cyber-essentials-vs-cyber-essentials-plus-explained
  • Cyber Essentials
  • 14th Jul 2026
  • 1 min read

Cyber Essentials vs Cyber Essentials Plus Explained

Gabriel Few-Wiegratz
  • Written by
Gabriel Few-Wiegratz
View my profile on
In Short..
  • Cyber Essentials Plus is an extension of the same certification: it adds an independent technical audit on top of the same self-assessment, and you can't hold Plus without first certifying at the basic level.
  • The cost gap is substantial: basic certification is a fixed IASME fee starting at £320+VAT, while Plus is priced individually by assessors and commonly runs £1,500 to £3,000 or more for SMEs.
  • Government contracts drive most Plus requirements: PPN 014 ties the requirement to risk factors, such as personal data or OFFICIAL-classification ICT systems, rather than a fixed contract value, and MOD suppliers face their own parallel cyber risk regime under DEFCON 658.
  • Plus tests what self-assessment can’t: the audit checks firewalls, patching, malware defences, multi-factor authentication, and account separation directly, instead of relying on your own answers to a questionnaire.

Cyber Essentials Plus is an extension of Cyber Essentials: an added layer of independent technical audit on top of the same self-assessment questionnaire. You need a valid Cyber Essentials certificate before an assessor can run the Plus audit, and both levels assess the same five control areas (firewalls, secure configuration, user access control, malware protection, and patch management). The real decision is whether your contracts, sector, or risk appetite justify going beyond self-assessment to independently verified assurance. This guide sets out exactly what changes between the two levels: cost, timing, testing, and contractual requirements.

Expert View

 

Matthew-Davies-768x511-Dec-11-2023-11-07-31-4613-AM

 

Matt Davies

Chief Product Officer, SureCloud

LinkedIn

What our experts say about choosing between Cyber Essentials levels

 

"Most organisations treat Plus as a bigger version of the same form. It's a different exercise. The audit tests what your assessor can observe on sampled devices that day, a harder bar than policy documents alone can meet. Get your device sample genuinely representative before you book it."

What Is the Difference Between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a UK government-backed certification scheme, developed by the National Cyber Security Centre (NCSC) and delivered through IASME, the NCSC's official Cyber Essentials delivery partner. It covers five technical control areas: firewalls, secure configuration, user access control, malware protection, and patch management. Both certification levels assess exactly these five areas; the difference sits entirely in how that assessment happens.

 

Cyber Essentials: Self-Assessment With Assessor Review

 

The basic level uses a self-assessment questionnaire. From April 2026, IASME's Danzell Question Set (the current self-assessment question set, which replaced the previous Willow set) applies to every newly created assessment account. Your organisation completes the questionnaire, a senior signatory confirms the answers are accurate, and a licensed assessor reviews the submission. The assessor checks your answers rather than testing your systems directly, and issues certification once the required controls are demonstrated.

 

This is a declaration of compliance, and it carries real weight, particularly for smaller organisations, based on self-reported answers rather than an independent technical check.

 

Cyber Essentials Plus: Independent Technical Audit

 

Cyber Essentials Plus builds directly on the basic level. Once you hold Cyber Essentials, your assessor conducts a hands-on technical audit of your environment, covering:

  1. External vulnerability scans of every internet-facing system: any exploitable vulnerability scoring 7.0 or above on the CVSS scale is an automatic fail
  2. Authenticated internal scans of a representative sample of devices and servers: checking patch levels, configuration, and account separation
  3. Multi-factor authentication (MFA) verification: now a mandatory pass or fail check across every cloud service in scope
  4. Email and browser-based malware defence tests: using simulated malicious attachments and downloads

The assessor tests whether your controls work in practice, a materially harder bar than whether your policy documents describe them correctly. That gap between self-declared and independently verified assurance is the core distinction between the two levels, and it's why Plus carries more weight with government buyers, defence primes, and cyber insurers, exactly as the NCSC's Cyber Essentials Plus Test Specification defines it. SureCloud's Cyber Essentials resource hub covers the wider scheme if you're still deciding whether either level applies to you.

