Plus: Incident Response

0 controls

Detecting and responding to security incidents (Cyber Essentials Plus)

Cyber Essentials Plus: Risk Assessment & Management

0 controls

Identifying and managing cybersecurity risks (Cyber Essentials Plus)

Cyber Essentials Plus: System & Communications Protection

0 controls

Protecting systems and communications (Cyber Essentials Plus)

Firewalls

2 controls

Controls in the Firewalls domain of Cyber Essentials Plus — 2 controls
Code	Title	Description
CEP-FW-01	Boundary Firewall Configuration	All internet connected devices must sit behind a correctly configured boundary firewall or equivalent, with unused servi...
CEP-FW-02	Host Based Firewall on Devices	End user devices and servers must have host based firewalls enabled and configured to block unsolicited inbound connecti...

Malware Protection

4 controls

Controls in the Malware Protection domain of Cyber Essentials Plus — 4 controls
Code	Title	Description
CEP-MA-01	Anti-Malware Deployment and Operation	All in scope devices must run anti malware software that is kept current, scans files on access and prevents execution o...
CEP-MA-02	Application Allow Listing or Sandboxing	As an alternative or supplement to signature anti malware, organisations may use application allow listing or sandboxing...
CEP-MA-03	Email Attachment Test	The CE Plus auditor sends test files including known malicious file types to in scope mailboxes to verify that malicious...
CEP-MA-04	Web Browsing Malware Test	The auditor attempts to download known malicious files from a test URL list via supported browsers to verify web filteri...

Mobile and Remote

1 controls

Controls in the Mobile and Remote domain of Cyber Essentials Plus — 1 controls
Code	Title	Description
CEP-MOB-01	Mobile Device Management and Encryption	Mobile devices used to access corporate data must be managed, encrypted at rest, require a screen lock and be capable of...

Scope

1 controls

Controls in the Scope domain of Cyber Essentials Plus — 1 controls
Code	Title	Description
CEP-SCP-01	Scope Definition and Whole Organisation Boundary	The certification scope must include the whole organisation or a clearly defined sub set with documented network and tru...

Secure Configuration

3 controls

Controls in the Secure Configuration domain of Cyber Essentials Plus — 3 controls
Code	Title	Description
CEP-SC-01	Secure Configuration of Devices	Devices must be configured to remove or disable unnecessary user accounts, software, services and default passwords befo...
CEP-SC-02	Auto-Run and Auto-Play Disabled	Auto run and auto play must be disabled on all devices to prevent execution of code from removable media without explici...
CEP-SC-03	Multi-Factor Authentication for Cloud Services	Multi factor authentication must be enforced on all administrator and standard user accounts accessing cloud services, i...

Security Update Management

4 controls

Controls in the Security Update Management domain of Cyber Essentials Plus — 4 controls
Code	Title	Description
CEP-PM-01	High and Critical Vulnerability Patching	Security updates rated high or critical must be applied within 14 days of release for operating systems and supported ap...
CEP-PM-02	Unsupported Software Removal	Software and operating systems that are no longer supported by the vendor must be removed from in scope devices or isola...
CEP-PM-03	Authenticated Vulnerability Scan of Sample Devices	An authenticated vulnerability scan of a representative sample of end user devices and servers must show no high or crit...
CEP-PM-04	External Vulnerability Scan of Internet Facing Services	An external vulnerability scan from the auditor against all internet facing IP addresses and services must show no explo...

User Access Control

3 controls

Controls in the User Access Control domain of Cyber Essentials Plus — 3 controls
Code	Title	Description
CEP-UA-01	Separation of Administrator Accounts	Administrative accounts must be separate from standard user accounts and must not be used for routine activity such as e...
CEP-UA-02	Account Provisioning and Deprovisioning	User accounts must be created through an approved process and disabled or removed promptly when no longer required, incl...
CEP-UA-03	Password Policy and Brute Force Protection	Authentication must be protected against brute force, including minimum password length, password deny lists or use of M...

Frequently Asked Questions

What is Cyber Essentials Plus?

Cyber Essentials Plus is a compliance framework from United Kingdom with 15 domains and 20 controls. UK government-backed scheme to protect against common cyber attacks It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Cyber Essentials Plus have?

Cyber Essentials Plus has 20 controls organised across 15 domains. The largest domains are Malware Protection (4 controls), Security Update Management (4 controls), Secure Configuration (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Cyber Essentials Plus map to?

Cyber Essentials Plus does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Cyber Essentials Plus compliance?

Start your Cyber Essentials Plus compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Cyber Essentials Plus requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 20 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.

Get Started Free →

Free forever — no credit card required