Last Updated July 2026
Cyber Essentials and Cyber Essentials Plus are built around the same core controls, but they’re assessed differently.
This guide explains the difference, what each option covers and how to choose the right route for your business.
If you’ve been asked to get Cyber Essentials or Cyber Essentials Plus, it might not be immediately obvious which route is right for your business. Whether the requirement comes from a tender, client contract or as part of a supplier process, certification is increasingly expected to show you take cyber security seriously.
So, what’s the difference, how do you know which one is right for your business – and what do each of them cover?
Why Cyber Essentials matters
A common misconception of cyber attacks is that they mainly target large organisations. But smaller businesses – which tend to have fewer resources, IT support and security controls – are often the most vulnerable.
If personal data is involved, as it often is for businesses handling customer, patient, employee, financial or supplier information, you may also need to work out whether the breach needs to be reported and who needs to be told.
Looked at this way, cyber security is part of keeping your business running uninterrupted. It helps make sure your team can keep working, your customers can keep relying on you and a preventable issue does not turn into a much bigger disruption.
What does Cyber Essentials cover?
Cyber Essentials was launched in 2014 to give organisations a clear, practical way to protect themselves against common online threats. It’s now overseen by the National Cyber Security Centre and is applicable to organisations of all sizes, like SMEs, sole traders, charities and large businesses.
Some of these controls may already be familiar to you, but they’re worth revisiting ahead of assessment:
- Firewalls
Firewalls help create a protective barrier between your network and the internet, controlling what traffic is allowed in and out. - Secure configuration
Systems, software and devices should be set up securely, with unnecessary accounts, services and settings removed or restricted. - User access control
People should only have access to the systems and data they need to do their job. Admin access should be limited and properly managed. - Malware protection
Devices and systems should have proper protection in place to detect, block or prevent malicious software. - Security update management
Software, operating systems and devices need to be supported and kept up to date, with security updates applied promptly.
While these give a broad overview of common risks, they’re not exhaustive. Here's a more in-depth look at the Cyber Essentials Controls.
Cyber Essentials Plus builds on these controls with independent technical testing.
Who needs Cyber Essentials most?
Cyber Essentials is useful for any business, but it becomes especially important if you handle sensitive data, work in a regulated sector or need to prove cyber security standards to customers, suppliers or public sector buyers.
It’s often mandatory for government contracts involving personal or financial data, as well as defence suppliers, where Cyber Essentials can form part of MoD and Defence Cyber Certification requirements.
Professional services firms, finance businesses, healthcare providers, IT suppliers and organisations working in larger supply chains may also find that certification helps them to support tenders and reassure clients that the right basic protections are in place.
Cyber Essentials vs Cyber Essentials Plus: what is the difference?
Some people refer to Cyber Essentials and Cyber Essentials Plus interchangeably, but they are best understood as complementary layers of cyber protection.
Both are based on the same five core controls, but they are assessed in different ways. Cyber Essentials is a verified self-assessment, where your answers are reviewed by an accredited Certification Body. Cyber Essentials Plus builds on this with independent technical testing to check those controls are working in practice.
Cyber Essentials
For Cyber Essentials, your organisation completes a questionnaire about your IT systems, devices, software, cloud services and security controls. Your answers are then reviewed by an accredited assessor.
Some organisations choose to complete the questionnaire themselves, which is ideal for companies with their own IT team or working cyber-security knowledge. But more often than not, the questionnaire can be complex for SMEs, solo traders and non-technical teams, who don’t have the staff or resources to complete assessment alone.
You may already have the correct controls in place, but without an expert to help you interpret the questionnaire or to clarify what evidence is needed, it can become a minefield for time-strapped businesses.
Guided certification can make things move quicker (and easier.) Cyber Tec can talk you through the questions, check your answers and flag anything that needs attention before submission.
Cyber Essentials Plus
Cyber Essentials Plus goes further. It still uses the same five controls, but includes independent technical testing to check that those controls are working in practice.
This can include external technical testing, vulnerability scanning and checks across a sample of relevant devices, services and systems. The aim is to provide a higher level of confidence that the security controls declared in the self-assessment are actually implemented properly.
Cyber Essentials Plus is often more appropriate where customers, tenders, frameworks or regulators want stronger assurance. It can also be useful for businesses that want independent validation rather than relying on self-assessment alone.
Comparing Cyber Essentials and Cyber Essentials Plus
|
Cyber Essentials |
Cyber Essentials Plus |
|
A good first step if you need a recognised cyber security certification. |
The stronger option if a customer, tender or framework specifically asks for Plus. |
|
Best suited to businesses that want to show they have the basic controls in place. |
Best suited to businesses that need those controls independently tested. |
|
A practical route for SMEs, sole traders and organisations starting their cyber security journey. |
Useful for organisations handling sensitive data or working in higher-risk supply chains. |
|
Helps you understand where common security gaps may exist and what needs to be improved. |
Gives extra confidence that your cyber security measures are working in practice, not just written down. |
|
Often enough if your customer or tender requirement only asks for Cyber Essentials. |
A logical next step if you already have Cyber Essentials and want a higher level of assurance. |
Essentially, Cyber Essentials helps you put a solid foundation in place, while Cyber Essentials Plus checks everything’s actually working in action.
Cyber Essentials is a baseline, not a complete strategy
Cyber Essentials is a good starting point, but it won’t keep you covered indefinitely. If you want to build on that baseline, Cyber Essentials Plus is the logical next step, and will give you much more assurance.
It is important to remember, though, that certification reflects your business at the time of assessment. After that, things can change. You might add new devices, change software, move more services into the cloud, take on new staff or find that older systems need updating.
That is why ongoing cyber hygiene matters after you are certified. At a minimum, Cyber Essentials should be reviewed every year as part of your renewal. Between assessments, it is also sensible to keep checking the basics: applying updates, reviewing user access, checking configurations and making sure you know what to do if something goes wrong.
Regular cyber health checks can help you spot issues before they become bigger problems. Vulnerability assessments, monitoring, patching support and incident response planning all help you maintain stronger protection beyond the certificate.
How Cyber Tec supports the process
Cyber Tec helps you choose the right certification route and gives you one-to-one support through the process, so you are not left trying to work out the details yourself.
For Cyber Essentials, that can mean talking you through the questionnaire and checking your answers are an accurate reflection of how your business operates. If something needs fixing before submission, we’ll explain what needs to change clearly before you roll it out.
For Cyber Essentials Plus, we can help you prepare for the technical assessment with vulnerability scanning, remedial guidance and practical support before the test begins. If issues are found, we’ll explain what they mean and what needs to happen next, as well as who should ideally action it – be it you, your IT provider or your team.
Close guidance like this is especially useful for SMEs, sole traders and or any non-techy businesses that don’t have in-house expertise or the time and resources to do it alone. You still get a structured certification process, but with guidance from people who have professional experience and can help you adapt their knowledge to your own setup.
What happens after certification?
Certification isn’t the end of the process. While it gives you a clear position at the time of assessment, your cyber security still needs to be maintained throughout the year.
The good news is that this does not have to mean an unmanageable amount of extra work. It’s often a simple case of keeping good habits going, like applying updates when they arise, reviewing your teams’ access and making sure any changes to your systems are properly managed.

