Cyber Essentials vs Cyber Essentials Plus: what’s the difference?
For organisations looking to strengthen their security, Cyber Essentials has become a familiar name. Backed by the UK government and overseen by the National Cyber Security Centre (NCSC), this certification scheme offers two levels of assurance: Cyber Essentials and Cyber Essentials Plus.
While both levels test against the same five technical controls, they differ in how compliance is verified, and that difference matters for your organisation’s actual security posture, for any insurance claim you make after an incident and for the supply chain relationships that depend on your certificate.
Table of contents
- What is Cyber Essentials?
- What is Cyber Essentials Plus?
- Cyber Essentials vs Cyber Essentials Plus: The differences SMEs should care about
- Why Cyber Essentials Plus is the practical choice for SMEs
- Is there ever a case to choose Cyber Essentials only?
- Making the right choice for your organisation
What is Cyber Essentials?
This is the UK government’s minimum baseline standard for cyber security. It’s designed to help organisations of all sizes protect themselves against the most common cyber threats.
How Cyber Essentials works
The process is straightforward:
- Complete a self-assessment questionnaire covering approximately 70–100 questions, depending on your organisation’s scope.
- Submit your self-assessment answers.
- A certification body reviews and approves your submission.
What Cyber Essentials covers
The certification focuses on five essential control areas:
- Secure configuration
- User access control
- Malware protection
- Security update management
- Firewalls
Where Cyber Essentials is useful
Cyber Essentials serves as a good starting point for organisations building their security maturity. It’s particularly appropriate when you need to simply meet a minimum contractual requirement, such as with government contracts.
However, there’s a critical limitation: it only confirms that you have declared the controls to be implemented (the self-assessment is signed off by a board member or equivalent). The certification body checks your answers for completeness and consistency, but nobody tests your systems, so the certificate does not verify that the controls are actually in place or working as described.
What is Cyber Essentials Plus?
Cyber Essentials Plus includes everything in the standard Cyber Essentials certification but adds independent verification.
What Cyber Essentials Plus includes
A Cyber Essentials Plus audit is carried out by a qualified technical assessor and typically covers:
- Vulnerability scanning of internet-facing systems and internal devices
- Endpoint sampling, where a representative set of in-scope devices is examined
- Email and browsing security checks
- Malware defence tests
- Review of multi-factor authentication (MFA), admin accounts and access controls
Cyber Essentials Plus is not a stand-alone certification: you must hold a current Cyber Essentials certificate first, and the Plus audit must be completed within 90 days of that certificate being issued.
Why this matters
- Cyber Essentials Plus catches the human error, blind spots and misinterpretations that a questionnaire cannot. It’s surprisingly common for organisations to believe their controls meet the requirements, only to discover during a Cyber Essentials Plus audit that configurations aren’t quite right, patches haven’t been applied consistently, or devices have been left out of scope.
- Cyber Essentials Plus identifies weaknesses that wouldn’t be found through paperwork alone. You might have answered ‘Yes’ to having malware protection on all devices, but the audit might reveal that some remote workers’ laptops haven’t been updated in months.
- Most importantly, Cyber Essentials Plus gives you an accurate picture of your real cyber posture at the time of the audit. For most SMEs, this represents the first truly meaningful level of cyber assurance: moving from self-declaration to verified implementation.
Cyber Essentials vs Cyber Essentials Plus: The differences SMEs should care about
Difference 1: Verification method and process
The fundamental difference lies in how the two certifications verify compliance.
Cyber Essentials Plus requires preparation, but that preparation is where the resilience comes from. When an assessor examines your actual systems, any gaps become visible and must be fixed before certification is granted, so the certificate reflects controls that have been shown to work rather than controls you believe are in place.
| Area | Cyber Essentials | Cyber Essentials Plus |
| --- | --- | --- |
| Assessment type | Self-assessed questionnaire, signed off by a board member | Independently tested by a qualified assessor |
| Evidence required | The signed self-assessment only; no technical evidence | Live system checks, vulnerability scans and test simulations |
| Assurance level | Basic | High |
| Timing | Self-assessment takes as long as the organisation needs; certificate valid for 12 months | Must be completed within 90 days of the Cyber Essentials certificate; certificate valid for 12 months |
| Staff involvement | Mainly whoever completes the questionnaire (remediation may be needed, but proof is not required) | IT, operations and leadership |
| Remediation work | Light | Medium to high, because every gap the assessor finds must be fixed before certification |
Difference 2: Pricing vs cost of risk
| Cyber Essentials | Cyber Essentials Plus (in addition to CE) |
| --- | --- |
| £660 + VAT regardless of organisation size | £1,450 – £4,300 + VAT, depending on the size of your organisation |
Cyber Essentials is undoubtedly more affordable. However, the cost of a breach is what really matters:
- Loss of business
- Ransomware payments (if you choose to pay)
- System downtime and productivity losses
- Insurance excess and potential premium increases
- Regulatory fines under GDPR and other frameworks
- Reputational damage that can take years to rebuild
Recent UK government data shows that the average cost of the most disruptive cyber breaches in 2024 was £3,550 for businesses and £8,690 for charities (excluding those who reported zero cost). The report notes these costs are “self-reported estimates, which may represent an underestimation of full financial impact.”
