Vulnerability Assessment plus exam

This exam (VA+), developed by NCSC and IASME, is a requirement for all Cyber Essentials Plus assessors that do not have a Lead Assessor qualification.


If you’re interested in booking a VA+ Exam, or viewing the syllabus & guidance notes, please go to


The exam is run remotely and is split into 4 sections, all of which must be passed by obtaining 60% or more in each:

  • Multiple choice paper – 1 hour
  • Vulnerability Scan – 30 minutes
  • Essay – 2 hours
  • Viva – 15 minutes


The VA+ certificate is valid for three years, and the exam will need to be retaken at this point in order to renew.

learning outcomes

  • Provide an overview of the vulnerability assessment process
  • Learn about tools used during the vulnerability assessment process
  • Understand the underlying concepts of TCP/IP, Ports and Protocols
  • Apply critical thinking to solve problems encountered during an assessment

Apply tools and techniques to assess:

  • external facing interfaces
  • internal interfaces
  • the threat of malware (Antimalware solutions,
  • Application whitelisting)
  • Assess the threat of common external attacks (Email, SMS etc)
  • Assess the threat of common internal attacks (Web Applications, Downloads)
  • Report/Explain Vulnerabilities found

Learning objectives

  • Understand Information security in the corporate world
  • Understand the laws and regulations involved with vulnerability assessing
  • Understand quantifying and measuring risks associated with vulnerabilities
  • Understand how to find internal and external vulnerabilities
  • Understand how to test hardening measures for malware
  • Report and explain vulnerabilities found throughout a project

Find Out More

Have a look at our Frequently Asked Questions or speak to our team