For many UK SMBs bidding into the public sector, Cyber Essentials Plus (CE+) is treated as a frustrating compliance hurdle. You pay the certification body, an assessor scans your network, you fix the patch management issues they flag, and you get the certificate. Then, when the tender drops, you paste the certificate number into the Selection Questionnaire (SQ) and move on.
But treating CE+ purely as a pass/fail gateway leaves marks on the table. When public sector buyers evaluate the quality section of an IT services or data-heavy contract, they do not just want to know that you passed an audit six months ago. They want to see how the controls that earned you that certificate are embedded in your daily operations, how they protect the specific data in this contract, and how you manage the risks that CE+ does not cover.
This guide explains how to turn your CE+ certification from a basic compliance checkbox into a scoring asset. We will break down what evaluators are actually looking for when they score cyber security questions, how to map the five technical controls to your narrative, and the evidence you need to provide to score maximum marks.
What this guide covers
- The baseline requirements: When CE+ is mandatory under PPN 014 and DEFCON 658.
- The evaluator's perspective: Why a certificate number is not enough to score top marks.
- Mapping the five controls: How to write compelling narratives for firewalls, secure configuration, user access control, malware protection, and patch management.
- Beyond the certificate: Addressing incident response, supply chain risk, and governance.
- Worked example: A model response demonstrating strong evidence.
- Common mistakes: Where bidders lose marks in cyber security responses.
- Frequently asked questions: Common queries around CE+ in public procurement.
The baseline: when CE+ is mandatory
The UK government has required suppliers bidding for certain contracts to hold Cyber Essentials since 2014. Procurement Policy Note (PPN) 014, published in February 2025 to replace the original 2014 note, sets out the current mandate. Where a contract involves handling personal information, or providing ICT systems or services that store or process data at the OFFICIAL level, Cyber Essentials is the minimum expected standard.
However, for many IT services, cloud hosting, or defence contracts, basic Cyber Essentials is not enough. Procurement regulations dictate that the level of certification must be proportionate to the risk.
The difference between Basic and Plus
Basic Cyber Essentials is a self-assessment. You complete a questionnaire declaring that your IT infrastructure meets the required standards. A certification body reviews your answers, but they do not test your systems.
Cyber Essentials Plus (CE+) requires independent verification. A qualified assessor conducts a technical audit, including an external vulnerability scan of your internet-facing services and authenticated internal scans of a sample of devices, to verify that the five technical controls are actually in place and working. The assessor also tests that endpoints block malware delivered by email and web download, that administrator accounts are separated from everyday user accounts, and that MFA is enforced on cloud services. The aim is to show that your endpoints, servers, and mobile devices are protected against commodity hacking and phishing attacks.
For buyers, this independent verification is critical. Where a contract carries higher risk, such as work on Ministry of Defence contracts under DEFCON 658 or handling sensitive DWP citizen data, CE+ is routinely mandated. Under DEFCON 658 the required level is set by the contract's cyber risk profile rather than by classification alone; CE+ is typically the minimum for all but the lowest-risk profiles, and the requirement flows down to every subcontractor that handles the same information.
The cost of non-compliance
Failing to hold the required certification at the time of bidding often means an automatic fail at the Selection Questionnaire stage. While some buyers may allow you to bid if you can prove you are in the process of obtaining certification, the certificate must be in place before the contract is awarded. Relying on a grace period is a high-risk strategy.
The deep dive: what evaluators actually look for in a CE+ response
If the SQ asks "Do you hold Cyber Essentials Plus?" and you answer "Yes, Certificate #12345", you pass the gateway. But when you reach the quality evaluation—often weighted between 10% and 20% for IT and cyber contracts—evaluators are scoring your methodology, not just your badges.
Evaluators want to see three things:
- Contextualised risk management: How do your security controls protect their specific data and service?
- Embedded culture: Is security a daily operational habit or an annual audit exercise?
- Supply chain assurance: How do you ensure your subcontractors are as secure as you are?
A common pitfall is copying and pasting your Information Security Policy into the response box. Evaluators do not want to read a generic policy document. They want a narrative that proves you understand the threat model for their specific contract.
Moving from policy to practice
Buyers are tired of reading that suppliers "take security seriously." They want proof. If your policy states that access is reviewed quarterly, your bid should provide the date of the last review and the name of the role responsible for it. If you claim to patch systems within 14 days, provide the metric showing your compliance rate over the last six months.
Deep mapping: translating the five controls into winning narratives
The CE+ assessment verifies five technical controls. To score highly, your bid narrative must explain how these controls are implemented in practice and how they directly benefit the buyer.
1. Firewalls and internet gateways
What CE+ checks: That boundary firewalls (and the software firewalls on devices used outside the office) block unauthenticated inbound connections by default, that default administrative passwords have been changed, and that every open inbound rule is documented, approved by a named person, and removed when it is no longer needed.
How to write it: Do not just say "We use firewalls." Detail your architecture. Explain your approach to network segmentation. If you are hosting an application for the buyer, describe how the database tier is isolated from the web tier. Mention your review cycles for firewall rules.
Evaluators are looking for evidence of 'default deny' policies. Explain how you manage inbound and outbound traffic. Discuss how you handle remote access, such as the use of secure VPNs and how they are authenticated.
"Our network architecture employs strict segmentation. The proposed application environment sits behind dedicated Next-Generation Firewalls (NGFW). Firewall rules are configured on a default-deny basis and are subject to quarterly review by our Information Security Lead to ensure only ports required for this specific service remain open. All remote administrative access is routed through a secure, MFA-enforced VPN."
2. Secure configuration
What CE+ checks: That devices and software are configured securely: default and unused accounts removed or disabled, default passwords changed, unnecessary software removed, auto-run features disabled, and users required to authenticate before they can access data or services.
How to write it: Focus on your build standards and deployment processes. Evaluators want to know that new devices or servers added to the contract will be secure by default.
Discuss your use of standard builds (e.g., CIS Benchmarks). Explain your Mobile Device Management (MDM) policies for remote workers. If staff will access buyer data from home, detail how your configuration prevents data leakage. Mention how you handle default passwords and ensure that unnecessary services are disabled before deployment.
Furthermore, discuss how you manage configuration drift. How do you ensure that systems remain securely configured over time? Mention the use of configuration management tools that alert administrators to unauthorised changes.
3. User access control
What CE+ checks: That user accounts are created and removed through an approved process, that each person has a unique account, that administrative privileges are granted only to those who need them and are not used for everyday tasks such as email and web browsing, and that MFA is enabled on cloud services.
How to write it: This is often the most scrutinised section. Explain your Principle of Least Privilege (PoLP). Detail your Joiners, Movers, and Leavers (JML) process—how quickly is access revoked when someone leaves?
You must mention Multi-Factor Authentication (MFA). CE has required MFA for all user accounts on cloud services since 2022, and the April 2025 ('Willow') update to the requirements added passwordless authentication (for example FIDO2 passkeys) as an accepted alternative to a password plus a second factor. Explain exactly where and how MFA is enforced, particularly for administrative accounts and remote access, and how you handle any account or system that cannot support it.
Detail how you manage administrative accounts. Are they used for daily tasks, or are they restricted to specific administrative duties? Explain your process for reviewing access rights regularly.
4. Malware protection
What CE+ checks: That every in-scope device either runs anti-malware software that is active and kept up to date, or enforces application allow-listing so that only approved executables can run.
How to write it: Move beyond "We have antivirus." Discuss Endpoint Detection and Response (EDR). Explain how your systems detect anomalous behaviour, not just known signatures. If you use application allow-listing, explain how it prevents unauthorised executables from running.
Detail your process for handling malware alerts. When an alert is triggered, who is notified? What is the containment procedure? Providing a brief overview of your triage process demonstrates operational maturity. Mention how often malware definitions are updated and how you ensure that all endpoints are protected.
5. Security update management (Patching)
What CE+ checks: That all software is licensed and vendor-supported, that unsupported software has been removed (or the device moved out of scope), and that updates are applied within 14 days of release where the vendor rates the fix critical or high, the CVSS v3 base score is 7.0 or above, or no severity information has been published.
How to write it: Evaluators know that patching is where most organisations fail. You need to prove you have a robust, automated process.
State your SLAs for patching. "All critical and high-severity vulnerabilities (CVSS 7.0+) are patched within 14 days, in strict adherence to CE+ requirements. Standard updates are deployed within 30 days." Mention the tools you use for automated vulnerability scanning and patch deployment. Discuss how you handle legacy systems or situations where a patch cannot be applied immediately (for example virtual patching or network isolation), and be clear that these are compensating controls applied while the update is rolled out, not a substitute for it under the scheme.
Provide evidence of your patching efficacy. A statement like "In the past 12 months, 99.5% of critical patches were deployed within our 14-day SLA" provides concrete reassurance to the evaluator.
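The compliance figure quoted above has to come from somewhere, and the denominator matters: the CE 14-day window only applies to fixes the vendor rates critical or high, fixes with a CVSS v3 base score of 7.0 or above, or fixes with no published severity at all. The script below is an added example, not part of this guide or of the CE scheme's own tooling; it computes that in-scope compliance rate, and the overdue list for your evidence pack, from a constructed vulnerability export. The host names, finding ids, dates and the `Finding` record layout are all hypothetical; a real export from your scanner or patch tool would carry CVE or KB identifiers.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SLA_DAYS = 14  # the Cyber Essentials window for critical/high (or unrated) fixes


def rated_in_scope(vendor_severity: Optional[str], cvss_base: Optional[float]) -> bool:
    """The 14-day clock applies when the vendor rates the fix critical or high,
    when the CVSS v3 base score is 7.0 or above, or when nothing at all has
    been published (the scheme treats an unrated fix as in scope)."""
    if vendor_severity and vendor_severity.lower() in ("critical", "high"):
        return True
    if cvss_base is not None and cvss_base >= 7.0:
        return True
    return vendor_severity is None and cvss_base is None


@dataclass(frozen=True)
class Finding:
    """One (asset, vulnerability) row from a scanner or patch-tool export (hypothetical layout)."""
    asset: str
    finding_id: str                 # placeholder id; a real export carries CVE or KB ids
    vendor_severity: Optional[str]  # vendor's rating of the fix, None if not published
    cvss_base: Optional[float]      # CVSS v3 base score, None if not published
    fix_released: date              # date the vendor made the fix available
    fix_applied: Optional[date]     # date it landed on this asset; None while still open


def classify(f: Finding, as_of: date) -> str:
    """'met', 'breached' or 'pending' for one in-scope finding as of a report date.
    An open finding that is still inside the window is pending, not a breach."""
    if f.fix_applied is not None:
        return "met" if (f.fix_applied - f.fix_released).days <= SLA_DAYS else "breached"
    return "pending" if (as_of - f.fix_released).days <= SLA_DAYS else "breached"


def sla_report(findings, as_of: date) -> dict:
    buckets = {"met": [], "breached": [], "pending": []}
    for f in findings:
        if rated_in_scope(f.vendor_severity, f.cvss_base):
            buckets[classify(f, as_of)].append(f)
    decided = len(buckets["met"]) + len(buckets["breached"])
    return {
        "in_scope": sum(len(b) for b in buckets.values()),
        "met": len(buckets["met"]),
        "breached": len(buckets["breached"]),
        "pending": len(buckets["pending"]),
        # The rate is over decided findings only; pending ones are reported separately.
        "compliance_rate": len(buckets["met"]) / decided if decided else 1.0,
        # The evidence-pack list: what missed the window, and whether it is still open.
        "overdue": sorted((f.asset, f.finding_id, "open" if f.fix_applied is None else "late")
                          for f in buckets["breached"]),
    }


def bid_statement(r: dict) -> str:
    """The one-line metric a bid can quote, with the denominator made explicit."""
    return (f"{r['compliance_rate']:.1%} of in-scope fixes ({r['met']} of "
            f"{r['met'] + r['breached']}) were deployed within the {SLA_DAYS}-day "
            f"window; {r['pending']} remain open inside the window.")


# Constructed sample export (hypothetical hosts and ids, not real vulnerabilities).
SAMPLE = [
    Finding("srv-web-01", "FIND-001", "critical", 9.8, date(2025, 9, 1), date(2025, 9, 3)),
    Finding("srv-db-01", "FIND-002", None, 7.5, date(2025, 9, 1), date(2025, 9, 20)),    # applied late
    Finding("lap-017", "FIND-003", "medium", 5.3, date(2025, 9, 1), None),               # out of scope
    Finding("srv-web-02", "FIND-004", None, None, date(2025, 9, 5), date(2025, 9, 15)),   # unrated: in scope
    Finding("lap-022", "FIND-005", "high", 8.1, date(2025, 9, 22), None),                 # open, inside window
    Finding("srv-app-01", "FIND-006", "high", None, date(2025, 8, 1), None),              # open, overdue
    Finding("lap-030", "FIND-007", "critical", 9.1, date(2025, 8, 15), date(2025, 8, 20)),
    Finding("srv-app-02", "FIND-008", "high", 7.8, date(2025, 9, 10), date(2025, 9, 12)),
]
AS_OF = date(2025, 9, 30)  # report date, and the constructed sample's cut-off

if __name__ == "__main__":
    report = sla_report(SAMPLE, AS_OF)
    print(bid_statement(report))
    for asset, fid, status in report["overdue"]:
        print(f"overdue: {asset} {fid} ({status})")
```

Two design points carry over to a real export. A medium-rated fix with a CVSS score of 7.0 or above is still in scope, because either condition triggers the window, so never filter on the vendor label alone. And open findings still inside the window are excluded from the rate rather than counted as passes; quoting them separately ("1 remains open inside the window") is what lets an evaluator trust the headline percentage.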
The comprehensive view: what CE+ does not cover
A major differentiator between an average bid and a winning bid is acknowledging the limits of CE+. The scheme is designed to defend against common, low-skill commodity attacks. It does not cover everything. Evaluators award the highest marks to suppliers who demonstrate controls beyond the CE+ baseline.
Incident response and reporting
CE+ proves you can prevent basic attacks, but evaluators want to know what happens when a sophisticated attack succeeds.
Your narrative must detail your Incident Response Plan (IRP). Who is on the response team? What are your containment procedures? Crucially, what are your communication SLAs? Public sector buyers need to know exactly when and how you will notify them of a breach. Where the buyer is the data controller and you are the processor, it is the buyer who must report to the ICO within 72 hours of becoming aware, and UK GDPR requires you to notify the controller without undue delay; a short, specified notification window in your bid is what makes that 72-hour clock achievable for them.
Detail your testing procedures. Do you run annual tabletop exercises? Mentioning that your incident response plan was last tested in a simulated ransomware scenario provides concrete evidence of readiness. Explain how lessons learned from these exercises are incorporated back into your security posture.
Supply chain security
Under the NCSC's supply chain security principles, buyers are acutely aware of third-party risk. Your CE+ certificate only covers your infrastructure.
You must explain how you manage risk down the chain. Do you mandate CE+ for your subcontractors? How do you audit their compliance? Explain your vendor onboarding process and how you ensure that third parties handling buyer data adhere to the same security standards you do. If a subcontractor is breached, how does that impact your service delivery, and how will you manage the fallout?
Governance and culture
Security is a board-level issue. Detail your governance structure. Name the person responsible for security (e.g., the CISO or Security Director). Mention mandatory staff training, phishing simulations, and how security performance is reported to the board.
Explain how security is integrated into your software development lifecycle (if applicable) and project management methodologies. Buyers want to see that security is a core component of your service delivery, not an afterthought. Discuss your approach to 'security by design' and how threat modelling is incorporated into new projects.
Physical security and personnel vetting
While CE+ is focused on technical controls, evaluators also care about physical and personnel security. Briefly mention your physical access controls (e.g., secure data centres, office access logs) and your personnel vetting procedures (e.g., BPSS or SC clearance for staff handling sensitive data). This demonstrates a comprehensive approach to risk management.
Worked example
Here is an illustrative example of how to elevate a basic response into a high-scoring narrative.
The Question: Detail your approach to ensuring the security of the data processed under this contract.
Weak Response: "We take data security very seriously. We hold Cyber Essentials Plus (Certificate #98765) and ISO 27001. All our staff undergo security training. We use firewalls and antivirus software to protect our network, and we patch our systems regularly. Access to the system will be restricted using passwords."
Strong Response: "Our security posture for this contract is built on our independently audited Cyber Essentials Plus and ISO 27001 frameworks, tailored to protect the sensitive citizen data required for this service.
Access Control & Configuration: Access to the proposed environment is governed by the Principle of Least Privilege. All user and administrative access requires Multi-Factor Authentication (MFA). Our endpoints are secured via our Mobile Device Management (MDM) platform, enforcing encrypted storage and CIS Benchmark configurations.
Vulnerability Management: We exceed the CE+ requirement for patch management. Automated vulnerability scans run weekly. Any critical vulnerabilities (CVSS 7+) affecting the proposed infrastructure are patched within 48 hours of release, well within the 14-day CE+ mandate.
Incident Response & Governance: Our Information Security Lead oversees all project delivery. In the event of a security anomaly, our Endpoint Detection and Response (EDR) system automatically isolates the affected host. Our Incident Response Plan commits us to notifying the Authority within 4 hours of any confirmed data breach, giving the Authority the time it needs to meet its 72-hour ICO reporting duty under UK GDPR."
Common mistakes
- Treating the response as a technical manual.
Write for the evaluator, who may be a procurement professional, not a network engineer. Explain the business impact of your technical controls instead of just listing software names.
- Focusing only on your corporate network.
Specifically address the environment where the buyer's data will reside. If you are using a public cloud provider, explain the shared responsibility model instead of assuming the buyer knows how it works.
- Stating compliance without evidence.
Replace "We train our staff" with "Staff complete mandatory NCSC-aligned security training annually, with an audited 98% completion rate in 2025." Concrete numbers score points.
- Ignoring the supply chain.
Explicitly state how you flow security requirements down to any subcontractors involved in the delivery of the IT Services. Do not leave evaluators guessing about third-party risk.
- Using generic incident response times.
Align your incident response and notification SLAs precisely with the requirements set out in the tender specification. If the buyer asks for a 2-hour notification window, do not copy-paste a standard response offering 24 hours.
Frequently asked questions
Does CE+ replace the need for ISO 27001?
No. CE+ focuses on five specific technical controls to prevent commodity cyber attacks. ISO 27001 is a broader Information Security Management System (ISMS) that covers governance, risk management, and physical security. Many tenders require both.
How often does CE+ need to be renewed?
Cyber Essentials Plus certification must be renewed annually. A lapsed certificate will result in a fail at the SQ stage for contracts where it is mandated.
Do all my subcontractors need CE+?
Under DEFCON 658 and PPN 014, the requirement cascades down the supply chain. Any subcontractor handling the buyer's data or accessing the buyer's systems must hold the appropriate level of certification.
What happens if we fail the CE+ vulnerability scan?
You are normally given a short remediation window (often 30 days) to fix the identified issues and be retested, and the whole CE+ assessment must be completed within three months of the date of your Cyber Essentials self-assessment certificate. This is why robust, continuous patch management is critical before the audit.
Can we use virtual patching to meet CE+ requirements?
No. Virtual patching is not an accepted mitigation under the CE scheme. Unsupported operating systems and applications must be removed from in-scope devices, or those devices must be placed in a segregated sub-set that is declared out of scope and isolated from the rest of the network. Everything inside the certified scope must run supported, patched software.
Crafting the perfect evidence pack
When submitting your tender, the evidence pack is just as important as the narrative. Evaluators need to see the proof backing up your claims.
What to include in your evidence pack
- The CE+ Certificate: Ensure it is current and covers the scope of the services being procured. If your certificate only covers a subsidiary or a specific office, and the contract will be delivered from elsewhere, you will fail the requirement.
- Summary Risk Assessment: Include a high-level summary of your most recent risk assessment, demonstrating that you understand the threats relevant to the contract.
- Key Policies: While you shouldn't dump your entire ISMS into the bid, providing specific, relevant policies (e.g., Incident Response Plan, Data Handling Policy) can be beneficial if requested.
- Metrics and Dashboards: Provide anonymised screenshots of your security dashboards showing patch compliance, training completion rates, or vulnerability scan results. Visual evidence is highly persuasive, but redact hostnames, internal IP ranges, product versions and open findings before you include them: a bid is read by many people, and an unredacted dashboard hands anyone who obtains it a map of your attack surface.
The strategic value of CE+
Ultimately, CE+ is more than just a hurdle; it is a framework for building a resilient organisation. By embracing the principles behind the five controls and embedding them into your daily operations, you not only improve your security posture but also create a compelling narrative for your tender responses.
When you can articulate how your security controls protect the buyer's data, demonstrate a culture of continuous improvement, and provide concrete evidence of your capabilities, your CE+ certification transforms from a tick-box exercise into a powerful scoring asset.
By following the strategies outlined in this guide, you can ensure that your next tender response not only meets the mandatory requirements but also stands out as a beacon of security excellence.