
What Is Cyber Essentials Plus? A Complete Guide for UK Businesses


For organisations operating in the United Kingdom, the cyber threat landscape has never been more demanding. From ransomware attacks that cripple NHS trusts to phishing campaigns targeting small businesses across the Midlands and the South East, no organisation is immune. The UK Government recognised this growing danger and established the Cyber Essentials scheme, now owned and run by the National Cyber Security Centre (NCSC): a framework designed to help organisations of all sizes defend against the most common cyber attacks. At the top tier of this scheme sits Cyber Essentials Plus, an independently verified certification that proves your organisation takes cybersecurity seriously.

This comprehensive guide explains everything you need to know about Cyber Essentials Plus — what it is, how it differs from basic Cyber Essentials, what the certification process involves, and why it matters for your business in 2025 and beyond.

Understanding the Cyber Essentials Scheme

Before diving into Cyber Essentials Plus specifically, it helps to understand the broader Cyber Essentials scheme. Launched in 2014 by the UK Government, Cyber Essentials is a cybersecurity certification programme designed to encourage organisations to adopt good practice in information security. The scheme is owned by the NCSC and delivered by IASME, the NCSC's Cyber Essentials Partner, through a network of licensed certification bodies.

The scheme operates on a simple but powerful principle: by implementing five fundamental technical controls, organisations can protect themselves against around 80% of the most common cyber attacks, by the NCSC's own estimate. These controls address the most frequent attack vectors: the routes that cybercriminals use to gain unauthorised access to systems, steal data, or disrupt operations.

There are two levels to the scheme. Cyber Essentials (sometimes called "basic" Cyber Essentials) involves a self-assessment questionnaire that is verified by a qualified assessor at a certification body. Cyber Essentials Plus takes things further with hands-on technical verification of the same five controls, conducted by a qualified assessor. Think of basic Cyber Essentials as declaring that your house has locks on all the doors, while Cyber Essentials Plus is having a locksmith come round and test every single one.

What Exactly Is Cyber Essentials Plus?

Cyber Essentials Plus is the higher level of the Cyber Essentials certification. It provides an independently verified assessment of your organisation's cybersecurity posture against the five technical controls defined by the NCSC. Unlike the basic level, which relies on self-assessment, Cyber Essentials Plus involves a qualified assessor testing your systems, on site or remotely, to confirm that the controls are properly implemented and functioning as intended.

The certification is valid for 12 months and must be renewed annually. This ensures that organisations maintain their security standards over time rather than achieving certification once and allowing standards to slip. The annual renewal also means that the assessment criteria evolve alongside the threat landscape, keeping certified organisations current with emerging risks.

80%: of the most common cyber attacks preventable with the Cyber Essentials controls
12 months: certification validity before renewal is required
5: technical controls assessed during certification
39,000+: UK organisations currently certified

The Five Technical Controls

At the heart of Cyber Essentials Plus are five technical controls. Each addresses a specific area of cybersecurity risk, and together they form a robust baseline defence. During a Cyber Essentials Plus assessment, every one of these controls is tested and verified by the assessor.

1. Firewalls

Firewalls act as the first line of defence between your internal network and the outside world. They control incoming and outgoing network traffic based on predetermined security rules. For Cyber Essentials Plus, the assessor will verify that boundary firewalls and internet gateways are correctly configured, that default administrative passwords have been changed, and that only necessary network services are exposed to the internet (every inbound rule needs a documented business justification and should be removed when no longer needed). Software firewalls on individual devices are also checked, particularly for laptops and other devices that connect to untrusted networks such as home or public Wi-Fi.

2. Secure Configuration

Every device and piece of software ships with default settings that are often not secure. Secure configuration means changing these defaults to reduce the attack surface. The assessor will check that unnecessary software and services have been removed or disabled, that default accounts have been disabled or their passwords changed, that auto-run features which execute files without user authorisation are turned off, and that devices lock after a period of inactivity and require authentication to unlock. This control ensures that systems provide only the services and access that are genuinely needed.

3. Security Update Management

Software vulnerabilities are discovered constantly, and vendors release patches to fix them. Security update management, commonly called patch management, ensures that these updates are applied promptly. For Cyber Essentials Plus, all software must be licensed and supported, and security updates that the vendor rates critical or high risk, or that fix vulnerabilities with a CVSS v3 base score of 7.0 or above, must be applied within 14 days of release; automatic updates should be enabled wherever the software supports them. The assessor will run authenticated vulnerability scans against a sample of your devices to identify any missing patches or unsupported software.

4. User Access Control

Not every user needs access to every system or piece of data. User access control ensures that accounts are managed properly: each user has their own account, administrative privileges are restricted to those who genuinely need them and are not used for everyday tasks such as email and web browsing, and strong authentication mechanisms are in place. The assessor will verify that password policies are enforced, that multi-factor authentication is enabled on cloud services wherever the service supports it, and that user accounts are reviewed regularly and removed when no longer required.

5. Malware Protection

Malware (malicious software including viruses, trojans, ransomware, and spyware) represents one of the most significant threats to organisations. This control requires that anti-malware software is deployed, kept up to date, and configured to scan files on access and web pages when visited, that users are prevented from installing unauthorised software, and that application allow listing is used instead of or alongside anti-malware software where appropriate. The assessor will test whether malware defences are actually functioning by attempting to download test files through the browser and as email attachments.

Firewalls (critical): network boundary defence
Secure Configuration (critical): hardened system settings
Patch Management (critical): timely security updates
Access Control (critical): least privilege enforcement
Malware Protection (critical): active threat defence

The Cyber Essentials Plus Assessment Process

The assessment process for Cyber Essentials Plus is more involved than the basic level and typically follows a structured sequence. Understanding this process helps you prepare effectively and avoid any surprises on the day of assessment.

Step 1: Achieve Basic Cyber Essentials

Before you can pursue Cyber Essentials Plus, you must first hold a valid Cyber Essentials (basic) certificate. This involves completing the self-assessment questionnaire, which covers the same five technical controls. The questionnaire is verified by a qualified assessor who confirms that your stated controls meet the required standard. This certificate must be current, and the Plus assessment must be completed within three months of the basic certificate's issue date, so the two should be scheduled together.

Step 2: Engage a Certification Body

You need to select a certification body to conduct your Cyber Essentials Plus assessment. These bodies are licensed by IASME, the NCSC's Cyber Essentials Partner, and employ qualified assessors who are trained to test the five controls. It is worth comparing providers on price, availability, and the support they offer in helping you prepare for assessment.

Step 3: Scoping

Before the technical testing begins, the assessor will work with you to define the scope of the assessment. This involves identifying which systems, devices, and networks are in scope. Generally, all user devices that access the internet or handle organisational data are included, along with the network infrastructure that supports them. Cloud services you use are also in scope, with responsibility shared according to the service model: for Infrastructure as a Service you remain responsible for patching and configuring what you deploy, while for fully managed Software as a Service the provider secures the platform but your user accounts, multi-factor authentication, and security settings within the service are still assessed.

Step 4: Technical Testing

This is the core of the Cyber Essentials Plus assessment. The assessor conducts a series of tests to verify that each of the five controls is properly implemented. These tests typically include external vulnerability scanning of your internet-facing IP addresses, authenticated internal vulnerability scanning of a representative sample of in-scope devices, testing of malware defences by downloading EICAR test files through each installed browser and as email attachments, verification of patch levels and software support status, review of account privileges and password configuration, and confirmation that multi-factor authentication is enforced on cloud services.

Step 5: Remediation (If Needed)

If the assessor identifies any gaps or failures during testing, you will usually be given a short window — typically up to 30 days — to remediate these issues and undergo retesting. Common failures include missing patches on one or two devices, a misconfigured firewall rule, or an account with unnecessary administrative privileges. These are usually straightforward to fix once identified.

Step 6: Certification

Once all five controls pass the assessment, you are awarded your Cyber Essentials Plus certificate. This certificate is valid for 12 months and is listed on the NCSC's public register of certified organisations, providing visible proof of your security credentials to clients, partners, and stakeholders.

Pro Tip

Book your Cyber Essentials Plus assessment well in advance. Certification bodies can have waiting lists of several weeks, particularly around the end of the financial year when many organisations rush to renew. Planning ahead ensures you have time for any remediation without your certificate lapsing.

Why Cyber Essentials Plus Matters for UK Organisations

Obtaining Cyber Essentials Plus certification delivers tangible benefits that extend well beyond the certificate itself. For many UK organisations, it has become a commercial necessity as much as a security measure.

Government Contracts

Since October 2014, Cyber Essentials certification has been mandatory for central government contracts that involve handling personal information or providing certain ICT products and services. Many government departments and local authorities now specifically require Cyber Essentials Plus, the higher level, for contracts involving more sensitive work. If your organisation bids for public sector work, holding Plus certification can be the difference between winning and losing a contract.

Supply Chain Requirements

Large organisations are increasingly requiring their suppliers to demonstrate cybersecurity credentials. Cyber Essentials Plus is widely recognised across UK supply chains, and holding the certification can streamline onboarding processes, reduce the burden of security questionnaires, and give you a competitive advantage when tendering for work with security-conscious clients.

Cyber Insurance

The cyber insurance market in the UK has tightened considerably in recent years. Insurers are demanding more evidence of cybersecurity controls before providing coverage, and premiums reflect the risk profile of the insured. Holding Cyber Essentials Plus can help you secure more favourable terms and demonstrates to insurers that your organisation has been independently verified against a government-backed standard. Basic Cyber Essentials certification through IASME also includes a basic level of cyber liability insurance for UK organisations with an annual turnover under £20 million.

Reputation and Trust

Data breaches and cyber attacks are front-page news in the UK. Customers, partners, and stakeholders are increasingly aware of cybersecurity risks and want assurance that the organisations they work with are taking appropriate measures. Displaying your Cyber Essentials Plus badge on your website, proposals, and marketing materials sends a clear signal that your organisation has been independently tested and meets a recognised standard.

Actual Security Improvement

Beyond the commercial and reputational benefits, the most fundamental reason to pursue Cyber Essentials Plus is that it genuinely improves your security posture. The five controls address the most common attack vectors, and having them independently verified ensures they are actually working. Many organisations discover previously unknown vulnerabilities during the assessment process — a missing patch here, a misconfigured firewall rule there — that could have been exploited by attackers.

Important Note

Cyber Essentials Plus does not guarantee complete protection against all cyber threats. It provides a strong baseline defence against the most common attacks, but organisations should consider additional measures such as penetration testing, security awareness training, and incident response planning as part of a comprehensive cybersecurity strategy.

Common Misconceptions About Cyber Essentials Plus

Despite the scheme's growing popularity, several misconceptions persist that can deter organisations from pursuing certification or lead to inadequate preparation.

"It's Only for Large Organisations"

This is entirely untrue. Cyber Essentials Plus is designed to be achievable for organisations of all sizes, from sole traders to multinational corporations. The controls are scalable — a small business with ten laptops and a cloud-based email system can achieve certification just as readily as a large enterprise with thousands of devices. In fact, smaller organisations often find the process simpler because they have fewer systems to manage and less complexity in their IT environments.

"It's Too Expensive"

The cost of Cyber Essentials Plus varies depending on the size and complexity of your organisation, but it is generally modest compared to the potential cost of a cyber attack. For small organisations, the total cost — including both basic Cyber Essentials and Plus — typically ranges from a few hundred to a few thousand pounds. When weighed against the average cost of a UK data breach (which runs into tens of thousands of pounds for small businesses and millions for larger organisations), the investment is highly worthwhile.

"It's a One-Off Exercise"

Cyber Essentials Plus certification is valid for 12 months and must be renewed annually. This is not a weakness of the scheme — it is a strength. The annual cycle ensures that organisations maintain their security controls over time and adapt to new threats. Treating certification as a one-off exercise misses the point entirely. The real value comes from embedding the five controls into your ongoing IT management processes.

"We Use Cloud Services, So It Doesn't Apply"

Cloud services are very much within scope for Cyber Essentials Plus. While the responsibility for securing the underlying infrastructure may rest with the cloud provider, your organisation remains responsible for how you configure and use those services. User access controls, secure configuration of cloud applications, and patch management of devices that access cloud services are all assessed. The shift to cloud has not eliminated the need for Cyber Essentials — if anything, it has made proper configuration and access management more important.

Preparing for Cyber Essentials Plus

Successful Cyber Essentials Plus certification starts with thorough preparation. Organisations that invest time in preparation before the assessment typically pass first time and avoid the stress and cost of remediation.

Begin by conducting an internal audit of your current security controls against the five requirements. Identify any gaps — devices with missing patches, accounts with excessive privileges, firewalls with default configurations — and address them before the assessor arrives. Document your policies and procedures so that you can demonstrate not just that controls exist, but that they are consistently applied.

Ensure that all devices in scope are running supported operating systems and software. Unsupported software, such as Windows versions that have reached end of life, will cause an automatic failure. Check that all critical and high-risk security updates have been applied within the required 14-day window. Verify that user accounts follow the principle of least privilege, with administrative access restricted to those who genuinely need it and protected by multi-factor authentication wherever the service supports it.
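A readiness audit of the kind just described, covering the unsupported-software check, the 14-day patch window for critical and high-risk updates from the Security Update Management control, and the least-privilege and MFA check, as an added example. This is not code from the original page or from Cloudswitched. The inventory it inspects is constructed for illustration (hostnames, account names and update identifiers are placeholders); the CVSS threshold and the 14-day window are the scheme's own figures. In practice you would populate the inventory from your endpoint-management or vulnerability-scanning tool rather than by hand.

```python
"""Pre-assessment readiness audit for three common Cyber Essentials Plus failures.

Added example, not code from the original page or from Cloudswitched. It
walks a device inventory and flags the gaps an assessor's scans would find:
  * an operating system whose vendor support has ended (automatic failure)
  * a critical/high security update (vendor-rated, or CVSS v3 >= 7.0)
    still missing more than 14 days after release
  * an account holding administrative rights without multi-factor authentication
The inventory below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

PATCH_WINDOW_DAYS = 14       # Cyber Essentials: apply within 14 days of release
CVSS_HIGH_THRESHOLD = 7.0    # Cyber Essentials: CVSS v3 base score 7.0+ counts as critical/high


@dataclass
class Update:
    name: str
    released: date
    cvss: float
    vendor_critical: bool = False   # vendor rates it critical/high regardless of CVSS
    installed: bool = False


@dataclass
class Account:
    user: str
    admin: bool
    mfa: bool


@dataclass
class Device:
    host: str
    os: str
    support_ends: date              # vendor end-of-support date
    updates: List[Update] = field(default_factory=list)
    accounts: List[Account] = field(default_factory=list)


def is_high_risk(u: Update) -> bool:
    return u.vendor_critical or u.cvss >= CVSS_HIGH_THRESHOLD


def patch_overdue(u: Update, today: date) -> bool:
    """True when a high-risk update is still missing after the 14-day window."""
    if u.installed or not is_high_risk(u):
        return False
    return (today - u.released).days > PATCH_WINDOW_DAYS


Finding = Tuple[str, str, str]   # (host, category, detail)


def audit(devices: List[Device], today: date) -> List[Finding]:
    findings: List[Finding] = []
    for d in devices:
        if d.support_ends < today:
            findings.append((d.host, "unsupported-os",
                             f"{d.os} support ended {d.support_ends.isoformat()}"))
        for u in d.updates:
            if patch_overdue(u, today):
                age = (today - u.released).days
                findings.append((d.host, "patch-overdue",
                                 f"{u.name} (CVSS {u.cvss}) released {age} days ago"))
        for a in d.accounts:
            if a.admin and not a.mfa:
                findings.append((d.host, "admin-no-mfa", a.user))
    return findings


# Constructed inventory; TODAY is fixed so the result is reproducible.
TODAY = date(2025, 3, 1)
INVENTORY = [
    Device("LAPTOP-01", "Windows 10 22H2", date(2025, 10, 14),
           updates=[Update("KB-EXAMPLE-1", date(2025, 2, 1), 8.1)],          # 28 days old: overdue
           accounts=[Account("alice", admin=True, mfa=False)]),              # admin without MFA
    Device("LAPTOP-02", "Windows 8.1", date(2023, 1, 10),                     # out of support
           updates=[Update("KB-EXAMPLE-2", date(2025, 2, 20), 9.8)],         # 9 days old: still in window
           accounts=[Account("bob", admin=False, mfa=False)]),
    Device("SRV-01", "Ubuntu 22.04 LTS", date(2027, 4, 1),
           updates=[Update("openssl", date(2025, 1, 15), 5.3),               # medium: no 14-day clock
                    Update("linux-image", date(2025, 2, 10), 7.8, installed=True)],
           accounts=[Account("ops", admin=True, mfa=True)]),
]

if __name__ == "__main__":
    for host, category, detail in audit(INVENTORY, TODAY):
        print(f"{host:10} {category:15} {detail}")
```

Run against the constructed inventory it reports three findings: the overdue update and the unprotected administrator on LAPTOP-01, and the unsupported operating system on LAPTOP-02. SRV-01 is clean because the medium-severity update does not start the 14-day clock and the high-severity one is already installed.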

Finally, test your malware defences. Download the EICAR test file (a harmless file designed to trigger antivirus alerts) and confirm that your security software detects and blocks it. This is one of the tests the assessor will perform, and it is easily verified in advance.
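A scripted version of that EICAR check, as an added example that is not code from the original page or from Cloudswitched. The assessor's test downloads the file through the browser and by email; this script exercises the same on-access scanning path by writing the public EICAR test string to a temporary directory and checking whether the anti-malware product refuses the write, removes the file, or alters it. The string is harmless by design and is split into two halves in the source so that the script itself is not quarantined. The file name and the three-second wait are assumptions; tune the wait to your product.

```python
"""On-access malware-protection check, mirroring the assessor's EICAR test.

Added example, not code from the original page or from Cloudswitched.
"""
import os
import tempfile
import time
from typing import Optional

# The standard 68-byte EICAR test string, split so this source file is not itself detected.
_EICAR_HEAD = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
_EICAR_TAIL = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_string() -> str:
    return _EICAR_HEAD + _EICAR_TAIL


def on_access_check(directory: Optional[str] = None, wait_seconds: float = 3.0) -> dict:
    """Write the EICAR file, give the scanner a moment, and report the outcome.

    Returns {"blocked": bool, "reason": str, "path": str}. "blocked" is True when
    real-time protection refused the write, removed the file, or changed its
    contents; False means on-access scanning did not react, which is what an
    assessor would record as a malware-protection failure.
    """
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "ce-plus-eicar-test.com")   # file name is an assumption
    expected = eicar_string()
    try:
        with open(path, "w", newline="") as fh:   # newline="" keeps the bytes exact on Windows
            fh.write(expected)
    except OSError as exc:
        return {"blocked": True, "reason": f"write refused: {exc}", "path": path}

    time.sleep(wait_seconds)   # on-access scanners act asynchronously

    if not os.path.exists(path):
        return {"blocked": True, "reason": "file removed or quarantined", "path": path}
    try:
        with open(path, "r", newline="") as fh:
            content = fh.read()
    except OSError as exc:
        return {"blocked": True, "reason": f"read refused: {exc}", "path": path}
    finally:
        try:
            os.remove(path)     # clean up whether or not the scanner reacted
        except OSError:
            pass

    if content != expected:
        return {"blocked": True, "reason": "file contents altered by scanner", "path": path}
    return {"blocked": False,
            "reason": "file persisted unchanged; on-access scanning did not react",
            "path": path}


if __name__ == "__main__":
    result = on_access_check()
    verdict = "PASS" if result["blocked"] else "FAIL"
    print(f"{verdict}: {result['reason']} ({result['path']})")
```

Run it on each in-scope device, including any whose anti-malware product is managed centrally: a FAIL on one laptop is exactly the kind of single-device gap that causes a Plus assessment to go to remediation. Note that this checks on-access scanning only; the browser and email download tests the assessor performs also exercise web and mail filtering, which this script does not.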

The Future of Cyber Essentials Plus

The Cyber Essentials scheme continues to evolve. Recent updates have expanded the scope to include home workers' devices, cloud services, and thin clients, reflecting the changing nature of how organisations operate. The NCSC regularly reviews and updates the technical requirements to address emerging threats and technologies.

Looking ahead, we can expect the scheme to continue adapting. The increasing adoption of zero-trust architectures, the growing use of artificial intelligence in both attack and defence, and the ongoing shift towards cloud-native infrastructure will all influence future iterations of the standard. Organisations that embed the principles of Cyber Essentials into their culture — rather than treating certification as a checkbox exercise — will be best positioned to adapt to these changes.

For UK organisations, Cyber Essentials Plus has become a de facto standard for demonstrating cybersecurity competence. Whether you are pursuing government contracts, satisfying supply chain requirements, securing cyber insurance, or simply protecting your organisation from the most common threats, the certification provides a clear, achievable, and independently verified framework for doing so.

Ready to Achieve Cyber Essentials Plus?

Cloudswitched helps UK organisations prepare for and achieve Cyber Essentials Plus certification. From initial gap analysis through to assessment readiness, our team ensures your systems meet every requirement. Get in touch to start your certification journey today.