Cyber Essentials vs Cyber Essentials Plus: Side-by-Side Comparison

Dimension

Cyber Essentials

Cyber Essentials Plus

Assessment type

Self-assessment questionnaire (Danzell Question Set)

Self-assessment plus independent technical audit

Technical testing

None; assessor reviews answers only

External and internal vulnerability scans, MFA checks, malware defence tests

Typical cost

£320-£600+VAT (IASME flat rate, by organisation size)

£1,500-£3,000+ for SMEs; more for complex environments

Typical timeline

2-4 weeks once preparation is complete

6-10 weeks total from scratch (audit adds 4-6 weeks)

Government contracts (PPN 014)

Minimum requirement for in-scope central government, NHS, and public body contracts

Required for higher-risk contracts, for example those involving OFFICIAL-classification ICT or sensitive personal data

Insurance impact

Free cyber liability insurance up to £25,000 for orgs with turnover under £20m

Preferred by insurers for higher levels of cover

Annual renewal

Yes

Yes

 

Both levels require annual renewal. If your Plus certification lapses, you'll need to requalify at both levels; see our guide to Cyber Essentials renewal for timelines and what changes between cycles. The £25,000 cyber liability insurance benefit applies to the whole organisation and is arranged automatically through IASME on certification, provided turnover is under £20m and the organisation opts in.

Cost Breakdown

Cyber Essentials: IASME Flat-Rate Pricing

 

IASME sets fixed fees for the basic level, tiered by organisation size:

 

Organisation size

IASME fee

Micro (0-9 staff)

£320+VAT

Small (10-49 staff)

£440+VAT

Medium (50-249 staff)

£500+VAT

Large (250+ staff)

£600+VAT

 

These fees cover the assessment only. Preparation work, remediation, and the internal time spent completing the questionnaire sit outside IASME's published pricing, which is why our Cyber Essentials cost guide walks through what organisations most often spend on top of the certification fee itself.

 

Cyber Essentials Plus: Assessor-Priced

 

There's no fixed fee for the Plus level. Assessors price the technical audit based on the size and complexity of your environment. As a general guide, SMEs most often pay £1,500 to £3,000 or more, while mid-market and enterprise costs rise significantly with device count, network complexity, and the number of sites in scope.

 

If you already know you'll need Plus, budget for the total cost upfront rather than treating the basic fee as a down payment. But the audit phase is where most of the cost sits.

Contractual Requirements: What PPN 014 Actually Says

Procurement Policy Note 014 (PPN 014) is the Cabinet Office guidance (see the full PPN 014 text on GOV.UK) that makes Cyber Essentials or Cyber Essentials Plus a contractual requirement across central government departments, non-departmental public bodies, and NHS bodies. The requirement is risk-based, tied to specific contract characteristics rather than a fixed contract value.

 

In-scope buyers must require certification where a contract involves personal data belonging to citizens or government staff, ICT systems handling data at the OFFICIAL classification level, or information related to core government business, defence, security, or public finances. PPN 014 explicitly warns against a blanket approach: buyers must apply the requirement only where it's proportionate and necessary to that specific contract's risk.

 

Beyond central government, several sectors carry their own requirements. MOD suppliers fall under DEFCON 658, the contract condition for the Ministry of Defence's own Cyber Security Model. Under the current version of that model, compliance is verified through the MOD's own Supplier Assurance Questionnaire and Defence Cyber Certification (delivered via IASME) rather than a standalone Cyber Essentials Plus certificate, though many MOD contracts carry a parallel Cyber Essentials or Cyber Essentials Plus requirement under general government procurement rules as well.

 

NHS digital service contracts increasingly expect Plus for suppliers of business-critical systems, particularly following the DTAC v2 update in April 2026. Many private-sector organisations, especially in financial services and critical infrastructure, now build Plus into their own supplier due diligence, independent of any government contract.

 

If you supply into any of these categories, or expect to, treat Plus as the baseline you're building towards now.

Which Level Do You Need?

Use these four scenarios to work out which level fits your organisation.

 

You Need to Bid for Central Government Contracts

 

If you supply central government and your contracts involve personal data, OFFICIAL-classification ICT systems, or core government business, you need Cyber Essentials as a minimum. Where a contract's risk characteristics point to Plus (higher classification, larger data volumes, or defence and security content) plan for the technical audit before your next tender or renewal cycle. Start with basic certification to establish the baseline, then schedule the Plus audit once your risk profile is clear.

 

You Work With MOD, NHS, or Handle Sensitive Personal Data

 

MOD suppliers face their own cyber risk regime under DEFCON 658 and the Cyber Security Model, alongside any Cyber Essentials Plus requirement that applies through general government procurement rules. NHS digital service contracts are moving the same way for business-critical systems, increasingly expecting Plus. If you're in scope for Plus specifically, the practical work is scoping your device sample and clearing remediation before the audit date, which is exactly what our Cyber Essentials Plus audit preparation guide walks through.

