CERTIFICATION BASICS
Cyber Essentials vs Cyber Essentials Plus — what is the difference and which do you need?
Both certifications cover the same five technical controls. The difference is how compliance is verified — and that difference has significant implications for cost, timeline, and the evidence you can provide to clients.
The same five controls
Both Cyber Essentials and Cyber Essentials Plus are based on the same five technical control areas: firewalls and internet gateways, secure configuration, user access control, malware protection, and security update management. The standard itself does not change between the two levels — what changes is how your compliance is assessed.
How Cyber Essentials works
Cyber Essentials is a self-assessed certification. You complete a detailed questionnaire describing how your organisation implements each of the five controls. The questionnaire is reviewed by an accredited Certification Body, and if your answers demonstrate compliance, you are certified.
The Certification Body does not independently verify your answers. They assess whether what you have described meets the requirements — not whether what you have described is accurate. This makes Cyber Essentials faster and less expensive than Cyber Essentials Plus (CE Plus), but it also means the assurance level is lower.
How Cyber Essentials Plus works
Cyber Essentials Plus adds independent technical verification to the process. After you have achieved Cyber Essentials, an accredited assessor conducts hands-on testing of your systems — including external vulnerability scanning, internal configuration checks, and verification that the controls you described in your questionnaire are actually in place.
This means CE Plus provides a higher level of assurance. It is not just your word that you have the controls in place — an independent assessor has verified it. For buyers who need confidence that their supply chain is genuinely secure, CE Plus provides evidence that Cyber Essentials alone does not.
Which one do you need?
If a client or contract has asked for "Cyber Essentials", they may mean either level — or they may specifically mean one or the other. The first step is to clarify exactly what is required. Get it in writing.
If the requirement is coming from a UK Government contract, NHS Supply Chain, or a defence prime contractor, CE Plus is increasingly the standard being specified. If the requirement is from a private sector client with no specific public sector exposure, Cyber Essentials alone may be sufficient.
When in doubt, CE Plus is the safer choice — it satisfies any requirement that asks for Cyber Essentials, and it provides stronger evidence of your security posture.
CE PLUS REQUIRES CE FIRST
You cannot skip straight to Cyber Essentials Plus. The process requires you to achieve Cyber Essentials first, then proceed to the independent technical verification. Plan your timeline accordingly — the combined process typically takes six to ten weeks.
NOT SURE WHICH LEVEL YOU NEED?
Start with a conversation.
Our initial consultation is a working call — typically 30 minutes — in which we understand your organisation, your certification objectives, and your current security posture. You will leave with a clear picture of what is required and what it will cost.