What is a pre-audit and audit call?

If you're preparing for Cyber Essentials Plus (CE+), there are two key stages where an assessor will speak with you: 

• A Pre-Audit Call - to help you prepare
• An Audit Call - the official check for compliance 

These calls are designed to support you and ensure everything is in place for certification. 

The Pre-Audit Call - Helping You Get Ready

This is a helpful, informal discussion to make sure you're on track. 

What typically happens: 

• Vulnerability Management Check: The assessor will confirm that your organisation is running regular vulnerability scans and fixing issues. 
• Scan Review: You'll go over recent scan results together to highlight anything that needs fixing. 
• Q&A Support: You'll be able to ask questions and clarify anything you're unsure about. 

The pre-audit is your chance to get ahead of any issues, with no pressure. 

The Audit Call - The Real Check

This is the official stage where the assessor confirms you meet the CE+ requirements. 

What to expect: 

• Scan Results Rechecked: They'll confirm all issues have been resolved. 

System Checks: 

• Systems are up to date 
• Antivirus is installed and active 
• User accounts are secure with limited admin access 
• Firewalls are configured properly 
• Devices are protected against common threats 
• Multi-Factor Authentication (MFA): The assessor will confirm MFA is enabled where possible on all cloud services (e.g., Microsoft 365 or Google Workspace). MFA is now a critical requirement and a common reason for failing CE+ if not properly implemented. 

Final Thoughts 

Remember, the goal of these calls is to help you meet the standard-not to trip you up. 

With some preparation and communication with your assessor, achieving CE+ can be a smooth and successful process.