Read how Cyber Essentials Plus certification helps consultancies and retailers strengthen security and build trust through verified cybersecurity standards.
In today’s digital economy, trust is built on more than just delivery.
As a full-service digital consultancy, we work closely with businesses to develop platforms, integrate systems, and maintain the backbone of digital experiences.
Every decision we make, every system we touch, and every process we implement can have real-world implications for our clients’ customers.
That responsibility isn’t something we take lightly.
Our clients count on us to handle critical infrastructure and sensitive data with care. That means cybersecurity can’t just be a background consideration. We must embed it into how we operate.
That’s what led us to pursue Cyber Essentials Plus certification: to ensure our commitment to digital resilience is not just a statement, but something externally verified and continually improved.
Cyber Essentials Plus is a government-backed cybersecurity certification designed to help organisations defend against the most common forms of cyber attack. It focuses on practical, achievable steps that dramatically reduce your exposure to threat actors who target basic weaknesses.
Unlike the self-assessed basic certification, Cyber Essentials Plus involves an independent technical audit of your systems and infrastructure. It covers five control areas:
Having Cyber Essentials Plus tells clients, regulators, and partners that you’ve done the work: that you’re taking security seriously and not cutting corners.
It shows that you’ve implemented effective defences and submitted them to external scrutiny: not just policy, but actual practice.
Acquiring CE+ certification has helped validate the hard work we’ve done behind the scenes to maintain secure systems and resilient processes.
But more importantly, it helps assure our clients that when they work with us, their data is protected by design.
Consultancies often operate at the heart of complex digital change.
We’re not just building websites or running campaigns; we’re integrating payment systems, managing customer databases, deploying cloud-native infrastructure, and supporting long-term technology strategies.
This makes us a valuable partner, but also a potential target.
Cyber Essentials Plus for consultancies ensures we are not the weakest link in the supply chain.
By achieving certification, we’ve demonstrated that:
We see this as part of our role: not just to deliver outcomes, but to protect the environments in which those outcomes live.
Achieving Cyber Essentials Plus certification was a meaningful milestone for our consultancy.
It wasn’t a quick win or a rubber-stamped exercise. It required reflection, collaboration, technical work, and third-party scrutiny.
However, the outcome was worth it. It has created a more secure operating environment and a stronger foundation for the work we do with clients.
Here’s how we approached the journey from initial planning to full certification.
Before beginning any formal steps, we needed to understand exactly what was required. Cyber Essentials Plus is based on five technical control themes:
These areas are deceptively simple. Most organisations believe they cover these basics already.
However, Cyber Essentials Plus doesn’t rely on assumptions. It requires real evidence, which means every control must be working consistently across every relevant device.
We started by mapping our environment and taking a detailed look at how our existing controls aligned with the certification criteria.
The first formal stage in the process was completing the standard Cyber Essentials self-assessment.
While this is the simpler version of the certification, it’s also a vital foundation.
It forced us to document our security approach and confirm that we had the right policies and systems in place.
We used this stage to conduct an honest internal audit, asking:
By treating this stage as a rehearsal for the Plus certification, we identified issues early and avoided surprises later.
Once we had a clear understanding of our current state, we moved into an improvement phase.
We focused on four critical areas:
This phase took several weeks, and we involved multiple teams, from infrastructure to operations, to ensure nothing was missed.
To move forward with Cyber Essentials Plus, we needed to work with an accredited certification body.
We looked for:
Our chosen certification body worked closely with us to plan the scope of the audit and set expectations.
They also helped us identify the specific devices and systems that would be sampled for testing.
The technical audit is what separates Cyber Essentials Plus from the basic level. During this process, an external assessor reviews a sample of devices and systems from within your organisation.
Our Cyber Essentials Plus audit included:
We prepared in advance by ensuring all devices to be tested were fully compliant, up to date, and documented.
The assessment was conducted remotely over a single day, with our IT team assisting in real time.
Following the audit, we received a brief feedback report.
While we had passed, we still took time to address the small advisory points the assessor raised, such as tightening our user offboarding procedure and applying stricter controls on shared accounts used during testing.
Cyber Essentials Plus is not a pass-and-forget certification. The process itself taught us that even strong policies can drift over time without clear ownership and oversight.
This process helped us sharpen our focus and make security part of the rhythm of our work. It wasn’t just about meeting a standard; it was about building a more resilient business for ourselves and our clients.
By working through Cyber Essentials Plus, we:
We don’t claim to be immune to cyber threats: no organisation is.
Cyber Essentials Plus helps us reduce risk in a measurable, repeatable way. We’re proud to make that security part of the trust we build with every client we work with.
Security is no longer confined to one team. It’s now something everyone at Sherwen plays a role in.
Many organisations begin with Cyber Essentials Basic.
It’s a logical starting point, but its self-assessment nature means there’s no external verification.
It’s possible to pass without actually implementing some of the measures in practice.
Cyber Essentials Plus addresses this by requiring:
For a consultancy like ours, which works with public-facing platforms and handles sensitive data, we felt that a self-assessed approach wasn’t enough.
Cyber Essentials Plus provided:
Retailers face unique challenges. They manage large volumes of customer data, operate at scale, and often face high-volume attacks like credential stuffing, phishing, and malware distribution.
When retailers work with third parties like digital consultancies and agencies, they need to know their partners are secure.
By becoming Cyber Essentials Plus certified, we’ve demonstrated that we’re serious about:
This isn’t just a matter of liability; it’s about trust.
When a customer interacts with a retail brand, they expect the brand to handle their personal information with care. We help meet those expectations.
High-profile cyberattacks on major retailers have become alarmingly frequent, each one a reminder that common cyber threats can cause major damage when basic controls are missing or inconsistently applied.
Attacks on Marks & Spencer, the Co-op, and Adidas UK each followed familiar patterns and exploited preventable weaknesses. They also illustrate why practical certifications like Cyber Essentials Plus are so vital to today’s digital organisations.
Marks & Spencer was hit by a cyberattack in April 2025 that disrupted its online services and loyalty program. Customers experienced significant delays and issues when placing orders online, while the company was forced to temporarily suspend elements of its digital platform.
The incident was reportedly linked to the Scattered Spider hacker group, known for using phishing and social engineering tactics to compromise employee credentials. Once inside, attackers were able to interfere with customer-facing systems, triggering a costly interruption to operations.
This type of attack underscores the importance of technical controls like enforced multi-factor authentication, monitored user access, and proactive vulnerability patching, all of which are core requirements of Cyber Essentials Plus.
If such controls had been rigorously in place, the compromise of internal credentials could have been significantly harder or rendered useless.
In March 2024, the Co-op was forced to take some of its systems offline following a major cyberattack that targeted internal infrastructure. Customers reported issues with payment systems and stock levels across UK stores. The disruption lasted for more than two weeks, with services only gradually returning to normal.
The root cause appears to have been the exploitation of a vulnerability in third-party software, which allowed attackers to move laterally within the Co-op's network. This resulted in operational disruption and the potential exposure of sensitive customer data.
This breach highlights the critical role of patch management and secure system configuration.
Cyber Essentials Plus requires organisations to apply critical updates within a strict 14-day window and to manage software dependencies carefully. Had these controls been universally enforced, the window of opportunity for exploitation could have been closed or significantly narrowed.
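The 14-day window is exactly the sort of control that drifts unless something measures it. The following is an added example, not code from this page or from Sherwen: a small Python check that takes an inventory of pending and applied updates (constructed sample records, in the shape an asset-inventory export might provide; no real hosts or advisories) and reports every fix that has been outstanding for more than 14 days on a given reference date. The page speaks of critical updates; the scheme's wording also covers fixes rated high, so both severities are treated as in scope here. The record layout, function names and dates are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Cyber Essentials: critical/high updates must be applied within 14 days of release.
UPDATE_WINDOW = timedelta(days=14)
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class PendingUpdate:
    host: str
    package: str
    severity: str            # "critical", "high", "medium" or "low" (assumed vocabulary)
    released: date           # date the vendor published the fix
    applied: Optional[date]  # date the fix was installed, or None if still pending


def in_scope(update: PendingUpdate) -> bool:
    """Only critical and high severity fixes are bound by the 14-day window."""
    return update.severity.lower() in IN_SCOPE_SEVERITIES


def days_outstanding(update: PendingUpdate, as_of: date) -> int:
    """Age of the fix in days: until it was applied, or until `as_of` if still pending."""
    end = update.applied if update.applied is not None else as_of
    return (end - update.released).days


def breached_window(update: PendingUpdate, as_of: date) -> bool:
    """True when an in-scope fix was, or still is, outside the 14-day window."""
    return in_scope(update) and days_outstanding(update, as_of) > UPDATE_WINDOW.days


def find_breaches(updates: List[PendingUpdate], as_of: date) -> List[PendingUpdate]:
    """In-scope fixes outside the window, worst (oldest) first."""
    breaches = [u for u in updates if breached_window(u, as_of)]
    return sorted(breaches, key=lambda u: days_outstanding(u, as_of), reverse=True)


def summarise(updates: List[PendingUpdate], as_of: date) -> dict:
    """The three numbers a compliance review needs: in-scope count, breaches, worst age."""
    scoped = [u for u in updates if in_scope(u)]
    breaches = find_breaches(updates, as_of)
    worst = max((days_outstanding(u, as_of) for u in breaches), default=0)
    return {"in_scope": len(scoped), "breached": len(breaches), "worst_days": worst}


# Constructed sample inventory: hostnames, package names and dates are invented.
SAMPLE_UPDATES = [
    PendingUpdate("laptop-01", "browser", "critical", date(2025, 6, 1), date(2025, 6, 5)),   # applied in 4 days
    PendingUpdate("laptop-02", "browser", "critical", date(2025, 6, 1), None),              # still pending
    PendingUpdate("build-01", "ci-agent", "high", date(2025, 5, 10), date(2025, 6, 2)),     # applied after 23 days
    PendingUpdate("build-01", "fonts", "low", date(2025, 4, 1), None),                      # low severity: out of scope
    PendingUpdate("laptop-03", "vpn-client", "high", date(2025, 6, 10), None),              # pending, inside window
]
REFERENCE_DATE = date(2025, 6, 20)  # the "today" used for the sample run


if __name__ == "__main__":
    for u in find_breaches(SAMPLE_UPDATES, REFERENCE_DATE):
        print(f"{u.host}: {u.package} ({u.severity}) outstanding "
              f"{days_outstanding(u, REFERENCE_DATE)} days")
    print(summarise(SAMPLE_UPDATES, REFERENCE_DATE))
```

Two design points matter for a check like this. A fix that was eventually applied, but late, is still recorded as a breach, because the assessor samples history as well as current state. And the check is only as honest as the inventory feeding it: a device missing from the export never shows up as non-compliant, which is why the audit samples real devices rather than reading a spreadsheet.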
Adidas UK recently (May 27, 2025) reported a breach in which customer names, email addresses, and hashed passwords were exposed. While no payment information was stolen, the incident affected customers across Europe and raised serious questions about data protection and account security.
The attack stemmed from unauthorised access to a legacy database that had not been properly secured or decommissioned. Attackers were able to access historical user records, which in many cases had not been adequately anonymised or isolated from live systems.
Cyber Essentials Plus calls for the removal of unsupported or unnecessary software and systems. It also places emphasis on user access control and data minimisation. By removing or isolating such legacy environments and applying proper access restrictions, the risk of this type of breach would have been greatly reduced.
These cases are not isolated events. They reflect a pattern seen across many industries, where outdated systems, inconsistent patching, and poor credential management allow attackers to gain a foothold.
Cyber Essentials Plus is specifically designed to address these high-frequency threats by ensuring that common vulnerabilities are closed and that best practices are applied across all devices and users.
While no certification can prevent every possible breach, the standards enforced through Cyber Essentials Plus can stop many of the attacks that organisations face every single day. It is one of the most practical steps a business can take to reduce risk, protect customers, and strengthen trust.
Here are some benefits of CE+ for digital retailers.
Cyber Essentials Plus significantly reduces your risk of falling victim to the most common types of cyber attacks, including phishing, malware, and credential theft. These make up the bulk of daily cyber incidents facing businesses.
Achieving certification sends a strong signal that you’re serious about cybersecurity. For digital consultancies, this helps win client confidence and smooth procurement processes.
The certification process encourages better patching discipline, more consistent device management, and a clearer approach to access control and configuration.
More clients are requesting security certifications as part of procurement and compliance requirements. Being certified simplifies conversations and shortens sales cycles.
With certified controls in place, your systems are less likely to suffer disruptions due to ransomware or other preventable breaches—keeping your operations running more smoothly.
Cyber Essentials Plus must be renewed annually. This creates a built-in cadence for review, audit, and improvement—something every modern digital team can benefit from.
Secure systems tend to be stable systems.
Our certification efforts have led to more consistent infrastructure, clearer roles and responsibilities, and better resilience across the platforms we support.
This benefits our clients by:
No organisation is too small or too large to benefit from Cyber Essentials Plus.
With threats increasing and expectations rising, having an externally verified cybersecurity baseline is quickly becoming a requirement.
The cost of certification is modest compared to the potential financial and reputational damage of a breach. And for digital teams looking to improve resilience, it’s a practical framework that gets results.
We’ve seen first-hand how certification helps build trust and improve internal performance. That’s why we recommend it to our clients as a valuable next step in their own cybersecurity journeys.
Cyber Essentials Plus is not the end of our security journey. It’s a benchmark we plan to renew and improve upon.
We’re continuing to invest in our cyber hygiene:
Our goal is to be a consultancy that delivers confidently and securely.
Because when clients trust us with their data, we owe them more than just functionality.
We owe them peace of mind so they can continue to grow.