Cyber Essentials vs Cyber Essentials Plus: Which Certification Does Your Business Need?

Choosing between Cyber Essentials and Cyber Essentials Plus is a decision most UK organisations face when they want to prove their security credentials. Both certifications share the same technical foundation, but they differ in how compliance is verified. That distinction matters for your reputation, contract eligibility, and actual security.

This guide covers the assessment process, costs, requirements, and practical considerations for both levels.

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme that helps organisations protect themselves against common cyber attacks. The National Cyber Security Centre launched it in 2014 to establish a clear baseline for cyber security across organisations of all sizes.

Why does it exist? Most successful cyber attacks exploit basic vulnerabilities: weak passwords, unpatched software, poorly configured firewalls, inadequate access controls. Fundamental security hygiene prevents a substantial proportion of attacks, and the NCSC designed Cyber Essentials to address these weaknesses without requiring complex infrastructure.

The numbers back this up. According to GOV.UK, over 215,000 certificates have been awarded since 2014, and organisations with these controls make 92% fewer cyber insurance claims.

The Five Technical Controls

Both certifications require the same five technical controls. These form the core of the certification and represent the minimum standard recommended by the NCSC.

Firewalls

Firewalls act as a barrier between your internal network and external threats. The certification requires all internet-connected devices to be protected by a properly configured firewall. Default rules should block all inbound connections unless explicitly required. Personal firewalls must be enabled on devices used outside the office, and administrative interfaces shouldn't be accessible from the internet unless absolutely necessary.

Secure Configuration

This ensures computers and network devices are set up to reduce vulnerabilities. You'll need to remove or disable unnecessary software and services, change default passwords on all devices, disable auto-run features, and ensure only approved software can be installed.

User Access Control

This control limits who can access your systems and data. User accounts go only to authorised individuals. Administrative privileges go only to those who genuinely need them. Admin accounts shouldn't be used for day-to-day tasks like email and web browsing. Access gets removed promptly when no longer required.

Malware Protection

You can achieve protection through anti-malware software or application whitelisting. Either anti-malware software must be installed and kept up to date, or whitelisting must be in place to prevent unauthorised software from running. Users should be prevented from installing unapproved applications, and malware signatures need updating at least daily.

Patch Management

Keeping software up to date closes known vulnerabilities. All software must be licensed and supported. Automatic updates should be enabled where possible. High-risk or critical patches need applying within 14 days of release. Unsupported software must be removed from devices in scope.

Key Differences

While both certifications assess the same five controls, the verification method differs substantially.

Cyber Essentials (Basic)

This is a verified self-assessment. Your organisation completes an online questionnaire describing how you implement each control. A senior official, typically a director, signs off to confirm accuracy. An accredited Certification Body reviews the answers and issues the certificate if everything checks out.

It's a self-assessment questionnaire with no on-site or technical verification. You're relying on honest, accurate self-reporting. The process typically takes days or weeks and costs less than Plus.

Cyber Essentials Plus

Plus adds hands-on technical verification. An external assessor conducts tests to confirm that declared controls are actually in place and working.

This includes everything from basic Cyber Essentials, plus an external technical audit. Assessors test internet gateways, representative user devices, and internet-accessible servers. They run vulnerability scans and practical checks. You must typically complete Plus within three months of achieving basic certification.

The key difference: basic Cyber Essentials confirms what you say you do. Plus confirms what you actually do.

The Assessment Process

Basic Assessment

Define your scope first, determining which systems, devices, and networks will be included. Then complete the self-assessment questionnaire through the IASME Consortium's online portal, answering detailed questions about how you implement each control.

A board member or senior manager must attest that answers are accurate. An accredited assessor reviews your submission and may request clarification. If your responses demonstrate compliance, you receive a certificate valid for 12 months.

Plus Assessment

You must hold a valid basic certificate before progressing. Contact an accredited Certification Body to schedule your assessment, typically within three months of basic certification.

Work with the assessor to confirm scope and prepare for the technical audit. The assessor then conducts hands-on tests: external vulnerability scans of internet-facing infrastructure, internal scans of representative devices, verification of malware protection, checks on access controls and administrative privileges, confirmation of patch levels and software versions.

If issues come up, you may have an opportunity to address them before final certification. Upon successful verification, you receive your Plus certificate, valid for 12 months.

Costs and Time

Basic Certification

Costs start at approximately £320 + VAT through IASME-accredited Certification Bodies.

Preparation takes a few hours to a few days, depending on existing documentation. Assessment usually completes within 1-2 weeks of submission. Organisations with mature practices often finish the whole process in 2-4 weeks.

Plus Certification

Pricing varies based on network size and complexity, number of devices in scope, and your chosen Certification Body. Expect £1,000 to £5,000 or more for larger organisations.

The technical audit usually takes 1-2 days on-site or remote. Remediation time varies if issues are found. Total elapsed time typically runs 2-6 weeks from scheduling to certification.

Cost factors include: number of devices and users, network complexity, geographic distribution, remediation needs, and choice of Certification Body.

Which Level Do You Need?

When Basic Is Typically Sufficient

Basic certification works when you want to demonstrate baseline commitment to security, when clients request evidence but don't specify Plus, when you're a smaller organisation with limited IT complexity, or when budget constraints make Plus impractical right now. It also works well as a stepping stone toward more comprehensive improvements.

When Plus Is Required or Recommended

Government contracts: Many public sector contracts involving sensitive, personal, or financial data require Plus as a minimum. This has been the case since 2014 for central government.

Regulated industries: Healthcare, finance, legal, and other regulated sectors often need the additional assurance.

Sensitive data: If you process significant volumes of personal or commercially sensitive information, verified controls offer stronger protection and demonstrate due diligence.

Supply chain requirements: Larger organisations increasingly require suppliers to hold Plus certification.

Client trust: Independent verification carries more weight than self-assessment.

Public Sector Contracts

Since 2014, government policy has required suppliers bidding for contracts involving certain sensitive and personal information to hold Cyber Essentials. Many contracts specify Plus, particularly those involving personal citizen data, financial information, law enforcement work, or critical national infrastructure.

Check specific requirements in tender documents. They vary by contract and department.

How to Prepare

For Basic Certification

Map all devices, software, and accounts in scope. Consider remote workers, cloud services, and bring-your-own-device arrangements.

Assess your current practices against each of the five controls. The NCSC publishes detailed guidance.

Address gaps. Common issues include devices running unsupported operating systems, inconsistent patch management, excessive administrative privileges, weak password policies, and default credentials on networking equipment.

Document your approach clearly. This speeds up the questionnaire process. Make sure the person signing off understands what they're attesting to.

For Plus Certification

All basic preparation applies. Beyond that:

Run internal vulnerability scans to identify and address issues before the assessor does. Tools like Nessus, OpenVAS, or cloud-based scanners help here.

Verify patch levels, especially on devices that will be tested. Confirm anti-malware is active, current, and correctly configured on all in-scope devices.

Review administrative accounts to ensure privileged access is genuinely restricted and admin accounts aren't used for routine tasks.

Check internet-facing services. External servers will be scanned, so remove unnecessary services and secure configurations.

Talk to the assessor beforehand to clarify scope, scheduling, and any specific requirements.
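The preparation steps above, together with the five controls described earlier, amount to a pass/fail checklist that you can apply to your own inventory before the assessor does. As an added example (not part of this article and not an official NCSC or IASME tool), the Python script below evaluates a constructed list of devices and accounts against those criteria: critical patches applied within 14 days, signatures updated at least daily, unsupported software removed, inbound traffic blocked by default, administrative interfaces kept off the internet, default credentials changed, auto-run disabled, admin accounts not used for email or browsing, and unneeded accounts removed. The field names, thresholds as encoded, and the sample inventory are assumptions made for the example; in practice you would populate the inventory from your asset register or endpoint management tooling.

```python
"""Readiness check against the five Cyber Essentials controls.

Added example, not part of the original article. The inventory at the bottom is
constructed; the pass/fail thresholds (critical patches within 14 days, malware
signatures updated at least daily, unsupported software removed, inbound blocked
by default, admin accounts not used for email or browsing) follow the control
descriptions in the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PATCH_DEADLINE_DAYS = 14    # high-risk/critical patches applied within 14 days of release
SIGNATURE_MAX_AGE_DAYS = 1  # anti-malware signatures updated at least daily


@dataclass
class Device:
    name: str
    os_supported: bool                  # vendor still issues security updates
    firewall_enabled: bool
    default_inbound_blocked: bool       # firewall denies inbound unless a rule allows it
    admin_interface_on_internet: bool   # management UI/SSH/RDP reachable from outside
    default_credentials_changed: bool
    autorun_disabled: bool
    malware_protection: str             # "antimalware", "allowlist" or "none"
    signature_age_days: Optional[int]   # None when relying on application allowlisting
    # Days since release of the oldest unapplied critical patch; None = fully patched
    oldest_critical_patch_age_days: Optional[int]
    unsupported_software: List[str] = field(default_factory=list)


@dataclass
class Account:
    username: str
    is_admin: bool
    used_for_email_or_browsing: bool
    still_required: bool                # False for leavers/role changes not yet removed


def check_device(d: Device) -> List[str]:
    """Return one finding string per control failure on a single device."""
    f: List[str] = []
    # 1. Firewalls
    if not d.firewall_enabled:
        f.append(f"{d.name}: firewall disabled")
    elif not d.default_inbound_blocked:
        f.append(f"{d.name}: firewall does not block inbound by default")
    if d.admin_interface_on_internet:
        f.append(f"{d.name}: administrative interface reachable from the internet")
    # 2. Secure configuration
    if not d.default_credentials_changed:
        f.append(f"{d.name}: default credentials still in use")
    if not d.autorun_disabled:
        f.append(f"{d.name}: auto-run enabled")
    # 3. Malware protection (either mechanism is acceptable; allowlisting needs no signatures)
    if d.malware_protection == "none":
        f.append(f"{d.name}: no malware protection")
    elif d.malware_protection == "antimalware":
        if d.signature_age_days is None or d.signature_age_days > SIGNATURE_MAX_AGE_DAYS:
            f.append(f"{d.name}: malware signatures older than {SIGNATURE_MAX_AGE_DAYS} day(s)")
    # 4. Patch management
    if not d.os_supported:
        f.append(f"{d.name}: operating system out of vendor support")
    for sw in d.unsupported_software:
        f.append(f"{d.name}: unsupported software present ({sw})")
    age = d.oldest_critical_patch_age_days
    if age is not None and age > PATCH_DEADLINE_DAYS:
        f.append(f"{d.name}: critical patch outstanding for {age} days (limit {PATCH_DEADLINE_DAYS})")
    return f


def check_account(a: Account) -> List[str]:
    """5. User access control: admin separation and prompt removal."""
    f: List[str] = []
    if a.is_admin and a.used_for_email_or_browsing:
        f.append(f"{a.username}: admin account used for email/web browsing")
    if not a.still_required:
        f.append(f"{a.username}: account no longer required but not removed")
    return f


def readiness_report(devices: List[Device], accounts: List[Account]) -> Dict[str, object]:
    """Aggregate findings; 'ready' is True only when nothing fails."""
    findings: List[str] = []
    for d in devices:
        findings.extend(check_device(d))
    for a in accounts:
        findings.extend(check_account(a))
    return {"findings": findings, "ready": not findings}


# Constructed inventory (not real hosts or accounts)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", True, True, True, False, True, True, "antimalware", 0, None),
    Device("FILESRV-02", False, True, True, False, True, True, "antimalware", 1, 21,
           ["legacy-backup-agent 2.x"]),
    Device("EDGE-GW", True, True, True, True, False, True, "allowlist", None, None),
]
SAMPLE_ACCOUNTS = [
    Account("jsmith", is_admin=True, used_for_email_or_browsing=True, still_required=True),
    Account("svc-legacy", is_admin=False, used_for_email_or_browsing=False, still_required=False),
    Account("alee", is_admin=False, used_for_email_or_browsing=True, still_required=True),
]

if __name__ == "__main__":
    report = readiness_report(SAMPLE_DEVICES, SAMPLE_ACCOUNTS)
    for line in report["findings"]:
        print("FAIL", line)
    print("ready for assessment:", report["ready"])
```

Run against the constructed inventory, the script reports seven findings: the unsupported file server with an overdue critical patch and legacy software, the edge gateway with default credentials and an internet-exposed management interface, an admin account used for everyday work, and a service account that should have been removed. Every finding maps to one of the five controls, which is the same structure an assessor follows, so clearing the list before scheduling the Plus audit removes most of the common failure causes listed in the preparation section.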

Common Misconceptions

"Certification means we're secure." Cyber Essentials addresses common threats but doesn't cover all attack vectors. Sophisticated, targeted attacks may bypass these controls. It's a baseline, not comprehensive security.

"We're protected against all cyber attacks." The scheme focuses on commodity attacks, the automated, opportunistic threats affecting most organisations. Advanced persistent threats, insider risks, and social engineering require additional measures.

"Certification lasts indefinitely." Both certificates are valid for 12 months. You need annual recertification.

"Self-assessment means the controls don't matter." The questionnaire requires honest responses, and there are legal implications to false information. More importantly, the controls provide genuine protection regardless of certification.

"Plus means we don't need penetration testing." Plus includes vulnerability scanning, but it's not equivalent to a full penetration test. The scope and depth differ significantly.

What Cyber Essentials does provide: a clear framework for fundamental controls, evidence of due diligence, eligibility for certain contracts, reduced likelihood of successful commodity attacks, and a foundation for building more mature practices.

How It Relates to ISO 27001

Cyber Essentials and ISO 27001 serve different purposes at different levels of maturity.

Cyber Essentials focuses on five specific technical controls with prescriptive requirements and clear pass/fail criteria. It's relatively quick and inexpensive, addresses a defined set of common threats, and requires no formal management system.

ISO 27001 is a comprehensive Information Security Management System taking a risk-based approach to all aspects of information security. It requires documented policies, procedures, and continuous improvement. It covers organisational, physical, and technical security. It's significantly more resource-intensive and independently audited.

Many organisations treat Cyber Essentials as a foundational step toward ISO 27001, achieving basic technical controls first, then progressing when they need a more comprehensive framework. The two aren't mutually exclusive. Many organisations hold both.

Other related standards include IASME Cyber Assurance (which extends Cyber Essentials with governance requirements), the NIST Cybersecurity Framework (useful for international operations), and SOC 2 (relevant for service organisations with US clients).

Making Your Decision

The choice typically comes down to three factors.

Contract requirements: if you need Plus for specific contracts, the decision is made.

Risk tolerance: organisations handling sensitive data or facing higher threats benefit from verified controls.

Resources: basic certification requires less time and money, making it accessible to smaller organisations or those early in their security journey.

For many organisations, the pragmatic approach is to start with basic Cyber Essentials to establish the framework, then progress to Plus when business requirements or risk profiles warrant it. Both represent meaningful steps toward better security. The right choice depends on your circumstances.