THE KEY DIFFERENCE IN ONE SENTENCE
Cyber Essentials is self-assessed — you answer a questionnaire. Cyber Essentials Plus is independently verified — a qualified assessor checks that your controls are actually working.
CYBER ESSENTIALS: SELF-ASSESSMENT
Standard Cyber Essentials uses an online questionnaire. You answer questions about how your organisation addresses each of the five core controls — firewalls, secure configuration, access control, malware protection, and patch management.
An IASME Approved Certification Body reviews your answers and, if everything is in order, issues your certificate. The assessment is remote and can be completed quickly. Use our CE readiness checklist to verify your controls before you submit.
- Who conducts it: You complete the questionnaire; an approved assessor reviews it
- Evidence required: Written responses about your controls
- Technical verification: No independent technical testing
- Certificate validity: 12 months
- Best for: SMEs, first-time certification, commercial supply chain requirements
CYBER ESSENTIALS PLUS: INDEPENDENT VERIFICATION
Cyber Essentials Plus adds an independent technical audit on top of the self-assessment. An IASME-approved assessor remotely tests your systems to verify that the controls you described in your questionnaire are correctly and effectively implemented in practice.
This includes testing sample devices, scanning for vulnerabilities, and checking that your malware protection is functioning correctly.
- Who conducts it: IASME Approved Certification Body (independent)
- Evidence required: Questionnaire plus technical verification
- Technical verification: Yes — remote audit of your systems
- Certificate validity: 12 months
- Best for: Government contracts, enterprise supply chains, higher assurance needs
WHICH LEVEL DO YOU NEED?
The right level depends on your circumstances:
- You need standard CE if: your contract or client requires Cyber Essentials certification without specifying Plus, or if you are certifying for the first time
- You need CE Plus if: your government contract specifies Plus, your enterprise client requires independently verified assurance, or you are working toward higher maturity certifications
- You hold both if you achieve Plus: Plus includes the self-assessment as a first step, so achieving Plus means you also hold standard CE
If you are unsure which level applies to your contract, look at the tender documentation carefully. It will usually specify "Cyber Essentials" or "Cyber Essentials Plus" — if it just says Cyber Essentials, standard self-assessment is sufficient.
CAN YOU DO PLUS WITHOUT DOING CE FIRST?
Yes. The Cyber Essentials Plus process incorporates the self-assessment questionnaire, so you do not need to hold a separate Cyber Essentials certificate first. Our team can guide you through both together in one efficient process.
TIME LIMITS FOR CE PLUS
Two important windows apply to the CE Plus process. Once Cyber Essentials basic is certified, you have 90 days (3 months) from that certification date to complete and pass CE Plus. If issues are identified during the CE Plus audit, you also have 30 days from the date the assessment started to remediate and have checks revisited. Both windows run simultaneously — whichever expires first governs. If either closes before CE Plus is passed, your Plus application closes and you must re-certify at CE basic level before restarting the Plus process, at additional cost. Starting the process promptly and going into the audit well-prepared are the best ways to avoid this. Our CE Plus readiness checklist covers everything you need to verify before the audit begins.
COST DIFFERENCE
Cyber Essentials Plus involves more assessor time due to the independent technical audit, so it costs more than standard Cyber Essentials. However, many organisations find the additional assurance and commercial credibility well worth the investment. Contact us for a fixed-price quote for either level.
Vincent Cyber Defence is an IASME Approved Certification Body. We guide UK businesses through Cyber Essentials, Cyber Essentials Plus, and DCC Level 0 with a first-time pass focus.