Cyber Essentials · 1 July 2026
Cyber Essentials vs Cyber Essentials Plus: what's the difference?
Cyber Essentials and Cyber Essentials Plus are two levels of the same UK government-backed scheme. They protect against the same threats and cover exactly the same five technical controls — the difference is entirely in how your compliance is verified. One is a self-assessment; the other adds an independent, hands-on technical audit. This guide explains what each involves, how they differ, and how to choose.
What each one is
Both certifications are built on the five core controls defined by the National Cyber Security Centre (NCSC) and delivered through IASME, the scheme’s official partner. Those five controls — firewalls, secure configuration, security update management, user access control, and malware protection — guard against the most common internet-based attacks. Our guide to the five Cyber Essentials controls walks through each one.
Cyber Essentials is a self-assessment. You complete a questionnaire describing how your organisation meets the five controls, a senior person signs it off, and an IASME-appointed certification body reviews and marks your answers. If they pass, you receive your certificate. It is quick, affordable and a solid baseline. Learn more on our Cyber Essentials service page.
Cyber Essentials Plus starts from a valid Cyber Essentials self-assessment and adds an independent technical audit. A qualified assessor tests a sample of your devices and systems directly — checking patching, configuration and malware protection, and often running simulated attacks such as testing whether a malicious email attachment could execute. It is the same five controls, but verified in practice rather than by declaration. See our Cyber Essentials Plus service page for detail.
Side-by-side comparison
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Controls covered | The five NCSC controls | The same five NCSC controls |
| Verification | Self-assessment questionnaire | Independent hands-on technical audit |
| Who checks it | IASME certification body reviews answers | Qualified assessor tests your systems |
| Evidence | Your declared answers | Tested devices and simulated attacks |
| Assurance level | Good baseline | Higher, independently verified |
| Effort required | Lower | Higher — audit access and scheduling |
| Cost | Lower fee | Higher fee (audit included) |
| Prerequisite | None | A valid Cyber Essentials certification |
| Validity | 12 months | 12 months |
The key differences
The single defining difference is independent verification. With Cyber Essentials, you tell the certification body that your controls are in place; with Cyber Essentials Plus, an assessor comes and checks that they genuinely are. That hands-on testing is why Cyber Essentials Plus carries more weight where higher assurance is needed.
The two also differ in effort and cost. Cyber Essentials is faster and cheaper because there is no on-site or remote technical audit to arrange. Cyber Essentials Plus takes more coordination — the assessor needs access to a representative sample of your devices and users — and the fee is higher because it includes that audit work.
What does not differ is the security bar itself. Both require the same five controls to the same technical standard. Cyber Essentials Plus does not ask for more controls; it asks for proof that the controls already claimed are working.
There is also a difference in how it feels to prepare. For the self-assessment, the main task is understanding your own environment well enough to answer the questionnaire accurately — which devices are in scope, how they are configured, and how access is managed. For the Plus audit, you additionally need to make a representative sample of devices and user accounts available to the assessor and arrange a suitable time for the testing. Neither is onerous, but the Plus level involves a little more logistics because a real person is checking real systems rather than reviewing a written declaration.
Which do you need?
For many small organisations, Cyber Essentials is the right starting point. It gives you a recognised certificate, demonstrates good baseline hygiene, and satisfies a wide range of customers and some public-sector requirements.
You should look at Cyber Essentials Plus when:
- a contract or tender specifically asks for it — some public-sector and larger commercial buyers now require the Plus level;
- you handle sensitive data and want the higher assurance that independent testing provides;
- you want the confidence of an external audit confirming your controls really work, not just that they were declared.
Because the Plus audit builds directly on the self-assessment, the usual route is to achieve Cyber Essentials first and then progress to the Plus audit within three months, while the same evidence is fresh.
Can you need both — and how they relate?
In practical terms you do not hold two separate certifications: Cyber Essentials Plus includes and extends Cyber Essentials. You cannot obtain the Plus level without first passing the standard self-assessment, so achieving Plus means you have effectively done both. Think of it as one scheme with two levels of assurance rather than two competing products.
This makes the decision less about “either/or” and more about “how far”. Start with the baseline self-assessment to get your controls in order, then decide whether the independent audit is worth the extra step for your customers and risk profile.
It is also worth understanding where Cyber Essentials sits in the wider picture. It maps neatly onto the cyber sections of the DSPT, so care providers often find it makes their toolkit submission easier. For organisations wanting a broader, risk-based framework, Cyber Essentials is a natural stepping stone towards IASME Cyber Assurance or full ISO 27001 certification — a progression we explore in our guide on Cyber Essentials vs ISO 27001. If any terms are unfamiliar, the glossary explains them plainly.
Not sure which you need?
Whether the self-assessment is enough or an independent audit is worth the extra step depends on what your customers ask for and how sensitive your data is. We are happy to look at your requirements and recommend the right level through a straightforward, fixed-fee engagement, supporting you through the assessment either way. For a friendly, no-obligation chat, get in touch.