What We Learned doing Cyber Essentials Plus Certification (And Why It Matters in the AI Era)

Add Jam recently achieved Cyber Essentials Plus certification. Here's what the process involved, why compliance matters more than ever when AI writes your code, and some tips for making the process easier.


We recently went through Cyber Essentials Plus certification at Add Jam. It's something we'd been meaning to do for a while, and in early 2026, with AI tools now deeply embedded in how software gets built, it felt like the right time to get serious about formally proving our security posture and having that as a differentiator against vibe-coded projects.

The process was more involved than expected but genuinely worthwhile. Not just for the badge on the website, but for what it forced us to think about as a team.

What even is Cyber Essentials Plus?

Cyber Essentials is a UK government-backed certification scheme run by the National Cyber Security Centre (NCSC). It's designed to help organisations protect themselves against the most common cyber threats. There are two levels:

  • Cyber Essentials is a self-assessment. You answer questions about your security controls and submit them; an assessor reviews your answers and you pass or fail. This is relatively low effort to get.
  • Cyber Essentials Plus goes further. An independent assessor actually tests your systems and processes: they scan your infrastructure, check your devices and verify through an audit that what you claim is true.

The certification covers five core areas:

  1. Firewalls - Are your internet-facing devices and services properly protected?
  2. Secure Configuration - Are systems configured to reduce vulnerabilities? No default passwords, unnecessary services disabled.
  3. User Access Control - Do the right people have the right level of access? Are admin privileges restricted?
  4. Malware Protection - How are you defending against malicious software?
  5. Security Update Management - Are you keeping software up to date and patching known vulnerabilities?

None of these are exotic. They're the basics. But the basics done properly are what stop 80% of common attacks. The UK government requires Cyber Essentials for suppliers handling certain types of sensitive and personal information on government contracts, and increasingly private-sector clients are asking for it too.

For a company like Add Jam that is building software that handles other people's data, it's a way to demonstrate that we take security seriously rather than just saying we do.

Why this matters more in the age of AI

Here's where it gets interesting. In 2026, most development teams are using AI tools daily. We use Claude Code extensively. GitHub Copilot is everywhere. ChatGPT is being used for everything from writing database migrations to generating infrastructure configs.

These tools are genuinely brilliant. We've written about vibe coding and the incredible things non-technical founders can build with AI. We've discussed what it takes to go from vibe code to production. But there's a dimension to this conversation that doesn't get enough attention: compliance and liability.

When Claude writes a line of code, who is responsible for it?

The answer, right now in 2026, is unambiguously us. The professionals. The developers. The CTOs who approve pull requests and the teams that ship to production.

Claude doesn't have professional indemnity insurance. GPT doesn't sign contracts with your clients. An AI tool has no legal liability when the code it generated introduces a security vulnerability that leaks user data. You do.

This isn't a theoretical concern. We've reviewed codebases where AI-generated code had:

  • API endpoints with no authentication checks
  • User data returned in responses that should have been scoped to admin roles
  • SQL queries constructed from unvalidated user input
  • Secrets and API keys committed to version control because the AI didn't know about the .gitignore

Each of these is a potential compliance failure. They are rookie mistakes that would show up in a Cyber Essentials Plus assessment. And each was introduced by AI tools that were doing exactly what they were asked to do by a user.

The liability sits with the humans. We need to review, understand and take ownership of every line of code that goes into production regardless of whether a human or an AI wrote it. This is exactly the kind of deep technical oversight that certification processes like Cyber Essentials Plus force you to codify.

If anything, AI has made certifications like this more important, not less. When code generation is this accessible, the differentiator isn't who can produce code fastest. It's who can ensure that code is secure, compliant and production worthy.

What getting certified actually looks like

Unlike the basic level of certification, going through Cyber Essentials Plus is not just filling in a form. Here's roughly what the journey looked like for us.

Getting your house in order

Before the assessment, we needed to document our security policies, review every device that touches client work and ensure our infrastructure met the standard. This meant:

  • Ensuring every laptop and mobile device was up to date
  • Reviewing firewall configurations across our hardware
  • Verifying that FileVault encryption was enabled everywhere on our macOS devices
  • Checking that all operating systems and software were on supported versions
  • Ensuring password policies met the minimum requirements (12+ characters, lockout policies) and that MFA was enforced on all services
  • Disabling unnecessary services (remote login, screen sharing, AirDrop in certain contexts)

It's the kind of thing you assume is already sorted until you actually check. Spoiler: it's never all sorted.

Centralising documentation with Notion

One thing that made the process significantly more manageable was centralising everything in Notion. We built out a dedicated Cyber Essentials workspace that became our single source of truth.

This included:

  • Policy documents - Acceptable use, access control, patch management, incident response
  • Asset registers - Every device, its owner, OS version, encryption status, last audit date
  • Audit logs - Records of security checks, when they were run, who ran them and results
  • Evidence collection - Screenshots, scan reports and configuration exports organised by control area

Having everything in one place was invaluable when the assessor asked for evidence. Rather than scrambling to find screenshots or remember when we last checked something, we could point to timestamped records. It also meant the whole team could see the current compliance status at a glance and anyone could flag if something had drifted.

If you're considering Cyber Essentials, my advice is: set up your documentation system first. The process is vastly easier when you're not retrofitting evidence after the fact.

Building internal tooling for device compliance

This is where we went a bit further than most. Rather than manually checking each laptop against the Cyber Essentials criteria, we built an internal command-line tool that automates the entire audit.

The tool runs over 45 automated checks across all five Cyber Essentials control areas:

  • Firewall checks - Application Firewall status, stealth mode, sharing services (SSH, Screen Sharing, SMB, AirDrop, Bluetooth sharing and more)
  • Secure configuration - System Integrity Protection, Gatekeeper, FileVault encryption, automatic login disabled, screen lock settings, macOS version still in support
  • User access control - Admin account verification, guest accounts disabled, password policy enforcement, account lockout policies
  • Malware protection - XProtect definition freshness, third-party antivirus detection, legacy runtime scanning (old Java, Flash, Python 2), stale application detection
  • Security updates - Automatic update settings, browser versions, full software inventory, Homebrew package freshness

It produces a clear terminal report with pass/fail/warning status for each check and optionally generates a timestamped JSON evidence file. The JSON output maps directly to the CE+ control areas, which makes it straightforward to include in audit documentation.

The whole thing is written in pure Bash with zero dependencies. It runs on any modern Mac without installing anything. We built it because we needed it: checking every machine manually was tedious and error-prone.
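A small audit script in the same shape as the tool described above, which also covers the manual checklist from "Getting your house in order". This is an added example written for this post, not Add Jam's tool; it assumes the standard macOS commands it calls (socketfilterfw, fdesetup, csrutil, spctl, defaults) and the wording of their current output. The check data, the pass/fail/warn evaluator and the JSON evidence writer are kept separate so each can be tested on its own.

```shell
#!/bin/sh
# Added illustration, not Add Jam's tool. Each check is one line of data:
# name | CE control area | command | regex the output must match to PASS.
# Empty output (command absent, needs root, key never set) is WARN, so a
# person looks at it rather than trusting a silent pass. Live checks need macOS.
checks() {
cat <<'EOF'
Application Firewall enabled|Firewalls|/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate|enabled
Firewall stealth mode|Firewalls|/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode|enabled
FileVault encryption|Secure Configuration|fdesetup status|FileVault is On
System Integrity Protection|Secure Configuration|csrutil status|enabled
Gatekeeper|Secure Configuration|spctl --status|assessments enabled
Guest account disabled|User Access Control|defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled|^0$
Automatic update checks|Security Update Management|defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled|^1$
EOF
}

# classify OUTPUT PATTERN -> PASS | FAIL | WARN. Pure: runs no commands.
classify() {
  if [ -z "$1" ]; then echo WARN
  elif printf '%s\n' "$1" | grep -Eq -- "$2"; then echo PASS
  else echo FAIL
  fi
}

# json_str TEXT -> TEXT safe to place between double quotes in JSON
json_str() {
  printf '%s' "$1" | tr '\n' ' ' | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# run_audit [EVIDENCE_FILE]: terminal report, plus timestamped JSON evidence
run_audit() {
  out="${1:-}"
  if [ -n "$out" ]; then
    printf '{"generated":"%s","checks":[' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >"$out"
  fi
  checks | { first=1; while IFS='|' read -r name area cmd pat; do
    actual=$(eval "$cmd" 2>/dev/null || true)
    status=$(classify "$actual" "$pat")
    printf '[%s] %-28s (%s)\n' "$status" "$name" "$area"
    if [ -n "$out" ]; then
      [ "$first" = 1 ] || printf ',' >>"$out"; first=0
      printf '{"check":"%s","area":"%s","status":"%s","evidence":"%s"}' \
        "$(json_str "$name")" "$(json_str "$area")" "$status" "$(json_str "$actual")" >>"$out"
    fi
  done; }
  if [ -n "$out" ]; then printf ']}\n' >>"$out"; fi
}

if [ "$(uname -s)" = Darwin ]; then run_audit "${1:-}"; fi
```

Run it as `sh audit.sh evidence.json` on the Mac being audited; the evidence file carries the raw command output per check so an assessor can see what the status was derived from.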

Should we share this?

We've been discussing whether to open source the tool. It's genuinely useful beyond Add Jam. Any UK company going through Cyber Essentials Plus on macOS would benefit from automated device auditing rather than manual checking.

We're leaning towards releasing it publicly. The core utility of automating compliance checks for a well-known standard benefits the wider community and there's no competitive disadvantage in sharing it. If anything, we figure it demonstrates the kind of engineering rigour we apply to everything.

There might also be a commercial angle here with a native app or something... We're still working this out. If you're interested in the tool or the idea or some sort of related compliance service, get in touch and let us know.

What certification doesn't cover

Cyber Essentials Plus is a solid baseline but it's worth being honest about its limitations. It covers the fundamentals of device and network security. It doesn't cover:

  • Application security - How your actual codebase handles authentication, authorisation and data protection
  • Supply chain security - The security posture of the third-party services and APIs you depend on
  • AI-specific risks - Prompt injection, model poisoning or data leakage through AI tools (there's no established certification for this yet)
  • Organisational security culture - Whether your team actually follows the documented processes day-to-day

Certification is a starting point, not a destination. We treat it as one layer in a broader approach to security that includes code reviews, dependency auditing, infrastructure hardening and ongoing vigilance.

Trust as a differentiator

There's a reason we invested time in this beyond the certificate itself. As AI tools lower the barrier to producing software, the market is going to get noisier. More people and more agencies will be able to ship code quickly. That's great for innovation but it creates a real problem for the people commissioning software.

How do you know the team building your product is actually taking security seriously? How do you know they're reviewing AI-generated code rather than shipping it unchecked? How do you know your user data is being handled properly?

Certifications like Cyber Essentials Plus are one answer. They're independently verified. They require evidence. They force you to maintain standards rather than just claim them.

For startups handling user data, processing payments or operating in regulated sectors like healthcare or fintech, working with a certified development partner isn't just nice to have. It's risk management.

Need technical leadership you can trust?

If you're building a product and want confidence that your development is secure, compliant and production-ready, we can help in a couple of ways.

Our Fractional CTO service gives you experienced technical leadership without the overhead of a full-time hire. We provide the deep technical oversight that AI tools can't: reviewing architecture decisions, ensuring code quality, managing security posture and giving you honest assessments of where your product stands. This is particularly valuable if your team is using AI tools heavily. Someone needs to be the accountable adult in the room.

If you're looking for a development partner to build or scale your product, get in touch or jump ahead and book a free consultation.

Michael Hayes, Co-founder of Add Jam
