One of the most common questions UK organisations face when considering cybersecurity certification is whether to pursue Cyber Essentials alone or to go further with Cyber Essentials Plus. Both certifications fall under the same government-backed scheme administered by the NCSC, and both address the same five technical controls. Yet there are significant differences in how each certification is achieved, what it proves, and the doors it opens for your organisation.
This article provides a thorough comparison of the two levels, helping you determine which certification is right for your business based on your sector, your clients, your risk profile, and your commercial ambitions.
The Cyber Essentials Scheme at a Glance
The Cyber Essentials scheme was introduced in 2014 by the UK Government to establish a baseline of cybersecurity hygiene for organisations of all sizes. Administered by the National Cyber Security Centre (NCSC) and delivered through accreditation bodies — primarily IASME — the scheme provides two levels of certification, each built around the same five technical controls: firewalls, secure configuration, security update management, user access control, and malware protection.
Both levels require organisations to demonstrate that these controls are in place and functioning. Where they differ is in how that demonstration is verified — and this distinction has significant implications for the level of assurance the certification provides.
Cyber Essentials: The Self-Assessment Level
Cyber Essentials — often referred to as "basic" Cyber Essentials to distinguish it from Plus — is the entry-level certification. Achieving it involves completing a detailed self-assessment questionnaire that covers each of the five technical controls. The questionnaire asks about your organisation's IT infrastructure, the security measures you have in place, and how you manage devices, software, and user accounts.
Once completed, the questionnaire is submitted to an accredited certification body for independent review. The reviewer checks that your answers indicate compliance with the scheme's requirements. If everything is in order, you receive your Cyber Essentials certificate, which is valid for 12 months.
The key characteristic of basic Cyber Essentials is that it is a self-declared assessment. You are telling the certification body what your security controls are, and they are reviewing your declaration. There is no hands-on testing of your actual systems. This makes the process quicker and more affordable, but it also means the level of assurance is lower — the certification confirms what you have stated, not necessarily what has been verified in practice.
Cyber Essentials Plus: The Verified Level
Cyber Essentials Plus builds on the basic level by adding independent technical testing. Rather than simply reviewing your self-assessment, a qualified assessor conducts hands-on tests of your systems to verify that the five controls are genuinely implemented and functioning correctly.
These tests typically include external vulnerability scanning of your internet-facing IP addresses, internal scanning of a representative sample of devices, testing of malware defences using EICAR test files and known malicious URLs, verification of patch levels across operating systems and applications, review of user account configurations and privilege levels, and testing of multi-factor authentication where applicable.
The assessor visits your premises (or conducts the assessment remotely) and actively tests your defences. This is a significant step up from self-assessment — it provides genuine, evidence-based assurance that your controls are working as intended. Consequently, Cyber Essentials Plus carries considerably more weight with clients, partners, insurers, and government departments.
Key Differences Explained
While the comparison table later in this section summarises the main differences, several of these deserve deeper exploration to help you make an informed decision.
Assessment Method
This is the fundamental difference between the two levels. Basic Cyber Essentials relies entirely on self-assessment — you describe your controls, and an assessor reviews your description. Cyber Essentials Plus involves actual testing of your systems by a qualified professional. The assessor uses scanning tools to identify vulnerabilities, attempts to download malware test files to verify your defences, checks patch levels on devices, and reviews account configurations directly.
The practical implication is significant. With basic Cyber Essentials, there is an inherent gap between what an organisation believes its security posture to be and what it actually is. Honest mistakes, oversights, and misunderstandings can mean that controls are not as robust as the self-assessment suggests. Cyber Essentials Plus closes this gap by independently verifying what is actually in place.
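The patch-level and account checks described above are exactly the ones an organisation can run on itself before booking a Plus assessment, so that the gap between declared and actual posture is found internally first. The following script is an added example, not code from the article, the NCSC, IASME or any certification body: it runs two of those checks over a constructed device inventory. It assumes the scheme's 14-day window for vendor-rated critical/high updates or CVSS v3 7.0+ (taken from the published Cyber Essentials requirements, not from this page), and the update identifiers, hostnames and account names are placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Assumed scheme rule (published Cyber Essentials requirements, not stated on this page):
# updates rated critical/high, or with CVSS v3 >= 7.0, must be applied within 14 days.
PATCH_WINDOW_DAYS = 14
HIGH_RISK_CVSS = 7.0


@dataclass
class Update:
    update_id: str      # placeholder identifier, not a real KB/advisory number
    severity: str       # vendor rating: "critical", "high", "moderate", "low"
    cvss: float         # CVSS v3 base score as published by the vendor
    released: date      # vendor release date
    installed: bool     # whether the device already has it


@dataclass
class Account:
    name: str
    is_admin: bool      # holds administrative privilege on the device/service
    mfa_enabled: bool   # multi-factor authentication configured


@dataclass
class Device:
    hostname: str
    os: str
    updates: list
    accounts: list


def is_high_risk(u: Update) -> bool:
    """High-risk under the assumed rule: vendor critical/high OR CVSS >= 7.0."""
    return u.severity.lower() in ("critical", "high") or u.cvss >= HIGH_RISK_CVSS


def patch_findings(devices, as_of: date):
    """Return (hostname, update_id, days_overdue) for every high-risk update that is
    still missing more than PATCH_WINDOW_DAYS after its release date."""
    findings = []
    for d in devices:
        for u in d.updates:
            if u.installed or not is_high_risk(u):
                continue
            age_days = (as_of - u.released).days
            if age_days > PATCH_WINDOW_DAYS:
                findings.append((d.hostname, u.update_id, age_days - PATCH_WINDOW_DAYS))
    return findings


def account_findings(devices):
    """Return (hostname, account) for administrative accounts that lack MFA."""
    return [(d.hostname, a.name)
            for d in devices for a in d.accounts
            if a.is_admin and not a.mfa_enabled]


# Constructed sample inventory: hostnames, update ids and accounts are illustrative only.
SAMPLE_INVENTORY = [
    Device("LAPTOP-01", "Windows 11", [
        Update("KB-PLACEHOLDER-1", "critical", 9.8, date(2024, 3, 1), installed=False),
        Update("KB-PLACEHOLDER-2", "moderate", 5.3, date(2024, 3, 1), installed=False),
    ], [
        Account("j.smith", is_admin=False, mfa_enabled=True),
        Account("localadmin", is_admin=True, mfa_enabled=False),
    ]),
    Device("LAPTOP-02", "macOS 14", [
        Update("SEC-PLACEHOLDER-3", "high", 7.5, date(2024, 3, 20), installed=False),
    ], [
        Account("a.jones", is_admin=True, mfa_enabled=True),
    ]),
]

AS_OF = date(2024, 3, 28)  # constructed "today" for the sample run


def readiness_report(devices=SAMPLE_INVENTORY, as_of=AS_OF):
    """Bundle both checks into one report a team can review before the assessment."""
    return {"patching": patch_findings(devices, as_of),
            "accounts": account_findings(devices)}


if __name__ == "__main__":
    for section, items in readiness_report().items():
        print(section, items)
```

In the sample run only LAPTOP-01 is flagged: its critical update is 27 days old (13 days past the window) and its local administrator account has no MFA, while LAPTOP-02's high-rated update is still inside the 14-day window. On real data the inventory would be exported from your endpoint management or patching tool; the script deliberately mirrors what the Plus assessor verifies so that nothing it reports should come as a surprise on assessment day.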
Cost
The cost difference between the two levels reflects the additional work involved in the Plus assessment. Basic Cyber Essentials typically costs between £300 and £600 for a small to medium-sized organisation, covering the self-assessment review and certification. Cyber Essentials Plus costs more — typically between £1,500 and £5,000 depending on the size and complexity of your organisation — because it requires an assessor to spend time actively testing your systems.
For larger organisations with complex IT environments, multiple sites, or large numbers of devices, the cost of Plus can be higher. However, when weighed against the commercial benefits — access to government contracts, improved insurance terms, competitive advantage in supply chains — the additional investment frequently pays for itself many times over.
Time to Achieve
Basic Cyber Essentials can typically be achieved within a few days to a couple of weeks, assuming your controls are already in reasonable shape. The self-assessment questionnaire takes a few hours to complete, and the review process is usually swift.
Cyber Essentials Plus requires more calendar time. You must first hold a valid basic certificate, then schedule the Plus assessment with a certification body. The assessment itself typically takes one to two days, depending on the number of devices and the complexity of your environment. If remediation is required, add additional time for fixes and retesting. From start to finish, the process typically takes four to eight weeks.
Level of Assurance
The assurance provided by each level is fundamentally different. Basic Cyber Essentials provides a statement of intent — it confirms that your organisation has declared its compliance with the five controls. Cyber Essentials Plus provides evidence of compliance — it confirms that a qualified assessor has tested your systems and found them to meet the required standard.
This distinction matters enormously to organisations that rely on your security credentials. Government departments, large enterprises, and sophisticated buyers understand the difference between self-declaration and independent verification. For high-stakes relationships, Cyber Essentials Plus is frequently the expected standard.
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment type | Self-assessment questionnaire | Independent technical testing |
| Typical cost (SME) | £300 – £600 | £1,500 – £5,000 |
| Time to achieve | 1 – 2 weeks | 4 – 8 weeks |
| Vulnerability scanning | Not included | External and internal scans |
| Malware testing | Not included | EICAR and URL-based tests |
| Patch verification | Self-declared | Assessor-verified on devices |
| Assurance level | Moderate | High |
| Government contracts | Meets basic requirement | Meets all requirements |
| Renewal frequency | Annual | Annual |
When Basic Cyber Essentials Is Sufficient
For some organisations, basic Cyber Essentials provides an appropriate level of certification. Consider staying at the basic level if your organisation meets the following criteria.
- You do not currently bid for government contracts or work within supply chains that specifically require Cyber Essentials Plus.
- Your clients and partners are satisfied with self-assessed certification rather than independently verified testing.
- Your organisation is small, with a straightforward IT environment, and you are confident that your self-assessment accurately reflects your actual security posture.
- Budget constraints are a genuine concern, and the additional cost of Plus assessment would be difficult to justify in the short term.
Even in these circumstances, basic Cyber Essentials is valuable. It provides a structured framework for thinking about cybersecurity, identifies areas for improvement, and demonstrates to clients and stakeholders that you take security seriously. Many organisations use basic Cyber Essentials as a stepping stone, achieving the basic level first and then progressing to Plus when their commercial or operational circumstances require it.
When Cyber Essentials Plus Is the Right Choice
For a growing number of UK organisations, Cyber Essentials Plus has become the expected standard rather than an optional enhancement. You should strongly consider pursuing Plus if any of the following apply to your organisation.
Government contracts: If you bid for contracts with UK Government departments, the Ministry of Defence, the NHS, local authorities, or other public sector bodies, Cyber Essentials Plus is increasingly required — particularly for contracts involving sensitive data, personal information, or critical infrastructure. Having Plus certification already in place means you can respond to tenders immediately without delays for certification.
Regulated sectors: Organisations operating in regulated sectors such as financial services, healthcare, legal, and defence are often expected to demonstrate the highest available level of cybersecurity certification. Cyber Essentials Plus provides independently verified evidence of your security controls, which can satisfy regulatory expectations and reduce the burden of individual compliance assessments.
Supply chain pressure: Large organisations — including FTSE 250 companies, major retailers, and infrastructure operators — are increasingly requiring their suppliers to hold Cyber Essentials Plus. If your clients include large enterprises, achieving Plus can be essential for maintaining and growing those relationships.
Cyber insurance: Insurers in the UK are tightening their requirements. Holding Cyber Essentials Plus can make it easier to obtain coverage, secure more favourable premiums, and satisfy the insurer's due diligence requirements. The independent verification inherent in Plus carries more weight with underwriters than self-assessed certification.
Genuine security assurance: If you want to know — not just believe — that your security controls are working, Cyber Essentials Plus provides that assurance. The independent testing identifies real vulnerabilities that self-assessment alone might miss. Many organisations report that the Plus assessment uncovered issues they were not aware of, enabling them to fix problems before they were exploited.
You cannot achieve Cyber Essentials Plus without first holding a valid basic Cyber Essentials certificate. The Plus assessment must be completed within three months of the basic certificate being issued. Plan your timeline accordingly to avoid having to repeat the basic assessment.
The Progression Path
Many organisations find it practical to approach the Cyber Essentials scheme as a progression. Start with basic Cyber Essentials to establish your baseline, identify any gaps in your controls, and gain familiarity with the scheme's requirements. Then, when your controls are mature and your commercial circumstances warrant it, progress to Cyber Essentials Plus for the additional assurance and commercial benefits it provides.
This phased approach is particularly sensible for organisations that are new to formal cybersecurity certification. The basic level provides a structured introduction to the five controls without the pressure of hands-on testing. Once you are confident in your controls, the step up to Plus is manageable and the assessment is less likely to surface unexpected issues.
However, if your organisation already has robust IT management processes, experienced technical staff, and a clear commercial need for Plus certification, there is no reason to delay. You can pursue both levels concurrently — completing the basic self-assessment and scheduling the Plus assessment in quick succession.
Scope Considerations
One area where the two levels differ in practice is scope. For basic Cyber Essentials, you define the scope of your assessment when completing the self-assessment questionnaire. While the guidance encourages including your entire IT estate, there is some flexibility in defining boundaries — for example, excluding isolated test environments or legacy systems that are not connected to the internet.
For Cyber Essentials Plus, the scope is scrutinised more carefully by the assessor. All user devices that access organisational data or the internet are typically in scope, along with the network infrastructure that supports them. The assessor will want to see a representative sample of devices from across your organisation, including different operating systems, roles, and locations. Attempting to narrow the scope artificially to avoid testing problematic devices is likely to be challenged.
Cloud services add another layer of complexity. For both levels, the question is one of responsibility. If you manage the configuration of a cloud service — setting user permissions in Microsoft 365, for example — that configuration is in scope. If the cloud provider manages everything (as with a pure SaaS product), the service itself may be out of scope, but the devices you use to access it are not.
Making Your Decision
The choice between Cyber Essentials and Cyber Essentials Plus ultimately depends on your organisation's specific circumstances. Consider the following questions as you make your decision.
- Do your current or prospective clients require a specific level of certification? If they require Plus, the decision is already made.
- Are you bidding for government contracts? If so, Plus is increasingly the expected standard.
- Do you operate in a regulated sector where independent verification carries weight? Plus provides that verification.
- Is your IT environment well-managed, with current patches, strong access controls, and functioning malware defences? If so, the Plus assessment should be straightforward.
- Can your organisation absorb the additional cost of Plus, and will the commercial benefits outweigh that cost?
For most UK organisations that take cybersecurity seriously and operate in any form of supply chain or regulated environment, Cyber Essentials Plus represents the better investment. The additional cost is modest when compared to the commercial opportunities it unlocks, the insurance benefits it provides, and the genuine security assurance it delivers.
That said, basic Cyber Essentials remains a valuable certification in its own right. It establishes a foundation, provides a framework for improvement, and signals a commitment to cybersecurity that is absent from organisations with no certification at all. If budget or timing constraints make Plus impractical in the short term, starting with basic Cyber Essentials is always better than doing nothing.
Beyond Cyber Essentials
It is worth noting that Cyber Essentials Plus, while excellent for baseline cybersecurity, is not the only certification available. Organisations with more advanced security requirements may wish to consider additional certifications such as ISO 27001 (a comprehensive information security management system), SOC 2 (commonly required by US-based clients), or sector-specific standards. Cyber Essentials Plus provides an excellent foundation upon which these more advanced certifications can be built.
Whichever path you choose, the most important step is the first one. Engaging with the Cyber Essentials scheme — at either level — puts your organisation on a structured path towards better cybersecurity. In a threat environment that grows more sophisticated every year, that step has never been more important.
Need Help Choosing the Right Certification?
Cloudswitched provides expert guidance on Cyber Essentials and Cyber Essentials Plus certification. Whether you are starting from scratch or ready to progress to Plus, our team will assess your current position and recommend the most effective path forward. Speak with our specialists today.
Get Cyber Essentials Plus Guidance
