THE SIMPLE ANSWER
Cyber Essentials is self-assessed - you answer a questionnaire about your security controls and an IASME-approved assessor reviews your answers. Cyber Essentials Plus is independently verified - a qualified assessor conducts a technical audit to confirm your controls are actually working in practice.
Both certifications cover exactly the same five core controls. The difference is the level of assurance, the assessment method, and - in some cases - which level a contract or client specifically requires.
CYBER ESSENTIALS - SELF-ASSESSMENT
Standard Cyber Essentials uses an online questionnaire. You answer questions about how your organisation implements each of the five controls - firewalls, secure configuration, user access control, malware protection, and patch management. An IASME Approved Certification Body, like Vincent Cyber Defence, reviews your answers and, if everything is in order, issues your certificate.
- Self-assessed - you complete the questionnaire with assessor guidance
- Remote - no site visits required
- 12-month validity - renewal required annually
- Certificate + digital badge - listed on the IASME public register
- Free cyber insurance included - for eligible UK organisations under £20m turnover
CYBER ESSENTIALS PLUS - INDEPENDENT VERIFICATION
Cyber Essentials Plus adds an independent technical audit on top of the self-assessment. An IASME-approved assessor remotely tests your systems to verify that the controls you described are correctly implemented and actually working. This includes scanning for vulnerabilities, testing device configurations, and checking MFA enforcement across cloud services.
- Independently audited - by an IASME Approved Certification Body
- Technical verification - remote audit of devices, network, and cloud services
- Stricter under Danzell - MFA and patch enforcement checked across all user accounts, not just admins
- 12-month validity - same as standard CE
- Higher assurance - preferred by government, enterprise, and defence supply chains
WHICH LEVEL DO YOU NEED?
- Standard Cyber Essentials if your contract or client specifies "Cyber Essentials" without further qualification, or if you are certifying for the first time and want to build from a solid baseline
- Cyber Essentials Plus if your government contract specifically requires Plus, your enterprise clients require independently verified assurance, or you are in the MOD supply chain and want the highest credibility
- Both, in one process - CE Plus incorporates the self-assessment as its first stage, so you achieve both levels together
KEY DIFFERENCES AT A GLANCE
| Comparison | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment method | Questionnaire reviewed by an approved assessor | Questionnaire plus an independent technical audit |
| Technical testing | None | Vulnerability scanning, device checks, MFA verification |
| Evidence required | Written answers | Written answers plus technical evidence |
| Assurance level | Self-declared | Independently verified |
| Cost | Lower | Higher - additional assessor time for the audit |
| Certificate validity | 12 months | 12 months |
THE 2026 DANZELL UPDATE AND CE PLUS
Under the Danzell question set (live from 27 April 2026), Cyber Essentials Plus assessments are stricter. MFA must now be enforced for all users on all cloud services - not just administrators. The audit process has also been tightened: you cannot materially amend your self-assessment answers once Plus testing has begun, and device sampling is more rigorous. If you are planning CE Plus, ensure your answers are accurate and complete before the audit stage starts.
Two time limits govern the CE Plus process, and both are worth planning around from the start. Once you pass Cyber Essentials basic, you have 90 days (3 months) from that certification date to complete and pass CE Plus. If issues are found during the audit, you have 30 days from the date the assessment started to remediate and have checks revisited. Both windows run simultaneously - whichever expires first is the binding deadline. If either closes before CE Plus is passed, your Plus application closes and you must re-certify at CE basic level before restarting, incurring an additional cost. This makes thorough preparation before the audit essential.
Need help getting certified? Vincent Cyber Defence is an IASME Approved Certification Body. We guide UK businesses through Cyber Essentials, Cyber Essentials Plus, and DCC Level 0 - plain-English support throughout.