DigitalXRAID

Cyber Essentials vs Cyber Essentials Plus: Choose the Best Certification for Your Business

The UK Government’s Department for Science, Innovation and Technology (DSIT) and Home Office release a joint Cyber Security Breaches Survey each year – with the latest release sharing that 7.7m cyber crimes were experienced last year. That’s around half of all UK businesses – highlighting how important cyber security measures are.

This is where government backed certification schemes like Cyber Essentials and Cyber Essentials Plus come into play. These certifications provide a framework for you to strengthen your organisation’s security against common threats.

92% fewer insurance claims are made by organisations that have Cyber Essentials governed controls in place. But what exactly are the differences between Cyber Essentials and Cyber Essentials Plus certifications, and which one is best for your business?

In this article, we’ll share insights on each certification and why each is important, and help you decide the best path to boost your cyber resilience.

Key Takeaways

  • Cyber Essentials is a government-backed certification that helps UK businesses implement fundamental cyber security controls to protect against common threats.
  • Cyber Essentials Plus includes everything in Cyber Essentials, but with an additional independent technical audit, providing stronger assurance that defences are correctly implemented.
  • The right certification depends on your risk profile, regulatory needs, and client expectations – Cyber Essentials is ideal for SMEs and first-time certifications, while CE+ is better suited for larger or more regulated organisations.
  • CE+ includes external vulnerability scans, device audits, and configuration checks, offering proof that your cyber controls are working in practice – not just on paper.
  • Both certifications boost credibility, reduce cyber insurance premiums, and open new business opportunities, including eligibility for UK government contracts.

What is Cyber Essentials?

Cyber Essentials is a UK government backed certification scheme designed to help businesses of all sizes protect themselves against common cyber threats.

Cyber Essentials comes in two levels: Cyber Essentials (basic) and Cyber Essentials Plus. Both certifications provide assurance that an organisation is implementing fundamental security controls, but they have differences that must be taken into account when deciding which level is best for your business.

An update to the Cyber Essentials question set will take effect in April 2025, moving from the Montpellier version to the newly created Willow question set. These new questions introduce stricter security requirements, particularly around multi-factor authentication (MFA), cloud security, and endpoint protection.

Basic Certification Level

Cyber Essentials is a key starting point in any organisation’s cyber security journey. The scheme is run in partnership with IASME and the NCSC, and it’s designed to help UK organisations of all sizes protect themselves against the most common cyber threats.

What are the five key Cyber Essentials controls?

  • Firewalls and Internet Gateways: CE certification asks if you have boundary firewalls or secure internet gateways in place to protect your network from unauthorised access. The framework includes directions around the frequency of changing default firewall passwords and closing unnecessary open ports.
  • Secure Configuration: Devices and software must be configured securely to be able to pass the certification. It mandates that you must have methods in place to disable or remove unused accounts and services, and enforce strong administrative passwords.
  • User Access Control: You must have policies to manage accounts and privileges so that staff have access only to what they need. Administrator accounts must also be tightly controlled to prevent misuse.
  • Malware Protection: This section seeks to understand your use of anti-malware software or application whitelisting to guard against viruses, ransomware, and other malicious code.
  • Patch Management: Also called Security Update Management. This part of the certification outlines how you keep your devices and applications updated with the latest security patches. Known vulnerabilities should be fixed promptly to avoid exploitation.

What is Cyber Essentials Plus?

Cyber Essentials Plus (CE+) includes everything in the standard Cyber Essentials certification – the self-assessment questionnaire (SAQ) against the same five controls – but with an added independent technical audit of your systems against your SAQ answers.

Advanced Certification Level

With Cyber Essentials Plus, a qualified security assessor, such as DigitalXRAID, will perform a series of tests on your IT infrastructure. This assessment is typically done remotely and should utilise the highest quality tooling such as Nessus.

The Cyber Essentials Plus audit includes:

  • Vulnerability Scans: The assessor will conduct external vulnerability scans on your internet facing systems (your public IP addresses) to check for known vulnerabilities or open ports that shouldn’t be exposed.
  • Internal Checks: The assessor will examine a sample of your devices (such as PCs, servers, laptops, mobiles) across your network. This includes checking that all patches have been applied within the last 14 days, that anti-malware is functioning correctly, and verifying that users on those sample machines do not have administrator rights on their accounts.
  • Configuration and Usage Tests: The assessor will test that multi-factor authentication (MFA) is enabled for cloud services accessed by your sample users.

Cyber Essentials Plus is a more thorough check of your cyber defences, but these checks should not be confused with a penetration test, which is a far more comprehensive assessment of your infrastructure.

Cyber Essentials Plus is also valid for 12 months. You’ll need annual renewal of your CE+ certification, which involves undergoing a fresh audit each year to ensure you’ve maintained those standards continuously.

Key Differences Between Cyber Essentials and Cyber Essentials Plus

Both Cyber Essentials and Cyber Essentials Plus will support the protection of your organisation against common cyber threats. The key difference is the level of assessment, and the assurance that comes from third-party validation.

The choice of Cyber Essentials vs Cyber Essentials Plus comes down to the level of assurance you need, or to what your contractual requirements demand.

The comparison below sets Cyber Essentials (Basic) against Cyber Essentials Plus (Advanced) on each criterion.

Assessment Method

Cyber Essentials (Basic): Verified Self-Assessment – You complete an online questionnaire, attested by a board-level representative, and an external assessor reviews your answers. No hands-on testing of systems is required.

Cyber Essentials Plus (Advanced): Independent Audit – In addition to the questionnaire, a certified assessor conducts technical tests on your systems (e.g. vulnerability scans, configuration checks, user device audits) to verify controls are correctly implemented.

Technical Scope

Cyber Essentials (Basic): Five core controls: firewalls, secure configuration, user access control, malware protection, and patch management. You attest that these are in place across the in-scope systems.

Cyber Essentials Plus (Advanced): Same five controls, but the assessor actively checks that these are in place and working. For example, they’ll scan for unpatched vulnerabilities, test malware defences with sample files, and confirm strict access controls on user accounts.

Level of Assurance

Cyber Essentials (Basic): Basic Assurance – Provides confidence that you’ve implemented essential security measures, reducing your vulnerability to common attacks. However, it relies on self-declaration (with independent review), so it doesn’t prove security effectiveness beyond your word.

Cyber Essentials Plus (Advanced): Higher Level of Assurance – Provides verified evidence that your defences actually work. The hands-on testing means any oversight or misconfigurations are caught and must be fixed before certification. Stakeholders such as clients and possibly even regulators get greater peace of mind knowing an external expert has vetted your security.

Who It’s Suited For

Cyber Essentials (Basic): SMEs and organisations beginning their cybersecurity journey. Ideal as a cost-effective first step to improve security posture and meet basic compliance requirements. Many small businesses and startups go for CE to demonstrate due diligence in cyber protection.

Cyber Essentials Plus (Advanced): Larger organisations or those handling sensitive data (e.g. finance, healthcare, government suppliers) where extra assurance is worth the effort. CE+ is also suitable if you’re seeking a competitive edge in tenders. This level can distinguish you as having a more mature cybersecurity stance.

Certification Cost

Cyber Essentials (Basic): Fixed low cost (£300–£600 +VAT depending on size) for the self-assessment certification.

Cyber Essentials Plus (Advanced): Higher variable cost. Pricing is based on the scope size and complexity, due to the expert time needed. However, the investment can pay off in risk reduction.

Time & Resource

Cyber Essentials (Basic): Quick to achieve – The questionnaire can be completed relatively fast (some companies finish in a day or two if they already meet the requirements). It may take a few weeks of prep if you need to address gaps beforehand.

Cyber Essentials Plus (Advanced): More involved process. CE+ requires the external audit (which might be a day or more of the assessor’s time). If issues are found, you’ll need to remediate and possibly undergo re-testing, which can extend the timeline (commonly you have 30 days to fix any non-compliances).

Certification Badge

Cyber Essentials (Basic): You can use the Cyber Essentials badge to showcase that your organisation meets the government-backed standard for cyber hygiene.

Cyber Essentials Plus (Advanced): You get to use the Cyber Essentials Plus badge, showing a higher tier of security assurance. This can be a selling point to security-conscious clients.

Both badges are recognised across the UK as markers of good cybersecurity practice.

Cyber Essentials Certification Process

Cyber Essentials

(Process diagram: Cyber Essentials certification process)

Cyber Essentials Plus

These are the additional steps needed to complete the Cyber Essentials Plus Certification, once Cyber Essentials Certification has been obtained:

  • Timebound process: You have 3 months (90 days) to complete the Cyber Essentials Plus certification.
  • Schedule an Independent Audit: A certification body will conduct a full audit to verify your cybersecurity controls.
  • Technical Testing: This includes vulnerability scanning, sample device testing, malware protection checks, and privilege access assessments.
  • Address Non-Conformities: If weaknesses are found, you’ll be given time to correct them before the final certification decision.
  • Final Review and Certification: Once all tests are passed, you receive the Cyber Essentials Plus certification, valid for 12 months.

To prepare for a Cyber Essentials Plus audit, businesses should review and update all operating systems and software, test multi-factor authentication (MFA) implementation, ensure all critical patches have been applied within the last 14 days, limit administrator privileges, and conduct a mock audit.
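A mock audit can be run against your own device inventory before the assessor arrives. The script below is an added example, not DigitalXRAID's or IASME's tooling; it applies the sample-device checks described above (the 14-day patch window, anti-malware running, the day-to-day user not holding local admin rights, MFA on cloud services) to a constructed inventory, and works out the 30-day remediation deadline if anything fails. The `Device` fields, hostnames, update ids and dates are all assumptions made for illustration.

```python
# Added example: a pre-audit readiness check modelled on the CE+ sample-device
# tests. Not official CE+ tooling; all names, fields and dates are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14   # CE+ expects security updates applied within 14 days
REMEDIATION_DAYS = 30    # common window to fix non-compliances before re-test


@dataclass
class Device:
    hostname: str
    primary_user: str                      # the day-to-day user of the device
    # pending security updates: update id -> vendor release date (constructed)
    pending_updates: dict = field(default_factory=dict)
    anti_malware_running: bool = True
    local_admins: set = field(default_factory=set)  # local administrators group
    cloud_mfa_enforced: bool = True        # MFA on cloud services for the user


def audit_device(dev: Device, today: date) -> list[str]:
    """Return CE+ style findings for one sampled device (empty list = pass)."""
    findings = []
    # Patch management: any update released more than 14 days ago, still missing
    for upd, released in sorted(dev.pending_updates.items()):
        age = (today - released).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(f"{upd} missing {age} days after release")
    # Malware protection must be active on the sampled device
    if not dev.anti_malware_running:
        findings.append("anti-malware not running")
    # User access control: the day-to-day user must not be a local admin
    if dev.primary_user in dev.local_admins:
        findings.append(f"{dev.primary_user} is a local administrator")
    # Configuration test: MFA enforced on cloud services for the sampled user
    if not dev.cloud_mfa_enforced:
        findings.append("cloud services MFA not enforced")
    return findings


def mock_audit(devices, today: date):
    """Audit the sample; returns (passed, findings by host, remediation deadline)."""
    report = {d.hostname: audit_device(d, today) for d in devices}
    passed = not any(report.values())
    deadline = None if passed else today + timedelta(days=REMEDIATION_DAYS)
    return passed, report, deadline


# Constructed sample inventory, assessed on a fixed date so results are stable
TODAY = date(2025, 6, 2)
SAMPLE = [
    Device("LAPTOP-01", "alice"),
    Device("LAPTOP-02", "bob",
           pending_updates={"KB-EXAMPLE-1": date(2025, 5, 10),   # 23 days old
                            "KB-EXAMPLE-2": date(2025, 5, 25)},  # 8 days old
           local_admins={"bob", "Administrator"},
           cloud_mfa_enforced=False),
    Device("SRV-01", "svc-backup", anti_malware_running=False,
           local_admins={"Administrator"}),
]

if __name__ == "__main__":
    ok, report, fix_by = mock_audit(SAMPLE, TODAY)
    print("PASS" if ok else f"FAIL - remediate by {fix_by}")
    for host, issues in report.items():
        for issue in issues or ["no findings"]:
            print(f"  {host}: {issue}")
```

In practice the inventory would be populated from your endpoint management or patching tool rather than typed in by hand; the check logic stays the same.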

What Are the Benefits of Being Cyber Essentials Certified?

Whether you pursue Cyber Essentials or the full Cyber Essentials Plus, achieving certification will bring significant benefits for your organisation.

Protection Against Common Threats

The controls mandated by Cyber Essentials are specifically chosen to stop the vast majority of attacks that businesses face.

The WannaCry ransomware attack – one of the worst ever seen – successfully crippled most of the NHS. WannaCry was a relatively unsophisticated attack and could have been prevented by following basic IT security best practice, according to the UK National Audit Office.

Telecom firm TalkTalk also suffered a well reported data breach that exposed 157,000 customers’ details. The ICO investigation found that “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.”

Demonstrating Commitment and Credibility

Customers, partners, and regulators want reassurance that you take cyber security seriously. Achieving a Cyber Essentials certificate shows you have put in place a government approved level of protection.

Displaying the Cyber Essentials or CE+ badge on your website, email footers, and marketing materials can enhance your reputation and build trust with stakeholders.

The certification can serve as a differentiator that sets you apart from competitors by indicating a higher level of due diligence.

Meeting Contract Requirements

Achieving these certifications can open doors to new opportunities. Cyber Essentials has become a requirement for many government contracts in the UK.

Most UK central government contracts (especially those involving sensitive data) mandate that the organisation must have at least Cyber Essentials certification in place. Some require Cyber Essentials Plus for higher-risk projects.

Even outside of the Government, industries like finance and healthcare are increasingly asking suppliers to hold Cyber Essentials certification to protect data.

Cyber Insurance Advantages

Many cyber insurance providers view Cyber Essentials certification as a positive sign that an organisation is lower risk, and offer lower premiums or discounts for certified businesses.

If your company is UK based with under £20m in revenue, achieving Cyber Essentials certification that covers your whole organisation includes optional £25k cyber insurance at no extra cost.

Improved Internal Security Posture

Going through the Cyber Essentials process tends to upskill your team and tighten your IT practices. The certification process involves taking an inventory of your hardware and software, ensuring your systems are configured correctly, and establishing policies for things like patching and user account management.

Many organisations report that simply preparing for the Cyber Essentials assessment brings improvements to their overall IT infrastructure and security posture.

Cyber Essentials vs Cyber Essentials Plus: Key Considerations for Your Business

Now for the big question – Cyber Essentials or Cyber Essentials Plus: Which is the best for your business? The answer depends on your organisation’s risk profile, the industry you operate in, and the customers you work with. You can always add Cyber Essentials Plus Certification to an existing CE certificate.

Key considerations:

Organisational Needs

If you’re a smaller company with a relatively simple IT setup, the Cyber Essentials Certificate might be sufficient as a starting point. It’s faster and more cost effective. However, larger enterprises or those with complex IT networks would benefit more from the technical verifications from Cyber Essentials Plus. The external audit of CE+ provides an extra set of expert eyes to catch misconfigurations that could otherwise go unnoticed.

If your business processes personal information, financial data, healthcare records, or intellectual property, the ramifications of a breach are much higher. Cyber Essentials Plus offers greater assurance that data is truly safeguarded.

Client and Regulatory Requirements

Are you aiming to bid for government contracts or tenders that specify you must have CE+? If yes, then your choice is clear.

If you just need to tick the box for basic compliance or to satisfy general cyber insurance or board expectations, then the standard Cyber Essentials certification will achieve that goal.

Budget and Resources

Cyber Essentials is relatively inexpensive. Cyber Essentials Plus will require budgeting for the assessor’s fees and possibly dedicating IT staff to support the audit and remediation. If budget is tight, you should start with CE to demonstrate progress to external parties.

Many IT directors justify the spend on CE+ by positioning it as an insurance policy against common attack vectors.

Future Business Goals

Implementing the five controls and getting Cyber Essentials certification will elevate your security maturity as a first step.

If you already have a security team, hold standards such as ISO 27001 certification, and run regular penetration tests, you might find that you’re ready for Cyber Essentials Plus.

Comparison with ISO 27001

There are distinct differences between Cyber Essentials and ISO 27001 in process and purpose.

Scope & Framework

Cyber Essentials is a security certification that’s considered an entry point to cyber security measures. It focuses on five key technical controls to mitigate common cyber threats. It’s designed for organisations looking for a simple and cost effective way to improve security posture.

ISO 27001 is a much more comprehensive Information Security Management System (ISMS) framework. It requires organisations to establish, implement, maintain, and continually improve their security policies and processes, covering everything from risk assessment, to governance, compliance, and ongoing improvement.

Recognition

Cyber Essentials is widely recognised in the UK. Many UK government contracts mandate at least Cyber Essentials certification.

ISO 27001 is an international standard with global recognition and is often required by larger enterprises and multinational companies as part of vendor risk management programs.

Implementation Complexity

Cyber Essentials is far simpler to implement and quicker to achieve, with just a self-assessment process for the basic certification. SMEs with limited resources would find Cyber Essentials a practical first step before considering the more complex requirements of ISO 27001.

ISO 27001 requires significant time, resource and full organisational commitment. It includes work to define security policies, conduct risk assessments, and ultimately implement ongoing ISMS management processes.

Certification Process

With Cyber Essentials or Cyber Essentials Plus, you must complete a self-assessment questionnaire, possibly engage third-party auditing of controls, and undergo a review by the certification body.

ISO 27001 is a longer and more involved process. First, you must conduct a gap analysis against the ISO framework to understand what work is required to complete your Information Security Management System (ISMS).

Then, once all documentation is complete and the controls have been implemented, an internal audit and an external audit from an accredited certification body must be completed before certification is awarded. Retaining certification includes regular internal audits throughout the year.

Can Cyber Essentials Be a Stepping Stone to ISO 27001?

Cyber Essentials lays a strong foundation in your technical controls that are also required for ISO 27001 certification. Many organisations use Cyber Essentials as an initial benchmark exercise before attempting to work towards ISO 27001 compliance.

Conclusion: Ensuring Cyber Security for Your Business

Cyber Essentials and Cyber Essentials Plus are both useful frameworks to improve your business’s cyber resilience.

Choosing between Cyber Essentials and Cyber Essentials Plus comes down to the level of assurance your business or your customers require. If you’re just starting out on cyber security improvements, Cyber Essentials is the perfect starting point that delivers quick results. If you need to validate your security measures for high value clients then Cyber Essentials Plus will provide the confidence that your defences hold up against cyberattacks.

Achieving Cyber Essentials certification can be straightforward with the right guidance. If you’re looking for expert support to guide you through the process or to conduct a Cyber Essentials Plus audit, we’re here to help.

Get in touch with the DigitalXRAID team to get your Cyber Essentials journey started today.
