The Difference Between Cyber Essentials and Cyber Essentials Plus

Written by Sam Jones
Jul 4, 2019 - 4 minute read

Cyber threats are ever-growing and businesses are seeking accreditation like Cyber Essentials and Cyber Essentials Plus - but which is right for you?

New call-to-action

In 2014 the UK government's Department for Business, Innovation and Skills released a government-endorsed scheme called Cyber Essentials, to help businesses adopt good practices in information and cyber security and to ensure the protection of their data.

At a basic level, the scheme ensures that data is protected from common cyber threats online.

The goal of the certification is to protect company information from internet threats. However, Cyber Essentials is a basic level of investigation from which to build on – it is not a comprehensive cyber security strategy.

Organisations can gain one of two Cyber Essentials accreditations:

So, what is the difference between Cyber Essentials and Cyber Essentials PLUS?

Cyber Essentials

The scheme is mostly aimed at businesses that do not have their own dedicated IT teams working 24/7 to monitor threats.

Cyber attacks cost companies considerable amounts of money and long periods of disruption and company downtime.

For example, if you suffered a ransomware attack and you couldn’t access your business data or email, would you have a plan on how to stay operational?

If not, you’d benefit from Cyber Essentials certification - if only to identify existing security weaknesses you have.

It's a common misconception that cyber criminals only target large organisations, but often they target smaller businesses, who don't have the budget for hefty cyber defences, exploiting weaknesses in IT infrastructure and software.

Cyber Essentials addresses the basics and shows you how to protect against the most common attacks.

The Basic certification is like a DIY assessment where an organisation will have to complete a questionnaire. This means you're pretty much on your own.

However, some Certification Bodies, like Cyber Tec Security, offer a guided basic certification, meaning they will help check through your answers and dig a little deeper to make sure you know exactly what information you need to be providing. 

Organisations who have the capacity within their own IT departments can conduct their own Cyber Essentials certification, or they can hire a certified external, third-party to do the checks for them.

Cyber Essentials PLUS

Cyber Essentials can be completed by organisations that own an IT department or a certified, external third party if they don’t have the capacity or technical expertise in-house.

The organisation completes a self-assessment questionnaire and the responses are independently reviewed by an external Certification Body.

Cyber Essentials PLUS has the same requirements of Cyber Essentials, but the system tests are actually carried out by an external Certification Body, using tools and techniques which an in-house team may not have access to.

Before completing the Cyber Essentials assessment the third party assessor will carry out this security vulnerability scan of your IT infrastructure.

The information gathered will then guide any remedial actions, ensuring your company meets the five technical controls (Firewall, Secure Configuration, User Access Control, Malware Protection, Patch Management) to be able to achieve the Plus standard.

Independent auditors offering Cyber Essentials PLUS, quite simply know what they are doing and have the experience of working with multiple organisations, similar to your own, that are going through the same process.

Which is right for me?

Cyber Essentials Plus is quickly becoming the de facto standard, if anything because it involves true verification from security specialists. 

It is required for most public sector contracts and we're increasingly seeing organisations in the private sector requiring Cyber Essentials Plus from their suppliers. Professional associations within Industries like the Law Society and the Financial Conduct Authority are also actively endorsing and recommending the certification. Those only requiring the basic standard are predicted to increase this to Plus. 

It makes most sense then, if budgets allow, to achieve the Plus standard, so as not to miss out on business opportunities, stay ahead of competitors and have your security levels officially verified. 



It’s important to remember that Cyber Essentials and Cyber Essentials Plus only provide you with a “point in time” assessment of your organisation.

Only an ongoing managed security service can provide you with daily peace of mind, not only that your system and data are protected, but also that should an event occur, you will we will be covered in terms of incident response, investigation, process definition and protection.

Still have unanswered questions?

Check out our Ultimate Guide to Cyber Essentials which will answer any question you've ever had around Cyber Essentials.


Topics: UK, Cyber Essentials, Cyber Essentials Plus, Business Security, Cyber Attack, Cyber Security, SME


More by Sam Jones

Related articles
The Ever Evolving Role of the MSP!

Discover how Managed Service Providers (MSPs) can strengthen cybersecurity with a proactive approach and Cyber Essentials Certification. Learn about the evolving role of MSPs in safeguarding businesses against cyber threats.

Is ISO an alternative standard to Cyber Essentials?

Comparing ISO and Cyber Essentials for cybersecurity standards, this blog delves into their differences and importance in safeguarding against cyber threats.

Is Your Supplier List Your Weakest Link?

Discover why Cyber Essentials certification should be mandatory for suppliers to strengthen supply chain security and mitigate cyber threats. Safeguard your business and gain a competitive advantage.