Cyber Essentials · May 2026 · 5 min read

Cyber Essentials vs Cyber Essentials Plus: Which Does Your Business Actually Need?

There are two levels of Cyber Essentials certification — and most small businesses don't need the more expensive one. Here's how to tell which is right for you.

Two levels of certification

When people talk about "Cyber Essentials," they're often unaware that there are two distinct levels of certification: Cyber Essentials and Cyber Essentials Plus. They cover the same five control areas, but the verification process is very different, as are the cost and effort involved.

Understanding the difference matters because most small businesses only need the base level, and paying for Cyber Essentials Plus when it isn't required is an avoidable cost.

Cyber Essentials — the base level

Cyber Essentials is a self-assessment certification. You complete a detailed questionnaire covering the five control areas — firewalls, secure configuration, access control, malware protection, and patch management — and submit it to an accredited certification body. An assessor reviews your answers and, if they meet the standard, issues a certificate.

The key word here is self-assessment. The assessor reviews your answers but does not independently verify them through technical testing. You are declaring that the controls described are in place.

Cyber Essentials at a glance

  • Self-assessment questionnaire reviewed by an accredited assessor
  • No technical testing of your systems
  • Certificate valid for 12 months
  • Cost: from approximately £300 plus VAT
  • Time required: half a day to complete the questionnaire
  • Suitable for: most small businesses, government contract requirements

Cyber Essentials Plus — the technical verification level

Cyber Essentials Plus includes everything in the base level, plus an independent technical audit of your systems. An accredited assessor tests your computers, devices, and network to verify that the controls you've declared are actually in place and working.

This testing typically includes vulnerability scanning, checking software patch levels, testing email filtering, and verifying that MFA is functioning as described. It's conducted remotely or on-site depending on the assessor and the nature of your systems.

Cyber Essentials Plus at a glance

  • Everything in Cyber Essentials, plus independent technical testing
  • Assessor verifies controls are actually working
  • Certificate valid for 12 months
  • Cost: typically £1,500 to £3,000 plus VAT depending on organisation size
  • Time required: several days including preparation and testing
  • Suitable for: organisations handling sensitive government data, defence supply chain, higher-risk sectors

Which do you actually need?

For most small businesses, the answer is Cyber Essentials — the base level. Here's how to tell:

You probably need Cyber Essentials (base level) if:

  • You're applying for a government contract that requires Cyber Essentials
  • A client has asked you to have Cyber Essentials certification
  • You want to demonstrate basic security standards for insurance or due diligence
  • You're a typical small business — professional services, trades, retail, healthcare

You may need Cyber Essentials Plus if:

  • You're working in the MOD supply chain or on sensitive government contracts
  • A specific contract explicitly requires Cyber Essentials Plus
  • You handle particularly sensitive personal or commercial data
  • Your client or insurer specifically asks for it

Before you apply for either

Whether you're going for the base level or Plus, a self-assessment against the five control areas before you apply is the most useful preparation you can do. It tells you where your gaps are, lets you fix them before the formal assessment, and means you're not paying for an assessment only to fail and have to apply again.

Our assessment tool covers all five Cyber Essentials control areas in plain English, identifies your gaps, and produces a professional report showing your current posture and priority actions. Many businesses use it as a preparation step before pursuing formal certification.

At £49, it costs significantly less than discovering gaps during the formal certification process.
