Cyber Essentials Plus for UK Manufacturers: A Practical Guide to Certification

This guide to Cyber Essentials Plus for UK manufacturers explains what the certification covers, what it costs in 2026, how to scope it correctly for a factory environment, and the six-step route most manufacturers should follow to pass first time. Cyber Essentials Plus is no longer optional for UK manufacturers that sell into the MOD supply chain, tier 1 automotive, aerospace, pharmaceuticals or food retail — it is a gate on the contract.


Last updated: 23 April 2026

What is Cyber Essentials Plus?

Cyber Essentials is a UK government-backed certification scheme, launched in 2014 by the [National Cyber Security Centre](https://www.ncsc.gov.uk/cyberessentials/overview) and administered by IASME. It checks that an organisation has five basic controls in place: firewalls and internet gateways, secure configuration, user access control, malware protection and security update management. According to the NCSC, these controls block around 80% of the most common cyber attacks.

There are two levels. Standard Cyber Essentials is a verified self-assessment — you complete a questionnaire, an accredited assessor reviews it, and you get a certificate. Cyber Essentials Plus adds an independent technical audit on top: an assessor actually tests your devices, runs vulnerability scans and verifies that the controls you claimed are genuinely in place. Both certificates last 12 months and both require annual renewal.

For a manufacturer, the Plus level carries real weight. It signals to your customer’s procurement team, your cyber insurer and your board that you have not just written policies but have evidence that they work.

Why UK manufacturers need Cyber Essentials Plus

Five forces are pushing UK manufacturers to certify:

  • Customer contract requirements. MOD suppliers, tier 1 automotive, aerospace, food retail and increasingly pharmaceutical customers now write Cyber Essentials Plus into procurement contracts. No certificate, no purchase order.
  • Supply chain compliance. Even without a direct MOD contract, many manufacturers sit two or three tiers down a regulated supply chain. The flow-down clauses land with you.
  • Cyber insurance. Insurers routinely ask for Cyber Essentials Plus evidence before renewing. Those without it face higher premiums, tighter exclusions, or outright declined cover.
  • NIS2 and UK regulation. The emerging UK Cyber Security and Resilience Bill and NIS2 flow-down from EU customers are widening the net. Many manufacturers that thought they were out of scope are now in.
  • Ransomware risk. UK manufacturing is one of the most attacked sectors. The five Cyber Essentials controls measurably reduce the likelihood and impact of a shop-floor ransomware incident.

According to [IASME and the NCSC](https://iasme.co.uk/cyber-essentials/), over 50,000 UK organisations now hold a current Cyber Essentials certificate. The manufacturing share is growing fastest, driven almost entirely by customer pressure.

The 2026 cost of Cyber Essentials Plus for a UK manufacturer

Costs come in three layers. First, the basic Cyber Essentials assessment fee set by IASME, which ranges from £320 plus VAT for a micro organisation to £600 plus VAT for 250+ employees. Second, the Plus assessment fee, which is set by the certification body and varies by scope and device count. For manufacturers, typical 2026 ranges are:

  • Micro (1 to 9 employees): £1,500 to £2,000 for the Plus audit.
  • Small (10 to 49): £2,000 to £3,000.
  • Medium (50 to 249): £3,000 to £5,000.
  • Large (250+): £5,000 and upwards.

The third layer — remediation and preparation — is almost always the biggest. Patching out-of-support Windows devices, replacing unmanaged shop-floor laptops, rolling out multi-factor authentication and rebuilding admin accounts can add another £1,000 to £20,000 depending on size. A realistic first-year total for a mid-sized UK manufacturer usually sits between £6,000 and £13,500.

Scoping Cyber Essentials Plus for a factory environment

Scope is where most manufacturing certifications go wrong. The assessment covers in-scope IT devices: end-user laptops and desktops, servers (on-premise and cloud), mobile phones, tablets and the network boundary. Guest Wi-Fi, properly isolated OT networks, and truly air-gapped production equipment can be scoped out.

In a typical manufacturer that means:

  • In scope: ERP servers, engineering laptops, office PCs, finance laptops, CAD workstations, mobiles with email, Microsoft 365 or Google Workspace tenants, VPN endpoints, the firewall and boundary routers.
  • Conditionally in scope: Shop-floor Windows PCs used for quality, labelling, works-order printing and MES terminals. These are in scope unless they sit on a fully segmented OT network with no direct internet access.
  • Usually out of scope: PLCs, SCADA controllers, robot controllers, CNC machine HMIs and similar embedded OT devices, provided they are on a separate VLAN and not directly reachable from the corporate network.

Getting scope right requires a proper network diagram, an asset register and an honest look at how engineers actually connect to the shop floor. Any sound approach to certification starts with scope, not controls.

A six-step route to first-time pass

Around 32% of Cyber Essentials Plus assessments require remediation on first attempt, according to published industry data. First-time pass is entirely achievable with the right sequence:

  1. Scoping workshop. Decide what is in scope, what is out, and document the boundary. Book two hours with IT, operations and a senior manager.
  2. Gap assessment. Map your current state against the five controls. Focus on unsupported Windows versions, admin account sprawl, MFA coverage, patch timelines and antivirus coverage across laptops used off-site.
  3. Remediation plan. Patch, replace or decommission anything that cannot pass. Common blockers are end-of-life Windows 10 devices, shared admin accounts, legacy RDP exposure and unpatched browsers on shop-floor terminals.
  4. Basic Cyber Essentials. Complete the self-assessment questionnaire and submit. This has to pass before Plus can be booked.
  5. Plus technical audit. An IASME-accredited assessor performs external vulnerability scans, sample device configuration checks, MFA tests, malware protection tests and email filtering tests. Under the v3.3 Danzell update, assessors test MFA enforcement, endpoint configuration and vulnerability remediation more rigorously across both Windows and Apple devices.
  6. Certificate and board paper. Once passed, publish the certificate, update your customer portal submissions, and take a short paper to the board describing scope, residual risk and renewal date.

Budget six to twelve weeks end-to-end. Remember that Plus must be completed within three months of the basic Cyber Essentials pass.
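As an added example (not part of the original article or any IASME tooling), the Python pre-check below applies the scoping rule from the scoping section to a constructed asset register and then maps each in-scope device against the focus areas of the step 2 gap assessment. Device names, states and the register layout are hypothetical; the 14-day patch window is the Cyber Essentials requirement for critical and high-severity updates, and the Windows 10 end-of-support date is Microsoft's published one.

```python
from dataclasses import dataclass
from datetime import date
WIN10_EOL = date(2025, 10, 14)  # Microsoft's published Windows 10 end-of-support date
PATCH_WINDOW_DAYS = 14          # Cyber Essentials: critical/high patches applied within 14 days
ASSESSMENT_DATE = date(2026, 4, 23)  # the date the register is assessed against ("today")

@dataclass
class Asset:
    name: str
    os: str
    segmented: bool     # separate VLAN, not reachable from the corporate network
    internet: bool      # has direct internet access
    shared_admin: bool  # admin credentials shared across machines/engineers
    rdp_exposed: bool   # RDP reachable from the internet (vendor remote support)
    av: bool            # malware protection installed and active
    last_patch: date    # date the last security updates were applied

def in_scope(asset: Asset) -> bool:
    # Article's rule: fully segmented and no direct internet access -> can be scoped out.
    return not (asset.segmented and not asset.internet)

def gaps(asset: Asset, today: date) -> list[str]:
    # Check one in-scope device against the gap-assessment focus areas in step 2.
    found = []
    if asset.os.lower().startswith("windows 10") and today > WIN10_EOL:
        found.append("unsupported OS")
    if asset.shared_admin:
        found.append("shared admin account")
    if asset.rdp_exposed:
        found.append("RDP exposed to the internet")
    if not asset.av:
        found.append("no malware protection")
    if (today - asset.last_patch).days > PATCH_WINDOW_DAYS:
        found.append("patching outside 14-day window")
    return found

def assess(assets: list[Asset], today: date) -> dict[str, list[str]]:
    # {device name: gap list} for in-scope devices; out-of-scope devices are dropped.
    return {a.name: gaps(a, today) for a in assets if in_scope(a)}

# Constructed sample register: hypothetical device names and states, not real data.
REGISTER = [
    Asset("erp-srv01", "Windows Server 2022", False, True, False, False, True, date(2026, 4, 20)),
    Asset("label-pc03", "Windows 10 Pro", False, True, True, True, True, date(2026, 3, 1)),
    Asset("mes-term05", "Windows 10 IoT", True, False, False, False, True, date(2025, 6, 1)),
    Asset("eng-lap07", "Windows 11 Pro", False, True, False, False, False, date(2026, 4, 15)),
]
if __name__ == "__main__":
    for name, found in assess(REGISTER, ASSESSMENT_DATE).items():
        print(f"{name}: {'PASS' if not found else ', '.join(found)}")
```

The segmented MES terminal drops out of the report entirely, while the internet-connected labelling PC on Windows 10 collects four gaps at once, which is the pattern the remediation plan in step 3 has to budget for.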

Common manufacturing pitfalls

The same issues fail manufacturers every year:

  • Shop-floor PCs running Windows 10 after end of support, with no exception plan.
  • Shared admin passwords used by maintenance engineers across multiple machines.
  • MFA not enforced on Microsoft 365 for engineers or directors.
  • RDP exposed to the internet for remote machine support by vendors.
  • Antivirus not installed on engineering laptops used off-site.
  • Missing inventory of shadow IT, USB devices and unmanaged mobiles.
  • No evidence of timely patching, particularly for browsers and email clients.

A fractional IT director or experienced manufacturing IT partner can run the scoping and remediation in parallel, keep the certification body focused, and stop the project stalling between IT and operations.

Frequently Asked Questions

What is Cyber Essentials Plus and why does it matter for UK manufacturers?

Cyber Essentials Plus is the UK government-backed cybersecurity certification scheme, administered by IASME on behalf of the NCSC. It goes beyond the self-assessed Cyber Essentials certificate by adding an independent technical audit. For UK manufacturers it matters because tier 1 customers, MOD suppliers, insurers and enterprise procurement teams increasingly demand it before awarding or renewing contracts.

How much does Cyber Essentials Plus cost for a UK manufacturer?

Assessment fees typically range from £1,500 for a micro manufacturer up to £5,000+ for a large site, on top of the basic Cyber Essentials fee of £320 to £600. A realistic first-year total cost for a 50-person manufacturer, including remediation, preparation and staff time, is usually between £6,000 and £13,500.

Does Cyber Essentials Plus cover the shop floor and OT equipment?

The scheme focuses on in-scope IT devices — laptops, servers, desktops, mobiles, cloud services and network boundaries. Pure OT such as PLCs and SCADA controllers is usually scoped out if properly segmented from the corporate network. Defining the scope correctly is one of the most important decisions in a manufacturing certification, and gets manufacturers in trouble more often than any technical control.

How long does Cyber Essentials Plus certification take for a manufacturer?

Most UK manufacturers should plan six to twelve weeks end-to-end. That covers scoping, remediation of any gaps, the basic Cyber Essentials submission and finally the independent Plus technical audit. Plus must be completed within three months of passing basic Cyber Essentials, otherwise you start again.

Take the Next Step

If you are a UK manufacturer preparing for customer-driven certification and you want a practical Cyber Essentials Plus manufacturing UK guide turned into a working plan, Bailey & Associates can help. We run scoping workshops, remediation programmes and certification-body liaison for manufacturers across the UK, on a fixed monthly retainer from £2,000 per month with no tie-in and cancel-anytime terms. Fifteen-plus years of UK manufacturing IT experience, sector-only focus, and board-ready reporting. Learn more about our manufacturing IT services or book a free discovery call today.
