Cyber security can often feel like a complex and overwhelming topic for UK small and medium-sized enterprises (SMEs). With a constant stream of threats and a confusing array of potential solutions, it's difficult to know where to start. This is precisely why the UK government, through the National Cyber Security Centre (NCSC), created the Cyber Essentials scheme. It provides a clear, actionable framework to protect your business against the most common cyber attacks. However, the journey doesn't stop there. You'll quickly encounter two distinct levels: Cyber Essentials and Cyber Essentials Plus. While they share the same name, the difference in rigour and assurance is significant. Choosing the right one is a crucial decision that depends on your business's risk profile, your clients' expectations, and your long-term security goals. This guide will demystify both certifications, break down the key differences, and provide the practical advice you need to decide which path is right for your organisation.
What is Cyber Essentials? The Foundation of Your Cyber Security
Think of the standard Cyber Essentials (CE) certification as the essential foundation for your company's cyber defence. It's a baseline, government-backed standard designed to help any organisation, regardless of size, protect itself against a wide range of the most common and unsophisticated cyber threats. It’s the digital equivalent of locking your doors and windows at night—a fundamental security practice that deters opportunistic criminals.
The entire scheme is built upon five core technical controls. These aren't abstract concepts; they are practical security measures that, when implemented correctly, can prevent around 80% of common cyber attacks.
The Five Technical Controls
- Firewalls: These are digital barriers that protect your network from unauthorised access from the internet. A properly configured firewall inspects incoming and outgoing traffic, blocking anything that looks suspicious or doesn't meet a specific set of security rules. This applies to your main office network and individual devices like laptops.
- Secure Configuration: When you buy new software or hardware—be it a laptop, server, or firewall—it often comes with a default, generic setup. These default settings can be insecure and are often well-known to attackers. Secure configuration involves changing default passwords, removing unnecessary software, and disabling unused features to reduce the potential "attack surface" of your systems.
- User Access Control: This control is based on the principle of 'least privilege'. It means your staff should only have access to the software, settings, and data they absolutely need to perform their jobs. Critically, it ensures that staff don't use administrator accounts for their daily work, as a compromised admin account gives an attacker complete control over a system.
- Malware Protection: This is about defending against malicious software like viruses, ransomware, and spyware. It involves using reputable antivirus or anti-malware software on your computers and ensuring it is kept up-to-date. It also includes strategies like 'whitelisting', which only allows approved applications to run, effectively blocking any unauthorised software.
- Patch Management (Security Update Management): Software is never perfect. Vendors regularly release updates, or 'patches', to fix security vulnerabilities that have been discovered. Patch management is the process of ensuring that all your software and operating systems (like Windows or macOS) are updated in a timely manner, closing the security holes before attackers can exploit them.
The process for achieving the standard Cyber Essentials certification is a verified self-assessment. You complete a detailed online self-assessment questionnaire (the SAQ) that asks specific questions about how your organisation implements each of the five controls. Your answers are then reviewed by an external, accredited Certification Body. If your responses demonstrate that you meet the required standard, you are awarded the certification.
What is Cyber Essentials Plus? The Next Level of Assurance
If Cyber Essentials is about declaring that you have locked your doors and windows, Cyber Essentials Plus (CE+) is about having an independent security professional come and physically check that they are locked, strong, and fitted correctly. It is the highest level of certification offered under the scheme and provides a much greater level of assurance.
CE+ covers the very same five technical controls as the standard certification. The crucial difference lies not in what is being checked, but how it is checked. Instead of a self-assessment questionnaire, Cyber Essentials Plus involves a hands-on technical audit and vulnerability scan conducted by an independent, accredited cyber security expert.
You cannot apply for CE+ directly. A business must first pass the standard Cyber Essentials assessment within three months of starting the CE+ audit process. The self-assessment confirms your policies and procedures are in place on paper; the CE+ audit verifies they are working in practice.
What the Cyber Essentials Plus Audit Involves
The technical audit is a series of practical tests designed to simulate a basic cyber attack and prove your controls are effective. Here’s what the auditor will typically do:
- External Vulnerability Scan: The auditor will scan your internet-facing IP addresses (the public 'front door' to your network) to identify any known vulnerabilities in your firewall or web services. This mimics what a real-world hacker would do when first probing your business for weaknesses.
- Internal Patch Audit: The auditor will test a representative sample of your company's computers and servers to confirm that the operating systems and common software (like web browsers, Microsoft Office, etc.) are fully patched and up-to-date against known vulnerabilities. They aren't just taking your word for it; they are actively checking version numbers and update histories.
- Malware Protection Checks: This is a very practical test. The auditor will attempt to introduce safe, simulated malware files onto a sample workstation via two common routes: email and a web browser. They will check if your anti-malware software can detect and block these files, and if your browser and email security settings prevent them from running.
- Access Control and Configuration Tests: The auditor will review user accounts to ensure that staff are not using accounts with excessive administrative privileges for their day-to-day activities. They will also check for other insecure configuration settings, such as applications that run automatically when a USB drive is inserted.
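As an added example (not code from this page, the NCSC, a Certification Body, or Black Sheep Support), the following PowerShell script lets an SME self-check a sample Windows workstation against the kinds of items the auditor looks at above, before the audit rather than during it. It assumes Windows 10 or 11 with Microsoft Defender as the anti-malware product; the 14-day patch window is this example's own assumption, chosen as a conservative readiness threshold rather than a requirement quoted from the page. The checks are read-only: the script reports, it does not change anything.

```powershell
# Added example (not NCSC, Certification Body, or Black Sheep Support tooling):
# a read-only readiness check for a sample Windows 10/11 workstation before a
# CE+ audit. Assumes Microsoft Defender is the anti-malware product and that
# Get-LocalGroupMember is available (Windows 10+). Run from an elevated
# PowerShell prompt for complete results.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. User Access Control: is this everyday login a local administrator?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings.Add("Current user '$($identity.Name)' is a local administrator; daily work should use a standard account.")
}

# List everyone in the local Administrators group so each entry can be justified.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Name
Write-Host "Local Administrators: $($admins -join ', ')"

# 2. Secure Configuration: AutoRun for removable media.
# NoDriveTypeAutoRun = 0xFF (255) is the standard Windows policy value that
# disables AutoRun on all drive types.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autoRun   = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($autoRun -ne 255) {
    $findings.Add("AutoRun is not disabled for all drive types (NoDriveTypeAutoRun = '$autoRun', expected 255).")
}

# 3. Patch Management: when was the most recent update installed?
# The 14-day threshold is this example's assumption, not a scheme rule.
$lastHotfix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastHotfix -or $lastHotfix.InstalledOn -lt (Get-Date).AddDays(-14)) {
    $findings.Add("No update installed in the last 14 days (last: $($lastHotfix.InstalledOn)).")
}

# 4. Malware Protection: Defender real-time protection on and signatures fresh?
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add("Microsoft Defender status unavailable; confirm which anti-malware product is installed and running.")
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Defender real-time protection is disabled.") }
    if ($mp.AntivirusSignatureAge -gt 1)    { $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) day(s) old.") }
}

# Summary: a clean run prints 'No findings'; anything else is remediation work before the audit.
if ($findings.Count -eq 0) {
    Write-Host 'No findings.'
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
}
```

Run it on one workstation of each build you have in scope; a finding on a single sample machine usually means the same gap exists across the fleet, which is exactly what the auditor's representative sample is designed to surface.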
Passing Cyber Essentials Plus demonstrates to your customers, suppliers, and regulators that your commitment to security isn't just a paper-based exercise. It proves your defences have been independently tested and verified to work effectively.
The Key Differences at a Glance: Verification, Rigour, and Cost
While both certifications aim for the same security outcome, their approach, intensity, and the value they represent are very different. Understanding these differences is key to making the right choice.
Verification Method
- Cyber Essentials: A verified self-assessment. You declare your compliance through a questionnaire, which is then reviewed by a Certification Body. It relies on your honesty, but your answers are checked for completeness and plausibility.
- Cyber Essentials Plus: An independent technical audit. An external expert actively tests your systems to verify that your controls are implemented and working correctly. It’s a "show me, don't just tell me" approach.
Level of Assurance
- Cyber Essentials: Provides a good baseline level of assurance. It shows you understand and have implemented fundamental security controls. It tells the world, "We take cyber security seriously and have the right policies in place."
- Cyber Essentials Plus: Provides a much higher level of assurance. It proves that your security controls have withstood a simulated attack by a professional. It tells the world, "Our cyber security has been independently tested and verified."
Time and Effort
- Cyber Essentials: The process is relatively quick. For a well-prepared SME, the questionnaire can be completed in a few hours, with certification often granted within a few business days. The main effort is in the preparation—ensuring the controls are in place beforehand.
- Cyber Essentials Plus: This is a more involved process. It requires significant preparation to ensure you will pass the audit. You also need to coordinate with the auditor, provide them with access to systems, and have staff available for the testing. The process from start to finish can take several weeks.
Cost
- Cyber Essentials: The cost is relatively low, typically running into the hundreds of pounds. This makes it highly accessible for even the smallest businesses and sole traders.
- Cyber Essentials Plus: The cost is significantly higher, usually running into the thousands of pounds. This reflects the time, tools, and expertise required from the independent auditor to conduct the hands-on technical assessment.
So, Which Certification is Right for Your Business?
The answer isn't a simple one-size-fits-all. It depends entirely on your specific circumstances. Here are some common scenarios to help you decide.
When to Choose Cyber Essentials (The Standard Certification)
The standard CE certification is the perfect starting point for most UK SMEs. You should consider this option if:
- You're at the beginning of your security journey: It provides a clear, manageable framework to build your security from the ground up.
- You need to meet a basic tender requirement: Many UK government contracts, especially those not involving highly sensitive data, require suppliers to hold a valid Cyber Essentials certificate.
- You have a limited budget: It is an affordable way to demonstrate a serious commitment to cyber security to your customers and stakeholders.
- You want to reduce your cyber insurance premiums: Many insurers recognise CE as a positive step and may offer lower premiums to certified organisations.
- You primarily handle low-risk data: If you don't process large volumes of personal or commercially sensitive data, CE provides a proportionate and effective level of protection.
When to Choose Cyber Essentials Plus (The Advanced Certification)
Investing in Cyber Essentials Plus is a strategic decision that signals a mature and proactive approach to security. You should strongly consider this option if:
- You handle sensitive data: If your business processes personal data (making you subject to GDPR), financial information, or valuable intellectual property, CE+ provides the high level of assurance that regulators like the ICO and your clients will expect.
- You are part of a high-value supply chain: Larger corporations, particularly in sectors like defence, finance, and critical infrastructure, will often mandate that their key suppliers hold CE+ to protect the entire supply chain.
- You need to bid for specific government contracts: Certain UK government and Ministry of Defence (MoD) contracts that involve sensitive information or systems will explicitly require Cyber Essentials Plus.
- You want a competitive advantage: Holding a CE+ certificate can be a powerful differentiator, showing potential clients that you are a more secure and trustworthy partner than your competitors.
- You want genuine peace of mind: The independent audit provides invaluable, real-world confirmation that your defences are not just theoretical but are practically effective.
The Practical Path: How to Achieve Certification
Whether you're aiming for CE or CE+, the journey starts in the same place: preparation. Simply diving into the questionnaire or audit without preparation is a recipe for failure.
- Scope and Gap Analysis: The first step is to define the scope of your certification (which parts of your business will be included) and perform a gap analysis. This involves assessing your current IT systems and practices against the five technical controls to identify where you are falling short. A trusted IT partner can be invaluable here, providing an objective view of your current security posture.
- Remediation and Implementation: Once you've identified the gaps, you need to fix them. This is the practical work of implementing the five controls. It might involve deploying new antivirus software, reconfiguring your firewall, enforcing password policies, or creating a robust patch management schedule.
- Complete the Self-Assessment Questionnaire (SAQ): With the controls in place, you can confidently complete the SAQ. This is the formal application for the standard Cyber Essentials certification and is a prerequisite for CE+. Be thorough and honest in your answers.
- The Cyber Essentials Plus Audit (If Applicable): If you are pursuing CE+, this is the final step. You will work with your chosen Certification Body to schedule the technical audit. Ensure your team is prepared and that the auditor has the access they need to perform their tests efficiently.
Working with a managed IT and cyber security provider like Black Sheep Support can streamline this entire process, from the initial gap analysis to liaising with the Certification Body, ensuring you are fully prepared to pass first time.
Key Takeaways
- Same Foundation, Different Rigour: Both Cyber Essentials and Cyber Essentials Plus are based on the same five technical controls. The key difference is the verification method—a self-assessment for CE versus a hands-on technical audit for CE+.
- CE is the Starting Point: Standard Cyber Essentials is the foundational certification, ideal for SMEs starting their security journey, meeting basic tender requirements, or working with a limited budget.
- CE+ is the Gold Standard: Cyber Essentials Plus offers a much higher level of assurance through independent testing. It is essential for businesses handling sensitive data, working in high-risk supply chains, or wanting to prove their security is robust.
- The Choice Depends on Your Context: Your decision should be based on your business's specific risk profile, data handling obligations (like GDPR), customer expectations, and contractual requirements.
- Preparation is Everything: Regardless of the level you choose, success depends on thorough preparation. A gap analysis and a clear plan to implement the five controls are non-negotiable first steps.
To take the next step