Compliance

Cyber Essentials vs Cyber Essentials Plus: the real difference.

Cyber Essentials and Cyber Essentials Plus cover the same five technical controls. The difference is verification: standard Cyber Essentials is a self-assessment you fill in, while Cyber Essentials Plus adds an independent, hands-on audit that proves the controls are actually working. Which one you need usually comes down to what your contract or insurer demands.

By Rob Smith Published 3 Jun 2026 Reviewed Jun 2026 6 min read
KEY TAKEAWAYS
  • Same five controls in both — the difference is self-assessed vs independently audited.
  • Cyber Essentials Plus adds an external scan plus on-device tests on a sample of your devices.
  • Plus costs more and takes longer: roughly £1,400–£3,000+ vs the £320–£600 assessment fee.
  • Your contract or cyber-insurance wording usually decides which one you actually need.

What both certifications cover

Cyber Essentials is a UK government-backed scheme, run by IASME on behalf of the NCSC, built around five technical controls every organisation should have:

  1. Firewalls — a boundary firewall plus a software firewall on each in-scope device, configured to block unsolicited inbound connections.
  2. Secure configuration — remove or disable unused accounts, services and software, and change every default password.
  3. Security update management — run only supported software, and apply updates rated high or critical (CVSS v3 7.0 or above) within 14 days of release.
  4. User access control — least privilege, MFA on cloud services, and admin rights kept to the few who genuinely need them.
  5. Malware protection — effective anti-malware on every in-scope device.

Both certifications assess you against exactly these. Neither asks for more controls than the other — the difference is purely in how the controls are checked.

The audit: the one thing that separates them

Standard Cyber Essentials is a self-assessment. You complete the IASME questionnaire, a board member or equivalent signs it off, a certification body marks your answers, and if you pass you’re certified for 12 months. It relies on you answering honestly and accurately: nobody checks the devices themselves.

Cyber Essentials Plus takes those same answers and independently verifies them. A qualified assessor runs an external vulnerability scan of your internet-facing services and carries out hands-on tests on a sample of your in-scope devices — checking patch levels, confirming that malware protection actually blocks test files delivered by email and by browser download, reviewing account configuration and more. It’s the difference between telling someone your controls are in place and having them confirm it for themselves.

Cyber Essentials says “we meet the standard.” Cyber Essentials Plus says “and someone independent checked.”

Cost and effort, side by side

                        Cyber Essentials                 Cyber Essentials Plus
How it’s verified       Self-assessment questionnaire    Self-assessment + independent audit
Independent testing     No                               External scan + on-device tests
Typical cost (ex VAT)   £320–£600 assessment fee         ~£1,400–£3,000+
Typical effort          Days to a few weeks              The above, plus audit scheduling
Validity                12 months                        12 months
Assurance to clients    Good baseline                    Independently proven

For a full breakdown of the numbers, including the IASME fee tiers and the remediation costs that don’t appear on the quote, see our guide to Cyber Essentials cost.

The three-month window

You can’t go straight to Plus. You must achieve standard Cyber Essentials first, then complete the Cyber Essentials Plus audit within three months of that certification date; miss the window and you repeat the self-assessment. That matters for planning: if you’re targeting Plus for a contract deadline, work backwards from the audit date, allow time to fix anything the audit finds, and make sure the self-assessment is done in good time. Our Cyber Essentials Plus guide walks through exactly what the audit looks for so there are no surprises on the day.

Which one do you actually need?

Start with the paperwork, not the technology. Many UK government contracts — and some cyber-insurance policies — explicitly require Cyber Essentials Plus; others are satisfied with standard Cyber Essentials. Read the exact wording of the contract or policy you’re trying to meet, because that requirement decides it for you.

If nothing forces your hand:

  • Choose standard Cyber Essentials if you want a credible, affordable security baseline and a certificate to show clients — and you’re happy to self-attest.
  • Choose Cyber Essentials Plus if a buyer or insurer requires it, or if you want independent proof that your controls hold up — which is also genuinely reassuring internally.

Either way, the controls are the same, so the work you do for standard Cyber Essentials is never wasted — it’s the foundation Plus is built on. If you want a hand deciding and getting certified, that’s exactly what our Cyber Essentials service is for.

FAQ

Questions we get asked.

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Both cover the same five controls: firewalls, secure configuration, security update management, user access control and malware protection. Cyber Essentials is a self-assessment questionnaire. Cyber Essentials Plus is the same controls plus an independent, hands-on technical audit — an external scan and on-device tests on a sample of devices — to verify the controls are really in place.

Which one do I need?

It usually comes down to what your contract or cyber-insurance policy specifies. Many UK government contracts and some insurers explicitly require Cyber Essentials Plus; others accept standard Cyber Essentials. Check the wording. If nothing mandates Plus, standard Cyber Essentials is a solid baseline and you can step up later.

How much more does Plus cost and take?

Standard Cyber Essentials is just the IASME assessment fee (£320–£600 ex VAT, tiered by organisation size) and can be done in days to weeks if your controls are ready. Plus adds the audit, so the total typically runs £1,400–£3,000+ ex VAT for a small business, plus audit scheduling — more cost, more effort, more assurance.

Do I have to do Cyber Essentials before Plus?

Yes. You must achieve standard Cyber Essentials first, then complete Cyber Essentials Plus within three months of that certification. Plus independently verifies the self-assessment, so the self-assessment has to come first.

CE OR CE PLUS?

We’ll tell you which you need.

Book 30 minutes. Send us your contract or insurance wording and we’ll tell you honestly whether standard Cyber Essentials is enough or you need Plus — then get you certified.
