Achieving Cyber Essentials Plus certification can seem like a daunting task—especially within a tight timeline. In this case study, we’ll walk you through exactly how our organization successfully achieved Cyber Essentials Plus certification in just 30 days. Our journey highlights practical steps, key decisions, and lessons learned that can help other businesses fast-track their own Cyber Essentials journey.
Week 1: Laying the Foundation
Our goal was to achieve Cyber Essentials Plus within one month to meet a contract deadline with a government agency. We already had basic Cyber Essentials certification, but we knew Cyber Essentials Plus would require a more thorough technical assessment.
We began by assembling a cross-functional team including IT, compliance, and operations. From day one, we clearly defined the project scope, identified all in-scope devices, users, and cloud services, and reviewed the five key control areas of Cyber Essentials:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Patch management
We also selected a certification body from IASME’s approved list and scheduled our Cyber Essentials Plus audit for Day 28—giving us a hard deadline to work toward.
Week 2: System Audit and Gap Analysis
Next, we performed a detailed gap analysis. Our internal IT team ran vulnerability scans on all in-scope devices and networks. We found several areas needing immediate attention:
- A few staff laptops had out-of-date antivirus definitions.
- Some user accounts had unnecessary administrative privileges.
- Patches for third-party applications like Java and Adobe Reader were outdated.
We documented all findings and created an action plan. The biggest takeaway from this week was that while our systems seemed secure, Cyber Essentials Plus required strict compliance—no grey areas.
Week 3: Remediation and Hardening
With the gaps identified, we moved quickly to fix them. We applied all missing security patches and automated our patch management system to ensure ongoing compliance. Our IT team reconfigured firewalls, disabled unused services, and removed outdated software from endpoints.
We also enforced multi-factor authentication (MFA) for remote access and reviewed every user account to ensure least-privilege access. Our antivirus software was audited across all devices to verify it was up to date and correctly configured. Additionally, we updated internal cybersecurity policies to reflect these changes—critical documentation that would support our audit.
By the end of the week, we felt confident that all Cyber Essentials controls were in place and functioning correctly.
Week 4: Internal Testing and Final Preparation
Before the official assessment, we conducted a mock audit. Using the same tools assessors use—such as internal and external vulnerability scanners—we tested our systems one final time. These internal tests mirrored the Cyber Essentials Plus audit procedures:
- Simulated malware execution on devices to verify defences
- Checked firewall configurations and port controls
- Confirmed secure configuration settings
- Ran internal vulnerability scans for outdated software or misconfigurations
We documented all our work, including screenshots, policies, patch logs, and access control lists. This audit readiness package ensured we could answer any question the assessor might have.
Day 28: The Official Cyber Essentials Plus Audit
On the scheduled day, our assessor arrived and spent several hours testing a random sample of our devices and reviewing our network setup. Thanks to our preparation, the audit went smoothly. The assessor confirmed our systems met all five Cyber Essentials Plus controls, and no critical or high-risk vulnerabilities were found.
Two days later, we received our official Cyber Essentials Plus certificate—on Day 30.
Lessons Learned
- Preparation is everything. Rushing into the audit without a thorough internal review would have resulted in failure.
- Documentation matters. Keeping clear records of configurations, updates, and access controls made the audit far easier.
- Team effort wins. Involving leadership, IT, and operations ensured full organizational support.
- Cloud services are in scope. Make sure services like Microsoft 365 are configured securely and meet all control requirements.
- Stay updated. Vulnerabilities must be patched within 14 days to pass the test.
In conclusion, our 30-day journey to Cyber Essentials Plus certification proved that with focused effort, teamwork, and a clear plan, it’s entirely possible to meet tight security deadlines. Not only did we meet a key contractual requirement, but we also significantly improved our cybersecurity posture. For any organization aiming to strengthen its defences and demonstrate real-world protection, Cyber Essentials Plus is a clear and achievable benchmark.