There are two stages of the UK official scheme Cyber Essentials – Cyber Essentials and Cyber Essentials Plus. The same five technical controls are covered at both levels, but there are some differences in their degree of validation. Cyber Essentials implies a verified self-assessment by an assessor. Cyber Essentials Plus includes, in addition to it, independent testing of some of the systems. For the majority of UK companies, the decision about the appropriate level of certification depends on some criteria which include expectations of customers, requirements of contracts, types of data, complexity of IT infrastructure and amount of evidence of implementation of controls required.
Thus, Cyber Essentials can be considered sufficient for smaller companies in the UK which require an official baseline certificate proving compliance with Cyber Essentials Scheme controls. Cyber Essentials Plus can be recommended for businesses working with sensitive data, supplying larger organisations or participating in the tender processes.
Quick comparison: Cyber Essentials vs Cyber Essentials Plus
| Area | Cyber Essentials | Cyber Essentials Plus | What it means for your business |
|---|---|---|---|
| Assessment type | Verified self-assessment | Technical audit after Cyber Essentials | Plus gives stronger independent assurance. |
| Controls | Same five technical controls | Same five technical controls | Plus does not introduce a separate framework. |
| Assurance level | Baseline assurance | Higher assurance | Buyers get more confidence that the controls are working. |
| Testing | Questionnaire reviewed by an assessor | Independent technical testing and vulnerability scanning | Plus checks selected systems rather than relying only on written answers. |
| Cost | Fixed published price by organisation size | Usually quoted based on scope and complexity | Plus costs more because it involves assessor testing time. |
| Best for | SMEs, first-time certification and baseline supplier checks | Higher-risk suppliers, IT firms, SaaS providers and sensitive data handlers | The best option depends on your risk and buyer requirements. |
| Effort | Lower preparation burden | More preparation, evidence and remediation work | Plus needs more technical readiness before the audit. |
| Buyer confidence | Good trust signal | Stronger proof for tenders and supply chains | Plus can help when procurement teams want more than a declaration. |
What is Cyber Essentials?
Cyber Essentials is the basic level of accreditation under the Cyber Essentials Scheme in the United Kingdom. This evaluates whether the organisation has the basic security measures in place to mitigate typical cyber threats through the Internet.
This is not exclusive to organisations in the tech industry alone. Organisations in accounting, charities, schools, construction, retail, legal firms, healthcare providers, consultancy firms, manufacturing and government suppliers use it. What it does is that it makes the organisation evaluate the protection of its devices, accounts, applications, cloud services and Internet-facing systems from typical attacks.
A senior individual who is typically an equivalent board member, director, or someone else who holds the same level of authority signs the statement. This is important. Cyber Essentials is not just a form that the IT department can fill out on their own. It is a statement made at the business level regarding the state of security at the time of certification.
Cyber Essentials is often the first certificate of cybersecurity that SMEs are asked to provide. It helps in supplier onboarding, tendering, assurance of customers and internal improvements. It also provides a means for the business to solve some of the most common issues such as software that is not supported, poor account management or no multi-factor authentication.
What is Cyber Essentials Plus?
Cyber Essentials Plus is the high-assurance form of the same scheme. It utilises the same five technical controls of Cyber Essentials. However, what makes it different from Cyber Essentials is that the independent assessor will conduct technical tests. These technical tests reveal whether the controls have been implemented in the selected systems within the scope.
And that is the primary difference. Cyber Essentials Plus is not another completely separate standard, nor is it a full penetration test. Rather, it is a technical audit associated with Cyber Essentials requirements. According to the scope agreed upon, the assessor will be conducting testing on the user devices, servers, cloud services, internet gateway and external-facing services. This testing can include vulnerability testing, testing of software/patches, testing of anti-malware, and isolation of accounts testing. This assessment may also verify that two-factor authentication is required from users while accessing cloud services.
Normally, a company will undertake the Cyber Essentials before the Plus audit, in accordance with the necessary time limits. In most cases, however, companies will plan for the two stages concurrently, which allows them to align their responses to the assessment questions, the setup of their devices, cloud services audit, and scheduling of the audit.
