Cyber Essentials Plus is the baseline security certification for UK businesses selling into enterprise, healthcare, government, or regulated sectors. If your infrastructure runs on AWS, you are well-positioned to pass - but the technical audit tests what the assessor can observe, not what you intend to implement.
We have guided UK startups through Cyber Essentials Plus on AWS across healthcare (NHS integrations), fintech (banking licence applications), and EdTech (children's data protection). We know what the assessors check and how to structure your cloud environment so that passing is straightforward.
Audit your current AWS infrastructure against all five CE+ controls. Clear report showing what passes today, what needs remediation, and a prioritised plan to close gaps. Typically 1-2 weeks.
We fix the gaps - defined in code, version-controlled, repeatable. Security groups, IAM Identity Center, Secrets Manager, automated patching. Typically 2-6 weeks depending on current state.
Evidence preparation, team briefing on what the assessor will ask, and availability during the assessment to answer infrastructure questions. If findings arise, we remediate and support re-assessment.
CE+ is annual. We maintain your compliance posture as infrastructure evolves - monitoring for drift, applying patches, managing access changes, and preparing for recertification.
Move from EC2 to Fargate and the underlying OS patching obligation shifts to AWS. Three CE+ controls become architectural statements rather than evidence-gathering exercises.
Encryption at rest and in transit by default, automated patching, point-in-time recovery. Multiple CE+ requirements addressed by a single architectural decision.
When every resource is defined in Terraform, security controls are version-controlled and auditable. The assessor reviews code, not screenshots.
Centralised SSO with enforced MFA, role-based permission sets, session expiry. Clean evidence for the user access control requirement.