- Cyber Essentials
- 14th Jul 2026
- 1 min read
Cyber Essentials vs Cyber Essentials Plus Explained
- Written by
In Short..
- Cyber Essentials Plus is an extension of the same certification: it adds an independent technical audit on top of the same self-assessment, and you can't hold Plus without first certifying at the basic level.
- The cost gap is substantial: basic certification is a fixed IASME fee starting at £320+VAT, while Plus is priced individually by assessors and commonly runs £1,500 to £3,000 or more for SMEs.
- Government contracts drive most Plus requirements: PPN 014 ties the requirement to risk factors, such as personal data or OFFICIAL-classification ICT systems, rather than a fixed contract value, and MOD suppliers face their own parallel cyber risk regime under DEFCON 658.
- Plus tests what self-assessment can’t: the audit checks firewalls, patching, malware defences, multi-factor authentication, and account separation directly, instead of relying on your own answers to a questionnaire.
Cyber Essentials Plus is an extension of Cyber Essentials: an added layer of independent technical audit on top of the same self-assessment questionnaire. You need a valid Cyber Essentials certificate before an assessor can run the Plus audit, and both levels assess the same five control areas (firewalls, secure configuration, user access control, malware protection, and patch management). The real decision is whether your contracts, sector, or risk appetite justify going beyond self-assessment to independently verified assurance. This guide sets out exactly what changes between the two levels: cost, timing, testing, and contractual requirements.
Expert View
|
Matt Davies Chief Product Officer, SureCloud |
What our experts say about choosing between Cyber Essentials levels
"Most organisations treat Plus as a bigger version of the same form. It's a different exercise. The audit tests what your assessor can observe on sampled devices that day, a harder bar than policy documents alone can meet. Get your device sample genuinely representative before you book it." |
What Is the Difference Between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a UK government-backed certification scheme, developed by the National Cyber Security Centre (NCSC) and delivered through IASME, the NCSC's official Cyber Essentials delivery partner. It covers five technical control areas: firewalls, secure configuration, user access control, malware protection, and patch management. Both certification levels assess exactly these five areas; the difference sits entirely in how that assessment happens.
Cyber Essentials: Self-Assessment With Assessor Review
The basic level uses a self-assessment questionnaire. From April 2026, IASME's Danzell Question Set (the current self-assessment question set, which replaced the previous Willow set) applies to every newly created assessment account. Your organisation completes the questionnaire, a senior signatory confirms the answers are accurate, and a licensed assessor reviews the submission. The assessor checks your answers rather than testing your systems directly, and issues certification once the required controls are demonstrated.
This is a declaration of compliance, and it carries real weight, particularly for smaller organisations, based on self-reported answers rather than an independent technical check.
Cyber Essentials Plus: Independent Technical Audit
Cyber Essentials Plus builds directly on the basic level. Once you hold Cyber Essentials, your assessor conducts a hands-on technical audit of your environment, covering:
- External vulnerability scans of every internet-facing system: any exploitable vulnerability scoring 7.0 or above on the CVSS scale is an automatic fail
- Authenticated internal scans of a representative sample of devices and servers: checking patch levels, configuration, and account separation
- Multi-factor authentication (MFA) verification: now a mandatory pass or fail check across every cloud service in scope
- Email and browser-based malware defence tests: using simulated malicious attachments and downloads
The assessor tests whether your controls work in practice, a materially harder bar than whether your policy documents describe them correctly. That gap between self-declared and independently verified assurance is the core distinction between the two levels, and it's why Plus carries more weight with government buyers, defence primes, and cyber insurers, exactly as the NCSC's Cyber Essentials Plus Test Specification defines it. SureCloud's Cyber Essentials resource hub covers the wider scheme if you're still deciding whether either level applies to you.
