The comparison
Cyber Essentials vs Cyber Essentials Plus
Same five controls, very different assurance. Basic Cyber Essentials is a self-assessment your business signs; Cyber Essentials Plus adds an independent audit that tests your devices. Which one you need depends almost entirely on who is asking for the certificate.
| Factor | Cyber Essentials (basic) | Cyber Essentials Plus |
|---|---|---|
| How it is assessed | Self-assessment questionnaire, signed off by your board and marked by an assessor | Everything in basic, plus an independent hands-on technical audit of your systems |
| What gets tested | Your answers about the five control areas | A sample of your actual devices: patching, configuration, malware defences, MFA and account separation |
| Level of assurance | A declaration: you say the controls are in place | Independent evidence: an assessor verified the controls work |
| Typical effort | Days: answer the questionnaire accurately and fix anything it exposes | Weeks: readiness, remediation and an audit day, inside three months of the basic assessment |
| Cost | Fixed by IASME: £320 to £600 + VAT depending on company size | Market rate by company size; see our published bands |
| Who accepts it | A reasonable baseline for many commercial relationships | The level increasingly demanded by government frameworks, MOD supply chains, insurers and enterprise procurement |
| Validity | Twelve months | Twelve months |
Exact figures for both levels, including what is bundled into our Plus bands, are on the cost page.
The decision, by situation
Which level your situation actually requires
Most comparison pages stop at the definitions. The useful question is what the people asking for your certificate will accept.
Bidding for government work
Procurement policy requires Cyber Essentials for central government contracts involving personal data or certain services, and buyers often specify Plus. Check the tender wording: if it says independently assessed, that means Plus.
In a defence supply chain
MOD-related work flows certification requirements down to suppliers, with the audited level expected where sensitive information is involved. If your customer supplies the MOD, expect the requirement to reach you.
Satisfying insurers and enterprise customers
Security questionnaires and cyber insurance applications increasingly distinguish between the levels. Plus answers the question with evidence rather than assertion, which shortens procurement conversations.
Just want the baseline done properly
If nobody is demanding a certificate yet, basic Cyber Essentials is the fastest way to force the hygiene fundamentals. The three month upgrade window means you can step up to Plus when a contract asks for it.
The short version
If anyone external needs to trust the certificate, get Plus. If the certificate is for your own discipline, basic gets the same controls in place for less, and the scheme's three month window lets you upgrade to Plus on the same self-assessment when a contract demands it. Either way, do the basic level accurately: a wrong answer on the questionnaire becomes a failed check at the Plus audit.
Quick answers
Basic or Plus, answered
Is Cyber Essentials Plus worth it over basic Cyber Essentials?
It depends who you need to convince. If a framework, customer or insurer requires independent assurance, only Plus satisfies it. If nothing external demands a certificate, basic Cyber Essentials still forces the same five controls into place at lower cost, and you can upgrade within three months.
Can I go straight to Cyber Essentials Plus?
No. The basic self-assessment is a prerequisite, and the Plus audit must be completed within three months of it. In practice this is not a burden: most businesses run both as a single engagement, which is how our service works.
Do both levels cover the same controls?
Yes. Firewalls, secure configuration, security update management, user access control and malware protection apply at both levels. The difference is purely in assurance: basic takes your word for it, Plus verifies a sample of devices.
How much more does Plus cost than basic?
Basic Cyber Essentials is fixed by IASME at £320 to £600 plus VAT depending on company size. Plus adds the independent audit and typically runs into four figures across the UK market. Our cost page publishes both levels side by side.
Still deciding?
Tell us who is asking for your certificate
A free 45 minute discovery call settles which level your contracts actually require and what it will cost. No obligation, no hard sell.