
Cyber Essentials

Cyber Essentials v3.3 went live on 27 April 2026. Most coverage focused on multi-factor authentication becoming a pass-or-fail control. The parallel changes to the Cyber Essentials Plus assessment process matter just as much for any organisation buying a Cyber Essentials Plus certificate from a supplier, and they are sitting underneath the news cycle. Jonathan Krause walks through what changed and what buyers should now ask their certification body before booking.
By Jonathan Krause | Founder, Forensic Control | 5 May 2026
Coverage of the v3.3 cutover has focused on multi-factor authentication (MFA) becoming an automatic fail and on two new patching questions in the verified self-assessment (VSA). Those changes matter, and they matter to buyers who hold a Cyber Essentials certificate themselves. But for organisations that read a supplier’s certificate as evidence of how that supplier was audited, the more consequential changes sit on the Cyber Essentials Plus side of the scheme, where the technical audit happens.
Cyber Essentials Plus (CE Plus) is the level that includes hands-on technical verification on top of the verified self-assessment. Where base Cyber Essentials relies on the supplier answering a question set, CE Plus adds external and internal vulnerability scanning, sample device testing, and verification of MFA on cloud services. CE Plus is what a public-sector procurement officer asks for when “trust me, we have Cyber Essentials” is not enough. The scheme is run on behalf of the National Cyber Security Centre (NCSC) by the IASME Consortium (Information Assurance for Small and Medium Enterprises), which licenses certification bodies such as Forensic Control to deliver assessments.
In our caseload this year, three out of every four buyer-side queries about supplier certificates assume base Cyber Essentials and CE Plus deliver the same level of scrutiny. They do not, and v3.3 widens the gap further.
The biggest operational change is to how update management is verified. Until v3.3, an applicant who failed the initial sample test for security updates could remediate, and the assessor would retest the same sample of devices. The pattern this produced was clear enough that IASME called it out in its February 2026 update: a small number of organisations were patching only the sampled devices, passing the retest, and leaving the rest of the estate unpatched.
Under v3.3, the retest covers the original sample plus a new random sample of different devices from the same scope. The sampling pool widens on retest instead of being reused.
The second-sample scan in CE Plus under Danzell (the v3.3 question set IASME has been rolling out) is a targeted re-check, not a full re-scan. It is designed to catch the classic post-scan tidy-up: an organisation receives its first vulnerability scan results, patches just enough to pass, and expects the assessor to move on. In practice, what the second sample catches is selective patching, where the organisation has patched the specific hosts or IP ranges it expected the assessor to focus on and left equivalent vulnerabilities elsewhere on the estate.
It is hard to say empirically how many applicants this will now catch out, because until Danzell came in last week we only ever worked from one sample. But we cannot recall a single instance since 2017, when we first became an IASME certification body, of the initial scan finding no vulnerabilities, so I think it is safe to say the change will affect every applicant.
The second change matters more, and most buyers have not yet registered it. A second failure in CE Plus testing now revokes the VSA certificate as well. Under v3.2 a supplier who failed CE Plus kept their base Cyber Essentials certificate and could attempt CE Plus again. Under v3.3 a second CE Plus failure costs them both certificates in one event. A supplier holding base Cyber Essentials with a lapsed CE Plus was in a different position from a supplier holding nothing at all; v3.3 collapses that difference at the point of the second retest failure.
The third change sounds procedural and is not. Under previous versions, suppliers could amend their VSA answers if the CE Plus audit surfaced something the self-assessment had described differently. The Plus assessment effectively functioned as a final read-through of the self-assessment.
Under v3.3, IASME has made the VSA immutable from the point CE Plus testing begins. The VSA must be completed, finalised and locked before the first device is scanned or the first sample tested. If the audit surfaces a discrepancy between what the VSA says and what the assessor finds, the discrepancy is recorded as a finding, not edited away.
For a buyer reading a v3.3 CE Plus certificate, the inference is that the certificate reflects what the supplier said and what was independently verified to be true at the same point in time. For a buyer reading a pre-v3.3 certificate, that inference is weaker because the VSA could move during the audit. This is the kind of change that matters in procurement due diligence even though no buyer-facing communication mentions it.
The VSA is signed off by a board member or director, and under v3.3 the wording of that declaration changes. Where the previous form attested that the controls were in place at the date of submission, the v3.3 declaration commits the organisation to maintaining them throughout the certification period, the 12 months for which the certificate is valid.
