Cyber Essentials Plus Audit Evidence, the Hub

Net Sec Group is an IASME and NCSC certification body. The CE Plus evidence pack is the primary artefact the assessor reads on the day; pack quality decides whether the engagement runs cleanly or rolls into rework. This hub indexes the two audit-evidence spokes on this site, drawn from our 800-plus engagement history.

Articles in this hub

CE Plus Evidence Screenshots Checklist, the Per-Control Specification

The 5-row screenshot specification table, one per Cyber Essentials control: the screen the engineer must capture, the visible-required fields the assessor rejects without, the redaction-permitted fields. Plus the 3-tier redaction acceptance model (always-accepted personal data and secrets, footer-noted commercially sensitive identifiers, never-accepted control-owner-name and configuration values), the 5 rejection patterns we see (cropped timestamps, non-production tenant, redacted configuration, user-view not admin-view, stale exports), and the assessor's typical sequencing for reviewing the pack.

CE Plus MFA Evidence, the Acceptable Formats by Identity Provider

The 4-row identity-provider-by-evidence-type table for Microsoft Entra, Google Workspace, Okta, and Duo. Per identity provider, the primary artefact (Conditional Access policy export, 2-Step Verification enforcement page, Factor Enrollment Policy, Admin Policy), the supporting artefacts (authentication methods reports, audit logs, system logs), what the assessor accepts cleanly, what gets rejected. Plus the assessor-accepted MFA factor list (hardware key, authenticator app TOTP, push with number matching) and a sample MFA evidence cover page.

When to read which article

| Where you are | Read this | |---|---| | Assembling the evidence pack and unsure which screenshots to capture | CE Plus Evidence Screenshots Checklist | | Configuring or evidencing MFA on cloud admin (any identity provider) | CE Plus MFA Evidence, Acceptable Formats | | Both apply (most engagements) | Read screenshot checklist first, then MFA evidence (which sits inside the User Access Control section of the screenshot pack) |

How this hub relates to the other three

The audit-evidence hub is one of four on this site. The other three:

• Vulnerability scanning: scanner choice, scan-tier mapping, false-positive handling, cloud-vs-on-prem methodology
• Platform-specific: per-platform hardening for Windows 11, macOS, Intune, and Google Workspace
• Technical controls: foundation references for each Cyber Essentials control

The audit-evidence pack pulls evidence from each of the other three pillars. The platform-specific articles produce per-device evidence; the vulnerability-scanning articles produce scan output evidence; the technical-controls articles produce policy-level evidence. The audit-evidence pillar tells you how to package all of it.

Common questions

What is the simplest acceptable evidence pack?

A folder per control (5 folders), 3 to 6 primary screenshots per control, sample-level evidence per the IASME formula, an index document, and a short scope statement. Typically 25 to 50 screenshots total for an SME engagement.

Where do we book CE Plus?

Book a Cyber Essentials Plus assessment with Net Sec Group.

Reference material

• Cyber Essentials Plus Assessment Guide
• Cyber Essentials Plus Sample Sizes
• Cyber Essentials Five Controls Technical Guide