The Cyber Essentials Plus becomes relevant in scenarios whereby a customer requires more than just a self-assessment. It comes in handy when dealing with large clients, in the public sector, where supply chains are regulated, as well as with managed service providers. In commercial environments, it becomes useful when an independent test is required.
Key differences between the two certification levels
Self-assessment vs technical audit
Cyber Essentials certification involves a verified self-assessment process. The questions are answered, the scope is defined, the explanation of the controls is provided, and the application is submitted through the portal. There will be an assessor reviewing the answers and making queries for clarifications prior to issuing the certificate.
The Cyber Essentials Plus is built upon the same foundation but includes the technical verification process. In this way, the assessor examines some elements of the environment to ensure that the controls are operating as described. That is why the Cyber Essentials Plus is more valuable when it comes to high-risk procurement.
Same controls, different assurance
The five control areas included in both are:
- Firewalls
- Secure configuration
- Security update management
- User access control
- Malware protection
Cyber Essentials Plus does not include any additional sixth control or move to ISO 27001. The only difference is the level of validation. While Cyber Essentials proves that the organization has completed a validated self-assessment, Cyber Essentials Plus provides additional assurance since an independent validator has assessed some of the systems within the agreed scope.
Cost and preparation effort
There are official costs associated with Cyber Essentials according to company size. It may take different preparation time, but at least there is an exact cost of the certificate known in advance.
Cyber Essentials Plus is generally quoted on a per-person basis. The extent of the work depends on the number and types of devices, locations, internet-exposed services, cloud services, and remote workforce and assistance needed prior to auditing. An office setting with managed laptops and Microsoft 365 will be easy to audit for compliance. A multi-office setup is harder, particularly if it involves an old infrastructure, mixed operating systems, remote workforce, and servers plus multiple cloud providers.
The cost which is not always considered is that of the assessor. This is actually the internal costs incurred. Someone needs to locate the devices, uninstall unsupported software, install updates, clean up admin rights, define the scope, and check all the cloud services.
Supplier and tender expectations
There are some buyers who ask solely for Cyber Essentials certification. However, there are others who prefer Cyber Essentials Plus certification, particularly when the supplier will handle sensitive data, be connected to the client’s system, provide IT services or have a higher-risk contract.
The requirement in the case of the public sector depends on the type of contract. Government procurement guidelines make it clear that Cyber Essentials and Cyber Essentials Plus can be used for certain types of contracts. Also, it states that the controls should be proportional to the risk. While a low-risk supplier requires Cyber Essentials, a high-risk one can be asked to submit Plus or equivalent certification.
Buyers in the private sector also use the Cyber Essentials scheme to check their suppliers. Some industries which may require the certification include banks, insurance companies, large professional services organisations, technology companies and managed services.
Evidence and buyer confidence
Cyber Essentials provides an accredited indication of trustworthiness. This means that the company has gone through the official controls and has got them reviewed.
Cyber Essentials Plus provides even more convincing evidence. In the case where a procurement team is considering two similar suppliers, the Plus certification will facilitate security discussion. This is particularly true if the other supplier possesses only Cyber Essentials certification. It should be noted that the business is not guaranteed to be secure from any attack, but at least it is officially recognised.
Which certification does your UK business need?
However, there is no one-size-fits-all solution. It will depend on the level of your threat, budget, contract requirements and how much assurance your clients require.
Choose Cyber Essentials if…
Cyber Essentials is normally the logical choice if:
- You are a sole trader, micro or small company just beginning cyber certification.
- A client or bid requires only Cyber Essentials certification.
- Your IT environment is relatively simple and low-risk with cloud being the main storage.
- You are looking for a less costly way of demonstrating a cybersecurity standard.
- You require certification for supplier registration, insurance discussions or just gaining the confidence of your clients.
- You wish to enhance cyber hygiene before going further.
