Cyber Essentials vs Cyber Essentials Plus: Understanding Your Baseline Defence

If you've been looking into Cyber Essentials, you'll already know there are two levels of certification. What's less clear for most businesses is which one they actually need — and whether the extra investment in Plus is justified.

This is a conversation we have regularly. The honest answer requires understanding what the two levels actually do differently, rather than treating one as simply the 'premium' version of the other.

The core difference in plain terms

Cyber Essentials is a self-assessed certification. You implement the five control areas — firewalls, secure configuration, user access control, malware protection, and patch management — and you answer a questionnaire confirming you've done so. An accredited certification body reviews your answers. If everything looks correct, you get the certificate.

No one comes to check. No one tests whether your firewall rules actually work. No one scans your systems from the outside to see what an attacker would find. You're attesting to compliance, and the assessment takes that attestation at face value.

Cyber Essentials Plus keeps all of that and adds independent verification. A certified assessor conducts external vulnerability scanning of your internet-facing systems to see what's exposed. They conduct an internal technical assessment of your network to check whether your controls are actually working as claimed. And they verify your configurations, not just your answers.

The practical difference is significant: Cyber Essentials is what you claim; Cyber Essentials Plus is what's been independently confirmed.

What the Plus assessment actually involves

If you've not been through a Cyber Essentials Plus assessment, it helps to understand what the assessor is actually doing.

External vulnerability scanning involves the assessor probing your internet-facing infrastructure from the outside — the same perspective an attacker has when they're looking for a way in. They're checking for open ports you didn't know were exposed, outdated software with known vulnerabilities, weak or default credentials on external services, and firewall misconfigurations. You'll receive a report detailing findings, and critical issues must be remediated before certification.

Internal technical assessment goes deeper. The assessor connects to your internal network and systematically checks patch levels, configurations, user account management, and endpoint protection across your device estate. This is where things you assumed were fine sometimes turn out not to be — legacy systems running outdated software, patch management processes that miss certain device types, admin accounts that were set up years ago and never reviewed.

Remediation and sign-off is the final stage. Critical findings are fixed, the assessor verifies, and the certificate is issued. The whole process typically takes a few weeks, depending on your organisation's size and how many issues are found.

Who needs Cyber Essentials?

Cyber Essentials is a meaningful baseline for a very small business with straightforward IT, no regulatory requirements, and no supply chain exposure to larger organisations. If you're a sole trader or a micro-business with minimal client data and no public sector work, it can be a reasonable starting point.

But even then, be clear about what you're claiming. Self-assessed compliance is only as good as the honesty and technical knowledge of the person doing the assessment. If you implement the five controls genuinely, you get genuine security value. If you're ticking boxes without understanding the technical requirements, you're creating a false sense of security.

Who needs Cyber Essentials Plus?

For most West Sussex businesses we work with, Cyber Essentials Plus is what's appropriate. Here's a direct checklist:

• You work in a regulated sector — healthcare, financial services, legal. Your clients and regulators expect independently verified controls, not self-reported compliance.

• You supply to larger organisations or the public sector. Supply chain security requirements are increasing, and Plus is what larger buyers are increasingly asking for.

• You hold sensitive customer or business data. The external and internal assessments identify weaknesses an attacker would find — weaknesses that self-assessment might miss.

• Your insurer requires it. Cyber insurance providers are increasingly making Plus a condition of cover for regulated businesses and those handling sensitive data.

• You want actual evidence that your controls work. This is the fundamental point of Plus — it turns a claim into a verified fact.

The misconception we encounter most often

Some businesses achieve Cyber Essentials and treat it as job done. They've got the certificate, they've ticked the box, and they move on without much further thought about security.

The problem is that Cyber Essentials is a minimum baseline for five specific technical controls. It doesn't address what happens when an attacker gets inside your network. It doesn't cover threat detection and response. It doesn't require incident response planning. It doesn't include monitoring for active threats.

Cyber Essentials Plus, through its vulnerability assessment requirements, at least forces you to look at your actual security posture rather than just your answers to a questionnaire. But even Plus is a foundation, not a complete security programme.

We tell organisations: aim for Plus, then build on it. Managed endpoint detection and response, email security, identity monitoring, and security awareness training are the additional layers that turn a certified baseline into real operational security.

Making your decision

If you're not sure which level is right for your business, start with these questions:

Do any of your clients, contracts, or insurers specifically ask for Cyber Essentials Plus? If yes, that answers it.

Do you operate in healthcare, financial services, or legal? Aim for Plus.

Are you part of a supply chain that serves larger organisations or government? Assume Plus will be required sooner rather than later.

Do you want to know that your security controls actually work, rather than just believing they do? Plus gives you that evidence.

If you're still unsure, the best starting point is understanding your actual security posture before committing to either. Book a free security audit with us. We'll tell you where you stand, which certification level makes sense for your business, and what you need to do to achieve it.