With cyber threats escalating across every industry, the UK government's Cyber Essentials scheme has become the baseline standard for organisational cybersecurity. But many businesses find themselves stuck at a critical crossroads: should you pursue a cyber essentials certificate at the basic level, or invest in the more rigorous cyber essentials plus certification? The answer depends on your sector, your clients, your risk profile, and your contractual obligations.
This comprehensive guide breaks down everything you need to know about both certification levels — from the cyber essentials self-assessment process to the hands-on technical audit of cyber essentials plus. We'll cover costs, preparation timelines, pass rates, sector-specific requirements, and the practical upgrade path between the two levels. Whether you're a small business owner taking your first steps in cybersecurity compliance or a CTO evaluating which level satisfies your government contract requirements, this article will give you the clarity you need to make the right decision.
What Is the Cyber Essentials Scheme?
Cyber Essentials is a UK government-backed cybersecurity certification scheme, owned by the National Cyber Security Centre (NCSC) and delivered by IASME (the Information Assurance for Small and Medium Enterprises Consortium), which has been the NCSC's sole delivery partner since April 2020. Launched in 2014, the scheme was designed to help organisations of all sizes protect themselves against the most common internet-based cyber threats.
The scheme operates on a straightforward premise: by implementing five fundamental technical controls correctly, organisations can prevent the vast majority of commodity cyber attacks. These are not advanced, nation-state-level threats; they are the everyday attacks that exploit weak firewall rules, unpatched software, poor access control and missing malware protection. The NCSC estimates that proper implementation of the Cyber Essentials controls would prevent around 80% of the cyber attacks seen in the wild.
The scheme has two distinct levels of certification, assessing the same controls with different degrees of rigour:

- Cyber Essentials (Basic): a self-assessment questionnaire, reviewed by a qualified assessor
- Cyber Essentials Plus: the same questionnaire, followed by hands-on technical testing of your systems by an assessor
The Five Technical Controls Explained
Both levels of the Cyber Essentials scheme assess the same five core technical controls. Understanding these controls is essential whether you're pursuing a basic cyber essentials certificate or the full cyber essentials plus certification. The difference lies not in what is assessed, but in how it is assessed.
1. Firewalls and Internet Gateways
Your organisation must have boundary firewalls or internet gateways configured to protect all devices connected to the internet. This includes hardware firewalls, software firewalls on individual devices, and router-level security. Default passwords on all firewall and gateway devices must be changed, unnecessary ports and services must be closed, and administrative interfaces must not be accessible from the internet unless absolutely necessary and properly secured.
2. Secure Configuration
All computers, servers, tablets, and mobile devices within scope must be configured securely. This means removing or disabling unnecessary software, changing default passwords, and ensuring that each device is set up to minimise vulnerabilities. Auto-run features should be disabled, and the principle of least privilege should be applied to user accounts.
3. User Access Control
Access to data and services must be granted only to those individuals who need it. Administrative accounts should be used only for administrative tasks, never for day-to-day activities like email and web browsing. Multi-factor authentication (MFA) must be enabled for every user of every in-scope cloud service that supports it. The January 2022 update introduced this requirement for administrator accounts, with all user accounts following from January 2023.
4. Malware Protection
Organisations must protect every in-scope device with at least one of two approaches: anti-malware software that is kept up to date and configured to scan files on access and block malicious websites, or application allow listing that only permits approved software to execute. Sandboxing was accepted as a third option in earlier versions of the requirements but was removed as a standalone approach in the April 2023 update. For most organisations, up-to-date anti-malware software is the most practical approach.
5. Security Update Management
All software and firmware must be licensed, supported and kept up to date. Updates that fix vulnerabilities rated critical or high (CVSS v3 score 7.0 or above), or that carry no severity rating at all, must be applied within 14 days of the vendor releasing them. Software that is no longer supported by the vendor (end-of-life software) must be removed from in-scope devices, or those devices must be segregated out of scope. This is one of the most common areas where organisations fail their assessment, particularly with legacy systems.
Security Update Management is the number one reason organisations fail their Cyber Essentials assessment. Before starting the self-assessment, run a full audit of every device and application in scope. The test is not whether a device was patched recently; it is whether any high or critical fix released more than 14 days ago is still missing. Any device in that position, and any software that has reached end of life, must be updated, replaced or removed before you proceed.
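To make the 14-day rule concrete, here is an added example (the editor's, not a script from IASME, the NCSC or Cloudswitched) that applies it to a constructed software inventory. The device names, products and version strings are made up; what matters is the logic: the deadline is the vendor's release date plus 14 days, a fix with no severity rating is treated like a high one, and anything past its end-of-life date is a finding regardless of patch state.

```python
"""Patch-compliance check for the Cyber Essentials 14-day rule.

Editor's example over a constructed inventory. The rule being applied:
an update that fixes a critical or high vulnerability (or one with no
rating) must be installed within 14 days of the vendor releasing it,
and end-of-life software must not remain on in-scope devices.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)
MANDATED_SEVERITIES = {"critical", "high", "unrated"}


@dataclass(frozen=True)
class InventoryItem:
    device: str
    product: str
    installed_version: str
    latest_version: str
    latest_released: date               # vendor release date of latest_version
    latest_severity: str                # critical / high / medium / low / unrated
    end_of_life: Optional[date] = None  # vendor support end date, if known


def assess(item: InventoryItem, today: date) -> str:
    """Return 'eol', 'overdue', 'due', 'advisory' or 'ok' for one entry."""
    if item.end_of_life is not None and item.end_of_life <= today:
        return "eol"            # unsupported software fails regardless of patch state
    if item.installed_version == item.latest_version:
        return "ok"
    if item.latest_severity not in MANDATED_SEVERITIES:
        return "advisory"       # should still be patched, but the 14-day clock does not apply
    deadline = item.latest_released + PATCH_WINDOW
    return "overdue" if today > deadline else "due"


def report(inventory: list, today: date) -> dict:
    """Group entries by status; 'eol' and 'overdue' are assessment failures."""
    grouped: dict = {}
    for item in inventory:
        grouped.setdefault(assess(item, today), []).append(f"{item.device}:{item.product}")
    return grouped


# Constructed sample data (hypothetical devices and versions).
SAMPLE_INVENTORY = [
    InventoryItem("LAPTOP-01", "Desktop OS", "10.2.0", "10.2.1", date(2024, 5, 14), "critical"),
    InventoryItem("LAPTOP-02", "Web browser", "124.0", "125.0", date(2024, 5, 25), "high"),
    InventoryItem("LAPTOP-03", "PDF reader", "2.0", "2.1", date(2024, 4, 1), "medium"),
    InventoryItem("LAPTOP-04", "Office suite", "1.0", "1.0", date(2024, 5, 1), "high"),
    InventoryItem("SRV-01", "Legacy server OS", "6.3", "6.3", date(2023, 10, 10), "unrated",
                  end_of_life=date(2023, 10, 10)),
]
AS_OF = date(2024, 6, 1)  # fixed "today" so the sample is reproducible

if __name__ == "__main__":
    for status, entries in sorted(report(SAMPLE_INVENTORY, AS_OF).items()):
        print(f"{status:9s} {', '.join(entries)}")
```

Feed it the output of whatever patch-management or RMM tool you already run; the point is that the report answers the assessor's question (what is overdue, and what is end of life) rather than the more comfortable one (what was patched recently).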
Cyber Essentials: The Self-Assessment Process
The basic Cyber Essentials self-assessment is exactly what it sounds like: your organisation completes a detailed online questionnaire that demonstrates your compliance with the five technical controls, and a board member (or equivalent) signs a declaration that the answers are accurate. However, calling it a "self-assessment" can be misleading. Your answers are reviewed by a qualified assessor from an IASME-licensed certification body, who will challenge anything that does not meet the requirements. It is not a tick-box exercise you can rush through in an afternoon.
How the Self-Assessment Works
The process begins when you register with an accredited certification body and gain access to the online assessment platform. The questionnaire covers each of the five technical controls with detailed, specific questions about your IT infrastructure, policies, and configurations. You'll need to provide information about:
- The scope of your IT infrastructure — which devices, networks, and cloud services are included
- Your firewall configurations and rules for both boundary and host-based firewalls
- How devices are configured, including default password changes and software installation policies
- User account management, including MFA implementation and administrative account usage
- Your anti-malware strategy and how it is maintained across all in-scope devices
- Your patching process, including how quickly security updates are applied and how end-of-life software is handled
Once submitted, a qualified assessor reviews your responses. If they identify any gaps or inconsistencies, they may come back with clarification questions. This is not a formality: assessors regularly reject applications that don't demonstrate genuine compliance. If your answers reveal that your organisation doesn't meet the required standard, you will not receive your Cyber Essentials certificate until the issues are resolved.
Step 1: Define Your Scope
Identify all devices, networks, cloud services and users that will be included in the assessment. The scope defines the boundary of your certification. Whole-organisation scope is the default and the simplest to defend; a sub-set is permitted only when it is separated from the rest of the network by a clearly defined boundary, and the certificate will state which part of the organisation it covers.
Step 2: Register with a Certification Body
Choose an IASME-accredited certification body and pay the assessment fee. You'll receive access to the online self-assessment questionnaire and guidance documentation.
Step 3: Prepare Your Environment
Audit your infrastructure against the five controls. Update software, configure firewalls, implement MFA, review user accounts, and ensure malware protection is active on all in-scope devices.
Step 4: Complete the Questionnaire
Answer all questions accurately and thoroughly. Provide specific details about configurations, policies, and processes. Avoid vague or generic responses.
Step 5: Assessor Review
A qualified assessor reviews your submission, may request clarifications, and either grants certification or identifies areas requiring remediation before re-submission.
Step 6: Certification Issued
Upon successful assessment, you receive your Cyber Essentials certificate, valid for 12 months. Your organisation is listed on IASME's public register of certified organisations, which the NCSC site links to.
Common Self-Assessment Pitfalls
Even though the cyber essentials self-assessment doesn't involve hands-on technical testing, organisations frequently stumble on several common issues:
- Scope definition errors: Excluding devices or cloud services that should be in scope, or defining an overly broad scope that creates unnecessary complexity
- BYOD oversights: Failing to account for personal devices used to access corporate data, email, or cloud services
- Cloud service misunderstandings: Not recognising that SaaS platforms like Microsoft 365, Google Workspace, and Salesforce are within scope
- MFA gaps: Having MFA on some services but not all cloud services and internet-facing admin interfaces as required
- Patching delays: Honestly reporting that critical patches take longer than 14 days to apply
- Legacy software: Running unsupported operating systems or applications that haven't been properly isolated from scope
Many organisations attempt to exclude their cloud services from scope to simplify the assessment. Under the current Cyber Essentials requirements, this is not permitted. Any cloud service that hosts your organisation's data or services, whether SaaS, PaaS or IaaS (Microsoft 365, Google Workspace, AWS, Azure and similar platforms), is in scope. You are responsible for implementing the controls the service lets you configure, such as MFA and account management; the provider is responsible for the rest. Attempting to exclude these services will result in a failed assessment.
Cyber Essentials Plus: The External Audit
The cyber essentials plus assessment takes everything from the basic level and adds independent, hands-on technical verification. Where the basic level trusts your self-reported answers, cyber essentials plus requires a qualified assessor to physically or remotely test your systems to confirm that the controls you claim to have in place actually work as described.
To pursue Cyber Essentials Plus certification, you must first hold a valid basic Cyber Essentials certificate. The Plus assessment must be completed within three months of your basic certification date. If you exceed this window, you will need to recertify at the basic level before proceeding.
What the Assessor Tests
The cyber essentials plus assessment involves several specific technical tests that go well beyond what any questionnaire can verify:
| Test Area | What the Assessor Does | What They're Looking For |
|---|---|---|
| External Vulnerability Scan | Scans every internet-facing IP address and service with a commercial vulnerability scanner | Open ports, unpatched services, misconfigured firewalls, exposed administrative interfaces, SSL/TLS weaknesses; a high or critical finding whose fix has been available for more than 14 days is a fail |
| Internal Device Audit | Runs an authenticated patch and vulnerability scan on a representative sample of in-scope devices (desktops, laptops, servers, mobile devices) | Up-to-date OS and application patches, active malware protection, secure configuration, correct account privileges |
| Malware Protection Test | Places benign test files (such as the EICAR test file) on sampled devices and attempts to open or execute them | Anti-malware detects and blocks the file on arrival or at the point of execution |
| Email Attachment Test | Sends test emails carrying file types that can contain executable content to sampled user accounts | Attachments are blocked or quarantined, or the user is clearly warned before the file can be opened; anything that gets through is caught by endpoint protection |
| User Access and MFA Verification | Reviews user account configurations, admin privilege assignments and MFA on in-scope cloud and on-premise systems | Least privilege enforced, MFA on every cloud account, admin accounts separate from day-to-day accounts, proper account lifecycle management |
| Web Browsing Test | Downloads the same test files through web browsers on sampled devices | Web filtering and endpoint protection prevent the download or stop the file executing |
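The malware protection and browser download rows above are the easiest to rehearse yourself. The following added example (the editor's, not an IASME test tool) builds the EICAR test file, which anti-malware vendors agree to detect and which is harmless by design, in the three delivery forms worth checking: plain, zipped and zip-inside-zip. The nested form catches scanners that only look one archive level deep. The string is assembled from fragments so that the script itself is not quarantined.

```python
"""Build malware-protection test files for a Cyber Essentials Plus dry run and
check whether endpoint protection removed them.

Editor's example, not an IASME or Cloudswitched tool. Uses the public EICAR
test string, which is harmless by design. Assembled from fragments so this
script is not itself flagged by the product it is testing.
"""
import hashlib
import io
import time
import zipfile
from pathlib import Path

_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}",
    "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!",
    "$H+H*",
)
# Published SHA-256 of the 68-byte EICAR file, used to confirm the fragments were joined correctly.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """Return the canonical 68-byte EICAR test file, verified against its hash."""
    data = "".join(_EICAR_PARTS).encode("ascii")
    if len(data) != 68 or hashlib.sha256(data).hexdigest() != EICAR_SHA256:
        raise ValueError("EICAR test string corrupted")
    return data


def _zip_of(name: str, payload: bytes) -> bytes:
    """Return a zip archive (as bytes) containing a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def variant_payloads() -> dict:
    """Plain, zipped and zip-in-zip forms; scanners that stop at one archive level miss the last."""
    plain = eicar_bytes()
    zipped = _zip_of("eicar.com", plain)
    nested = _zip_of("inner.zip", zipped)
    return {"eicar.com": plain, "eicar.zip": zipped, "eicar_nested.zip": nested}


def write_variants(target_dir: Path) -> dict:
    """Write each variant to disk; real-time protection may refuse or remove them immediately."""
    target_dir.mkdir(parents=True, exist_ok=True)
    written = {}
    for name, payload in variant_payloads().items():
        path = target_dir / name
        try:
            path.write_bytes(payload)
        except OSError:
            pass  # blocked at write time: the file never landed, which counts as blocked
        written[name] = path
    return written


def check_blocked(paths: dict, settle_seconds: float = 5.0) -> dict:
    """True where the file is gone (quarantined or never written) once the scanner has had time to act."""
    time.sleep(settle_seconds)
    return {name: not path.exists() for name, path in paths.items()}


if __name__ == "__main__":
    results = check_blocked(write_variants(Path("eicar_test")))
    for name, blocked in results.items():
        print(f"{name:18s} {'BLOCKED' if blocked else 'NOT BLOCKED'}")
```

Run it on a device from each operating system and anti-malware product in your sample, not just your own workstation. It is a local rehearsal only: the assessor's tests deliver the files by email and browser download, so a pass here tells you the endpoint engine works but says nothing about your mail and web filtering.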
The Sampling Approach
For larger organisations, the assessor cannot test every single device. Instead, they use a representative sampling approach. The IASME guidance requires assessors to test a minimum sample that includes devices running each operating system in use, devices from different departments and locations, servers, mobile devices, and any devices with non-standard configurations. The assessor has discretion to increase the sample size if they identify issues during testing.
This sampling approach is one reason why the Cyber Essentials Plus assessment sometimes reveals issues that the basic self-assessment missed. A device that was overlooked during the self-assessment, perhaps a legacy server running outdated software or a developer workstation with relaxed security controls, may be selected for testing during the Plus audit.
Before your Cyber Essentials Plus assessment, conduct your own internal audit using the same approach the assessor will take. Test a sample of devices from every operating system, department, and location. Pay particular attention to devices that might have been overlooked — personal devices used for work, development machines, network equipment, and any devices running non-standard configurations. The fewer surprises the assessor finds, the smoother your certification process will be.
Cost Comparison: CE vs CE Plus
Cost is often a deciding factor for organisations evaluating which level of certification to pursue. The price difference between a basic cyber essentials certificate and cyber essentials plus certification is substantial, reflecting the additional work involved in the hands-on technical audit.
| Cost Element | Cyber Essentials (Basic) | Cyber Essentials Plus |
|---|---|---|
| IASME Assessment Fee (basic questionnaire, tiered by headcount) | £300 – £500 + VAT | None (the basic certificate fee has already been paid) |
| Certification Body Fee (technical audit) | Included in the IASME fee | £1,500 – £3,500 + VAT (varies by org size) |
| Preparation / Consultancy (Optional) | £500 – £2,000 | £1,000 – £5,000 |
| Remediation Costs (Typical) | £0 – £2,000 | £500 – £10,000+ |
| Internal Staff Time | 1 – 3 days | 3 – 10 days |
| Total Typical Cost (SME) | £300 – £2,500 | £2,000 – £8,000 |
| Total Typical Cost (Enterprise) | £500 – £3,500 | £5,000 – £20,000+ |
| Renewal (Annual) | Same as initial assessment | Same as initial assessment |
It's worth noting that the assessment fee for Cyber Essentials basic is set by IASME and is tiered by the number of employees: micro (0-9), small (10-49), medium (50-249) and large (250 or more), with micro businesses paying the lowest fee. The Cyber Essentials Plus fee, charged by the certification body conducting the technical audit, varies more significantly depending on the complexity of your IT environment, the number of sites, and the range of devices and operating systems in scope, because these determine the size of the device sample the assessor must test.
A basic Cyber Essentials certificate comes with cyber liability insurance at no extra cost, provided your organisation is UK-domiciled, has an annual turnover under £20 million, has certified its whole organisation (not a sub-set) and opts in during the assessment. Cover is up to £25,000 and relates to incidents connected to the five controls the scheme assesses, which may be sufficient for smaller businesses. Plus certification does not add a second policy; the cover attaches to the underlying basic certificate.
Pass and Fail Rates
Understanding where organisations typically struggle helps you set realistic expectations and allocate appropriate preparation time. Published pass rates vary by certification body and are not centrally reported, so treat the figures below as indicative.
The basic Cyber Essentials self-assessment has a high first-time pass rate when organisations prepare properly, typically around 92% for those who work with a consultancy or follow structured preparation guides. Without preparation, the pass rate drops considerably, as many organisations discover gaps in their compliance only after submitting their questionnaire.
The Cyber Essentials Plus assessment has a noticeably lower first-time pass rate, around 75%. This is not because the controls are different, but because hands-on testing reveals issues that self-assessment often misses. Common failure points at the Plus level include:
- Unpatched devices: Devices with outstanding critical security updates, often discovered on machines not included in the organisation's regular patching cycle
- Missing MFA: Cloud services or administrative interfaces where MFA has not been enabled despite being reported as compliant
- Firewall misconfigurations: Ports or services exposed to the internet that were not identified during the self-assessment
- BYOD non-compliance: Personal devices accessing corporate resources without adequate security controls
- Anti-malware gaps: Devices where anti-malware software has been disabled, expired, or is not configured for real-time scanning
Importantly, failing the Cyber Essentials Plus assessment is not the end of the road. Certification bodies offer a remediation window, typically 30 days, during which you can fix the identified issues and undergo a focused re-test of only the failed elements, provided the whole process still completes within the three-month window after your basic certificate. The re-test pass rate is significantly higher, as you know exactly what needs to be fixed.
Government Contract Requirements
For many UK organisations, Cyber Essentials certification is not optional; it is a contractual requirement. Since October 2014 (Procurement Policy Note 09/14), the UK government has required suppliers bidding for central government contracts that involve handling personal or sensitive information, or providing certain ICT products and services, to hold a valid Cyber Essentials certificate. Understanding exactly when each level is required is critical for businesses in the public sector supply chain.
When Basic Cyber Essentials Is Sufficient
A basic cyber essentials certificate is required for all government contracts where the supplier will be handling any personal information or where the contract involves the provision of certain IT products or services. In practical terms, this covers the majority of government contracts that involve digital service delivery, data processing, or IT infrastructure management.
When Cyber Essentials Plus Is Required
Cyber Essentials Plus certification is required, or strongly recommended, in several specific scenarios:
- MOD contracts: Under Def Stan 05-138, the Ministry of Defence sets the required level from the contract's cyber risk profile; only the lowest profile is satisfied by basic Cyber Essentials, and most contracts involving access to defence systems, data or networks require Plus
- NHS contracts: NHS England (which absorbed NHS Digital in 2023) and many NHS trusts now require or strongly prefer Cyber Essentials Plus for IT service providers and data processors
- Contracts handling sensitive data: Any government contract involving OFFICIAL-SENSITIVE data, personal data at scale, or data that could cause significant harm if breached
- Critical national infrastructure: Suppliers to CNI sectors are increasingly required to hold Cyber Essentials Plus as a minimum baseline
- Frameworks and dynamic purchasing systems: Many government procurement frameworks, including G-Cloud and Digital Outcomes and Specialists, now list Cyber Essentials Plus as either mandatory or a scored evaluation criterion
| Contract Type | CE Basic Required | CE Plus Required | Notes |
|---|---|---|---|
| General government IT contracts | Yes | Recommended | Minimum requirement for most public sector work |
| MOD / Defence contracts | Yes | Yes | Plus required for access to defence data or systems |
| NHS England / NHS Trust IT | Yes | Strongly recommended | Increasingly mandated for data processors |
| OFFICIAL-SENSITIVE data handling | Yes | Yes | Plus required when handling sensitive data |
| G-Cloud framework | Yes | Evaluated | Plus certification scores additional points |
| Local authority contracts | Varies | Varies | Increasingly common, check individual requirements |
| Education sector contracts | Recommended | Recommended | DfE encourages all education suppliers to certify |
Government contract requirements for Cyber Essentials are not static. Departments and frameworks regularly update their requirements, and the trend is consistently towards requiring higher levels of assurance. If you're currently meeting requirements with a basic certificate, it's worth planning for an upgrade to Plus; the requirement may become mandatory before your next contract renewal.
Sector-Specific Guidance
While Cyber Essentials is a universal scheme, the practical implications and requirements vary significantly by sector. Here's what organisations in key industries need to know about choosing between CE basic and cyber essentials plus.
Healthcare
The healthcare sector is one of the most targeted industries for cyber attacks, and the consequences of a breach can be life-threatening. The Data Security and Protection Toolkit (DSPT), now operated by NHS England, aligns closely with Cyber Essentials, and many NHS trusts now require Cyber Essentials Plus certification from their IT suppliers and data processors.
If your organisation processes patient data, connects to NHS networks such as the Health and Social Care Network (HSCN), or provides IT services to healthcare organisations, Cyber Essentials Plus should be considered essential rather than optional. The sensitivity of health data, combined with the regulatory requirements under UK GDPR and the Data Protection Act 2018, makes the additional assurance of an external technical audit well worth the investment.
Financial Services
Financial services organisations operate under some of the most stringent regulatory oversight in the UK, with the FCA and PRA both emphasising operational resilience and cybersecurity. While Cyber Essentials is not specifically mandated by financial regulators, it is widely recognised as a baseline that complements existing regulatory frameworks.
For smaller financial services firms, including IFAs, mortgage brokers and fintech startups, a Cyber Essentials certificate at the basic level demonstrates a commitment to cybersecurity fundamentals. However, larger firms and those handling significant volumes of client funds or personal financial data should strongly consider Cyber Essentials Plus certification. Many institutional clients and partners now require it as part of their third-party risk management processes.
Legal Sector
Law firms handle some of the most sensitive information of any profession — from merger and acquisition details to criminal case files and personal injury claims. The Solicitors Regulation Authority (SRA) has increasingly focused on cybersecurity, and the Law Society actively recommends Cyber Essentials certification for all firms.
For law firms, the reputational risk of a data breach can be existential. Client confidentiality is the foundation of the solicitor-client relationship, and demonstrating Cyber Essentials Plus certification provides tangible evidence of your commitment to protecting that confidentiality. Large corporate clients increasingly require their legal advisers to hold cyber essentials plus certification as a condition of engagement.
Education
The education sector has seen a dramatic increase in cyber attacks, with schools, colleges, and universities all being targeted. The Department for Education (DfE) strongly encourages all schools and academy trusts to achieve Cyber Essentials certification, and the sector-specific guidance from the NCSC highlights education as a high-priority area for cybersecurity improvement.
For most schools and colleges, a basic cyber essentials certificate provides an appropriate level of assurance relative to their risk profile and resources. However, multi-academy trusts, universities, and education technology providers should consider Cyber Essentials Plus, particularly if they manage centralised IT infrastructure or process large volumes of student data.
Preparation: What It Takes for Each Level
The preparation effort for Cyber Essentials versus cyber essentials plus differs significantly. Understanding what's involved helps you plan resources, timelines, and budget effectively.
Preparing for Cyber Essentials Basic
For the cyber essentials self-assessment, preparation is primarily about understanding your current security posture and ensuring it meets the five controls. For a well-managed IT environment, this can take as little as one to two weeks. For organisations with legacy systems, inconsistent policies, or limited IT resources, plan for four to eight weeks.
Key preparation steps include:
- Asset inventory: Document every internet-connected device, including BYOD devices, cloud services, and network equipment
- Patching audit: Check every device for outstanding security updates and end-of-life software
- Firewall review: Verify that all boundary and host firewalls are properly configured with unnecessary ports closed
- Access control review: Ensure MFA is enabled on all cloud services and that admin accounts are used only for admin tasks
- Anti-malware check: Confirm that all in-scope devices have active, up-to-date anti-malware protection
- Policy documentation: While not formally required, documenting your security policies helps ensure consistent answers in the questionnaire
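The access control review above is the step most often done by eye. As an added example (the editor's, not a Cloudswitched or IASME tool), the script below runs the three checks the scheme actually cares about over a user export: MFA on every account, administrator accounts not doubling as everyday accounts, and dormant accounts that should have been removed. The CSV is constructed and its column names are assumptions; map them onto whatever your identity platform exports. The 90-day dormancy threshold is also an assumption, since the scheme requires unused accounts to be removed but does not fix a number.

```python
"""Audit a cloud-directory user export against the Cyber Essentials user
access control points: MFA for every user, admin accounts separate from
day-to-day use, and unused accounts removed.

Editor's example. The CSV is constructed and the column names are
assumptions about your export format.
"""
import csv
import io
from datetime import date, datetime, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed threshold; the scheme does not fix one

# Constructed export; none of these are real accounts.
USERS_CSV = """\
upn,account_type,roles,mfa_enabled,last_sign_in,has_mailbox
alice@example.org,user,,true,2024-05-30,true
alice.admin@example.org,admin,Global Administrator,true,2024-05-29,false
bob@example.org,user,,false,2024-05-30,true
carol@example.org,admin,Exchange Administrator,true,2024-05-28,true
svc-backup@example.org,service,,false,2024-05-30,false
dave@example.org,user,,true,2023-11-02,true
"""


def _flag(value: str) -> bool:
    """Interpret the boolean-ish strings exports tend to use."""
    return value.strip().lower() in {"true", "yes", "1"}


def audit_users(csv_text: str, today: date) -> list:
    """Return (upn, finding) pairs; an empty list means no access-control gaps were found."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row["upn"]
        # 1. MFA on every account that can sign in to the cloud service, service accounts included.
        if not _flag(row["mfa_enabled"]):
            findings.append((upn, "mfa_missing"))
        # 2. Admin accounts must not be used for everyday work; a mailbox is the usual giveaway.
        if row["account_type"] == "admin" and _flag(row["has_mailbox"]):
            findings.append((upn, "admin_account_used_for_daily_work"))
        # 3. Accounts no longer in use must be disabled or removed.
        last = datetime.strptime(row["last_sign_in"], "%Y-%m-%d").date()
        if today - last > DORMANT_AFTER:
            findings.append((upn, "dormant_account"))
    return findings


AS_OF = date(2024, 6, 1)  # fixed "today" so the sample is reproducible

if __name__ == "__main__":
    for upn, finding in audit_users(USERS_CSV, AS_OF):
        print(f"{finding:34s} {upn}")
```

In the sample, alice.admin passes because the privileged account has MFA and no mailbox, while carol fails even though MFA is on: a single account holding Exchange Administrator and receiving email is exactly the shared-use pattern the assessor will pick up.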
Preparing for Cyber Essentials Plus
Preparing for the cyber essentials plus assessment requires everything above, plus additional technical preparation to ensure your systems will pass hands-on testing. Plan for four to twelve weeks of preparation, depending on the size and complexity of your environment.
Additional preparation steps for Plus include:
- Pre-audit vulnerability scan: Run your own external vulnerability scan to identify issues before the assessor does
- Device sampling audit: Test a representative sample of devices from every OS, department, and location — exactly as the assessor will
- Malware protection testing: Use EICAR test files, delivered by email attachment and by browser download, to verify that your anti-malware blocks them on arrival or at the point of execution on a sample of devices
- Email security testing: Send test emails with simulated malicious attachments to verify email filtering is working correctly
- Admin account audit: Review all accounts with administrative privileges, remove unnecessary elevated access, and verify MFA on every admin account
- Evidence preparation: While the assessor conducts their own tests, having evidence of your security posture (screenshots, reports, configuration exports) speeds up the process
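The first item on that list, the pre-audit vulnerability scan, produces a long list that needs triage. As an added example (the editor's, not part of the scheme or a Cloudswitched tool), the script below reads Nmap's XML output and separates the exposures that will fail you outright, administrative interfaces reachable from the internet, from open services that merely need a documented business case. The scan XML is constructed, using the TEST-NET-3 documentation range, and the set of ports treated as administrative is a judgement call, not a list from IASME. The assessor will use a commercial scanner and also check for unpatched software, so this covers the firewall half of the test, not the patching half.

```python
"""Triage an external port scan for the exposures a Cyber Essentials Plus
vulnerability scan would flag.

Editor's example. Parses Nmap XML (nmap -oX). The sample scan is constructed;
the addresses sit in the 203.0.113.0/24 documentation range.
"""
import xml.etree.ElementTree as ET

# Services that should not be reachable from the internet without a documented need
# and protection (MFA or source-IP restriction). Judgement call, not an IASME list.
ADMIN_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 135: "msrpc", 139: "netbios", 445: "smb",
    3389: "rdp", 5900: "vnc", 5985: "winrm", 5986: "winrm-tls",
}

# Constructed Nmap XML, standing in for `nmap -sS -p- -oX scan.xml <your public ranges>`.
SAMPLE_SCAN_XML = """
<nmaprun scanner="nmap" args="nmap -sS -p- -oX scan.xml 203.0.113.10-11">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
      <port protocol="tcp" portid="5985"><state state="open"/><service name="wsman"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text: str) -> list:
    """Return (address, port, service) for every port Nmap reports as open."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue          # filtered and closed ports are not exposures
            svc = port.find("service")
            name = svc.get("name", "?") if svc is not None else "?"
            found.append((addr, int(port.get("portid")), name))
    return found


def classify(exposures: list) -> dict:
    """Split open ports into 'admin_interface' (likely fail) and 'review' (needs justification)."""
    out = {"admin_interface": [], "review": []}
    for addr, port, svc in exposures:
        bucket = "admin_interface" if port in ADMIN_PORTS else "review"
        out[bucket].append(f"{addr}:{port}/{svc}")
    return out


if __name__ == "__main__":
    for bucket, items in classify(open_ports(SAMPLE_SCAN_XML)).items():
        print(bucket, "->", ", ".join(items) or "none")
```

Run the scan from outside your network (a cloud VM or a consultant's host), because a scan from inside tells you nothing about what the boundary firewall actually permits. Anything in the admin_interface bucket should be closed or moved behind a VPN before the assessment; anything in review needs a one-line justification ready for the assessor.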
| Preparation Aspect | Cyber Essentials Basic | Cyber Essentials Plus |
|---|---|---|
| Typical preparation time | 1 – 4 weeks | 4 – 12 weeks |
| Staff involvement | IT manager or team lead | IT team + department representatives |
| Technical skills needed | Moderate — understanding of IT environment | High — hands-on system administration |
| External support recommended | Helpful but not essential | Strongly recommended |
| Pre-assessment testing | Review questionnaire in advance | Full internal audit mimicking assessor's approach |
| Day-of-assessment effort | 1 – 2 hours to submit questionnaire | 1 – 3 days (assessor on-site or remote) |
| Remediation window | Varies — resubmit when ready | Typically 30 days for focused re-test |
The Upgrade Path: CE Basic to CE Plus
Many organisations start with a basic Cyber Essentials certificate and later upgrade to Cyber Essentials Plus. This is not only common; it is the designed pathway. You cannot achieve Cyber Essentials Plus without first holding a valid basic certificate. Understanding the upgrade process helps you plan the transition efficiently.
Step-by-Step Upgrade Process
1. Achieve Cyber Essentials Basic
Complete the self-assessment questionnaire and receive your basic certificate. This establishes your baseline and starts the three-month window for pursuing Plus.
2. Engage a CE Plus Certification Body
Contact an IASME-accredited certification body that offers Cyber Essentials Plus assessments. Many organisations use the same body for both levels, but this is not required. Book your assessment date early — popular certification bodies can have waiting lists.
3. Conduct Internal Pre-Audit
Perform your own internal audit using the same technical tests the assessor will conduct. Run external vulnerability scans, check device configurations, test malware protection, and verify MFA across all in-scope services.
4. Remediate Issues
Fix any gaps identified during your internal pre-audit. Patch devices, close unnecessary ports, enable MFA where missing, and ensure all anti-malware is active and up to date. Document changes for your records.
5. Undergo the CE Plus Assessment
The assessor conducts external vulnerability scans, samples devices for internal testing, runs malware protection tests, and verifies your security controls through hands-on technical audit. This typically takes 1-3 days.
6. Remediation (If Needed)
If issues are found, you'll receive a detailed report. Most certification bodies allow a 30-day remediation window for a focused re-test of failed elements only. Use this time to address specific issues and request the re-test.
7. Certification Achieved
Once all tests are passed, you receive your Cyber Essentials Plus certificate, valid for 12 months. Your organisation appears on IASME's public register with the Plus designation, demonstrating the highest level of Cyber Essentials assurance.
The Three-Month Window
One critical aspect of the upgrade path is the three-month window. Your Cyber Essentials Plus assessment, including any remediation and re-test, must be completed within three months of the date on your basic certificate. If you miss this window, your basic certification will need to be renewed before you can proceed with Plus. This means planning ahead is essential; don't wait until month two to start looking for a certification body.
If you're planning to pursue Cyber Essentials Plus, book your assessment with a certification body before or immediately after completing your basic certification. This ensures you have a confirmed date within the three-month window and avoids the risk of waiting lists pushing you beyond the deadline. At Cloudswitched, we help clients plan both certifications as a coordinated process rather than two separate projects.
Which Level Do You Actually Need?
The decision between a basic cyber essentials certificate and cyber essentials plus certification ultimately depends on your specific circumstances. Here's a practical framework for making the decision.
Choose Cyber Essentials Basic If:
- You're a small business taking your first formal steps in cybersecurity certification
- Your government contract requirements specify only the basic level
- Your clients and partners require Cyber Essentials but don't specify Plus
- Budget constraints make the full Plus assessment financially challenging right now
- You have a straightforward IT environment with limited complexity
- You're building a cybersecurity foundation and plan to upgrade to Plus within 12 months
Choose Cyber Essentials Plus If:
- You handle sensitive data: personal data at scale, financial data, health data or legally privileged information
- You bid for government contracts that require or prefer Plus certification
- Your clients include NHS, MOD, financial institutions, or other organisations that mandate Plus from their suppliers
- You want independent verification that your security controls actually work, not just that you believe they do
- You operate in a high-risk sector where the reputational impact of a breach would be severe
- You want to demonstrate market-leading cybersecurity commitment to differentiate from competitors
- Your cyber insurance provider offers premium reductions for Plus certification
The Business Case for Cyber Essentials Plus
Beyond satisfying a contractual requirement, there are compelling business reasons to invest in Cyber Essentials Plus certification.
Competitive Advantage
In competitive tender situations — whether for government contracts or private sector work — cyber essentials plus provides a clear differentiator. When two suppliers offer comparable services at similar prices, the one with Plus certification demonstrates a higher commitment to security. This advantage is particularly pronounced in sectors where data security is a key concern for buyers.
Risk Reduction
The Cyber Essentials Plus assessment is, in effect, a scoped security audit conducted by a qualified assessor. The technical testing frequently identifies weaknesses the organisation was not aware of: unpatched devices, misconfigured firewalls, exposed services. The value of this testing extends well beyond the certificate itself; it is an opportunity to improve your actual security posture against a concrete list of findings.
Supply Chain Assurance
The trend towards supply chain security assurance is accelerating rapidly. Large organisations increasingly require their entire supply chain to demonstrate cybersecurity credentials. Having cyber essentials plus certification positions your organisation as a trusted partner, reducing friction in procurement processes and opening doors to opportunities that would otherwise be closed.
Insurance Benefits
Many cyber insurance providers offer reduced premiums for organisations holding Cyber Essentials Plus certification. The logic is straightforward — organisations that have passed an independent technical audit present a lower risk profile. The premium savings over time can partially offset the cost of maintaining Plus certification, making the financial case even more compelling.
How Cyber Essentials Has Evolved
The Cyber Essentials scheme has undergone several significant updates since its launch in 2014. Understanding these changes is important because they affect how you prepare for your assessment and what the scheme covers in its current form.
Key Changes in Recent Years
The most significant update came in January 2022, when IASME introduced version 3.1 of the Cyber Essentials requirements. This update reflected the evolving threat landscape and the increasing shift to cloud-based and remote working environments. Key changes included:
- Cloud services explicitly in scope: All cloud services where the organisation controls user access and configuration must now be included in the assessment, removing previous ambiguity
- MFA now mandatory: Multi-factor authentication is required for all cloud services and any service accessible from the internet, not just recommended as best practice
- Home working addressed: The requirements now explicitly cover home routers and personal devices used for work, reflecting the post-pandemic reality of remote and hybrid working
- Thin clients and zero clients: New guidance for organisations using virtual desktop infrastructure (VDI), thin clients, and similar remote access technologies
- 14-day patching requirement formalised: The requirement to apply critical and high-severity patches within 14 days was strengthened and clarified, with specific guidance on how to handle patches when the 14-day window is impractical
- Device unlocking mechanisms: Specific requirements for device unlock methods, including minimum password lengths and biometric authentication standards
These changes mean that any guidance or preparation advice published before 2022 may be outdated. Always work from the current version of the Cyber Essentials requirements, available from the NCSC website, and ensure your certification body is assessing you against the latest standard.
Common Myths and Misconceptions
Several persistent misconceptions about Cyber Essentials can lead organisations astray. Let's address the most common ones.
Myth: "Cyber Essentials means we're fully secure"
Cyber Essentials — even at the Plus level — covers five fundamental technical controls. It is deliberately a baseline standard, not a comprehensive cybersecurity framework. Achieving a cyber essentials certificate does not mean your organisation is immune to cyber attacks. It means you have implemented the basic controls that prevent the majority of commodity attacks. More sophisticated threats, social engineering, insider threats, and advanced persistent threats require additional measures beyond Cyber Essentials.
Myth: "We only need to certify our main office"
The scope of Cyber Essentials includes all internet-connected devices and services used by the organisation, regardless of location. This includes home workers' devices, cloud services, mobile devices, and any equipment at branch offices. Attempting to artificially narrow your scope to exclude certain locations or device types will be identified during assessment and will result in failure.
Myth: "We can just tick the boxes and pass"
While the basic cyber essentials self-assessment is a questionnaire, it is reviewed by a qualified assessor who will identify inconsistencies, gaps, and implausible answers. The assessor may request additional information or clarification. And at the Plus level, the hands-on technical testing will immediately reveal any gap between what was claimed and what actually exists. Honesty and thoroughness are essential.
Myth: "Our IT provider handles all this, so we don't need to worry"
Even if your IT is fully managed by a third-party provider, the Cyber Essentials certification is your organisation's responsibility. You need to understand what your IT provider does and doesn't do, ensure they are implementing the required controls, and be able to accurately answer the assessment questions. Your IT provider can support the process, but the certification belongs to your organisation.
One of the most valuable outcomes of the Cyber Essentials process is not the certificate itself — it's the process of systematically reviewing your security posture. Many organisations discover significant vulnerabilities during preparation that they were previously unaware of. The certification process forces a structured, comprehensive review that might not otherwise happen until after a breach.
Cyber Essentials and Other Frameworks
Cyber Essentials does not exist in isolation. Understanding how it relates to other cybersecurity and compliance frameworks helps you position it within your broader governance, risk, and compliance strategy.
Cyber Essentials and ISO 27001
ISO 27001 is the international standard for information security management systems. It is significantly more comprehensive than Cyber Essentials, covering organisational governance, risk management, human resources security, physical security, and more. However, the two are complementary: Cyber Essentials covers specific technical controls that align with several ISO 27001 Annex A controls. Many organisations pursue Cyber Essentials as a stepping stone towards ISO 27001, and the preparation work for Cyber Essentials contributes directly to an ISO 27001 implementation.
Cyber Essentials and GDPR / UK GDPR
While Cyber Essentials is not a GDPR compliance mechanism, achieving certification demonstrates that your organisation has implemented appropriate technical measures to protect personal data — a key requirement under Article 32 of the UK GDPR. The Information Commissioner's Office (ICO) has acknowledged Cyber Essentials as evidence of good practice, and certification may be considered a mitigating factor in the event of a data breach investigation.
Cyber Essentials and NIST / CIS Controls
For organisations with international operations, the Cyber Essentials controls map closely to elements of the NIST Cybersecurity Framework and the CIS Critical Security Controls. This alignment means that work done for Cyber Essentials also contributes to compliance with these international frameworks, reducing duplication of effort for organisations that need to demonstrate compliance across multiple standards.
| Framework | Scope | Relationship to Cyber Essentials | Typical Use |
|---|---|---|---|
| Cyber Essentials | 5 technical controls | Baseline UK standard | UK government contracts, SME cybersecurity foundation |
| ISO 27001 | Full ISMS (114 controls) | Cyber Essentials is a subset | Enterprise, international clients, comprehensive security |
| UK GDPR | Data protection | CE demonstrates "appropriate technical measures" | All organisations processing personal data |
| NIST CSF | Full cybersecurity framework | CE maps to several NIST subcategories | International operations, US clients |
| SOC 2 | Trust service criteria | Complementary, some overlap in security controls | SaaS providers, US market |
| PCI DSS | Payment card data | Complementary for payment-handling organisations | E-commerce, payment processing |
Renewal and Ongoing Compliance
Both Cyber Essentials and cyber essentials plus certification are valid for 12 months from the date of issue. Renewal is not automatic — you must undergo the full assessment process again each year. This annual requirement ensures that your security controls remain current and that new devices, services, and configurations introduced during the year are properly assessed.
Planning for Renewal
Start planning your renewal at least eight weeks before your certificate expires. This gives you sufficient time to audit your current environment, address any changes since your last certification, and schedule the assessment. For cyber essentials plus renewals, book your assessment date even earlier, as certification bodies may have limited availability.
Key renewal considerations include:
- New devices and services: Any devices or cloud services added since your last certification must be included in scope and compliant with the five controls
- Staff changes: Review user accounts for leavers and joiners, ensure access permissions are current, and verify MFA is active for all users
- Software changes: Any new software introduced must be kept patched and properly configured
- Policy updates: Ensure your security policies reflect any operational changes during the year
- Updated requirements: Check whether IASME has updated the Cyber Essentials requirements since your last certification and adjust your controls accordingly
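The renewal checklist above and the 2022 requirement changes (14-day patching, MFA on every internet-facing service, end-of-life software, leaver accounts) can be turned into a repeatable pre-renewal check. The script below is an added example, not Cloudswitched's tooling or an IASME artefact; its inventory is constructed sample data, and the host, user, product names and dates are illustrative only.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # critical and high-severity fixes: 14 days from release

@dataclass
class Patch:
    host: str
    severity: str            # "critical", "high", "medium" or "low"
    released: date
    applied: Optional[date]  # None means the fix is still outstanding

@dataclass
class Account:
    user: str
    service: str
    internet_facing: bool  # cloud service or anything reachable from the internet
    mfa_enabled: bool
    enabled: bool
    leaver: bool           # the person has left; the account may still linger

def overdue_patches(patches, today):
    """Critical/high patches applied late, or still open past the 14-day deadline."""
    findings = []
    for p in patches:
        if p.severity not in ("critical", "high"):
            continue
        deadline = p.released + PATCH_WINDOW
        done_by = p.applied if p.applied is not None else today
        if done_by > deadline:
            findings.append(f"{p.host}: {p.severity} patch released {p.released} missed {deadline}")
    return findings

def unsupported_software(software, today):
    """software is a list of (host, product, end_of_life) tuples; None = still supported."""
    return [f"{host}: {name} out of support since {eol}"
            for host, name, eol in software if eol is not None and eol <= today]

def accounts_without_mfa(accounts):
    """Enabled accounts on internet-facing services where MFA is not enforced."""
    return [f"{a.user}@{a.service}: no MFA" for a in accounts
            if a.enabled and a.internet_facing and not a.mfa_enabled]

def lingering_leavers(accounts):
    return [f"{a.user}@{a.service}: leaver still enabled" for a in accounts if a.leaver and a.enabled]

def run_checks(patches, software, accounts, today):
    """One list of findings per control; an empty list means that control passes."""
    return {"patching": overdue_patches(patches, today),
            "eol_software": unsupported_software(software, today),
            "mfa": accounts_without_mfa(accounts),
            "leavers": lingering_leavers(accounts)}

# Constructed sample inventory: hosts, users, products and dates are illustrative only.
TODAY = date(2024, 3, 1)
SAMPLE_PATCHES = [Patch("laptop-01", "critical", date(2024, 2, 1), date(2024, 2, 10)),  # on time
                  Patch("laptop-02", "critical", date(2024, 2, 1), None),              # open for 29 days
                  Patch("fw-edge", "high", date(2024, 1, 5), date(2024, 1, 30)),       # applied 11 days late
                  Patch("laptop-04", "high", date(2024, 2, 25), None)]                 # still inside the window
SAMPLE_SOFTWARE = [("laptop-02", "legacy-crm 4", date(2023, 6, 30)), ("laptop-01", "Windows 11", None)]
SAMPLE_ACCOUNTS = [Account("alice", "Google Workspace", True, True, True, False),
                   Account("bob", "Google Workspace", True, False, True, False),    # cloud login without MFA
                   Account("carol", "Google Workspace", True, True, True, True),    # left, account never disabled
                   Account("svc-backup", "on-prem NAS", False, False, True, False)]  # internal only; MFA rule n/a
```

Running `run_checks(SAMPLE_PATCHES, SAMPLE_SOFTWARE, SAMPLE_ACCOUNTS, TODAY)` against the sample inventory reports two patching findings, one unsupported product, one account without MFA and one leaver still enabled; feed it your own asset and account exports to get the same view before booking the assessment.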
Choosing the Right Certification Body
All Cyber Essentials assessments must be conducted through an IASME-accredited certification body. While the assessment criteria are standardised, the quality of service, support, and guidance can vary significantly between providers. Here's what to look for:
- IASME accreditation: Verify that the certification body is currently accredited — check the IASME website for the latest list of approved assessors
- Sector experience: Choose a certification body with experience in your sector, particularly if you have sector-specific requirements or regulatory overlaps
- Support level: Some certification bodies offer bare-minimum assessments, while others provide guidance, pre-assessment reviews, and remediation support
- Turnaround time: Ask about typical assessment timescales, particularly for Plus assessments, which require the hands-on testing to be scheduled
- Remediation support: If you fail, what support does the certification body offer for remediation and re-testing?
- Bundle pricing: Many certification bodies offer discounted pricing when you book both CE basic and Plus together
How Cloudswitched Supports Your Certification
As a London-based IT managed service provider, Cloudswitched has guided hundreds of UK organisations through both Cyber Essentials and cyber essentials plus certification. Our approach goes beyond simply helping you pass the assessment — we ensure your organisation genuinely meets the required standards, so certification reflects real security improvement rather than paper compliance.
Our Cyber Essentials Support Includes:
- Gap analysis: We audit your current IT environment against the five technical controls, identifying every issue that needs resolution before you begin the assessment
- Scope definition: We help you define the correct scope for your assessment, ensuring all required devices and services are included while avoiding unnecessary complexity
- Remediation: Our engineers resolve identified gaps — patching devices, configuring firewalls, implementing MFA, removing end-of-life software, and securing user accounts
- Self-assessment support: For the basic level, we guide you through the questionnaire, ensuring your answers are accurate, specific, and complete
- Plus preparation: For the cyber essentials plus assessment, we conduct a full internal pre-audit replicating the assessor's testing methodology, so you know exactly what to expect
- Assessment coordination: We liaise with your chosen certification body, schedule assessments, and provide support during the assessment process
- Ongoing compliance: As your managed IT provider, we maintain your compliance year-round, ensuring that the controls assessed during certification remain in place between renewals
The most cost-effective approach to Cyber Essentials certification is to work with an IT provider who maintains your compliance as part of their ongoing managed service, rather than treating certification as an annual one-off project. When your IT environment is continuously managed to meet Cyber Essentials standards, the annual assessment becomes a straightforward confirmation rather than a stressful remediation exercise.
Real-World Decision Scenarios
To bring this comparison to life, here are some realistic scenarios that illustrate when each level of certification is the right choice.
Scenario 1: A 15-Person Marketing Agency
A growing London marketing agency with 15 staff uses cloud-based tools (Google Workspace, Asana, Figma) and handles client data including campaign performance data and some personal data. They want to demonstrate professionalism to larger clients and are beginning to respond to RFPs that ask about cybersecurity credentials.
Recommendation: Cyber Essentials Basic. A basic cyber essentials certificate provides the credential they need for most client requirements, and their cloud-first IT environment makes the self-assessment relatively straightforward. They should plan to upgrade to Plus within 12-18 months as client expectations increase.
Scenario 2: A 200-Person Legal Firm
A regional law firm with 200 employees handles sensitive client data including financial information, personal injury claims, and corporate M&A documentation. They have several major corporate clients who are tightening their supply chain security requirements, and they regularly handle legally privileged material.
Recommendation: Cyber Essentials Plus. The sensitivity of the data they handle, combined with client expectations and regulatory pressure from the SRA, makes cyber essentials plus certification the appropriate choice. The independent verification provides assurance to both the firm and its clients.
Scenario 3: An IT Company Bidding for MOD Work
A 50-person IT services company is expanding into defence sector work. They're bidding for a contract that involves managing network infrastructure for a MOD facility, with access to OFFICIAL-SENSITIVE data.
Recommendation: Cyber Essentials Plus (mandatory). MOD contracts involving access to defence systems and OFFICIAL-SENSITIVE data require cyber essentials plus certification as a non-negotiable baseline. Without it, their bid will not be considered regardless of technical capability or pricing.
Scenario 4: A Primary School Academy Trust
A multi-academy trust managing five primary schools wants to improve its cybersecurity posture following NCSC guidance. They have limited IT resources (one part-time IT coordinator) and a tight budget.
Recommendation: Cyber Essentials Basic. The basic cyber essentials self-assessment provides an appropriate level of assurance for the trust's risk profile and is achievable within their resource constraints. The DfE encourages basic certification for all education organisations, and the process itself will drive meaningful security improvements.
Frequently Asked Questions
How long does Cyber Essentials certification last?
Both Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months. You must re-certify annually to maintain your certified status.
Can we go straight to Cyber Essentials Plus without doing Basic first?
No. Cyber Essentials Plus requires a valid basic Cyber Essentials certificate. You must complete the cyber essentials self-assessment first, then proceed to the cyber essentials plus assessment within three months.
What happens if we fail the assessment?
For the basic assessment, you can address the identified issues and resubmit. For Plus, most certification bodies offer a 30-day remediation window followed by a focused re-test of the failed elements. Failing is not uncommon and is not a cause for concern — it's an opportunity to fix genuine security gaps.
Do we need Cyber Essentials if we already have ISO 27001?
ISO 27001 is more comprehensive than Cyber Essentials, but they are separate certifications. Some government contracts specifically require Cyber Essentials certification, even if you hold ISO 27001. The good news is that ISO 27001-certified organisations typically find the Cyber Essentials process straightforward.
Are home workers' devices in scope?
Yes. Under the current Cyber Essentials requirements, any device used to access organisational data or services is in scope, including home workers' personal devices if used for work purposes. This includes the requirement for firewalls (the home router counts as a boundary device), anti-malware, patching, and secure configuration.
Does Cyber Essentials cover physical security?
No. Cyber Essentials is focused exclusively on technical cybersecurity controls. Physical security, staff training, incident response planning, and business continuity are outside the scope of Cyber Essentials. For a more comprehensive approach that includes these areas, consider ISO 27001 or the NCSC's 10 Steps to Cyber Security guidance.
Can our IT provider hold Cyber Essentials on our behalf?
No. The certification must be in your organisation's name. Your IT provider can support the process and may hold their own certification, but your organisation must independently certify. If your IT provider manages your systems, they can help you achieve and maintain compliance, but the certificate must belong to you.
Making Your Decision: A Practical Summary
Choosing between Cyber Essentials and cyber essentials plus is not a question of "good" versus "better" — it's about matching the level of assurance to your organisation's specific needs, obligations, and risk profile. Both levels demonstrate a commitment to cybersecurity that puts you ahead of the vast majority of UK businesses that hold no certification at all.
Start with these three questions:
- Do any of your contracts or clients require Cyber Essentials Plus specifically? If yes, the decision is made — you need Plus. Check MOD, NHS, and large corporate client requirements carefully.
- Does your organisation handle sensitive data that could cause significant harm if breached? If yes, the independent verification of Plus provides meaningful assurance that your controls are genuinely effective.
- Is your primary goal to demonstrate a baseline commitment to cybersecurity? If yes, basic Cyber Essentials achieves this at a fraction of the cost and effort, and positions you for an upgrade when the need arises.
Whatever level you choose, the most important step is starting the process. Every day your organisation operates without basic cybersecurity controls in place is a day you're unnecessarily exposed to preventable threats. The Cyber Essentials scheme, backed by the NCSC and IASME, provides a clear, structured, and achievable path to fundamental cybersecurity — and either level of certification marks a significant improvement in your organisation's security posture.
Ready to Achieve Cyber Essentials Certification?
Whether you need a basic Cyber Essentials certificate or full Cyber Essentials Plus certification, Cloudswitched makes the process straightforward. Our London-based team handles everything from gap analysis and remediation to assessment coordination and ongoing compliance management. Get certified with confidence — talk to our cybersecurity specialists today.
