Vulnerability Assessment plus exam

This exam (VA+), developed by NCSC and IASME, is a requirement for all Cyber Essentials Plus assessors who do not have a Lead Assessor qualification.


The exam syllabus contains a series of modules that should help you focus on preparation for the exam assessment. It is highly recommended that your learning journey include both theory and practical study.

You can download the exam syllabus here

You can download the guidance notes here


The exam is run remotely and is split into 4 sections, all of which must be passed by obtaining 60% or more in each:

  • Multiple choice paper – 1 hour
  • Vulnerability Scan – 30 minutes
  • Essay – 2 hours
  • Viva – 15 minutes

The cost of the exam is £500 + VAT per person.


The VA+ certificate is valid for three years, and the exam will need to be retaken at this point in order to renew.



If you would like to book a re-sit please contact [email protected]. Please note that the following re-sit criteria apply:

  • You will need to wait 4 weeks before re-sitting the exam.
  • The re-sit needs to be taken within 3 months of the original date.

If you have failed one or two modules you may re-sit at the following costs:

  • Multiple Choice – £100
  • Longform – £400
  • Practical – £400

A combination of any two of the above re-sit costs will not exceed £500.

If you fail the re-sit then you will be required to re-sit the entire exam after 4 weeks and before 3 months at the cost of £500.

Learning outcomes

  • Provide an overview of the vulnerability assessment process.
  • Learn about tools used during the vulnerability assessment process.
  • Understand the underlying concepts of TCP/IP, Ports and Protocols.
  • Apply critical thinking to solve problems encountered during an assessment.

Apply tools and techniques to assess:

  • external-facing interfaces
  • internal interfaces
  • the threat of malware (antimalware solutions, application whitelisting)
  • the threat of common external attacks (email, SMS, etc.)
  • the threat of common internal attacks (web applications, downloads)

Report and explain vulnerabilities found.

Learning objectives

  • Understand information security in the corporate world.
  • Understand the laws and regulations involved with vulnerability assessing.
  • Understand quantifying and measuring risks associated with vulnerabilities.
  • Understand how to find internal and external vulnerabilities.
  • Understand how to test hardening measures for malware.
  • Report and explain vulnerabilities found throughout a project.

Book to take the exam

Please contact us to find out the next dates available to take this exam and book a place.

Find Out More

Have a look at our Frequently Asked Questions or speak to our team.