Cyber Essentials vs Cyber Essentials Plus: Side-by-Side Comparison
|
Dimension |
Cyber Essentials |
Cyber Essentials Plus |
|
Assessment type |
Self-assessment questionnaire (Danzell Question Set) |
Self-assessment plus independent technical audit |
|
Technical testing |
None; assessor reviews answers only |
External and internal vulnerability scans, MFA checks, malware defence tests |
|
Typical cost |
£320-£600+VAT (IASME flat rate, by organisation size) |
£1,500-£3,000+ for SMEs; more for complex environments |
|
Typical timeline |
2-4 weeks once preparation is complete |
6-10 weeks total from scratch (audit adds 4-6 weeks) |
|
Government contracts (PPN 014) |
Minimum requirement for in-scope central government, NHS, and public body contracts |
Required for higher-risk contracts, for example those involving OFFICIAL-classification ICT or sensitive personal data |
|
Insurance impact |
Free cyber liability insurance up to £25,000 for orgs with turnover under £20m |
Preferred by insurers for higher levels of cover |
|
Annual renewal |
Yes |
Yes |
Both levels require annual renewal. If your Plus certification lapses, you'll need to requalify at both levels; see our guide to Cyber Essentials renewal for timelines and what changes between cycles. The £25,000 cyber liability insurance benefit applies to the whole organisation and is arranged automatically through IASME on certification, provided turnover is under £20m and the organisation opts in.
Cost Breakdown
Cyber Essentials: IASME Flat-Rate Pricing
IASME sets fixed fees for the basic level, tiered by organisation size:
|
Organisation size |
IASME fee |
|
Micro (0-9 staff) |
£320+VAT |
|
Small (10-49 staff) |
£440+VAT |
|
Medium (50-249 staff) |
£500+VAT |
|
Large (250+ staff) |
£600+VAT |
These fees cover the assessment only. Preparation work, remediation, and the internal time spent completing the questionnaire sit outside IASME's published pricing, which is why our Cyber Essentials cost guide walks through what organisations most often spend on top of the certification fee itself.
Cyber Essentials Plus: Assessor-Priced
There's no fixed fee for the Plus level. Assessors price the technical audit based on the size and complexity of your environment. As a general guide, SMEs most often pay £1,500 to £3,000 or more, while mid-market and enterprise costs rise significantly with device count, network complexity, and the number of sites in scope.
If you already know you'll need Plus, budget for the total cost upfront rather than treating the basic fee as a down payment. But the audit phase is where most of the cost sits.
Contractual Requirements: What PPN 014 Actually Says
Procurement Policy Note 014 (PPN 014) is the Cabinet Office guidance (see the full PPN 014 text on GOV.UK) that makes Cyber Essentials or Cyber Essentials Plus a contractual requirement across central government departments, non-departmental public bodies, and NHS bodies. The requirement is risk-based, tied to specific contract characteristics rather than a fixed contract value.
In-scope buyers must require certification where a contract involves personal data belonging to citizens or government staff, ICT systems handling data at the OFFICIAL classification level, or information related to core government business, defence, security, or public finances. PPN 014 explicitly warns against a blanket approach: buyers must apply the requirement only where it's proportionate and necessary to that specific contract's risk.
Beyond central government, several sectors carry their own requirements. MOD suppliers fall under DEFCON 658, the contract condition for the Ministry of Defence's own Cyber Security Model. Under the current version of that model, compliance is verified through the MOD's own Supplier Assurance Questionnaire and Defence Cyber Certification (delivered via IASME) rather than a standalone Cyber Essentials Plus certificate, though many MOD contracts carry a parallel Cyber Essentials or Cyber Essentials Plus requirement under general government procurement rules as well.
NHS digital service contracts increasingly expect Plus for suppliers of business-critical systems, particularly following the DTAC v2 update in April 2026. Many private-sector organisations, especially in financial services and critical infrastructure, now build Plus into their own supplier due diligence, independent of any government contract.
If you supply into any of these categories, or expect to, treat Plus as the baseline you're building towards now.
Which Level Do You Need?
Use these four scenarios to work out which level fits your organisation.
You Need to Bid for Central Government Contracts
If you supply central government and your contracts involve personal data, OFFICIAL-classification ICT systems, or core government business, you need Cyber Essentials as a minimum. Where a contract's risk characteristics point to Plus (higher classification, larger data volumes, or defence and security content) plan for the technical audit before your next tender or renewal cycle. Start with basic certification to establish the baseline, then schedule the Plus audit once your risk profile is clear.
