Field note

Cyber Essentials Plus Readiness Guide

Good readiness work is usually quiet work - clear scope, fewer unknowns, cleaner ownership, and enough evidence that nobody has to improvise during assessment week.

Published: 05 May 2026

Updated: 3 days ago

Read time: 3 min · 615 words

Author: Gyorgy Bolyki

Cyber Essentials Plus goes more smoothly when you stop treating it like a questionnaire and start treating it like an operational check on the real environment. This guide covers the areas that most often catch Microsoft 365 teams out.

For Microsoft 365 teams, that means two things. First, the tenant is part of the core estate, not a side platform. Second, evidence needs to exist before the assessment window opens, not because screenshots are sacred, but because weak evidence usually points to weak ownership.

1. Lock the scope before you fix anything else

Make sure the team can describe what is in scope without hand-waving.

  • Entra ID, Exchange Online, SharePoint, OneDrive, Teams, Intune, and any relevant Defender workload should be considered explicitly.
  • Business devices, including remote devices and any BYOD arrangements that access organisational data or services, need a clear position.
  • Legacy systems or awkward exceptions need documented treatment, not optimistic silence.

If scope is fuzzy, every later control check gets slower.

2. Identity and access controls

This is where a lot of passes and fails are decided.

  • MFA enforced for cloud service access.
  • Privileged access separated from day-to-day use.
  • Old admin roles removed.
  • Leaver process closes or disables accounts promptly.
  • Guest and third-party access reviewed and justified.

The practical test is simple. Pick one normal user, one admin, and one guest. Can you explain exactly what each can reach and what controls apply?

3. Devices, updates, and malware protection

Policy intent is not enough here. Device state has to line up with what the consoles say.

  • Device inventory matches reality.
  • Supported operating systems only, or a tightly controlled exception position.
  • Security updates applied on time.
  • Defender or equivalent protection present and healthy.
  • Local admin rights genuinely minimised.
  • Firewalls enabled and managed.

Where Microsoft tooling is in use, check that the same devices appear consistently across Intune, Defender, and update reporting. When those views disagree, something is usually drifting.
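
One way to run that consistency check offline, as an added example rather than the author's own tooling: load a device export from each view and list every device that is missing from at least one of them. The CSV samples are constructed, and the `device_name` column is an assumed, normalised header, not the real export format of any console.

```python
import csv
import io

# Constructed sample exports. Real console exports use their own column names;
# "device_name" is an assumed, normalised column for this example.
INTUNE_CSV = "device_name,compliance\nLAPTOP-001,Compliant\nLAPTOP-002,NonCompliant\nlaptop-003,Compliant\n"
DEFENDER_CSV = "device_name,health\nlaptop-001.corp.example,Active\nLAPTOP-003,Active\nKIOSK-009,Inactive\n"
UPDATES_CSV = "device_name,last_patch\nLAPTOP-001,2026-04-28\nLAPTOP-002,2026-03-02\nLAPTOP-003,2026-04-29\n"


def normalise(name):
    """Lower-case, trim, and drop any DNS suffix so the same host matches across views."""
    return name.strip().lower().split(".")[0]


def load_devices(csv_text, column="device_name"):
    """Return the set of normalised device names in one export, skipping blank rows."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {normalise(r[column]) for r in rows if (r.get(column) or "").strip()}


def find_drift(views):
    """Map each device to the views it is missing from; consistent devices are omitted."""
    everything = set().union(*views.values())
    drift = {}
    for device in sorted(everything):
        missing = sorted(v for v, names in views.items() if device not in names)
        if missing:
            drift[device] = missing
    return drift


def sample_report():
    """Reconcile the three constructed exports above."""
    views = {
        "intune": load_devices(INTUNE_CSV),
        "defender": load_devices(DEFENDER_CSV),
        "updates": load_devices(UPDATES_CSV),
    }
    return find_drift(views)


if __name__ == "__main__":
    for device, missing in sample_report().items():
        print(f"{device}: missing from {', '.join(missing)}")
```

A device that shows up in only one view (here the constructed `kiosk-009`) is the kind of entry worth chasing first, since it is either unmanaged or stale.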

4. Mail and collaboration controls

Microsoft 365 estates often look tidy until somebody checks how information actually moves.

  • Mail forwarding is reviewed and controlled.
  • Inbox rules and unusual mailbox activity can be investigated.
  • External sharing settings are known and intentional.
  • Guest access is reviewed often enough to mean something.
  • Collaboration sprawl has a named owner, not just a technical owner.

This is the area where "we set that once" causes the most avoidable trouble.

5. Evidence before assessment week

I would want these items ready before the date is booked:

Area        Minimum evidence
Identity    Admin role view, MFA coverage, Conditional Access state
Endpoint    Compliance, onboarding, and update evidence
Mail        Mail security posture and mailbox investigation capability
Sharing     External access settings and exceptions
Governance  Named owners and remediation notes

If you only have one afternoon, build this folder structure first and start dropping dated exports into it:

mkdir -p evidence/identity evidence/endpoints evidence/mail evidence/sharing
date -u +"%Y-%m-%dT%H:%M:%SZ" > evidence/exported-at.txt

It is simple, but it stops a lot of chaos later.

6. Dry run the sample

Before the assessor does anything, do your own small sample review:

  1. Pick two or three ordinary endpoints.
  2. Check support state, patch level, local admin status, firewall, and protection health.
  3. Pick one mailbox and one user timeline for a quick audit search.
  4. Check one guest access path and one external sharing path.

If that mini-review feels clumsy, the full week will feel worse.
