Cyber Essentials Plus is no longer a nice-to-have. UK Crown Commercial Service has tightened framework requirements, NHS trusts are asking for it from suppliers, and Ministry of Defence contracts at almost every tier now stipulate it. For a UK MSP's SME clients, CE+ has quietly become the price of entry.
The good news: for a mid-sized SME running Microsoft 365 with modest hygiene, CE+ is achievable in weeks, not months. The bad news: auditors in 2026 are testing things they weren't testing in 2023, and the old "we've got MFA, we're fine" response will not pass.
This is the checklist — organised by CE+ control category, mapped to specific M365 settings, with notes on what the 2026 auditor will actually check.
Control 1: Firewalls
In a cloud-first organisation, "firewalls" means network boundary enforcement — which increasingly means Conditional Access policies rather than physical appliances.
- 1.1 — Conditional Access policy blocking legacy authentication (Conditional Access client app types "Exchange ActiveSync clients" and "Other clients", i.e. basic auth). Auditors test by attempting an IMAP/POP connection with valid credentials.
- 1.2 — Defender for Cloud Apps (or equivalent) visibility on sanctioned vs unsanctioned cloud services. CE+ doesn't require a full CASB, but does require awareness.
- 1.3 — For hybrid environments: documented firewall ruleset with a justified exception list, reviewed within the last 12 months.
- 1.4 — Guest-access policies on Teams and SharePoint: external sharing limited or documented exceptions.
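One way to verify check 1.1 from exported policies rather than by eye, as an added example that is not SocSage's code: it reads Conditional Access policies in the Microsoft Graph conditionalAccessPolicy shape (what `Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json` emits) and only accepts a policy that is enforced, scoped to all users and all apps, has no exclusions, targets both legacy client app types and blocks. The two sample policies are constructed.

```python
# Added example (not SocSage code): CE+ check 1.1, legacy authentication
# blocked tenant-wide, evaluated over Graph conditionalAccessPolicy JSON.
import json

LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}  # EAS and basic-auth clients

# Constructed sample: one policy is report-only, the other excludes a group.
SAMPLE_POLICIES = json.loads("""
[
 {"displayName": "Block legacy auth (report-only)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "Block legacy auth (with exclusions)",
  "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": ["break-glass"]},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]
""")

def blocks_legacy_auth(policy):
    """Return (ok, reason): does this one policy block all legacy-auth sign-ins?"""
    if policy.get("state") != "enabled":
        return False, "not enforced (state=%s)" % policy.get("state")
    cond = policy.get("conditions", {})
    if not LEGACY_CLIENT_APPS.issubset(cond.get("clientAppTypes", [])):
        return False, "does not target both exchangeActiveSync and other"
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        return False, "not scoped to all cloud apps"
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        return False, "not scoped to all users"
    if users.get("excludeUsers") or users.get("excludeGroups"):
        return False, "has exclusions (each needs a documented justification)"
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        return False, "grant control is not block"
    return True, "ok"

def check_1_1(policies):
    """Tenant passes if at least one policy blocks legacy auth outright."""
    findings = [(p["displayName"],) + blocks_legacy_auth(p) for p in policies]
    return any(ok for _, ok, _ in findings), findings
```

An auditor's IMAP/POP test (1.1) exercises exactly the "other" client app type, so a report-only or group-excluded policy shows up here before it shows up in the audit.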
Control 2: Secure configuration
The largest control category, and where most M365 tenants fail. "Secure configuration" means services hardened from defaults and unused services disabled.
- 2.1 — Legacy authentication protocols disabled (SMTP AUTH for users, IMAP, POP, basic auth for Exchange, ActiveSync where not required).
- 2.2 — Unified audit log enabled and retention set to minimum 12 months (historically 90 days — CE+ 2026 effectively requires 12).
- 2.3 — Security defaults enabled OR equivalent Conditional Access in place. Tenants with neither fail automatically.
- 2.4 — External forwarding blocked at transport rule level (common BEC exfiltration vector).
- 2.5 — Anti-phishing policy with impersonation protection for the 20 most-impersonated internal mailboxes (CEO, CFO, HR, Finance, etc.).
- 2.6 — Safe Attachments and Safe Links enabled, with dynamic delivery configured.
- 2.7 — Exchange Online mail-flow rules reviewed: no forwarding to external addresses, no redirection to non-corporate domains.
- 2.8 — SharePoint and OneDrive external sharing restricted to "existing guests" or stricter, unless business-justified exceptions are documented.
- 2.9 — DLP policies active for financial data, PII, and card data at minimum.
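Checks 2.4 and 2.7 have four places where external forwarding can hide, and a tenant can pass the transport-rule review while a mailbox-level forward or a permissive outbound spam policy still leaks. This added example (not SocSage's code) walks all four over Exchange Online cmdlet output exported with `ConvertTo-Json`; the property names are those of Get-AcceptedDomain, Get-HostedOutboundSpamFilterPolicy, Get-RemoteDomain, Get-TransportRule and Get-Mailbox, and the tenant data is constructed.

```python
# Added example (not SocSage code): CE+ checks 2.4 / 2.7, external mail
# forwarding, over exported Exchange Online objects. Constructed sample tenant.
TENANT = {
    "AcceptedDomain": [{"DomainName": "contoso.co.uk"}],
    # "Automatic" defers to Microsoft's current default; evidence for 2.4 wants an explicit "Off".
    "HostedOutboundSpamFilterPolicy": [{"Name": "Default", "AutoForwardingMode": "Automatic"}],
    "RemoteDomain": [{"DomainName": "*", "AutoForwardEnabled": False}],
    "TransportRule": [
        {"Name": "Archive invoices", "State": "Enabled",
         "BlindCopyTo": ["finance@contoso.co.uk"], "RedirectMessageTo": []},
        {"Name": "Legacy relay", "State": "Enabled",
         "BlindCopyTo": [], "RedirectMessageTo": ["mailbox@outlook.com"]},
    ],
    "Mailbox": [
        {"UserPrincipalName": "cfo@contoso.co.uk", "ForwardingSmtpAddress": "smtp:cfo.home@gmail.com"},
        {"UserPrincipalName": "hr@contoso.co.uk", "ForwardingSmtpAddress": None},
    ],
}

def is_external(address, accepted_domains):
    """True if the address domain is not one of the tenant's accepted domains."""
    addr = address.lower().removeprefix("smtp:")
    return addr.rsplit("@", 1)[-1] not in accepted_domains

def forwarding_findings(tenant):
    """Return one finding string per forwarding path that would fail 2.4 / 2.7."""
    accepted = {d["DomainName"].lower() for d in tenant["AcceptedDomain"]}
    findings = []
    for pol in tenant["HostedOutboundSpamFilterPolicy"]:
        if pol["AutoForwardingMode"] != "Off":
            findings.append(f"outbound spam policy '{pol['Name']}': AutoForwardingMode={pol['AutoForwardingMode']}")
    for rd in tenant["RemoteDomain"]:
        if rd["AutoForwardEnabled"]:
            findings.append(f"remote domain '{rd['DomainName']}': AutoForwardEnabled")
    for rule in tenant["TransportRule"]:
        if rule["State"] != "Enabled":
            continue  # disabled rules are not a live exfiltration path
        for field in ("RedirectMessageTo", "BlindCopyTo", "AddToRecipients", "CopyTo"):
            for rcpt in rule.get(field) or []:
                if is_external(rcpt, accepted):
                    findings.append(f"transport rule '{rule['Name']}': {field} -> {rcpt}")
    for mbx in tenant["Mailbox"]:
        fwd = mbx.get("ForwardingSmtpAddress")
        if fwd and is_external(fwd, accepted):
            findings.append(f"mailbox {mbx['UserPrincipalName']}: ForwardingSmtpAddress -> {fwd}")
    return findings
```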
Control 3: User access control
Identity is the new perimeter, and this control category is where CE+ auditors spend the most time in 2026.
- 3.1 — MFA enforced on 100% of user accounts. Auditors will sample 10 accounts and attempt sign-in; any account with MFA bypass fails the control.
- 3.2 — MFA enforced on 100% of administrative accounts with phishing-resistant methods (authenticator app with number match, FIDO2, or certificate-based). SMS and voice no longer pass as primary MFA for admins.
- 3.3 — Administrative accounts separated from day-to-day user accounts. Cloud admin should not be able to read email as the admin identity.
- 3.4 — Privileged roles reviewed within the last 90 days, with evidence (PIM activity reports, role-assignment history).
- 3.5 — Guest accounts reviewed within the last 90 days, with stale guests removed.
- 3.6 — Password policy: minimum 12 characters, banned password list in use, no periodic expiry for passwords (aligned with NCSC 2024+ guidance).
- 3.7 — Conditional Access policy requiring compliant devices for sensitive roles (Finance, HR, Legal).
- 3.8 — Leaver process documented and evidenced: an account disabled within the last 30 days, with audit log proving same-day action.
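Checks 3.1 and 3.2 can be pre-run from the Microsoft Graph authentication-methods registration report (`GET /reports/authenticationMethods/userRegistrationDetails`), which lists each user's registered methods and whether they hold an admin role. This added example (not SocSage's code) flags users with no MFA and admins whose only methods are telephony; the method names follow that Graph resource except `x509Certificate`, which is assumed, and the report rows are constructed.

```python
# Added example (not SocSage code): CE+ checks 3.1 / 3.2 over Graph
# userRegistrationDetails rows. Sample users are constructed.
import random

# Methods the checklist accepts as phishing-resistant for admins: FIDO2/passkeys,
# Windows Hello for Business, certificate-based (name assumed) and the Authenticator
# app (assumes number matching is enforced, which Microsoft made mandatory in 2023).
PHISHING_RESISTANT = {"fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness",
                      "x509Certificate", "microsoftAuthenticatorPush",
                      "microsoftAuthenticatorPasswordless"}
TELEPHONY = {"mobilePhone", "alternateMobilePhone", "officePhone"}  # SMS/voice: fails 3.2 for admins

REPORT = [  # constructed
    {"userPrincipalName": "alice@contoso.co.uk", "isAdmin": True, "isMfaRegistered": True,
     "methodsRegistered": ["fido2SecurityKey", "mobilePhone"]},
    {"userPrincipalName": "bob@contoso.co.uk", "isAdmin": True, "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "carol@contoso.co.uk", "isAdmin": False, "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "dave@contoso.co.uk", "isAdmin": False, "isMfaRegistered": False,
     "methodsRegistered": []},
]

def mfa_findings(report):
    """Return {UPN: reason} for every account that fails 3.1 or 3.2."""
    fails = {}
    for u in report:
        methods = set(u.get("methodsRegistered", []))
        if not u.get("isMfaRegistered"):
            fails[u["userPrincipalName"]] = "3.1: no MFA method registered"
        elif u.get("isAdmin") and not methods & PHISHING_RESISTANT:
            # alice keeps a phone as backup but holds a FIDO2 key, so she passes
            fails[u["userPrincipalName"]] = "3.2: admin relies on " + ", ".join(sorted(methods))
    return fails

def audit_sample(report, n=10, seed=None):
    """Mimic the auditor's sampling of n accounts; return what they would see."""
    rng = random.Random(seed)
    sample = rng.sample(report, min(n, len(report)))
    return {"sampled": len(sample), "failed": sorted(mfa_findings(sample))}
```

Running `mfa_findings` over the whole report rather than a sample is the point: the auditor only needs one failing account in ten to fail the control.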
Control 4: Malware protection
- 4.1 — Microsoft Defender (or equivalent EDR) deployed on 100% of endpoints. The auditor will sample 5 devices and verify agent status.
- 4.2 — Defender for Office 365 enabled with the Standard preset policy minimum.
- 4.3 — Safe Attachments and Safe Links policies applied to 100% of mailboxes.
- 4.4 — Quarantine review process documented, with evidence that quarantined items are reviewed within 72 hours.
- 4.5 — Mobile device management: corporate mailbox access restricted to enrolled (Intune) devices for 2026 CE+.
Control 5: Security update management
- 5.1 — All devices receiving updates within 14 days of release for high-severity vulnerabilities (historically 30 days).
- 5.2 — Windows Update for Business policies or equivalent configured via Intune.
- 5.3 — Third-party application patching documented (Chrome, Zoom, Teams, Office apps).
- 5.4 — Out-of-support software inventoried and either replaced or risk-accepted with compensating controls.
How SocSage maps to CE+ controls
SocSage's compliance engine runs 330+ Microsoft 365 and Google Workspace checks continuously against the connected tenant. Of those, 207 map directly to Cyber Essentials Plus technical controls. The remaining 123 are adjacent hygiene checks that improve posture without being explicitly required.
- Pre-audit gap analysis: we run the full check suite against the tenant and produce a CE+ gap report in minutes, not weeks.
- Evidence capture: every check produces a machine-readable evidence artefact (timestamped, source-attributed) that becomes auditor-ready documentation.
- Continuous monitoring: CE+ is a point-in-time certification, but the controls need to hold for 12 months. SocSage alerts if a control drifts out of compliance at any point in the certification window.
- Delta tracking: the 2026 controls differ from 2025 in specific ways (14-day patching, phishing-resistant admin MFA, 12-month audit retention). SocSage flags these deltas so you know exactly what changed.
See SocSage investigate your first alert — in 3 minutes.
Run 330+ compliance checks on your Microsoft 365 or Google Workspace tenant. No credit card, no agents. See a real AI-triaged alert before lunch.