Cyber Essentials Plus · Assessment Day · April 2026 rules

What to Expect From Your Assessor

A practical, end-to-end walkthrough of the CE+ technical assessment — how scope is locked, which devices get sampled, what gets tested, the evidence you'll be asked for, and the new auto-fail rules that decide pass or fail.

01 · Before the Day

Setting the stage — remote, scoped, and locked

The assessment is almost always run remotely over screen-share — there's no remote agent to install. The technical work is 4 to 6 hours across one working day, occasionally split over two half-days for larger or more complex estates.

An evidence checklist arrives in advance

You'll be sent the checklist ahead of time so you can prepare exports and screenshots before anyone joins the call.

Scope is confirmed at kickoff — and verified

The assessor confirms scope at the start. At CE+ this is verified, not self-declared as it was at Basic.

4–6 hours of hands-on testing

One working day for most estates; two half-days for larger or more complex environments.

Lock this in early

Under the April 2026 rules, the verified self-assessment must be finalised before CE+ testing starts — and it cannot be changed afterwards based on what the audit finds. Make sure the answers you submit match reality before the assessor begins.

02 · Device Selection

Sampling is driven by builds, not headcount

A build is a unique combination of OS, edition, major version and feature-update level. The assessor picks a sample of each in-scope device type — and the number selected scales with how many devices share that build.

Sample size is set per band of devices sharing the build: a build of 1; 2 – 5 devices; 6 – 19 devices; 20 – 60 devices; 61 and above. The number sampled rises through these bands.
Where you run a mixture of Windows Pro, Business and Enterprise, a sample is taken from each.
Windows 11 23H2 Pro and 24H2 Pro count as separate builds — a deferred feature update can quietly inflate your sample.
Linux and macOS devices are selected too, along with a sample of Android and iOS devices from the inventory.
Servers and hypervisors are tested in full — no sampling applies.
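To see how many distinct builds an estate will be sampled from, group the inventory by the same key the assessor uses. The script below is an added example, not part of the scheme's guidance or any assessor tooling. It assumes an MDM export with OS, edition and a dotted OS version (as Intune reports it), maps the Windows build number to its feature-update label using Microsoft's public build identifiers, and reports the sampling band for each build; per-band sample sizes are set by the assessor and are deliberately not hard-coded. The seven device records are constructed for illustration.

```powershell
# Added example: summarise an inventory by CE+ "build" (OS + edition + feature-update
# level) and show which sampling band each build falls into. Device records below are
# constructed; in practice feed in your Intune/MDM export.

# Windows build number -> feature-update label (public Microsoft release identifiers).
$FeatureUpdate = @{
    '19045' = 'Windows 10 22H2'
    '22621' = 'Windows 11 22H2'
    '22631' = 'Windows 11 23H2'
    '26100' = 'Windows 11 24H2'
}

function Get-CeBuildKey {
    param([string]$Os, [string]$Edition, [string]$Version)
    # Intune reports e.g. "10.0.22631.4751"; the third component is the build number.
    $parts = $Version.Split('.')
    $label = if ($parts.Count -ge 3 -and $FeatureUpdate.ContainsKey($parts[2])) {
        $FeatureUpdate[$parts[2]]
    } else {
        "$Os $Version"   # non-Windows or unrecognised build: keep the raw version
    }
    return ("$label $Edition").Trim()
}

function Get-CeSamplingBand {
    param([int]$Count)
    # Bands as described in the scheme guidance; sample counts are the assessor's call.
    switch ($Count) {
        { $_ -eq 1 }                 { '1 device' }
        { $_ -ge 2 -and $_ -le 5 }   { '2-5 devices' }
        { $_ -ge 6 -and $_ -le 19 }  { '6-19 devices' }
        { $_ -ge 20 -and $_ -le 60 } { '20-60 devices' }
        default                      { '61 and above' }
    }
}

# Constructed inventory. LT-004 and LT-005 deferred the 24H2 feature update and so
# form a second, separately sampled Pro build.
$Inventory = @(
    [pscustomobject]@{ Name = 'LT-001'; Os = 'Windows'; Edition = 'Pro';        Version = '10.0.26100.2894' }
    [pscustomobject]@{ Name = 'LT-002'; Os = 'Windows'; Edition = 'Pro';        Version = '10.0.26100.2894' }
    [pscustomobject]@{ Name = 'LT-003'; Os = 'Windows'; Edition = 'Pro';        Version = '10.0.26100.2894' }
    [pscustomobject]@{ Name = 'LT-004'; Os = 'Windows'; Edition = 'Pro';        Version = '10.0.22631.4751' }
    [pscustomobject]@{ Name = 'LT-005'; Os = 'Windows'; Edition = 'Pro';        Version = '10.0.22631.4751' }
    [pscustomobject]@{ Name = 'LT-006'; Os = 'Windows'; Edition = 'Enterprise'; Version = '10.0.26100.2894' }
    [pscustomobject]@{ Name = 'MB-001'; Os = 'macOS';   Edition = '';           Version = '15.3' }
)

$Inventory |
    Group-Object { Get-CeBuildKey $_.Os $_.Edition $_.Version } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Build   = $_.Name
            Devices = $_.Count
            Band    = Get-CeSamplingBand $_.Count
        }
    } | Format-Table -AutoSize
```

Run against the constructed data this yields four builds, not two: "Windows 11 24H2 Pro" (3 devices, 2-5 band), "Windows 11 23H2 Pro" (2 devices), "Windows 11 24H2 Enterprise" (1) and "macOS 15.3" (1). Pushing the two deferred laptops onto 24H2 before the day collapses the Pro devices into a single build and one sample.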
03 · What Gets Tested on Each Device

Three probes per sampled device

On every selected device the assessor runs the same battery of checks — exercising user privilege, malware protection, secure configuration and patching together.

1. Local Administrator rights

Users are checked on the device to confirm whether they hold Local Administrator, and that admin and standard accounts are properly separated.

2. Email filtering & payload testing

An automated platform sends a battery of test emails to the target mailbox. The user is then guided to download a zip, extract it and run each file, with a mix of file types to probe how the endpoint handles each.

EMAIL · A: Permitted out at all?
EMAIL · B: Allowed to land in the inbox?
FILE · A: Permitted to run?
FILE · B: Runs without consent, or at all?
3. Internal vulnerability scan

Expect an authenticated scan against the sampled devices. This is where the patching controls are proven.

This is the part most likely to catch you out — see the second-sample rule below.
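Probe 1 is easy to rehearse yourself before the assessor does it. The following is an added example, not assessor tooling or scheme-provided code: run in an elevated PowerShell 5.1 or later session on a sampled Windows device, it lists every principal in the local Administrators group, checks whether any of them is currently signed in (console user via WMI, plus any interactive or RDP session reported by quser), and separately flags an enabled built-in Administrator account. The function and report field names are this example's own.

```powershell
# Added example: who holds Local Administrator on this device, and is any of them the
# account someone is actually signed in with? Run elevated on the sampled device.

function Get-CeLocalAdminReport {
    # Members of the built-in Administrators group. Local, domain and Entra ID
    # principals all appear here; PrincipalSource tells you which.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

    # Console user as WMI reports it (DOMAIN\user or AzureAD\user); $null if nobody is
    # signed in at the console.
    $console = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

    # Usernames of every interactive/RDP session, parsed from quser (first column).
    # quser is absent on some editions, so a failure simply yields an empty list.
    $sessions = @()
    try {
        $sessions = @(quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
            ($_.Trim() -replace '^>', '') -split '\s+' | Select-Object -First 1
        })
    } catch { }

    foreach ($m in $admins) {
        $shortName = $m.Name.Split('\')[-1]
        [pscustomobject]@{
            Account  = $m.Name
            Type     = $m.ObjectClass
            Source   = $m.PrincipalSource
            SignedIn = ($console -eq $m.Name) -or ($sessions -contains $shortName)
        }
    }
}

$report = @(Get-CeLocalAdminReport)
$report | Format-Table -AutoSize

# Separation check: a signed-in user holding Local Administrator is exactly what the
# assessor is looking for.
$violations = @($report | Where-Object SignedIn)
if ($violations.Count) {
    Write-Warning "Signed-in account(s) holding Local Administrator: $($violations.Account -join ', ')"
} else {
    Write-Host 'No signed-in account holds Local Administrator on this device.'
}

# The built-in Administrator (RID 500) should normally be disabled or renamed.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
if ($builtin.Enabled) {
    Write-Warning "Built-in Administrator account '$($builtin.Name)' is enabled."
}
```

On Entra-joined devices Get-LocalGroupMember occasionally fails on an orphaned SID; if it does, `net localgroup administrators` still lists the members and you can compare by hand. The script only reports on the one device it runs on, so run it on every device in the expected sample, not just the one you happen to be sharing your screen from.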
04 · Evidence Requested Throughout

Have these ready — live and as screenshots

Screenshot evidence and configuration exports are requested across the whole process. Be ready to demonstrate each one live during the screen-share as well as supplying the screenshots.

Intune / MDM

Your management plane and policy posture.

Asset inventory

Every in-scope device accounted for.

RMM patch status

Each device's patching state, on demand.

AV / EDR

Installed and active — not just present.

Confirm AV or EDR is active, not merely installed — the assessor will want to see it running.
05 · Know These Cold
Auto-fail territory

The patching controls

Under the April 2026 marking criteria, patching is now auto-fail territory. Failing either control fails the whole assessment, regardless of how everything else scores.

A6.4 · Operating systems & firmware

High-risk or critical updates for operating systems and router / firewall firmware installed within 14 days of release.

A6.5 · Applications

High-risk or critical updates for applications — including associated files and extensions — installed within 14 days of release.

The same auto-fail logic now applies to MFA on every cloud service where it's available — free, bundled or paid.
14 days maximum, measured from the vendor's publication date, not from when the patch reaches the device.
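Because the clock runs from publication, the question to ask a device is not "when did it last install updates" but "what is it still missing, and how old is that". The script below is an added example and not part of the scheme or any assessor toolkit. It assumes a Windows device with the Windows Update Agent reachable through its COM API (Microsoft.Update.Session), which reflects whatever update source the device is configured for; it treats Microsoft's MsrcSeverity ratings of Critical and Important as the approximation of the scheme's "critical or high-risk", and uses LastDeploymentChangeTime (the update's last publish date, UTC) as the publication date. Both approximations are this example's assumptions; the function name is its own.

```powershell
# Added example: list updates this device is still missing and flag security updates
# published more than 14 days ago (the CE+ window). Windows/Microsoft updates only;
# router firmware and third-party applications need their own check.

function Get-CeOverdueUpdates {
    param([int]$Days = 14)

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Not yet installed and not hidden by an administrator.
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

    $nowUtc = (Get-Date).ToUniversalTime()
    $cutoff = $nowUtc.AddDays(-$Days)

    foreach ($u in $result.Updates) {
        # MsrcSeverity is Microsoft's own rating and is empty for non-security updates.
        $severity  = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        # Last publish/revision date of the update, in UTC (assumption: stands in for
        # the vendor's publication date).
        $published = [datetime]$u.LastDeploymentChangeTime

        [pscustomobject]@{
            Title     = $u.Title
            Severity  = $severity
            Published = $published.ToString('yyyy-MM-dd')
            AgeDays   = [int]($nowUtc - $published).TotalDays
            Overdue   = ($severity -in 'Critical', 'Important') -and ($published -lt $cutoff)
        }
    }
}

$WindowDays = 14
$pending = @(Get-CeOverdueUpdates -Days $WindowDays)
$pending | Sort-Object AgeDays -Descending | Format-Table -AutoSize

$overdue = @($pending | Where-Object Overdue)
if ($overdue.Count) {
    Write-Warning "$($overdue.Count) Critical/Important update(s) pending beyond the $WindowDays-day window:"
    $overdue | ForEach-Object { Write-Warning "  $($_.AgeDays)d  $($_.Title)" }
} else {
    Write-Host "No Critical/Important updates pending beyond $WindowDays days."
}
```

A device that passes this check can still fail A6.4 or A6.5: firmware on the perimeter device and third-party applications (browsers, PDF readers, their extensions) are outside what the Windows Update Agent sees, and the authenticated vulnerability scan in probe 3 will surface those. Use the RMM patch-status export for the cross-estate view and this script to spot-check the devices you expect to be sampled.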
06 · The Second-Sample Rule

Why you can't selectively fix

This is the single most important behavioural point — and it's now baked into the scheme. IASME audits found organisations applying updates only to the sampled devices during the audit, passing CE+ while leaving the rest of the estate vulnerable.

The old shortcut

Patch only the tested boxes

It no longer works — and it actively exposes you. The scheme is built to detect exactly this.

The rule now

Original sample + a fresh random sample

On retest the assessor rechecks the original sample and pulls a new random sample from across the whole estate.

The stakes are real

A second failure results in revocation of the verified self-assessment certificate — not just the Plus. Patching only the tested devices is the fastest way to lose both.

07 · Conduct During the Assessment

Be open. Surface, don't silently fix.

Comply with your assessor at all times. The scheme is now built to detect selective, last-minute remediation — and the penalty for being caught is far worse than the original finding.

Do this
  • Be open and honest with the assessor at every step.
  • Have a mitigation or plan in play for every eventuality.
  • If something's broken, surface it and explain the remediation plan.
  • Let the retest mechanism do its job across the whole estate.
Never do this
  • Withhold information from the assessor or play down a finding.
  • Silently fix issues mid-assessment — that's the "silent fixing" the scheme now catches.
  • Apply selective, last-minute remediation to the sampled devices only.
  • Hope a problem goes unnoticed — the penalty is far worse than the finding.

Honesty is the winning strategy

The retest is designed to reward organisations that fix the whole estate and surface issues openly. Do that, and the second sample becomes proof you're secure — not the trap that catches you out.