If you are exploring Cyber Essentials for the first time, one of the first decisions you will face is whether to go for the standard certification or the more rigorous Plus level. Both are government-backed schemes administered through the IASME Consortium on behalf of the National Cyber Security Centre (NCSC), and both demonstrate a meaningful commitment to baseline cyber hygiene. The difference lies in how that commitment is verified — and depending on who your customers are, the distinction may not be optional. This guide explains what each level involves, what the audit process looks like, and how to decide which is right for your organisation.
Cyber Essentials: The Self-Assessment Route
Cyber Essentials is the entry-level certification. It covers five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management (patch management). To achieve it, you complete an online self-assessment questionnaire through the IASME portal, answering questions about how your organisation addresses each control, and a board member or equivalent signs a declaration that the answers are accurate. An assessor at a certification body reviews your responses for completeness and consistency, but there is no on-site visit, no independent technical testing, and no auditor looking at your systems directly: the evidence is what you say about your own configuration.
This makes it accessible and fast. Most organisations can complete the questionnaire in a matter of days once they have gathered the relevant information about their systems and configurations. Certification typically follows within a week or two, depending on the certification body’s review turnaround.
Cost is tiered by organisation size under the IASME Consortium's pricing structure, so a micro-business (fewer than ten employees) pays the lowest rate. For small organisations more broadly, standard pricing typically falls in the range of £300 to £500 plus VAT. Medium and larger businesses pay progressively more, reflecting increased scope and complexity. IASME has also run NCSC-funded programmes that cover the cost of certification for organisations in specific sectors, so check the current IASME pricing page for what applies to you before budgeting.
Cyber Essentials lasts twelve months. You will need to recertify annually to maintain the certification.
Cyber Essentials Plus: The Technical Audit
Cyber Essentials Plus builds directly on the standard certification: you cannot obtain Plus without first holding a valid Cyber Essentials certificate, and the Plus assessment must be completed within three months of that certificate being issued. Once you hold it, an accredited assessor carries out a hands-on technical audit of your systems to verify that the controls you declared in your self-assessment are genuinely in place and functioning as described.
The Plus audit has several distinct components:
- Remote vulnerability scan of external-facing systems: The assessor scans your internet-facing infrastructure for known vulnerabilities, open ports, and misconfigurations that could expose you to attack.
- Authenticated internal scan: A credentialed vulnerability scan is run against the sampled devices from inside your network to identify patch gaps, software vulnerabilities, and configuration weaknesses that would not be visible from outside. A device fails if it is missing a "critical" or "high" security update (CVSS v3 base score 7.0 or above) whose fix has been available for more than 14 days, or if it runs software that is no longer supported by its vendor.
- Sample device inspection: The assessor selects a representative sample of devices (laptops, desktops, mobile devices) drawn from each device group in scope, so every operating system and build type is covered, and checks that they meet the required security configurations: correct patch levels, malware protection active, access controls applied correctly.
- Malware protection test by email and by browser download: The assessor sends a set of test files (including executable and script file types) to a user on each sampled device and attempts to download the same files through the browser. The files must be blocked or quarantined before the user can run them, or at minimum trigger a clear warning. This is a technical control test, not a phishing-awareness exercise: it checks that email filtering, browser protections and endpoint anti-malware actually stop the payload rather than simply being configured in theory.
- Multi-factor authentication and account separation checks: The assessor confirms that multi-factor authentication is enforced for administrative and user access to in-scope cloud services, and that day-to-day work is done from standard user accounts rather than accounts with administrative privileges.
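Before the assessor runs the authenticated scan, it is worth triaging your own scanner output against the same rule they will apply. The following Python script is an added example written for this guide, not part of the original page or of any certification body's tooling. It reads a constructed scan export (the column names `host`, `plugin`, `cvss_v3`, `patch_published` and `description` are assumptions; real scanners such as Nessus, Qualys or OpenVAS each use their own export layout) and separates findings that would fail the 14-day patching rule from those that are still inside the window.

```python
"""Triage a vulnerability-scan export against the Cyber Essentials patching rule.

Cyber Essentials requires "critical" and "high" security updates (CVSS v3 base
score 7.0 or above) to be applied within 14 days of release. The Plus
authenticated scan fails any sampled device where such a fix is still missing.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

CVSS_THRESHOLD = 7.0
PATCH_WINDOW = timedelta(days=14)

# Constructed sample export (hosts, plugin IDs, scores and dates are invented).
# Column layout is an assumption; adapt parse_export() to your scanner's CSV.
SAMPLE_EXPORT = """\
host,plugin,cvss_v3,patch_published,description
LAPTOP-01,12345,9.8,2024-03-05,Windows kernel elevation of privilege
LAPTOP-01,12346,5.3,2024-01-10,Information disclosure in browser
LAPTOP-02,12347,7.5,2024-04-01,Office remote code execution
DESKTOP-07,12348,8.1,2024-02-12,Third-party PDF reader remote code execution
DESKTOP-07,12349,,2024-02-12,Unscored informational finding
"""


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str
    cvss: Optional[float]        # None when the scanner gives no score
    patch_published: date        # date the vendor released the fix
    description: str


def parse_export(text: str) -> List[Finding]:
    """Parse the CSV export into Finding records, tolerating blank CVSS cells."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        score = row["cvss_v3"].strip()
        findings.append(Finding(
            host=row["host"].strip(),
            plugin=row["plugin"].strip(),
            cvss=float(score) if score else None,
            patch_published=date.fromisoformat(row["patch_published"].strip()),
            description=row["description"].strip(),
        ))
    return findings


def is_high_or_critical(finding: Finding) -> bool:
    """Only scored findings at or above the CVSS 7.0 threshold are in scope."""
    return finding.cvss is not None and finding.cvss >= CVSS_THRESHOLD


def is_plus_failure(finding: Finding, assessed_on: date) -> bool:
    """True when a high/critical fix has been available for more than 14 days."""
    if not is_high_or_critical(finding):
        return False
    return assessed_on - finding.patch_published > PATCH_WINDOW


def triage(findings: List[Finding], assessed_on: date) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Split findings into (failures, pending) keyed by host.

    failures: high/critical fixes older than 14 days, which fail the Plus scan.
    pending:  high/critical fixes still inside the 14-day window; compliant on
              the assessment date but must be applied before the window closes.
    Findings below the threshold or without a score are ignored here.
    """
    failures: Dict[str, List[str]] = {}
    pending: Dict[str, List[str]] = {}
    for f in findings:
        if not is_high_or_critical(f):
            continue
        bucket = failures if is_plus_failure(f, assessed_on) else pending
        bucket.setdefault(f.host, []).append(f"{f.plugin}: {f.description}")
    return failures, pending


if __name__ == "__main__":
    fails, due = triage(parse_export(SAMPLE_EXPORT), date(2024, 4, 10))
    for host, items in fails.items():
        print(f"FAIL {host}: {', '.join(items)}")
    for host, items in due.items():
        print(f"DUE  {host}: {', '.join(items)}")
```

Two caveats when using this kind of pre-check: the date that matters is when the vendor released the fix, not when the scanner first detected the gap, so make sure your export carries the former; and the Plus scan also fails devices running software that is out of vendor support, which no CVSS-based filter will catch, so check end-of-life status separately.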
The additional rigour means a longer timeline. Organisations should plan for several weeks from initiation to receiving their Plus certificate — more if remediation is required after initial testing. Cost reflects the assessor’s time and typically runs from £1,500 to £3,000 or more, depending on the size of your organisation, the number of devices in scope, and the complexity of your infrastructure. Like the standard certification, Plus lasts twelve months.
Who Should Choose Each Level?
For many small businesses with no government contracts or regulated supply chain requirements, standard Cyber Essentials is an excellent and entirely sufficient starting point. It demonstrates baseline security hygiene to customers and partners, may be required by certain insurers, and provides a structured framework for getting the fundamentals right. If you are a sole trader, a small professional services firm, or a retailer with no public sector work, this is usually where you begin — and for many organisations, it is all they will ever need.
IT managed service providers, cloud services companies, and businesses operating in the government supply chain are in a different position. Buyers and prime contractors increasingly expect Plus as a minimum, because self-assessment alone cannot verify that controls are actually working. If you are tendering for public sector contracts — particularly those involving sensitive data or critical systems — Plus is often a stated requirement in procurement frameworks.
For Ministry of Defence suppliers, the position is clearer still: Cyber Essentials Plus is frequently mandated, not merely recommended. MOD contracts often specify it explicitly, and without it you may be unable to bid. If defence supply chain work is part of your business — or you are considering entering that market — Plus should be treated as a baseline rather than an aspiration.
The IASME Pricing Structure
Both certifications are priced according to organisation size under the IASME Consortium's tiered structure. The four bands are micro (fewer than ten employees), small (ten to forty-nine), medium (fifty to two hundred and forty-nine), and large (two hundred and fifty or more). Micro-businesses applying for standard Cyber Essentials pay the lowest tier rate, which makes it one of the more cost-effective security investments available to very small organisations; NCSC-funded programmes run through IASME have at times covered the cost entirely for organisations in specific sectors. Prices for Plus are set by individual accredited certification bodies and will vary, so it is worth obtaining more than one quote if budget is a consideration.
A Practical Timeline
If you are working towards a contract deadline or renewal window, build in adequate time for each stage. Standard Cyber Essentials can realistically be completed in days to a couple of weeks, provided your systems are already reasonably well configured. Cyber Essentials Plus requires additional planning time to coordinate the assessor’s audit, and if vulnerabilities are identified during testing — which is common — you will need time to remediate and retest before the certificate can be issued. A realistic timeline from first enquiry to Plus certificate is four to eight weeks for a typical small or medium-sized organisation.
Starting the Process
Regardless of which level you are aiming for, the starting point is always the same: Cyber Essentials first. Review the five technical controls against your current configuration, close any obvious gaps, and work through the self-assessment questionnaire via an IASME-accredited certification body. If you know you will need Plus, engage a certification body early so they can advise on scope and help you avoid common pitfalls before the technical audit begins, and book the Plus assessment so that it falls within three months of your Cyber Essentials certificate being issued. Both certifications are valid for twelve months and must be renewed annually to remain current.
Related Cyber Essentials Guides
- Cyber Essentials — The Complete UK Business Guide
- What Is Cyber Essentials? The UK Business Guide
- The Five Cyber Essentials Controls Explained
- How to Pass the Cyber Essentials Self-Assessment Questionnaire
- Cyber Essentials Firewall Requirements Explained