
Cyber Essentials vs Cyber Essentials Plus: What’s the Difference?

If you’re considering Cyber Essentials Plus UK certification for your business, you’ve probably already come across standard Cyber Essentials too. They sound similar and cover the same ground – but they’re not the same thing, and choosing the right one matters.

Here’s a plain-language breakdown of what each one is, what it involves, and how to know which is right for your organisation.


What is Cyber Essentials?

Cyber Essentials is a UK Government-backed certification scheme, run by the NCSC through IASME, designed to help organisations protect themselves against the most common cyber threats. It focuses on five core technical controls that, when properly implemented, significantly reduce your exposure to the commodity, internet-based attacks that account for most incidents.

The certification is annually renewable and is recognised across the public and private sector as a credible baseline of cyber security.

Cyber Essentials is a mandatory requirement for any organisation bidding for UK Government contracts that involve handling personal data or providing certain technical products and services. If you’re looking to work with the public sector, you’ll need it. Find out more at NCSC.gov.uk.

What does it cover?

The five technical controls are:

  1. Firewalls and internet gateways
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

How does it work?

Cyber Essentials is a verified self-assessment. You complete an online questionnaire answering questions about how your organisation has implemented each of the five controls. The answers are reviewed by a certification body – and if they meet the required standard, you receive your certificate.

It’s straightforward, fixed-price, and achievable for businesses of any size.


What is Cyber Essentials Plus UK?

Cyber Essentials Plus covers exactly the same five controls – but instead of a self-assessment, it includes an independent technical audit carried out by a qualified assessor. Your systems are actually tested, not just described.

This means you’re not only telling someone your controls are in place – you’re proving it.

Cyber Essentials Plus includes internal and external vulnerability scanning, on-site or remote device assessment, and malware protection testing. It’s the same framework as Cyber Essentials, but independently verified – which provides a significantly higher level of assurance to customers, partners, and supply chain stakeholders.

What does the audit involve?

A Cyber Essentials Plus assessment typically includes:

  • Internal vulnerability scanning across your devices and network
  • External vulnerability testing of your internet-facing systems
  • Verification of user accounts and access privileges
  • Testing of malware protection across endpoints
  • Remote or on-site device assessment depending on your setup

Important: you must hold a valid Cyber Essentials certificate before you can achieve Cyber Essentials Plus, and the Plus audit must be completed within three months of the date your Cyber Essentials certificate was issued. If that window is missed, the self-assessment has to be repeated first.


What’s the difference in cost?

Cyber Essentials is fixed-price, set by IASME according to organisation size (prices exclude VAT):

  Organisation size             Price
  Micro (0–9 employees)         £320 + VAT
  Small (10–49 employees)       £440 + VAT
  Medium (50–249 employees)     £500 + VAT
  Large (250+ employees)        £600 + VAT

Cyber Essentials Plus is not fixed-price. The cost depends on the number of users, devices, sites, and the complexity of your network. Contact us for a tailored quote.


Which one do you need?


For most small businesses with no specific contractual requirements, Cyber Essentials provides a solid, credible baseline that demonstrates you take cyber security seriously.

Cyber Essentials Plus is worth considering if:

  • You work with government departments or public sector bodies
  • Your contract specifically requires it
  • You handle sensitive or confidential client information
  • You are part of a defence or government supply chain
  • You want independently verified confirmation of your security controls

Cyber Essentials Plus is increasingly being specified as a requirement in defence supply chain contracts – particularly as the Ministry of Defence rolls out its Defence Cyber Certification (DCC) scheme. DCC Level 2 and above require Cyber Essentials Plus as a prerequisite. You can read more about DCC on our Defence Cyber Certification page.


Not sure which applies to you?

If you’re unsure which level is right for your organisation – or whether you’re ready to start the process – Base3 can help. As an approved certification body for Cyber Essentials Plus in the UK, we support businesses through the entire process, from initial readiness through to certification.

Get in touch and we’ll point you in the right direction.