Strategy · 2 April 2026 · 7 min read

Cyber Essentials Plus is no longer optional for sub-contractors

Tier-one contractors are quietly making Cyber Essentials Plus a contractual prerequisite. If you're not ready, you'll find out at the worst possible moment.

Five years ago Cyber Essentials was a nice-to-have for construction sub-contractors. Three years ago it became standard on government and large public-sector contracts. Now it's written into pre-qualification questionnaires across most of the tier-one market, and Cyber Essentials Plus is increasingly the bar for any contract above a certain value.

The tier-ones have decided their supply chain is their attack surface. That's a fair conclusion. The 2020s have produced enough attacks via small suppliers that the larger firms now treat supplier security as part of their own.

What Cyber Essentials actually requires

Cyber Essentials covers five technical control areas: firewalls, secure configuration, user access control, malware protection, and security update management. It's deliberately practical and avoids exotic requirements. Most modern Microsoft 365 setups can meet it with a few weeks of focused work.

Cyber Essentials Plus adds a hands-on technical audit by an external assessor. They scan your endpoints, test your patching, verify your MFA, and check that what you said in the self-assessment is actually true. It's harder, but it's also the version tier-ones increasingly want to see.

What gets people stuck

Unmanaged personal devices. The site engineer's laptop they bought themselves. The director's iPad that's been used for board papers without enrolment. Cyber Essentials Plus will catch these, and the conversation isn't fun.

Unsupported operating systems. The odd Windows 10 machine that wasn't upgraded, the Mac running an old macOS, the Android device still on a major version that stopped getting updates two years ago. All of these will trigger findings.

Local admin rights. Standard users running with administrator privileges, often because someone configured it three years ago and nobody changed it. Removing local admin is achievable but takes a couple of weeks of pain.

Patching cadence. Cyber Essentials requires high and critical patches to be applied within fourteen days. A manual patching process tends to fail this. Intune, Windows Update for Business or a managed service usually passes it.
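A small triage script, added here as an example and not part of the original article, that runs these four checks (unmanaged device, unsupported OS, local admin, high/critical update outside the fourteen-day window) over a constructed device inventory. The inventory rows, the report date and the support-end table are assumptions for the worked run, not data from any real tenant or MDM export.

```python
"""Cyber Essentials readiness triage over a constructed endpoint inventory:
unmanaged devices, OS past support end, local admin, and overdue patches."""
from datetime import date

PATCH_SLA_DAYS = 14             # CE window for high/critical updates
REPORT_DATE = date(2026, 4, 2)  # "today" for the worked run

# Assumed support-end dates; swap in the vendor's published lifecycle table.
SUPPORT_END = {
    ("Windows", "10"): date(2025, 10, 14),
    ("Windows", "11"): None,              # still in support
    ("Android", "11"): date(2024, 2, 1),  # constructed date for the example
}

# Constructed inventory (assumption) in the shape of an MDM export.
INVENTORY = [
    {"device": "SITE-LAPTOP-01", "os": ("Windows", "10"), "managed": True,
     "local_admin": False, "pending": [("Critical", date(2026, 3, 5))]},
    {"device": "DIRECTOR-IPAD", "os": ("iPadOS", "17"), "managed": False,
     "local_admin": False, "pending": []},
    {"device": "OFFICE-PC-07", "os": ("Windows", "11"), "managed": True,
     "local_admin": True,
     "pending": [("High", date(2026, 3, 25)), ("Moderate", date(2026, 2, 1))]},
    {"device": "SURVEY-PHONE-02", "os": ("Android", "11"), "managed": True,
     "local_admin": False, "pending": []},
]


def triage(rows, today):
    """Return (device, finding, detail) tuples an assessor would raise."""
    out = []
    for r in rows:
        dev = r["device"]
        if not r["managed"]:
            out.append((dev, "unmanaged-device", "not enrolled in MDM"))
        end = SUPPORT_END.get(r["os"])
        if end is not None and end <= today:
            out.append((dev, "unsupported-os", f"support ended {end.isoformat()}"))
        if r["local_admin"]:
            out.append((dev, "local-admin", "standard user holds admin rights"))
        for severity, released in r["pending"]:
            age = (today - released).days
            if severity in ("High", "Critical") and age > PATCH_SLA_DAYS:
                out.append((dev, "patch-overdue", f"{severity} pending {age} days"))
    return out


def run_triage():
    """Worked run against the constructed inventory as of REPORT_DATE."""
    return triage(INVENTORY, REPORT_DATE)
```

Against the constructed rows, `run_triage()` returns five findings: the Windows 10 laptop is both unsupported and 28 days overdue on a critical update, the iPad is unenrolled, the office PC has local admin, and the Android phone is past support; the office PC's 8-day-old high update is inside the window and is not flagged.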

Why you don't want to do this in a panic

The worst time to start a Cyber Essentials Plus programme is the week you find out a tier-one bid requires it within thirty days. The remediation work usually takes longer than that, the assessment itself needs scheduling, and the auditors are busy.

Construction firms that lose bids over this tend to be the ones who treated it as a tick-box too late. The ones who treat it as a calendar item, with annual renewals scheduled and gap remediation done quietly through the year, never have the conversation.

Treating it as business development

It helps to reframe Cyber Essentials Plus as a sales enabler rather than a compliance cost. The contracts you become eligible for as a CE+ certified sub-contractor are worth materially more than the cost of getting and keeping the certification.

A typical CE+ assessment costs a few thousand pounds. The remediation work, if you start from a reasonable baseline, is a few thousand more in consultancy time. A single tier-one contract win pays for many years of certification.

The 90-day approach that works

Days one to thirty: gap assessment. A construction-aware IT partner runs through the CE+ control set against your current Microsoft 365 and endpoint estate. The output is a remediation plan ranked by effort and impact.

Days thirty to seventy-five: remediation. MFA enforced, local admin removed, patching tightened, unsupported devices retired or fenced off, conditional access policies tidied up. Most of this work is invisible to users if it's done well.

Days seventy-five to ninety: pre-assessment and audit. A friendly internal scan first to catch anything the partner missed, then the formal CE+ audit. Allow time for one round of follow-ups; it's normal to have a couple of small findings on the first pass.

What good looks like a year in

A construction firm that's run CE+ for a couple of cycles tends to look quietly different. Patching is automated and reported. The joiner-leaver process is tidy. Devices are all managed. The PQQ responses are written once and reused, with the certificate attached.

When the next tier-one asks the question, the answer is in a folder. That's what 'ready' actually means, and it pays for itself the first time it matters.

Renewal, not certification

Once you have Cyber Essentials Plus, the work shifts from getting it to keeping it. Each annual renewal asks the same questions, and the firms that struggle are usually the ones who let things drift between assessments.

Treat it as a calendar item. Monthly patching reports, quarterly account reviews, an annual policy refresh, and a friendly pre-assessment scan a month before the formal audit. The cost stays modest. The certificate stays current. The next tier-one PQQ is straightforward.

One more practical point. CE+ is increasingly being asked for at the supply chain level too, not just the tier-one level. Sub-contractors are being asked to confirm their own sub-contractors hold it. The cascade is real and likely to continue.

Getting ahead of it is a competitive advantage. Being the sub-contractor whose paperwork is already in order, while your peers are scrambling, is worth real money on framework appointments.
