If you've looked into cyber security certification for your business, you'll have come across Cyber Essentials. You may also have seen Cyber Essentials Plus and wondered what the difference is, which one you need, and what it actually involves. Here's a clear breakdown.
What is Cyber Essentials?
Cyber Essentials is a UK Government-backed certification scheme run by the National Cyber Security Centre (NCSC). It was created to help businesses of all sizes demonstrate that they have the basic cyber security controls in place to protect against the most common online threats.
The certification covers five key technical controls:
- Firewalls – ensuring boundary firewalls are properly configured
- Secure configuration – removing unnecessary software, disabling default passwords, restricting admin access
- Access control – ensuring only authorised users can access systems and data
- Malware protection – anti-malware software installed and up to date
- Patch management – software and operating systems kept up to date with security patches
These five controls protect against an estimated 80% of common cyber attacks, according to the NCSC. Most breaches exploit gaps in exactly these areas.
Cyber Essentials vs Cyber Essentials Plus – the key difference
The difference comes down to self-assessment vs independent verification:
- Cyber Essentials – you complete a detailed self-assessment questionnaire about your security controls. An independent assessor reviews your answers. If they're satisfied, you're certified.
- Cyber Essentials Plus – same as above, but additionally, an independent technical expert visits (or connects remotely to) your systems and actually tests that the controls are working as described. They run vulnerability scans, test your patch status, and verify your defences hands-on.
Cyber Essentials Plus is significantly more rigorous – and significantly more credible as a result.
Which one should my business get?
For most South Wales SMEs, Cyber Essentials is the right starting point. It's accessible, affordable, and demonstrates a meaningful commitment to security.
You should consider Cyber Essentials Plus if:
- You work with the UK Government or public sector – many contracts now require CE Plus
- You're in a regulated industry (financial services, healthcare, legal) where stronger evidence of controls is expected
- Your clients are larger enterprises that require it from their supply chain
- You've had a security incident and want independent verification that you're now properly protected
- You want the strongest possible signal to clients and partners that your security is taken seriously
What does certification cost?
Government certification fees (paid to the certifying body) start from around £300–£500 for Cyber Essentials and £1,500–£3,000 for Cyber Essentials Plus, depending on your organisation size.
On top of the certification fee, most businesses need some preparation work – ensuring your systems actually meet the requirements before you apply. This is where companies like us come in.
We offer a pre-assessment that identifies any gaps before you submit for certification – so you're not paying for a certification attempt you're not ready for.
Benefits beyond the certificate
Beyond the certificate itself, the Cyber Essentials process has real practical benefits:
- NCSC Cyber Liability Insurance – certified businesses can access cyber liability insurance through the scheme
- Government contracts – many public sector contracts require CE certification from suppliers
- Client trust – it gives clients, particularly larger ones, confidence in your security posture
- Actual security improvement – the process of achieving the certification forces you to fix things that genuinely need fixing
🛡️ We're Cyber Essentials certified and help South Wales businesses achieve certification. We can assess your readiness, fix any gaps, guide you through the application process, and manage the ongoing maintenance to keep you certified year after year.
How long does it take?
For a well-prepared organisation, the Cyber Essentials questionnaire takes a few hours to complete. If remediation work is needed first, allow 2–4 weeks. Cyber Essentials Plus adds another 1–2 weeks for the technical verification stage.
Certification is valid for 12 months and needs to be renewed annually.
Free consultation for South Wales businesses. No obligation, no jargon.