Many small organisations find that Cyber Essentials is sufficient for their procurement requirements. It is also a great checklist for handling various common situations before they become too costly.
Choose Cyber Essentials Plus if…
Cyber Essentials Plus may well be something to consider when:
- The company deals with personal, financial, legal, healthcare, education or government-related data.
- The company supplies bigger organisations that employ more rigorous procurement assurance processes.
- The company provides IT support, managed services, hosting, SaaS, software or security-sensitive services.
- Bidding for tenders where stronger assurance might help to strengthen the position.
- The employees are working remotely from a number of cloud-based services.
- Independent technical verification is required by the directors, investors, customers or auditors.
- The customers continuously ask security-related questions.
And Plus is the right choice if the company has pretty good technical controls but is constantly requested to prove them. That will help to reduce unnecessary communication while filling out supplier questionnaires because the certificate carries more practical assurance than self-assessment.
Simple decision matrix
| Business type | Likely starting point | When Plus makes sense |
|---|---|---|
| Sole trader or microbusiness | Cyber Essentials | When a client specifically asks for Plus or the work involves sensitive data. |
| SME professional services firm | Cyber Essentials | When clients in legal, finance, healthcare or public sector markets want stronger assurance. |
| IT provider or MSP | Cyber Essentials Plus | Clients depend on your systems, access and support processes, so Plus is more persuasive. |
| SaaS or software business | Cyber Essentials Plus | Useful for buyer trust, due diligence and security questionnaires. |
| Charity or school | Cyber Essentials | Plus may be justified where data sensitivity, funder requirements or risk level are higher. |
| Public sector supplier | Check the tender | Plus may be needed for higher-risk work or where the buyer specifies it. |
| Financial, legal or healthcare supplier | Cyber Essentials Plus | These sectors often face stronger client assurance expectations. |
| Construction, manufacturing or retail SME | Cyber Essentials | Plus is useful if the business handles sensitive client data or connects into customer systems. |
Cyber Essentials and Cyber Essentials Plus cost in the UK
The cost of Cyber Essentials certification up to June 2026 will depend upon the size of your business:
- Micro Business (0-9 Employees): £320 + VAT
- Small Business (10-49 Employees): £440 + VAT
- Medium Business (50-249 Employees): £500 + VAT
- Large Business (250+ Employees): £6
Unlike other certifications, Cyber Essentials Plus also doesn’t have a fixed cost for its certification as well. The reason behind it is that it is usually given by the certification body, where the assessor needs to have an idea of the scope and effort required for testing.
The cost of Cyber Essentials Plus in the UK may vary depending on the following:
- The number of laptops, desktops, tablets, mobile and server devices
- The number of internet gateways and public IP addresses
- Internet-facing services and hosted systems
- Cloud and SaaS platforms within scope
- Remote access arrangement
- Number of sites
A budget for such certification must consist of three parts: the cost of certification or audit, time spent for preparations and gap fixing. While most organisations focus only on the quote, the effort spent to get the first-time success is also equally important.
How the certification process works
Cyber Essentials process
- Determine the scope of the exercise. Determine whether the entire organisation will be covered or a well-defined portion of the infrastructure will be considered.
- Analyse the five technical controls. Inspect the firewall, secure configuration, patching, access control and malware prevention systems.
- Collect your supporting documentation. Collect information regarding devices, cloud services, administrative accounts, remote working, software and patches.
- Answer the verification self-assessment questions. Use the standard questionnaires for preparation before submitting online.
- Sign off the answers. A member of the board, a director or an equivalent person certifies that the answers are correct.
- Address the concerns of the assessor. Promptly clear any confusion or misinformation.
- Obtain the certificate. Consider the certificate as a snapshot and maintain the controls.
Cyber Essentials Plus process
- Gain Cyber Essentials certification first. Plus certification is an extension of the self-assessed verification.
- Select an accredited certification body capable of performing a Cyber Essentials Plus assessment.
- Verify the scope and the test plan. It is important to clarify the systems, including devices, servers, cloud computing and gateways.
