Author: Ann Barron, Lead Cyber Essentials Assessor and Cyber Essentials Plus Assessor
Avoid the common pitfalls that can derail your Cyber Essentials Plus journey
You’ve passed Cyber Essentials. Congratulations!
Now there’s just one more hurdle before Cyber Essentials Plus can begin: Verification Testing.
Introduced by IASME just over a year ago, Verification Testing is designed to confirm that the devices and operating systems declared in your Cyber Essentials submission genuinely reflect your estate. For subset scopes, it also verifies that network segmentation is configured and working as intended.
When everything lines up, the process is straightforward.
When it doesn’t… well, that’s when the snakes appear.
So, here are a few of the biggest snakes to avoid and the ladders that will help you reach Cyber Essentials Plus.
Snake 1: Changing your scope after Cyber Essentials
One of the most common reasons organisations fail Verification Testing isn’t because they’ve become less secure – it’s because they’ve continued making significant changes to their IT estate after achieving Cyber Essentials.
Cyber Essentials Plus is an audit of your original Cyber Essentials submission, so the scope needs to remain the same throughout the process. If you’re planning major changes, it’s worth either completing them before submitting your VSA or waiting until the CE+ assessment has finished. A little planning can save a lot of unnecessary headaches.
If substantial changes are made during the process, Verification Testing may fail. In some cases, IASME may even revoke the original Cyber Essentials certificate, meaning the whole journey has to begin again.
In the game of Snakes and Ladders, landing on a snake sends you all the way back down the board. In Cyber Essentials Plus, poor timing can have exactly the same effect.
A little patience can be the difference between reaching the finish line… or finding yourself back at square one.
Ladder 1: Let your asset management system do the talking
Don’t estimate.
Don’t rely on memory.
And definitely don’t rely on spreadsheets that someone updated three weeks ago.
Instead, complete Section 2 of the Cyber Essentials questionnaire using information taken directly from your asset management platform – whether that’s Microsoft Intune, Entra ID, Jamf or another management solution. About asset management – Cyber Essentials Knowledge Hub – Cyber Essentials Knowledge Hub
When the Verification Test begins, these same system exports become the evidence that supports your Cyber Essentials submission.
If the two match, you’re already climbing the ladder.
Snake 2: Recording tomorrow’s estate instead of today’s
This is an easy mistake to make.
Imagine your organisation currently has:
- 200 devices running macOS Sequoia
- 300 devices running macOS Tahoe
You know a mass upgrade is underway, so you decide to save time and simply record all 500 devices as running Tahoe.
Unfortunately, by the time Verification Testing takes place, only half the upgrades have actually completed.
The export now shows:
- 100 Sequoia
- 400 Tahoe
Because Sequoia wasn’t declared at all, your Cyber Essentials submission no longer matches reality – and Verification Testing becomes much more difficult.
Cyber Essentials is a snapshot in time. Record what exists today, not what you hope will exist next week.
Ladder 2: Natural upgrades are perfectly normal
Fortunately, IASME understands that operating systems evolve.
If your original submission correctly recorded both Sequoia and Tahoe, and later some Sequoia devices have naturally upgraded to Tahoe, that’s usually no problem at all.
The operating systems are still the same ones you declared. Only the numbers have changed.
That’s exactly the sort of movement Verification Testing expects to see.
Snake 3: Creating your own evidence
It’s tempting to tidy everything into a nice spreadsheet.
Unfortunately, that’s exactly what Verification Testing isn’t looking for.
Assessors need system-generated exports from your management platforms. A manually created spreadsheet can’t demonstrate that the information genuinely reflects the live estate.
Without those exports, Verification Testing can become tricky and Cyber Essentials Plus might not be able to proceed.
Snake 4: Mixing up iOS and iPadOS
This one catches people out surprisingly often.
Although many organisations think of Apple mobile devices as one group, IASME treats iOS and iPadOS as two separate operating systems.
For example, you may declare:
150 devices running iOS 26
During Verification Testing the export actually reveals:
- 100 iPhones running iOS 26
- 50 iPads running iPadOS 26
Depending on the circumstances, this may need to be referred to IASME for a decision.
It’s a small detail – but one that can create unnecessary delays.
Ladder 3: Appoint a project owner
The smoothest Cyber Essentials Plus assessments almost always have one thing in common.
Someone owns the process.
Whether that’s one person or a small team, they understand:
- the asset management systems;
- the organisation’s device estate;
- network segmentation (where applicable); and
- the Cyber Essentials process itself.
They’re also the people most likely to attend training courses and Drop-In Clinics, ask questions early, and spot potential issues before they become problems.
That preparation pays dividends.
One Final Ladder…
Perhaps the biggest piece of advice is also the simplest.
Give yourself enough time.
Verification Testing isn’t simply about uploading a few screenshots.
For subset scopes in particular, evidence may include system exports, VLAN information, firewall rules, ACLs, traceroutes and other technical information demonstrating that segmentation is working correctly.
Trying to gather all of this at the last minute rarely ends well.
A little preparation before Verification Testing begins can save hours of work – and might just stop you landing on one of those snakes.
After all, everyone would rather reach the finish than start the game all over again.