Cyber Essentials Plus Readiness Guide
Good readiness work is usually quiet work - clear scope, fewer unknowns, cleaner ownership, and enough evidence that nobody has to improvise during assessment week.
Cyber Essentials Plus goes more smoothly when Microsoft 365 is treated as part of the real estate, not as a side platform. Entra ID, Exchange Online, SharePoint, OneDrive, Teams, Intune and Defender all affect the assessment story when they control access, devices or data movement.
Quick answer
Before booking assessment dates, prove the scope, MFA coverage, endpoint sample health, patch evidence, malware protection, external sharing position and audit trail. If any of those depend on memory rather than evidence, fix that first.
Who this affects
This affects UK SMEs with Microsoft 365-heavy operations, remote staff, Intune-managed devices, SharePoint/Teams collaboration and customer pressure to show Cyber Essentials Plus readiness.
It is also useful where a business has passed the self-assessment before but has not checked whether the live tenant and endpoint sample still match the answers.
What usually goes wrong
| Failure mode | What it looks like | Why it hurts |
|---|---|---|
| Fuzzy scope | Cloud services, BYOD or supplier access are discussed late | Evidence collection becomes chaotic |
| MFA assumption | Registration exists but enforcement has broad exclusions | Cloud service authentication may not be covered |
| Endpoint mismatch | Intune, Defender and asset lists disagree | Sample checks become slow and defensive |
| Patch gaps | Devices cannot show update status cleanly | The 14-day evidence story weakens |
| Weak ownership | Nobody owns exceptions or exports | Assessment week depends on heroics |
What to check first
Start with the areas that decide pass/fail conversations fastest.
| Area | First check | Useful console or report |
|---|---|---|
| Scope | Which Microsoft 365 services and devices are in scope | Written scope list and asset inventory |
| Identity | MFA enforcement for users, admins and cloud access | Conditional Access or Security Defaults evidence |
| Endpoint | Sample devices are managed, supported and protected | Intune, Defender and update reports |
| Mail | Forwarding and phishing controls are known | Exchange Online and Defender policy views |
| Collaboration | External sharing and guest access are deliberate | SharePoint, OneDrive and Teams settings |
| Audit | Logs and exports are available | Purview audit search and report exports |
Identity and access controls
Identity is where a lot of passes and fails are decided.
- MFA enforced for cloud service access.
- Privileged access separated from day-to-day use.
- Old admin roles removed.
- Leaver process closes or disables accounts promptly.
- Guest and third-party access reviewed and justified.
- Break-glass accounts documented and monitored.
The practical test is simple. Pick one normal user, one admin and one guest. Can you explain exactly what each can reach and what controls apply?
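To make that question repeatable for the MFA part, here is an added example (not code from the guide) that reviews a simplified, constructed Conditional Access export for tenant-wide MFA enforcement and for exclusions that are broad or carry admin accounts; the policy shape, group membership, admin list and the two-user exclusion cap are assumptions.

```python
"""Review Conditional Access policies for MFA coverage and broad exclusions (added example).
The policy dicts are a simplified, constructed shape of an Entra Conditional Access
export; GROUPS and ADMINS stand in for a group-membership and role export."""
from dataclasses import dataclass

# Constructed: one enabled tenant-wide MFA policy with exclusions, one disabled admin policy.
POLICIES = [
    {"displayName": "Require MFA - all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["svc-scanner@example.test"],
                              "excludeGroups": ["Legacy-Apps"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA - admins", "state": "disabled",
     "conditions": {"users": {"includeRoles": ["Global Administrator"],
                              "excludeUsers": [], "excludeGroups": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
]
GROUPS = {"Legacy-Apps": ["bob@example.test", "it-admin@example.test", "finance1@example.test"]}
ADMINS = {"it-admin@example.test", "breakglass@example.test"}

@dataclass
class MfaReview:
    enforcing_policies: list   # enabled, tenant-wide policies that grant only with MFA
    excluded_users: set        # every user carved out of those policies, groups expanded
    excluded_admins: set       # excluded users who also hold a privileged role
    broad_exclusion: bool      # exclusions exceed the agreed cap or include an admin

def review_mfa(policies, groups, admins, max_excluded=2):
    enforcing, excluded = [], set()
    for p in policies:
        controls = p.get("grantControls", {}).get("builtInControls", [])
        if p["state"] != "enabled" or "mfa" not in controls:
            continue
        users = p["conditions"]["users"]
        # Only tenant-wide ("All") policies count as covering cloud service access here.
        if "All" not in users.get("includeUsers", []):
            continue
        enforcing.append(p["displayName"])
        excluded.update(users.get("excludeUsers", []))
        for g in users.get("excludeGroups", []):
            excluded.update(groups.get(g, []))
    excluded_admins = excluded & admins
    broad = len(excluded) > max_excluded or bool(excluded_admins)
    return MfaReview(enforcing, excluded, excluded_admins, broad)
```

An empty `enforcing_policies` list is the finding that matters most: it means no enabled tenant-wide policy requires MFA at all, whatever registration reports say.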
Endpoint and patch checks
Policy intent is not enough. Device state has to line up with what the consoles say.
- Device inventory matches reality.
- Supported operating systems only, or a tightly controlled exception position.
- Security updates applied on time.
- Defender or equivalent protection present and healthy.
- Local admin rights genuinely minimised.
- Firewalls enabled and managed.
Where Microsoft tooling is in use, check that the same devices appear consistently across Intune, Defender and update reporting. When those views disagree, something is usually drifting.
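An added example (not part of the guide) of that reconciliation, run over constructed CSV stand-ins for the asset register, Intune and Defender/update reporting; the column names, the SUPPORTED_OS set and the dates are assumptions, while the 14-day window is the one the guide refers to.

```python
"""Reconcile the asset register with Intune and Defender/update views (added example).
CSV exports, column names and SUPPORTED_OS are constructed; reconcile() returns {device: [issues]}."""
import csv, io
from datetime import date

ASSETS = """device,owner,os
LT-001,alice,Windows 11
LT-002,bob,Windows 11
LT-003,carol,Windows 10
"""
INTUNE = """deviceName,compliance,lastSync
lt-001,compliant,2026-04-28
LT-002,noncompliant,2026-04-27
"""
DEFENDER = """deviceName,healthStatus,lastUpdateInstalled
LT-001,Active,2026-04-20
LT-002,Active,2026-04-01
LT-003,Inactive,2026-03-10
LT-099,Active,2026-04-29
"""
SUPPORTED_OS = {"Windows 11"}   # assumption for this example
PATCH_WINDOW_DAYS = 14          # the guide's 14-day update expectation

def load(text, key):
    # Upper-case names so "lt-001" and "LT-001" reconcile as one device.
    return {row[key].upper(): row for row in csv.DictReader(io.StringIO(text))}

def reconcile(as_of="2026-04-30"):
    today = date.fromisoformat(as_of)
    assets, intune = load(ASSETS, "device"), load(INTUNE, "deviceName")
    defender, findings = load(DEFENDER, "deviceName"), {}
    for name, asset in assets.items():
        checks = [
            (asset["os"] not in SUPPORTED_OS, "unsupported-os"),
            (name not in intune, "missing-in-intune"),
            (name in intune and intune[name]["compliance"] != "compliant", "noncompliant"),
            (name not in defender, "missing-in-defender"),
            (name in defender and defender[name]["healthStatus"] != "Active", "sensor-inactive"),
        ]
        issues = [label for hit, label in checks if hit]
        if name in defender:  # patch age only makes sense when the device reports in
            age = (today - date.fromisoformat(defender[name]["lastUpdateInstalled"])).days
            if age > PATCH_WINDOW_DAYS:
                issues.append(f"patch-age-{age}d")
        if issues:
            findings[name] = issues
    # Devices a console knows about but the register does not are drift too.
    for name in (set(intune) | set(defender)) - set(assets):
        findings[name] = ["not-in-asset-register"]
    return findings
```

Anything returned here is a device you would not want the assessor to pick for the sample until it is fixed, replaced or formally excepted.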
Evidence to collect
| Evidence | What it should prove |
|---|---|
| Scope statement | Services, users, locations and devices in scope |
| Admin roles | Current privileged users and review date |
| MFA enforcement | Policy scope, exclusions and grant controls |
| Endpoint sample | Device ownership, OS support, patch and protection state |
| Mail posture | Forwarding, phishing controls and investigation capability |
| Sharing posture | Guest and external link position |
| Audit capability | Who can search/export logs and when evidence was exported |
If you only have one afternoon, build an evidence folder and start dropping dated exports into it:
```bash
# One folder per evidence area, plus a UTC timestamp recording when this export run started
mkdir -p evidence/identity evidence/endpoints evidence/mail evidence/sharing
date -u +"%Y-%m-%dT%H:%M:%SZ" > evidence/exported-at.txt
```
Fix path
- Lock scope in writing.
- Remove obvious admin and MFA exceptions.
- Reconcile endpoint inventory across Intune, Defender and asset records.
- Patch or replace devices that cannot meet the sample standard.
- Review mail forwarding, guest access and external sharing.
- Export evidence and run a small internal sample before the assessor does.
Common mistakes
The common mistake is treating Cyber Essentials Plus as paperwork. The assessor will see the live estate, so screenshots that do not match the tenant only create more questions.
Another mistake is leaving evidence until assessment week. Weak evidence usually points to weak ownership.
Related route
For the matching service path, use Cyber Essentials Plus readiness.
If you want a fast first read, check your Microsoft 365 security score before the evidence sprint.