Skip to main content
Survey Solutions

Cyber Essentials Plus: What it means for your project survey data and your site

Published on by James Wyllie

Online security measures on a computer showcasing the cyber essentials accreditation

Most projects now have a host of information and online data they need to manage. Survey drawings, utility records, CAD files, Point clouds, Drone imagery and plans showing access routes and boundaries are just the tip of the iceberg. All of that data moves fast between consultants, contractors, clients, and suppliers. If one link in the chain gets compromised, the impact rarely stays “digital”. It can cause delays, rework, commercial risk, and in the worst cases, a safety breach. This is why a Cyber Essentials Plus certification matters.

What is Cyber Essentials?

Cyber Essentials (CE) is a UK government backed certification scheme, developed with the National Cyber Security Centre (NCSC). It focuses on five technical controls designed to reduce exposure to the most common internet based attacks.

Those controls cover the basics that stop a lot of real-world incidents:

  • Boundary firewalls and internet gateways
  • Secure configuration
  • Access control
  • Malware protection
  • Security update management

This is the kind of baseline many procurement teams now expect as standard, especially in regulated sectors and public sector supply chains.

What Cyber Essentials Plus adds

Cyber Essentials is the standard level of the certification, and relies on a verified self-assessment. Cyber Essentials Plus (often shortened to CE+) goes further. It tests whether those controls work in practice, not just on paper. Under UK procurement guidance, Cyber Essentials Plus uses the same controls as Cyber Essentials, but also includes vulnerability testing that can be done remotely and on site.

In plain terms, an independent assessor checks your environment through technical testing, including vulnerability scans and checks on a sample of user devices and systems. That independent verification is gives clients stronger assurance that a supplier’s day-to-day setup matches the best standard possible.

Why this accreditation matters right now

The UK Cyber Security Breaches Survey 2025 found that 43% of businesses reported experiencing a cyber security breach or attack in the past 12 months, This figure rises for medium and large businesses. The same report also highlights phishing as the most common and disruptive type of attack, and reports an average cost of breaches for businesses of £1,600 (with higher averages when excluding £0 reports).

Construction and the built environment make attractive targets because:

  • Supply chains are wide, with lots of crossover and handoffs
  • People need fast access to files to keep sites moving
  • Teams work across offices, sites, and temporary setups
  • Legacy systems and mixed device estates are common
  • Sensitive data can sit in inboxes, shared drives, and third-party platforms

Cyber Essentials Plus does not eliminate risk. Nothing does, but it reduces the easy wins attackers look for.

What it means for your projects and sites

If you’re a client, consultant, or contractor, here is what Cyber Essentials Plus should mean in practice when you appoint a supplier.

Lower friction during onboarding
Many organisations now require suppliers to show evidence of baseline cyber controls before data transfer starts. Cyber Essentials certificates provide a recognisable way to demonstrate that baseline.

For certain public sector contracts, central government policy has required suppliers bidding for specific contract types to hold Cyber Essentials or Cyber Essentials Plus certification, or to demonstrate equivalent controls. So if your project touches public sector procurement, frameworks, or sensitive information flows, Cyber Essentials Plus can reduce delays at the assurance stage.

Better protection for shared project information
Survey deliverables often include data that you do not want exposed or tampered with, such as:

  • Utility mapping outputs
  • Measured building plans
  • Site control networks and setting out data
  • Drone imagery and 3D models
  • Drawings used for demolition, enabling works, and temporary works
  • Location plans and access information for secure sites

Cyber Essentials Plus focuses on controls that reduce common attack paths. That helps protect the confidentiality and integrity of files shared across the project team.

More confidence in everyday working practices
Cyber security is more than an IT policy, it shows up on site in day-to-day small decisions:

  • How laptops and tablets are configured
  • How user accounts are managed
  • How devices get patched and protected
  • How malware is prevented from running
  • How access is limited to the people who need it

Cyber Essentials Plus forces these controls to be demonstrable.

A clearer conversation about scope and data handling

One detail that gets missed in supplier checks is scope. A Cyber Essentials certificate can apply to a whole organisation, or it can be scoped to part of it. Procurement guidance also notes that you should check scope and consider third parties, because certification may not include every supplier or cloud service involved in delivery.

In other words, clients should still ask sensible questions:

  • What does your certificate cover?
  • What systems do you use to store and transfer our files?
  • Who gets access, and how do you control it?
  • What do you do if an incident happens?

Cyber Essentials Plus doesn’t replace project due diligence. It makes the due diligence easier to validate.

What is changing in 2026

Cyber Essentials updates every year to stay relevant. IASME (the Cyber Essentials delivery partner) has announced the next annual update will go live in April 2026, applying to assessment accounts created after 27 April 2026. They also highlight an important marking change: where multi-factor authentication is available for cloud services and it is not implemented, that can result in an automatic failure.

If you manage a supply chain, this matters because:

  • Some suppliers will scramble close to renewals
  • Some will fail on MFA adoption
  • If Cyber Essentials Plus is part of your supplier assurance, plan ahead. Ask for renewal dates. Ask about MFA rollout. Avoid last-minute panics that derail mobilisation.

Survey Solutions and Cyber Essentials Plus

Survey Solutions holds Cyber Essentials Certified Plus as part of our wide range of accreditations and certifications.

What that means for you is simple:

  • You get independent verification, not just a statement of intent
  • You reduce risk in the exchange of project data
  • You get smoother assurance conversations with your internal teams
  • You work with a supplier that treats data protection as part of delivery, not an afterthought

If you have specific project requirements around data handling, secure sites, or controlled information, we’ll align our delivery approach to your needs. Cyber Essentials Plus is the baseline, but your project brief still sets the standard where we’ll provide engineering certainty to ensure you stay on track and in budget.

Survey company that is part of British Cartographic Society
Chartered Institution of Civil Engineers
The Contractors Health & Safety Assessment Scheme
Construction Line
Cyber Essentials – Certified Plus
European Ground Penetrating Radar Association
ISO9001: 2015
ISO27001: 2017
ISO45001: 2018
ISO14001: 2015
SMAS Worksafe
The Survey Association
Achilles & Achilles UVDB
Thames Water Safety Passport