You Work With MOD, NHS, or Handle Sensitive Personal Data
MOD suppliers face their own cyber risk regime under DEFCON 658 and the Cyber Security Model, alongside any Cyber Essentials Plus requirement that applies through general government procurement rules. NHS digital service contracts are moving the same way for business-critical systems, increasingly expecting Plus. If you're in scope for Plus specifically, the practical work is scoping your device sample and clearing remediation before the audit date, which is exactly what our Cyber Essentials Plus audit preparation guide walks through.
Your Enterprise Clients Require It in Supplier Due Diligence
Enterprise clients, particularly in financial services, legal, and critical infrastructure, increasingly specify Cyber Essentials Plus in their supplier questionnaires. Basic certification may satisfy today's contract but fall short at the next renewal. If your clients operate in regulated sectors, plan for Plus now rather than waiting for a client to require it.
You Want Verified Assurance Rather Than Self-Declared Compliance
This is the strategic case, independent of any contractual requirement. Self-assessment tells you what you believe about your controls; the Plus audit tests what's actually true. Organisations that pursue Plus often find gaps between the two that only the hands-on audit surfaces.
First-attempt pass rates are consistently lower for Plus than for basic certification. The technical audit surfaces control gaps, misconfigured MFA, unpatched devices, weak account separation, that self-assessment alone doesn't catch. That gap is exactly why Plus carries more weight with government buyers and insurers.
If you're not sure which level you need, assume Plus is coming. The scenarios above cover most cases where basic certification is genuinely sufficient long-term. Outside them, the extra rigour of Plus is almost always worth the investment, even before a client or contract demands it.
Our complete Cyber Essentials requirements guide walks through the full control set at both levels for organisations building their environment from scratch, while our guide to Cyber Essentials Plus: what it really tests goes deeper on the audit mechanics for anyone who wants to see exactly what an assessor checks before booking one.
See How SureCloud Keeps Certifications Audit-Ready
FAQ’s
Can I skip Cyber Essentials and go straight to Plus?
No, Cyber Essentials Plus isn't sold as a standalone certification. You need a valid Cyber Essentials certificate before your assessor can run the Plus technical audit, and most organisations complete both assessments in a single engagement with the same assessor.
How much does Cyber Essentials Plus cost?
There's no fixed fee, since individual assessors price the Plus audit rather than IASME. For SMEs, expect to pay between £1,500 and £3,000 or more, depending on device count and environment complexity. The basic Cyber Essentials assessment is fixed by IASME at £320 to £600+VAT depending on organisation size.
Is Cyber Essentials Plus mandatory?
It depends on your contracts and sector. Under PPN 014, central government, NHS, and public bodies must require Cyber Essentials or Cyber Essentials Plus where a contract involves personal data, OFFICIAL-classification ICT, or sensitive government business, with Plus reserved for the higher-risk end of that range. MOD suppliers fall under DEFCON 658 and the Ministry of Defence's own Cyber Security Model, which can carry a parallel Cyber Essentials Plus requirement depending on the contract, and NHS digital service contracts increasingly expect it for business-critical systems. Outside these categories, Plus isn't legally mandatory, but enterprise clients in regulated sectors expect it more each year.
How long does Cyber Essentials Plus take?
Basic Cyber Essentials usually takes two to four weeks once your preparation is complete. The Plus technical audit adds a further four to six weeks, so allow six to ten weeks in total if you're starting from scratch. Timelines vary depending on assessor availability and how much remediation your first scan turns up.
What's actually tested during a Cyber Essentials Plus audit?
Your assessor runs an external vulnerability scan of every internet-facing system, an authenticated internal scan of a representative device sample, and dedicated checks for multi-factor authentication and account separation. They also test your malware defences directly, sending simulated malicious files by email and download to confirm your controls catch them. Any exploitable vulnerability scoring 7.0 or above on the CVSS scale is an automatic fail.
Does Cyber Essentials Plus replace ISO 27001 or other frameworks?
No. Cyber Essentials Plus verifies five specific technical controls. ISO 27001, the international standard for information security management systems, covers governance, risk treatment, and a much wider scope of controls. Many organisations hold both, since they answer different questions for different buyers.
Platform +
Frameworks +
Products +
Industries +
Resources +
Company +
London Office
1 Sherwood Street, London, W1F 7BL, United Kingdom
US Headquarters
6010 W. Spring Creek Pkwy., Plano, TX 75024, United States of America
© SureCloud 2026. All rights reserved.
