The Difference Between Cyber Essentials and Cyber Essentials Plus

read time

2 minute read


Sam Jones Jul 4, 2019

In 2014 the UK government's Department for Business, Innovation and Skills released a government-endorsed scheme called Cyber Essentials, to help businesses adopt good practices in information security, ensuring the protection of data, and for companies to understand how that data can be used, secured, or compromised. At a basic level the scheme ensures that data is protected from common cyber threats online.

The goal of the certification is to protect company information from internet threats. However, Cyber Essentials is a basic level of investigation from which to build on – it is not a comprehensive cyber security strategy. Organisations can gain one of two Cyber Essentials accreditations:

So, what is the difference between Cyber Essentials and Cyber Essentials PLUS?

Cyber Essentials

The scheme is mostly aimed at business who do not have their own dedicated IT teams working 24/7 to monitor threats.

The UK government reports that cyber-attacks cost companies considerable amounts of money and long periods of disruption and company downtime. For example, if you suffered a ransomware attack and you couldn’t access your business data or email, would you have a plan on how to stay operational? If not, you’d benefit from Cyber Essentials certification - if only to identify existing security weaknesses you have.

Cyber criminals don’t only target large organisations - because they are able to invest in protection – often they target smaller businesses, exploiting weaknesses in IT infrastructure and software. Cyber Essentials addresses the basics and shows you how to protect against the most common attacks.

Organisations who have the capacity within their own IT departments can conduct their own Cyber Essentials certification, or they can hire a certified external, third-party to do the checks for them.

Before completing the Cyber Essentials assessment the third party assessor will do a security vulnerability scan of your IT infrastructure. The information gathered will guide any remedial actions, ensuring your company will meet the five technical controls (Firewall, Secure Configuration, User Access Control, Malware Protection, Patch Management) to demonstrate good practice of information governance.

Cyber Essentials PLUS

Cyber Essentials can be completed by an organisations own IT department or a certified, external third party if they don’t have the capacity or technical expertise in-house. The organisation completes a self-assessment questionnaire and the responses are independently reviewed by an external certifying body.

Cyber Essentials PLUS has the same requirements of Cyber Essentials, except the system tests are carried out by an external certifying body, using tools and techniques which an in-house team may not have access.

Independent auditors, those who offer Cyber Essentials PLUS, quite simply know what they are doing - and have the experience of working with multiple comparable organisations, going through the same process.

However, it’s important to remember that Cyber Essentials and Cyber Essentials Plus only provide you with a “point in time” assessment of your organisation. Only an ongoing managed security service can provide you with daily peace of mind, not only that your system and data are protected, but also that should an event occur, you will we will be covered in terms of incident response, investigation, process definition and protection.

Still have unanswered questions? Check out our Ultimate Guide to Cyber Essentials which will answer every question you've ever had around Cyber Essentials.

Download your FREE copy of The Ultimate Guide to Cyber Essentials Now!

The Ultimate Guide to Cyber Essentials

Topics: IT, Bristol, Compliance, England, UK, Cyber, Security, Business security, Cyber attack, Business, MSSP, Managed security services


More by Sam Jones