- Perform the pre-assessment preparations. Patch systems, decommission outdated equipment, verify MFA, clean up administration rights and get remote users ready.
- Have the technical audit performed. The auditor performs vulnerability scans and other tests of the sample of selected systems.
- Remediate findings. Resolve the issues found during the testing according to the program requirements.
- Perform Cyber Essentials Plus assessment within three months after Cyber Essentials certification.
Cyber Essentials requirements checklist
Both levels use the exact same five controls. Before beginning with any one of the two assessments, please consider checking your organisation against this checklist.
Firewalls
Firewalls prevent any unwanted access to the internet. Consider routers, boundary firewalls, cloud networking policies, and internet gateways. Remove any rules that no longer serve any business purpose. Ensure that all administrative interfaces are not exposed without protection.
Secure configuration
Do not leave devices, servers, routers, cloud systems, and applications open with insecure defaults. Disable accounts, disable services that do not need to run, reset default passwords, and set secure configurations. A system that was acceptable three years ago will not be acceptable today if nothing has been done since then.
User access control
Access should be based only on what users require. Admin access should be properly managed, separate from other user activities and protected. Multi-factor authentication is very important when dealing with cloud services. In case of our current approach to the scheme, all cloud services that store or process organisational information should be regarded seriously and cannot just be overlooked since they are hosted by a third party.
Malware protection
Anti-malware solutions should match the type of device and be enabled. This could mean use of an appropriate anti-malware solution, application white-listing, sandboxing or even the controls built into the platform. The key thing here is that such protection should be enabled and applied to in-scope devices.
Scope checks to include
Ensure that all of the below items fall within the scope before responding to the survey:
- Cloud computing, including Microsoft 365, Google Workspace, Dropbox, CRM systems, finance systems and HR systems
- Company’s laptops, desktop computers, mobile phones and tablets
- BYOD, if it gives access to organisational information
- Working remotely and working from home
- Internet-connected servers and services
- Administration accounts managed by your MSP or third-party IT provider
- Routers, firewalls and internet gateways
- All legal entities falling under the scope of the certificate
Common mistakes that delay certification
These issues keep recurring again and again. All of them are easily avoidable provided you prepare in advance for the assessment.
- Failure to identify unsupported software within scope. Outdated operating system versions, unpatched applications and hidden servers may easily cause issues.
- Neglecting cloud providers. Cloud platforms used to host business data need to be taken into consideration even if it is the provider that is responsible for the underlying infrastructure.
- Assuming multi-factor authentication is optional. If the cloud service supports multi-factor authentication, make sure you find out the requirement.
- Inadequate patch management documentation. Without any proof that the patch management processes take place, the assessment gets more complicated.
- Weak administrative privileges management practices. Everyday users should never operate using administrative accounts.
- Neglecting remote employees. Devices used at home by your employees also need to comply with controls.
- Providing contradictory information. The self-assessment needs to accurately reflect your business processes.
- Relying on the Plus audit to discover vulnerabilities. The process of Cyber Essentials Plus certification goes more easily if the obvious vulnerabilities have already been fixed.
- Thinking that Plus includes a penetration test. It is just an audit of controls, not a penetration test.
- Setting the scope for the certificate based on what the customer will not accept. Narrow scope is fine, but customers can still want a wider one.
Is Cyber Essentials Plus the same as a penetration test?
No. Cyber Essentials Plus includes testing and vulnerability scanning, but it is different from penetration testing.
Cyber Essentials Plus evaluates whether the controls specified in Cyber Essentials have been implemented properly within the agreed-upon scope. Penetration testing goes further and tries to find out vulnerabilities within a specific system, application, network, or target. Manual exploitation, business logic testing, privilege escalation and attacks on the target can be performed during penetration testing.
It can be described in the following way: Cyber Essentials Plus evaluates the basic controls. Penetration testing explores how the system can be breached. Both types of testing are required by some organisations, but they cannot substitute each other.
Cyber Essentials vs ISO 27001: do you need both?