The textual shift is small. The legal and contractual posture is not. A director who has signed the v3.3 declaration has personally committed to ongoing compliance, not a point-in-time pass. In supplier contracts that already include a representation about the supplier’s Cyber Essentials status, the v3.3 form gives the buyer cleaner ground to ask for evidence partway through the year, not just at renewal. I would expect this to surface in supplier audits before the end of 2026.
A subtler implication: the certification body has independently tested the controls only on assessment day. Everything afterwards is the supplier’s own representation. Buyers who care about the difference will want a process for periodic check-ins rather than a year of silence between certificate dates.
The v3.3 changes raise their own questions for buyers, which are covered in the FAQ below. The three questions that follow are the ones I would put to any certification body before booking a CE Plus engagement under Danzell, drawn from what buyers calling Forensic Control most often wish they had asked their previous body.
Who will carry out the technical testing? Cyber Essentials Plus is hands-on technical work, and its quality depends entirely on the person doing it. Ask whether it is carried out by an in-house assessor or subcontracted, and what that person’s background is. Penetration testing or network security experience matters: it is the difference between someone who knows what an attacker would look for and someone working through a checklist. You have every right to ask, and a good body will be happy to tell you.
What exactly is in scope, and what happens if that changes? Scope is where CE Plus engagements most often go wrong. Buyers regularly call us after being told by another body that their cloud services or remote-worker laptops were out of scope, only to find that IASME’s definition says otherwise. Before you book, get the scope boundaries in writing, and ask directly: if something additional turns out to be in scope mid-assessment, what happens to the timeline and the price?
How are retests handled and priced? Almost nobody asks this upfront, and almost everybody wishes they had. CE Plus rarely goes through in a single visit. Ask whether retests are included in the price or charged separately, how many cycles are covered, and what the turnaround time is. The headline price varies significantly between certification bodies, and the gap is usually explained by what is, and is not, included in the remediation and retest process.
What is Cyber Essentials, and how does Cyber Essentials Plus differ?
Cyber Essentials is a UK government-backed scheme run by the National Cyber Security Centre (NCSC) and delivered by IASME. Base Cyber Essentials is a verified self-assessment: the organisation answers a question set and a certification body reviews the answers. Cyber Essentials Plus (CE Plus) adds an independent technical audit on top of that, including external and internal vulnerability scanning, sample device testing, and verification of multi-factor authentication on cloud services. CE Plus gives a procurement officer or buyer evidence that the controls have been independently tested, not just declared.
When did v3.3 go live?
Cyber Essentials v3.3 went live for new assessment accounts on 27 April 2026. Any active assessment account created before that date can complete the assessment under the previous v3.2 requirements within a six-month window. From late October 2026 onwards, all assessments will run against v3.3.
What changed for Cyber Essentials Plus in v3.3?
Four changes affect the CE Plus audit specifically. Sampling on retest now covers the original sample plus a new random sample of different devices, designed to catch selective patching. A second failure in CE Plus now revokes the verified self-assessment certificate as well, so the supplier loses both certificates at once. The verified self-assessment is locked once CE Plus testing begins and cannot be amended in response to findings. The director’s declaration now commits to maintaining controls throughout the certification period, not just at the date of submission.
Are certificates issued under v3.2 still valid?
Yes. Certificates already issued under v3.2 are valid for their full 12-month term. Buyers reading a CE Plus certificate dated before 27 April 2026 should know it was assessed against the v3.2 requirements, which reused the original sample on retest and allowed verified self-assessment amendments during the audit. From 27 April 2026 onwards, new assessments run under v3.3, and it is reasonable to ask which version a certificate was awarded under.
What should a buyer ask a supplier about a v3.3 certificate?
Four questions specific to the v3.3 changes. Ask which version of the requirements document the certificate was awarded against (v3.2 or v3.3). Ask which devices were in the original CE Plus sample, since under v3.3 the retest sample is wider and the answer to “what was tested” is more meaningful. Ask whether the supplier’s verified self-assessment was finalised before CE Plus testing began (under v3.3 the answer should always be yes; a no tells you the certificate was not assessed under v3.3). Ask whether the director who signed the v3.3 declaration has a process for confirming the controls have remained in place since signing. Each of these takes minutes to ask.