Cyber Essentials vs Cyber Essentials plus: which certification is right for your business?
Cyber threats continue to grow in frequency and sophistication, affecting organisations of every size.
Demonstrating that your business takes cyber security seriously is no longer optional, it’s expected.
It also plays a critical role in procurement, with many organisations requiring evidence of recognised cyber security standards as part of their due diligence in any tender process.
That’s where Cyber Essentials comes in.
Achieving Cyber Essentials certification is one of the most effective ways to demonstrate that your business takes cyber security seriously.
However, with two certification levels available, Cyber Essentials and Cyber Essentials Plus, many businesses are unsure which one they should pursue.
Having achieved Cyber Essentials Plus ourselves, we understand both the process and the value of independent verification. In this blog, we explain the key differences between the two certifications and help you determine which option is the best fit for your organisation.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification designed to help organisations protect themselves against the most common cyber threats.
Most cyber-attacks are opportunistic. They target businesses through basic security gaps, which could include misconfigured systems, outdated software, human error or weak access controls.
Once achieved, Cyber Essentials certification is valid for 12 months, after which it must be renewed to maintain compliance and protection.
Cyber Essentials assesses the following five cyber security controls:
Firewalls and internet gateways – controlling incoming and outgoing traffic
Secure configuration – reducing unnecessary exposure across devices and systems
Access control – ensuring only the right people have access to the right data
Malware protection – defending against malicious software
Patch management – keeping systems up to date and secure
The Cyber Essentials certification process
Achieving Cyber Essentials involves completing a self-assessment questionnaire that reviews how your organisation implements these five security controls.
The process includes:
Completing the Cyber Essentials questionnaire
Sign-off by a senior member of your organisation
Review by an accredited certification body
If your responses meet the required standards, your organisation will be awarded Cyber Essentials certification.
Organisations generally have six months from the date of application to pass the assessment. In some cases, minor issues may be identified which will need to be addressed to maintain compliance.
For many businesses, Cyber Essentials provides a strong foundation and a clear demonstration of good cyber hygiene. If you would like help creating a roadmap to achieving Cyber Essentials, get in touch.
What Is Cyber Essentials Plus?
Cyber Essentials Plus builds on the same five controls as Cyber Essentials certification, but adds independent, hands-on technical verification of your processes and protocols.
Rather than relying solely on a self-assessment, Cyber Essentials Plus involves a detailed audit carried out by accredited cyber security professionals to confirm that your controls are working in practice.
This includes:
External vulnerability scanning of your public-facing systems
Internal testing of devices across your network
Verification of patching and known vulnerabilities
Malware protection testing using controlled scenarios
User privilege checks to prevent unauthorised admin access
Multi-factor authentication (MFA) validation across cloud services
The key difference is simple:
Cyber Essentials tells people you have the right controls in place. Cyber Essentials Plus proves that they work.
Because of this, Cyber Essentials Plus requires full compliance. If any issues are identified, they must be resolved within a strict timeframe before certification is awarded.
What does the Cyber Essentials Plus audit include?
The technical audit typically includes several key tests:
External vulnerability scanning
An organisation’s public-facing IP addresses are scanned to identify potential vulnerabilities that attackers could exploit.
Internal device testing
A sample set of devices within an organisation’s network, including desktops, laptops, servers and mobile devices, is examined to identify high-severity vulnerabilities.
Malware protection testing for browser and email configuration
Anti-malware tools are tested to ensure user environments are protected from, and can respond to, website- and email-delivered malware and malicious files.
Mobile devices
Your mobile device management policy is checked to ensure all devices are secure and meet the required standard.
Vulnerability and patch verification
Auditors check that systems are fully patched and that any critical vulnerabilities have been addressed within the required timeframe.
User privilege checks
Auditors verify that standard users cannot perform administrator-level actions on systems.
Multi-factor authentication testing
Cloud services are checked to confirm that multi-factor authentication (MFA) is enforced for both standard users and administrators.
Higher compliance requirements
Cyber Essentials Plus has a stricter pass requirement than the standard certification.
While Cyber Essentials may allow limited minor issues, Cyber Essentials Plus requires full compliance.
If any issues are identified during testing, organisations have 30 days to fix them before certification can be awarded.
Cyber Essentials Plus cannot be achieved as a standalone certification; an organisation must first obtain Cyber Essentials certification and then complete the Cyber Essentials Plus assessment within three months.
Alternatively, both stages can be completed consecutively as part of the same project.
Key differences at a glance

| Feature | Cyber Essentials | Cyber Essentials Plus |
| --- | --- | --- |
| Assessment | Self-assessment | Self-assessment + technical audit |
| Testing | None | Hands-on verification |
| Compliance | Some tolerance | Full compliance required |
| Assurance level | Foundational | High, independently verified |
Cyber Essentials is ideal if you:
Want to establish a solid cyber security baseline
Need to meet basic supplier or client requirements
Are at the early stages of your security journey
Are looking for a cost-effective way to demonstrate good practice
Cyber Essentials Plus is the better choice if you:
Work with larger organisations or enterprise clients
Are bidding for government contracts
Handle sensitive or regulated data
Need to stand out in competitive tenders
Want independently verified assurance of your security controls
Why Cyber Essentials Plus matters to Gloucestershire businesses
In today’s environment, trust is everything.
While Cyber Essentials is a strong starting point, Cyber Essentials Plus provides an additional layer of credibility. It shows that your cyber security isn’t just documented—it’s tested, validated, and robust.
That’s exactly why we implemented it ourselves.
Achieving Cyber Essentials Plus allows us to demonstrate, with confidence, that our systems and processes meet a higher standard, giving our clients greater assurance when working with us.
How we help our clients achieve Cyber Essentials
At System 15, we support businesses at every stage of the certification journey.
From initial gap analysis through to implementation and audit preparation, we make the process straightforward and practical, minimising disruption while ensuring full compliance.
Whether you’re starting with Cyber Essentials or aiming for Cyber Essentials Plus, our security team can work with your organisation to help you successfully set out a roadmap to achieve Cyber Essentials certification.