Cyber Essentials vs Cyber Essentials Plus comes down to one question: do you need someone to check your word, or test your systems?

After helping UK businesses through both certifications, I see the same confusion every time. Someone mentions certification. Maybe it's an insurer, a customer contract, or a government tender. Now you need to work out which level you actually need.

Here's what most people get wrong: they assume Plus is "better" and waste money on testing they don't need. Or they get basic certification, then discover a key contract requires Plus. Either way, they're paying twice.

Key Facts (December 2025)

  • 95%+ of businesses fail Cyber Essentials Plus on first attempt
  • 80% of common cyber attacks blocked by Cyber Essentials controls
  • £300-£500 for basic vs £1,500-£4,000+ for Plus
  • 12 months validity for both (annual renewal required)

Sources: NCSC, IASME

Cyber Essentials vs Cyber Essentials Plus: The Real Difference

Both certifications check the same five security controls. The only difference is how someone verifies you've implemented them.

Cyber Essentials is self-assessment. You complete a questionnaire about your IT systems. A certification body reviews your answers.

Cyber Essentials Plus adds hands-on testing. A qualified assessor scans your systems, checks your devices, and verifies your controls actually work.

Think of it this way: basic Cyber Essentials is telling someone you locked all the doors. Plus is having them walk around and test each lock.

Feature | Cyber Essentials | Cyber Essentials Plus
Assessment Type | Self-assessment questionnaire | Self-assessment + technical audit
Verification | Based on your answers | Assessor tests your actual systems
Technical Testing | No | Yes - vulnerability scans, device checks
Pass Standard | Can pass with minor issues | Must fix all issues to pass
Cost (typical) | £300-£500 | £1,500-£4,000+
Timeline | 1-2 weeks | 2-9 weeks
Validity | 12 months | 12 months

What Changed in April 2025

The scheme updated to version 3.2 (the "Willow" question set) in April 2025. Key changes include:

  • Passwordless authentication now recognised (biometrics, digital certificates)
  • Vulnerability fixes expanded beyond patches to include configuration changes
  • Remote working explicitly covers cafes, hotels, and shared spaces
  • 72-hour notice before Plus assessments (within 30-day window)

These changes affect both certification levels. If you're renewing, check the updated Cyber Essentials requirements before starting.

The Five Security Controls Both Certifications Check

Whether you choose basic or Plus, you're assessed against the same five technical controls. These aren't arbitrary requirements. They're practical defences that block the majority of common cyber attacks.

1. Firewalls and Internet Gateways

Your first line of defence. Firewalls control what traffic can enter and leave your network. They block unauthorised access and stop attackers reaching your systems directly.

Key requirements include blocking unnecessary inbound connections, securing administrative interfaces with MFA or IP whitelisting, and removing unused firewall rules.

2. Secure Configuration

Devices and software must be set up securely from the start. This means changing default passwords, disabling unnecessary services, and removing unused applications.

Most attacks exploit easy weaknesses. A server running with default settings is an open invitation. Proper secure configuration removes these low-hanging fruit.

3. User Access Control

People should only access what they need for their job. Admin rights must be kept separate from day-to-day accounts. Multi-factor authentication is required for all internet-facing services.

The 2025 update requires either 12-character passwords or 8-character passwords with technical controls against common weak passwords.

4. Malware Protection

Every device needs protection against viruses, ransomware, and other malicious software. This means up-to-date antivirus or endpoint protection with real-time scanning enabled.

During Plus assessments, assessors test whether your malware protection actually catches threats. They send test emails and check if your systems block them.

5. Security Update Management

Critical and high-severity vulnerabilities must be patched within 14 days. This applies to operating systems, applications, firmware, and browser extensions.

This is where most Plus certifications fail. One outdated application on one device can fail your entire assessment. Proper security update management is essential.

Control | What It Protects Against | Common Failures
Firewalls | Direct attacks from the internet | Exposed services, open admin ports
Secure Configuration | Exploitable default settings | Default passwords, unnecessary services
Access Control | Stolen credentials, insider threats | Users running as admin, no MFA
Malware Protection | Viruses, ransomware, trojans | Outdated definitions, disabled scanning
Security Updates | Known vulnerabilities | Unpatched systems, outdated software

When Standard Cyber Essentials Is Enough

Most UK businesses should start with basic Cyber Essentials. It satisfies common requirements without the extra testing cost and complexity.

Here's when standard certification makes sense:

Insurance Requirements

Your insurer asked about cyber security measures. They want proof you have basic protections in place. Standard Cyber Essentials satisfies most cyber insurance requirements and can reduce your premiums.

Customer Confidence

Clients need evidence of security practices. They didn't specifically ask for independent verification. They want to see you take security seriously.

Supply Chain Requests

Larger companies are checking their suppliers. They asked for "Cyber Essentials" without specifying Plus level. Check the exact wording before assuming you need the higher certification.

First-Time Certification

You're sorting security properly for the first time. Starting with basics makes sense. You can always upgrade to Plus later if requirements change.

Budget Constraints

You need certification but can't justify £2,000+ for Plus testing yet. Basic certification costs £300-£500 and still demonstrates commitment to security.

Check Requirements Before You Start

I see this mistake constantly: businesses assume basic Cyber Essentials satisfies everyone. Then a key customer specifically needs Plus level. Now they're paying for certification twice.

Always ask clearly which level someone needs. Get it in writing if it's for a contract or tender.

Business Types That Usually Need Only Basic

  • Professional services - accountants, consultants, marketing agencies
  • Retail and hospitality - shops, restaurants, hotels
  • Manufacturing - unless supplying to defence or public sector
  • Construction - unless handling sensitive project data
  • Small businesses - establishing baseline security practices

The Cyber Essentials guide for SMEs covers the full process for smaller organisations.

When You Need Cyber Essentials Plus Certification

Some situations require independent technical verification. Plus certification proves your controls actually work through hands-on testing.

UK Government Contracts

Under PPN 014, many public sector contracts require Cyber Essentials certification. Higher-risk contracts handling sensitive data often specifically mandate Plus level.

Ministry of Defence suppliers and their supply chains require Plus certification. Crown Commercial Service contracts increasingly specify the higher level too.

Sensitive Data Handling

If you process significant volumes of personal data, financial information, or health records, Plus certification provides stronger assurance. Your clients want proof that an independent expert verified your security controls.

Regulated Industries

Finance, healthcare, and legal sectors often have stricter compliance requirements. Plus certification demonstrates the higher level of assurance these sectors expect.

Enterprise Client Requirements

Large enterprise buyers increasingly require Plus certification from their suppliers. They won't accept self-assessment for vendors handling their data.

Competitive Advantage

In competitive tenders, Plus certification can differentiate you. It shows you're willing to have your security independently verified, not just self-declared.

What the Plus Audit Actually Tests

  • External vulnerability scans - testing all your public IP addresses
  • Device sampling - checking representative devices across all OS types
  • Malware protection testing - sending test emails, checking AV response
  • Patch verification - confirming updates applied within 14 days
  • Configuration review - verifying secure settings on sampled devices

Business Types That Usually Need Plus

Business Type | Common Driver
IT service providers | Customer requirements, supply chain position
Government contractors | Tender requirements, PPN 014
Healthcare providers | Patient data protection, NHS requirements
Financial services | Regulatory compliance, client trust
Legal practices | Client confidentiality, SRA expectations
Defence suppliers | MoD mandate, supply chain requirements

The Plus assessment includes credentialed vulnerability scanning that checks your systems more thoroughly than basic external scans.

How Much Does Each Certification Cost?

Cost is often the deciding factor between these certification levels. Here's what you'll actually pay.

Standard Cyber Essentials Pricing

Basic certification has standardised pricing set by IASME:

Organisation Size | Standard CE Cost
Micro (0-9 employees) | £300 + VAT
Small (10-49 employees) | £400 + VAT
Medium (50-249 employees) | £450 + VAT
Large (250+ employees) | £500 + VAT

Cyber Essentials Plus Pricing

Plus certification has no standardised pricing. Costs vary based on your organisation size, network complexity, and chosen certification body.

Organisation Size | Typical CE Plus Range
Micro (0-9 employees) | £1,499 - £1,650 + VAT
Small (10-49 employees) | £1,999 - £2,250 + VAT
Medium (50-249 employees) | £2,499 - £3,250 + VAT
Large (250+ employees) | £2,999 - £4,250+ (+ VAT)

Hidden Costs to Budget For

The certification fee is just part of the cost. Budget for these too:

  • Pre-assessment consultancy - £1,000-£1,500 (optional but recommended for Plus)
  • Remediation work - £500-£5,000+ if you need new hardware or configuration changes
  • Staff time - preparing documentation, coordinating with assessors
  • Annual renewal - both certifications expire after 12 months

The Real Cost of Plus Failure

If you fail the Plus audit, you have 30 days to fix issues and retest. Some certification bodies charge additional fees for retesting.

With 95%+ failing first time, a pre-assessment scan to identify gaps before the official audit is money well spent.

Is Plus Worth the Extra Cost?

Compare the cost to what you're protecting against:

  • Average UK SME data breach cost: £15,300
  • Average enterprise breach cost: £3.2 million
  • Lost contract value if you don't have required certification: potentially unlimited

If your contracts require Plus, or you handle sensitive data, the £1,500-£4,000 investment is straightforward to justify.

Why 95% of Businesses Fail Plus on First Attempt

Over 95% of businesses fail their Cyber Essentials Plus assessment the first time. Understanding why helps you avoid the same mistakes.

1. Unpatched Vulnerabilities

This is the most common failure. Any vulnerability with a CVSS score of 7.0 or higher causes automatic failure if a patch has been available for more than 14 days.

Common culprits: outdated Windows versions, third-party applications, router firmware, browser extensions. Many organisations rely on automated patching but never verify it actually works.

2. Unsupported Operating Systems

Running end-of-life software is an automatic fail. Windows 10 support ends in October 2025. Any device still running it after that date will fail your assessment.

The same applies to outdated macOS versions, mobile operating systems, and network equipment firmware.

3. Malware Protection Issues

Assessors test whether your antivirus actually catches threats. They send test emails and check if your systems block them.

Common failures: outdated virus definitions, disabled real-time scanning, AV not installed on all endpoints, next-gen products not configured correctly.

4. Users Running as Administrators

If your staff use admin accounts for daily work, you'll fail. Admin rights must be separate from day-to-day accounts. Users should only have the access they need for their job.

5. Missing Multi-Factor Authentication

MFA is required for all internet-facing services. Admin accounts on cloud platforms must have MFA enabled. Missing it on even one service can fail your assessment.

6. Mobile Device Problems

If mobile devices access your internal network, they're in scope. One outdated app on one phone can fail your entire assessment. Many businesses don't realise their mobile devices are being tested.

The Single Point of Failure Problem

Plus is a pass/fail assessment. One vulnerable device, one missing patch, one outdated application fails the entire certification. You can't pass with minor issues like basic Cyber Essentials.
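A pre-assessment triage that applies the two rules this section and failure reason 1 describe (a CVSS 7.0+ finding whose fix has been available for more than 14 days is an automatic fail, an unsupported OS is an automatic fail, and one failing device fails the whole estate). This is an added Python example, not code from the article or from any certification body; the hostnames, dates and scores are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Thresholds as stated in the article: high/critical findings (CVSS >= 7.0)
# with a fix available for more than 14 days are an automatic fail.
CVSS_FAIL_THRESHOLD = 7.0
PATCH_WINDOW_DAYS = 14


@dataclass
class Finding:
    name: str           # product or advisory label (constructed values below)
    cvss: float
    fix_released: date  # date the vendor made the fix available


@dataclass
class Device:
    hostname: str
    os_supported: bool  # False for an end-of-life operating system
    findings: list = field(default_factory=list)


def finding_fails(f: Finding, assessed_on: date) -> bool:
    """True if this single finding would fail a Plus assessment on assessed_on."""
    overdue = (assessed_on - f.fix_released).days > PATCH_WINDOW_DAYS
    return f.cvss >= CVSS_FAIL_THRESHOLD and overdue


def device_failures(dev: Device, assessed_on: date) -> list:
    """List every reason this device would fail; empty list means it passes."""
    reasons = []
    if not dev.os_supported:
        reasons.append("unsupported operating system")
    for f in dev.findings:
        if finding_fails(f, assessed_on):
            age = (assessed_on - f.fix_released).days
            reasons.append(f"{f.name}: CVSS {f.cvss}, fix available {age} days")
    return reasons


def assess(devices: list, assessed_on: date) -> dict:
    """Pass/fail is all-or-nothing: any failing device fails the whole estate."""
    report = {d.hostname: device_failures(d, assessed_on) for d in devices}
    return {"passed": not any(report.values()), "devices": report}


# Constructed sample estate, assessed on a constructed date.
SAMPLE_DATE = date(2025, 12, 1)
SAMPLE_DEVICES = [
    Device("laptop-01", True, [Finding("browser-update", 8.8, date(2025, 11, 25))]),  # 6 days: inside window
    Device("laptop-02", True, [Finding("pdf-reader", 7.5, date(2025, 10, 20))]),      # 42 days: fail
    Device("reception-pc", False),                                                   # EOL OS: fail
    Device("fw-01", True, [Finding("router-firmware", 5.3, date(2025, 9, 1))]),        # medium: no auto-fail
]

if __name__ == "__main__":
    result = assess(SAMPLE_DEVICES, SAMPLE_DATE)
    print("PASS" if result["passed"] else "FAIL")
    for host, reasons in result["devices"].items():
        for r in reasons:
            print(f"  {host}: {r}")
```

Run against a real asset inventory, the per-device reasons are the remediation list to clear before booking the official audit.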

Common Decision Mistakes

Beyond technical failures, businesses make strategic errors:

  • Not checking requirements first - guessing which level customers want, then finding out later they needed the other one
  • Jumping to Plus unnecessarily - spending extra when nobody actually required it
  • Treating it as one-time work - both certifications expire after 12 months and need annual renewal
  • Rushing the assessment - starting before systems are properly prepared

How to Choose Between Cyber Essentials and Plus

Follow these steps to work out which certification your business actually needs.

Step 1: Check Current Requirements

Ask customers, insurers, and anyone requesting certification. Get specific about which level they need. Don't assume.

Many requests just say "Cyber Essentials" without specifying Plus. That usually means basic is fine.

Step 2: Review Upcoming Contracts

Look at tenders and bids you're planning. Check tender documents carefully for security requirements. Government contracts often specify which level is needed.

Step 3: Assess Your Sector

Find out what's standard in your industry:

  • Public sector suppliers - usually need Plus
  • IT service providers - Plus increasingly expected
  • Healthcare and finance - Plus recommended
  • Professional services - basic often sufficient
  • Retail and hospitality - basic usually enough

Step 4: Consider Your Data

What information do you handle? Highly confidential data might justify Plus certification regardless of external requirements. It provides stronger assurance to clients.

Step 5: Evaluate Your Readiness

Understand your current IT setup. If you're already doing the five controls properly, either certification becomes easier. If you have significant gaps, start with basic and upgrade later.

Step 6: Plan for Ongoing Compliance

Both certifications expire after 12 months. Budget time and money for annual renewal, not just initial certification.

Choose Basic If... | Choose Plus If...
Requirements don't specify Plus | Contract explicitly requires Plus
Budget is limited | Working with government or defence
First-time certification | Handling sensitive client data
Simple IT environment | Need competitive advantage in tenders
Insurance-only requirement | Enterprise clients demand verification

Timeline Considerations

Factor in how long each takes:

  • Basic Cyber Essentials - 1-2 weeks if your controls are in place
  • Cyber Essentials Plus - 2-9 weeks depending on readiness and remediation
  • Plus must be completed within 90 days of passing basic certification

If you have a tender deadline, work backwards to ensure you have time to complete certification.

Getting Started with the Right Certification

Whether you need basic or Plus, preparation makes the difference between passing first time and paying for multiple attempts.

Quick Action Checklist

  • Check requirements - ask exactly which level is needed, get it in writing
  • Review your systems - identify gaps against the five controls before applying
  • Update everything - patch operating systems, applications, and firmware
  • Check MFA - ensure multi-factor authentication on all cloud services
  • Audit admin access - remove unnecessary admin rights from user accounts
  • Consider pre-assessment - for Plus, a gap analysis before official testing is worth it

Comparing to Other Standards

Some businesses wonder how Cyber Essentials compares to other certifications. ISO 27001 is more comprehensive but takes longer and costs more. Many organisations start with Cyber Essentials and progress to ISO 27001 later. The two standards share about 60% overlap in controls.

The Bottom Line

Start with basic Cyber Essentials if nobody has specifically required Plus. It's faster, cheaper, and demonstrates security commitment. Upgrade to Plus when contracts demand it, or when you need independent verification for sensitive work.

The businesses that get this right ask clear questions upfront. They verify requirements in writing. They choose certification based on real needs, not assumptions. When comparing Cyber Essentials vs Cyber Essentials Plus, the right choice depends entirely on your specific situation.


Frequently Asked Questions

Do I need Cyber Essentials or Cyber Essentials Plus?

It depends on what your customers, insurers, or contracts specifically require. If the requirement just says "Cyber Essentials" without mentioning Plus, basic certification is usually sufficient. You need Plus if you're bidding for government contracts involving sensitive data, working with enterprise clients who demand independent verification, or operating in regulated sectors like healthcare or finance. Always check the exact wording of requirements before starting.

How much does Cyber Essentials Plus cost?

Cyber Essentials Plus typically costs £1,500-£4,000+ depending on your organisation size and network complexity. Micro businesses (0-9 employees) pay around £1,500, while larger organisations pay £3,000+. Unlike basic Cyber Essentials, which has fixed pricing (£300-£500), Plus costs vary between certification bodies. Budget extra for pre-assessment consultancy (£1,000-£1,500) and any remediation work needed to pass.

How long does Cyber Essentials Plus take?

The typical timeline is 2-9 weeks. If your security controls are already in good shape, you could complete Plus in under 2 weeks. Most businesses take 3-4 weeks. If you fail and need remediation, you have 30 days to fix issues and retest. Important: you must complete Plus within 90 days of passing basic Cyber Essentials. Basic certification alone takes 1-2 weeks.

What happens if I fail Cyber Essentials Plus?

If you fail, you have 30 days to fix the identified issues and request a retest. Some certification bodies charge additional fees for retesting. Over 95% of businesses fail Plus on their first attempt, usually due to unpatched vulnerabilities, unsupported software, or missing MFA. This is why pre-assessment scans are recommended - they identify gaps before the official audit so you can fix them first.

Is Cyber Essentials required for government contracts?

Yes, for many public sector contracts. Under PPN 014, Cyber Essentials is required for contracts involving personal data or sensitive government information. Ministry of Defence contracts typically require Plus level. The specific requirement varies by contract - check the tender documentation carefully. You must hold a valid certificate before contract award, and maintain it throughout the contract duration.

How does Cyber Essentials compare to ISO 27001?

Cyber Essentials focuses on 5 technical controls and takes weeks to achieve. ISO 27001 is a comprehensive information security management system covering 114 controls across policies, processes, and technology - it typically takes 6-12 months to implement. Cyber Essentials costs £300-£4,000; ISO 27001 costs £10,000-£50,000+. Many organisations start with Cyber Essentials and progress to ISO 27001 later. The two share about 60% overlap in controls.

How long is a Cyber Essentials certificate valid for?

Both Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months. You must renew annually to maintain certification. If your contract requires Cyber Essentials, you need to keep the certificate current for the entire contract duration. Start the renewal process at least 6-8 weeks before expiry to avoid gaps in certification.