Cyber Essentials considers the most important technical controls that can minimise common internet-based risks. ISO/IEC 27001 is more comprehensive. This is a standard of information security management systems, dealing with governance, risk assessment, continual improvement, policies, controls, and management responsibilities.
A small organisation might choose Cyber Essentials since this framework is practical and easier to understand. A large organisation, SaaS provider or company dealing with corporate clients will need to adopt ISO 27001 as a demonstration of a more comprehensive information security management approach. Some organisations are using both – Cyber Essentials Plus and ISO 27001.
They address different questions. Cyber Essentials checks whether the critical technical controls are implemented. ISO 27001 checks whether the organisation has a managed system of information protection.
Final Recommendation
Cyber Essentials is the right choice for many businesses in the UK since it acts as proof of a certified baseline of cyber security. Cyber Essentials Plus is the preferred route where customers, agreements or risk requirements dictate a more robust form of independent assessment.
Select Cyber Essentials if you need a workable and less expensive certificate, and your customers require nothing beyond the baseline certificate. Select Cyber Essentials Plus if you deal with sensitive information, serve larger organisations, offer IT or SaaS services, or if you want better proof of security in tender and supply chain assessments.
Ensure that you understand what is required in terms of assessment before making the decision. Check the exact language of the customer and confirm the scope of the assessment. It will be easier to obtain the certificate when the business views it as a project of security enhancement.
Frequently Asked Questions
Cyber Essentials Plus involves an independent technical test in addition to assessing the controls that Cyber Essentials also assesses. The main difference is assurance; Cyber Essentials Plus provides better proof that the controls have been implemented effectively in selected systems.
Yes. Cyber Essentials Plus is an extension of Cyber Essentials. Normally, you do the verification assessment first, followed by completing the Cyber Essentials Plus assessment in the allotted time frame of three months from the last completion of the Cyber Essentials assessment.
Cyber Essentials Plus is not mandatory for all businesses in the UK. In certain cases, it could be mandatory due to a tender requirement or a contractual, client or supply chain policy requirement. For public sector contracts, requirements vary depending on the type of contract involved.
Usually, yes. Cyber Essentials will suffice for a small-scale and low-risk business requiring a recognised basic certificate. Cyber Essentials Plus will be more applicable where the business deals with sensitive data, serves larger customers or repeatedly requested better proof.
Cyber Essentials Plus is usually priced on an individual basis. The cost will depend on the number of devices, cloud services, gateways, servers, sites, remote workers and time required for the assessment. It would be wise to allocate resources for preparation and remediation.
Cyber Essentials can be thought of as an annual certification process. The businesses tend to renew their Cyber Essentials certification each year so that the certificate is up to date and the customer can know that the controls were assessed against the scheme requirements.
Cyber Essentials Plus can incorporate internal and external vulnerabilities assessment, device user sampling assessment, software support and patching assessment, malware protection assessments, account segregation assessments, cloud service MFA assessments and internet facing services reviews within the scope agreed.
Yes. Your cloud services used by your organisation to store or process data should be considered. Some controls will be implemented by your cloud provider, but you as an organisation are responsible for account management, access, MFA, users and data.
Problems found will be described to you, and you might need to remediate and re-test within the terms of the scheme. Sometimes the problem can be solved easily, but if left to the point of audit, it can endanger your certificate.
Eligible organisations in the UK which have domicile in the UK and whose turnover does not exceed £20 million can be covered with included cyber liability insurance if their self-assessed Cyber Essentials certification encompasses all the organisations and if they apply for it. Check the current scheme rules and policy wording since insurance coverage can change from time to time.
It makes sense to get Cyber Essentials Plus if you need greater assurance to win contracts, to satisfy your customers, to eliminate security friction with your suppliers or to prove that your controls really do work. This could be less important for a very small and low-risk business needing just baseline certification.
Cyber Essentials Plus is done by an accredited certification body operating in accordance with the official scheme. Not all IT support providers are accredited to issue Plus certificates.