Cyber Essentials Plus reduces the likelihood and impact of these events by finding the gaps in your controls before an attacker does, so they can be fixed while that is still cheap.
Difference 3: When risk becomes real
This is the aspect that organisations rarely consider until it’s too late.
If a breach occurs and you only have Cyber Essentials
When you make an insurance claim following a cyber incident, insurers may review the accuracy of your self-assessment. They may challenge whether controls were genuinely implemented, as you stated. Misinterpretations or even honest errors in your self-assessment can lead to delayed or reduced payouts – precisely when you need support most.
…But if a breach occurs and you have Cyber Essentials Plus
With Cyber Essentials Plus, you have independent, third-party verification that your controls were properly implemented at the time of certification, on the systems that were in scope.
Insurers are likely to process a claim more smoothly when they have that verified assurance. You’re less likely to face disputes because Cyber Essentials Plus provides documented evidence of due diligence: the independent audit creates a clear record that your organisation implemented a recognised standard and had it tested.
So, Cyber Essentials Plus isn’t just a certificate; it is evidence you can put in front of an insurer or a customer. In the event of a breach, that independent verification can be the difference between a straightforward insurance claim and a protracted dispute. One caveat applies to both levels: a certificate is a point-in-time statement about the devices and services you declared in scope, so it is only as good as your scoping and your 12-month renewal cycle.
Why Cyber Essentials Plus is the practical choice for SMEs
Several factors make Cyber Essentials Plus increasingly relevant for SMEs:
- SMEs are now primary cyber targets. The notion that only large enterprises face sophisticated attacks is outdated. Criminals specifically target smaller organisations – and even charities – because they often have weaker defences while still holding valuable data. In the last 12 months, 43% of UK businesses experienced a cyber breach or attack.
- Lean IT teams benefit from external verification. Many SMEs lack dedicated security professionals. Cyber Essentials Plus provides an expert assessment of your defences, identifying blind spots that internal teams might miss.
- It’s cheaper to maintain than to recover. The mathematics are straightforward. A Cyber Essentials Plus assessment costs £1,450 – £4,300, depending on the size of your organisation. The average cost of the most disruptive breach reported by affected businesses is £3,550, and serious incidents run far higher. Even setting aside the financial calculations, the operational disruption and reputational damage of a breach are often incalculable.
- Supply chains increasingly expect Cyber Essentials Plus. As organisations develop their security practices, they’re raising the bar for suppliers. While Cyber Essentials might have been acceptable in the past, more sophisticated buyers now require Cyber Essentials Plus as evidence of genuine security implementation.
- Cyber Essentials is a starting point; Cyber Essentials Plus is the security baseline. Think of CE as documenting your security intentions, while Cyber Essentials Plus verifies your security reality. For organisations handling customer data, processing transactions or supporting critical operations, this verification isn’t optional – it’s essential.
Is there ever a case to choose Cyber Essentials only?
Yes, but only in limited scenarios, such as:
- Very early-stage organisations with extremely limited budgets and minimal customer data might start with Cyber Essentials while building towards Cyber Essentials Plus.
- Businesses handling minimal personal or sensitive data might find Cyber Essentials sufficient, particularly if they’re not in supply chains requiring greater assurance.
- Companies needing rapid compliance before pursuing Cyber Essentials Plus later can use Cyber Essentials as an interim step, then progress to the full assessment within the 90-day window.
- Internal testing of readiness before a full Cyber Essentials Plus audit is another legitimate use case. Some organisations complete Cyber Essentials first to identify gaps in their understanding, then address those issues before committing to the more rigorous Cyber Essentials Plus assessment.
However, for every organisation with meaningful customer data, supply chain responsibilities or operational risk, Cyber Essentials Plus is the appropriate level of assurance. The question isn’t whether you can afford Cyber Essentials Plus, but whether you can afford not to have it.
Making the right choice for your organisation
The distinction between Cyber Essentials and Cyber Essentials Plus ultimately comes down to verification.
For organisations serious about protecting their operations, reputation and stakeholder trust, Cyber Essentials Plus represents the smart default. The additional cost is modest compared to breach remediation expenses, and the independent verification provides tangible value beyond the certificate itself.
Contact us today to find out how we can help you achieve Cyber Essentials Certification to protect your business, meet your stakeholders’ needs and provide peace of mind.