Cyber Essentials Plus (CE+) is the audited tier of the Cyber Essentials scheme, a UK Government-backed certification managed by IASME on behalf of the National Cyber Security Centre (NCSC). For NHS suppliers, it's increasingly the expected standard, but it isn't universally mandatory. Whether CE+ is required will depend on what you supply, who you supply it to, and which procurement frameworks you operate within. This article explains what the certification process looks like in practice, including how we work with digital health organisations through each stage.
Cyber Essentials is a self-assessment. You answer a questionnaire, a certification body reviews your answers, and you receive a certificate based on what you've declared about your systems.
CE+ takes that further. An auditor technically verifies that the controls you've described are actually in place and working. For NHS buyers, particularly ICBs procuring tools with patient data access or AI components, that verification is increasingly what they're looking for.
CE demonstrates intent. CE+ demonstrates evidence. While CE+ is not a blanket requirement across all NHS procurement, the direction of travel is clear: NHS Supply Chain's PPN 014, the NHS Cyber Security Charter, and individual ICB requirements are all moving towards audited, evidence-based assurance rather than self-declaration.
The first step is completing our short scoping form. This gives us the information we need to understand your organisation's size, the infrastructure, and what you're looking to achieve, so we can provide a tailored proposal.
From there, the path depends on the level of certification you need. For Cyber Essentials, we onboard you directly onto the IASME portal and support you through the self-assessment process. For CE+, one of our Cyber Essentials assessors will work with you to define your scope before the audit begins.
Scoping is one of the most important parts of the process. It determines what systems, devices, and users your certification will cover. For most digital health SMEs, the cleanest approach is a whole-organisation scope covering all devices and users involved in delivering your services. A narrowly defined scope is possible, but it must be technically isolated from the rest of your infrastructure to be accepted.
Not sure where to start? Book a call with our team, and we'll help you define the right scope for your organisation.
The onboarding stage is where preparation happens. You're connected to our assessment team via our service desk, and we work through the five technical control areas with you before the formal assessment begins.
The five controls are firewalls, secure configuration, user access control, malware protection, and patch management. Common gaps we identify at this stage include out-of-date software, admin accounts being used for day-to-day tasks, and firewall rules that haven't been reviewed since initial setup.
For CE+, our team also supports you through the technical elements of the audit, including the vulnerability scans, so you're not navigating that process alone. The onboarding stage exists specifically to surface issues before the assessment, not during it. Identifying a gap here means you can fix it on your own timeline, rather than having it affect your result.
This is the self-assessment and audit stage. You work through the questionnaire with support from our team available throughout via the service desk. For CE+, the technical audit follows an auditor who will run an external vulnerability scan of your internet-facing systems, test a sample of internal user devices for patch status and configuration, attempt to deliver dummy malware files to check your protection is active, and verify that your configuration settings match what you declared.
The audit is conducted on a sample basis, not every device, so it doesn't require organisation-wide downtime.
The most common reasons for failure are missing patches (critical updates not applied within the required 14-day window) and over-privileged accounts (staff with admin rights they don't need for their day-to-day role). Both are straightforward to fix with the right preparation in place.
Once the assessment is complete, our team provides a full review of the answers and audit findings. Where controls aren't fully compliant, we work through bespoke remediation with you. The goal is to get to certification, not just flag what's missing.
If issues are identified that require a retest, this is conducted on the specific areas that failed rather than the full audit. Once all requirements are met, certification is awarded. The certificate is valid for 12 months and must be renewed annually.
A valid CE+ certificate supports and strengthens your NHS DSPT submission, particularly across the technical security sections, though it does not replace the DSPT as a standalone requirement. It also supports DTAC compliance, where the audited security standard gives NHS buyers the assurance they need to progress digital technology through the assessment process.
For organisations with AI or machine learning in their products, CE+ is now frequently specified as a requirement by ICBs, not as an optional enhancement, but as a condition of procurement. Getting certified ahead of that requirement, rather than in response to it, puts your organisation in a stronger position when NHS contracts come up for renewal or tender.
Ready to get started? Book a call with our team or find out more about Cyber Essentials at Periculo.