As an established IT support company working within the IT sector, we consider it vital not only to secure and protect our clients’ data but also to provide them with expert guidance on best practices and security protocols.
For several years, QLine IT has successfully renewed its Cyber Essentials accreditation to ensure we remain up to date with the latest requirements and recommended procedures. However, as many of our clients increasingly require enhanced protection against cyber-attacks and greater assistance with GDPR compliance, we decided to progress to the higher-level certification of Cyber Essentials Plus (CE+).
Cyber Essentials vs Cyber Essentials Plus
The key differences between Cyber Essentials and Cyber Essentials Plus are the cost, the level of auditing, and the depth of verification.
For small businesses with up to nine staff, the cost of Cyber Essentials is around £300 + VAT, and certification can be purchased through a range of IASME-approved certification bodies.
Cyber Essentials is managed by IASME Consortium, a government-backed accreditation body responsible for overseeing the scheme. IASME works alongside the National Cyber Security Centre (NCSC) to help organisations protect themselves against common online threats.
Cyber Essentials (CE) is a self-assessment process. The organisation must answer approximately 100 detailed questions covering:
- IT infrastructure
- Network security
- Staff access and permissions
- Data handling and storage
- Patch management and software updates
These answers are submitted via an online portal to an IASME-approved assessor, who reviews the responses against the Cyber Essentials technical requirements. If clarification or additional evidence is needed, the assessor will request it, giving the applicant the opportunity to correct or expand their submission before a final decision is made.
Cyber Essentials Plus (CE+) involves all of the above, but with independent verification through a rigorous technical audit. This includes:
- External and internal vulnerability scans
- Checks on antivirus, firewalls, and system configurations
- Simulated phishing tests
- Device security reviews
- Patch management validation
- Verification of user account controls
Costs start around £2,500.00.
Our Journey to Cyber Essentials Plus
1. Preparation
Before booking the CE+ assessment, we carried out our own preparation to identify any areas where our systems or processes might fall short of the CE+ technical requirements. This included:
- Reviewing and updating endpoint protection across all company devices
- Ensuring all operating systems and applications were fully patched
- Validating that Multi-Factor Authentication (MFA) was enforced on all external-facing accounts
- Auditing user permissions to ensure the principle of least privilege was applied
- Conducting internal phishing awareness training for staff
We also ran our own vulnerability scans to detect and resolve any security weaknesses before the formal audit.
2. Booking and Pre-Audit Checks
We selected an IASME-approved certification body with experience in supporting IT service providers. Prior to the audit, we provided them with:
- Network diagrams
- Asset registers
- Details of our patch management and update policies
- Our incident response procedure
- Proof of endpoint encryption on all portable devices
They reviewed this documentation and gave us a short pre-audit checklist to ensure we were fully prepared for testing day.
3. The Audit Day
On the day of the CE+ audit, an independent assessor visited our offices to perform hands-on checks. The process included:
- Device inspection – verifying antivirus, encryption, secure configurations, and account permissions
- Simulated attack scenarios – testing how our systems detect and respond to common cyber threats
- Phishing simulation – sending controlled phishing emails to evaluate staff awareness
- Patch management verification – confirming all critical security updates were installed within the required timeframes
- Vulnerability scanning – both externally and internally, to identify any exploitable weaknesses
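The preparation list above and the audit-day device inspection both come down to the same handful of per-device controls (antivirus, firewall, encryption, local admin membership, patch recency). The following readiness check is an added example, not QLine IT's own tooling or anything the assessor runs; it assumes Windows 10/11 endpoints with the built-in Defender and BitLocker PowerShell modules, an elevated session, and a constructed list of approved admin accounts that you would replace with your own.

```powershell
# Pre-audit readiness check for one Windows endpoint (added example, not the
# assessor's test). Run elevated; review the findings before booking the audit.
$MaxPatchAgeDays = 14   # Cyber Essentials expects critical/high-risk updates applied within 14 days
$approvedAdmins  = @('Administrator', 'it-breakglass')   # constructed; replace with your approved accounts
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Antivirus: Defender on, real-time protection on, signatures no older than a day
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings.Add('Antivirus is disabled') }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
if ($mp.AntivirusSignatureAge -gt 1)    { $findings.Add("AV signatures are $($mp.AntivirusSignatureAge) days old") }

# 2. Firewall: every profile (Domain, Private, Public) must be enabled
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("Firewall profile '$($_.Name)' is disabled")
}

# 3. Encryption: every BitLocker-capable volume should have protection switched on
Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' } | ForEach-Object {
    $findings.Add("BitLocker protection is $($_.ProtectionStatus) on $($_.MountPoint)")
}

# 4. Least privilege: local Administrators should contain only the approved accounts
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
    $short = $_.Name.Split('\')[-1]
    if ($approvedAdmins -notcontains $short) { $findings.Add("Unexpected local admin: $($_.Name)") }
}

# 5. Patching (rough indicator only): the most recent installed update should be recent.
#    Get-HotFix reports install dates, not release dates, so treat this as a prompt to
#    check Windows Update / your patch tool, not as proof of compliance.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings.Add("No update installed in the last $MaxPatchAgeDays days (latest: $($latest.HotFixID) on $($latest.InstalledOn))")
}

# Summary: anything listed here is something the assessor would be likely to find
if ($findings.Count -eq 0) {
    Write-Host "READY: no findings on $env:COMPUTERNAME" -ForegroundColor Green
} else {
    Write-Host "NOT READY: $($findings.Count) finding(s) on $env:COMPUTERNAME" -ForegroundColor Red
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Running this across the asset register (for example via Invoke-Command) gives a per-device picture that can be cross-checked against the patch policy and encryption evidence supplied to the certification body.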
The Outcome and Benefits for Our Clients
We passed the CE+ assessment without any remediation period required, a testament to the ongoing security practices we maintain year-round.
For our clients, this means:
- Independent validation that our own IT systems meet the highest recognised UK cybersecurity standard
- Increased assurance that any IT solutions we provide are built on secure, GDPR-compliant foundations
- A partner that not only advises on security best practices but also actively implements and proves them in-house
By achieving Cyber Essentials Plus, QLine IT demonstrates the same commitment to security that we recommend to our clients, proving that cybersecurity is not just something we talk about, but something we live by.
If you’re considering Cyber Essentials or Cyber Essentials Plus for your business and would like to know what’s involved, speak to our team; we’ve been through the process many times and can guide you every step of the way.