 

Your Enterprise Clients Require It in Supplier Due Diligence

 

Enterprise clients, particularly in financial services, legal, and critical infrastructure, increasingly specify Cyber Essentials Plus in their supplier questionnaires. Basic certification may satisfy today's contract but fall short at the next renewal. If your clients operate in regulated sectors, plan for Plus now rather than waiting for a client to require it.

 

You Want Verified Assurance Rather Than Self-Declared Compliance

 

This is the strategic case, independent of any contractual requirement. Self-assessment tells you what you believe about your controls; the Plus audit tests what's actually true. Organisations that pursue Plus often find gaps between the two that only the hands-on audit surfaces.

 

First-attempt pass rates are consistently lower for Plus than for basic certification. The technical audit surfaces control gaps, misconfigured MFA, unpatched devices, weak account separation, that self-assessment alone doesn't catch. That gap is exactly why Plus carries more weight with government buyers and insurers.

 

If you're not sure which level you need, assume Plus is coming. The scenarios above cover most cases where basic certification is genuinely sufficient long-term. Outside them, the extra rigour of Plus is almost always worth the investment, even before a client or contract demands it.

 

Our complete Cyber Essentials requirements guide walks through the full control set at both levels for organisations building their environment from scratch, while our guide to Cyber Essentials Plus: what it really tests goes deeper on the audit mechanics for anyone who wants to see exactly what an assessor checks before booking one.

See How SureCloud Keeps Certifications Audit-Ready

Gracie AI Agents with Personas and Skills track control evidence continuously across every certification you hold, including Cyber Essentials, keeping audit prep grounded in evidence you've already verified. Customers using SureCloud report a 75% reduction in audit prep time.
Related articles:
  • Cyber Essentials

Cyber Essentials Cost: What UK Organisations Pay

  • Cyber Security
  • Cyber Essentials

Cyber Essentials Plus: How to Operationalise It

  • Cyber Essentials

The 5 Cyber Essentials Controls Explained

Share this article

FAQ’s

Can I skip Cyber Essentials and go straight to Plus?

No, Cyber Essentials Plus isn't sold as a standalone certification. You need a valid Cyber Essentials certificate before your assessor can run the Plus technical audit, and most organisations complete both assessments in a single engagement with the same assessor.

How much does Cyber Essentials Plus cost?

There's no fixed fee, since individual assessors price the Plus audit rather than IASME. For SMEs, expect to pay between £1,500 and £3,000 or more, depending on device count and environment complexity. The basic Cyber Essentials assessment is fixed by IASME at £320 to £600+VAT depending on organisation size.

Is Cyber Essentials Plus mandatory?

It depends on your contracts and sector. Under PPN 014, central government, NHS, and public bodies must require Cyber Essentials or Cyber Essentials Plus where a contract involves personal data, OFFICIAL-classification ICT, or sensitive government business, with Plus reserved for the higher-risk end of that range. MOD suppliers fall under DEFCON 658 and the Ministry of Defence's own Cyber Security Model, which can carry a parallel Cyber Essentials Plus requirement depending on the contract, and NHS digital service contracts increasingly expect it for business-critical systems. Outside these categories, Plus isn't legally mandatory, but enterprise clients in regulated sectors expect it more each year.

How long does Cyber Essentials Plus take?

Basic Cyber Essentials usually takes two to four weeks once your preparation is complete. The Plus technical audit adds a further four to six weeks, so allow six to ten weeks in total if you're starting from scratch. Timelines vary depending on assessor availability and how much remediation your first scan turns up.

What's actually tested during a Cyber Essentials Plus audit?

Your assessor runs an external vulnerability scan of every internet-facing system, an authenticated internal scan of a representative device sample, and dedicated checks for multi-factor authentication and account separation. They also test your malware defences directly, sending simulated malicious files by email and download to confirm your controls catch them. Any exploitable vulnerability scoring 7.0 or above on the CVSS scale is an automatic fail.

Does Cyber Essentials Plus replace ISO 27001 or other frameworks?

No. Cyber Essentials Plus verifies five specific technical controls. ISO 27001, the international standard for information security management systems, covers governance, risk treatment, and a much wider scope of controls. Many organisations hold both, since they answer different questions for different buyers.