Straight answers
Cyber Essentials Plus, answered
The questions UK businesses ask us most about Cyber Essentials and Cyber Essentials Plus, answered plainly by the practitioners who deliver certification. If your question is not here, bring it to a discovery call and it gets answered the same plain way.
What is Cyber Essentials?
Cyber Essentials is the UK government-backed certification scheme, run by the NCSC and delivered through IASME, that certifies five baseline technical controls: firewalls, secure configuration, security update management, user access control and malware protection. It exists to block the common, commodity attacks that cause most UK breaches.
What is Cyber Essentials Plus?
Cyber Essentials Plus is the audited level of the scheme. It covers the same five controls as basic Cyber Essentials, but an independent assessor tests a sample of your devices to verify the controls genuinely work, rather than relying on your self-assessment answers.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Assurance. Basic Cyber Essentials is a questionnaire your business answers about itself; Plus adds a hands-on technical audit of sampled devices by an independent assessor. Same controls, very different evidence, and contracts increasingly specify which level they will accept.
How much does Cyber Essentials cost?
Basic Cyber Essentials is priced by IASME at £320 to £600 plus VAT depending on your company size. Cyber Essentials Plus adds the independent audit; our all-in bands by company size, covering readiness, remediation support and the assessment, are published in full on the cost page.
How long does Cyber Essentials Plus take?
Typically two to six weeks end to end. The audit itself is around a day; the variable is how much remediation your estate needs first. The Plus audit must also happen within three months of your basic self-assessment, which we schedule as part of the engagement.
How long does the certificate last?
Twelve months at both levels. Renewal means passing the current version of the assessment again, questionnaire and audit included for Plus, so treat the expiry date like an MOT rather than a formality.
What happens if I fail Cyber Essentials Plus?
Assessor time is paid for whether you pass or not, and a fresh assessment means paying again, which is why preparation matters more than the audit itself. Our engagements run every audit check in advance and fix what fails before the assessment is booked, so failure is the exception rather than a budgeted risk.
Who needs Cyber Essentials Plus?
Anyone whose contracts demand independently verified security: suppliers to central government and the MOD, businesses answering enterprise security questionnaires, and organisations whose insurers distinguish between self-assessed and audited controls. If nobody external needs the certificate, basic Cyber Essentials may be enough to start.
What does the assessor actually check?
A sample of your devices is tested for missing patches and vulnerabilities, malware protection is tested with real file downloads and email attachments, and the assessor verifies account separation, screen locks and multi-factor authentication on your cloud services. It all follows the scheme's published test specification.
Does Cyber Essentials Plus include a penetration test?
No. The Plus audit verifies baseline controls against a fixed specification; it does not attempt to break into your systems the way a penetration test does. The two answer different questions, and plenty of businesses sensibly do both.
Who actually issues the certificate?
Certificates are issued through IASME-licensed certification bodies under the NCSC's scheme. CyPro's role is getting you ready, arranging the assessment and supporting you through it; the audit itself is always independent, which is precisely what makes the certificate worth holding.
What does Cyber Essentials not cover?
The scheme certifies preventive basics. It says nothing about whether anyone would notice an attack in progress, how you would respond to an incident, or how your risks are governed. Monitoring, detection, response and strategy sit outside it, which is why we hand every certified client a map of what to consider next.
Are personal phones and home workers in scope?
Usually yes. Devices that access organisational data or services, including BYOD phones and tablets and home working setups, fall inside the scheme's scope rules. Declaring scope accurately at the start avoids the audit-day discovery that half your estate was never assessed.
How do I check whether a company holds Cyber Essentials?
The NCSC publishes a search of current certificates on its website. If a supplier claims certification, the register is the two-minute way to verify the claim and its expiry date.
One question left?
Ask it on a free discovery call
Forty-five minutes, no obligation, and you will leave knowing which level you need and what it will cost either way.