Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Cyber Essentials vs. Cyber Essentials Plus: Key Differences

Published 11/26/2024

Home
Industry Insights
Cyber Essentials vs. Cyber Essentials Plus: Key Differences

Originally published by Vanta.


If you wish to fortify your organization’s cybersecurity posture, obtaining a Cyber Essentials certification is a good idea. It enables IT managers to be more aware of the cybersecurity risks in their environment and take actionable steps to mitigate them. Before you pursue it, though, you should decide between two certification levels: Cyber Essentials and Cyber Essentials Plus.

While both are cybersecurity assurance schemes, Cyber Essentials Plus offers a greater level of assurance. Still, the main reason why many organizations weigh these options carefully is the price difference.

‍In this guide, you’ll learn about the difference between the two schemes and what to expect with each. Here’s what we’ll cover:

  • Basic differences in the certification process between Cyber Essentials and Cyber Essentials Plus.
  • The pricing structure of both certification levels.
  • Other factors you should consider when making a decision.

Basic certification level: Cyber Essentials

Cyber Essentials is a U.K. government-owned cybersecurity assurance scheme—although organizations can apply for certification regardless of their geographic location. The first certification level aims to provide organizations with simple controls for implementing fundamental cybersecurity measures.

More specifically, this assurance scheme involves an online assessment revolving around the following five controls:

  1. Firewalls: Your organization should either set up a firewall boundary or a software firewall, depending on your network and hardware specifics.
  2. Secure configuration: You need to replace the default configuration of networks and devices with stronger alternatives to prevent unauthorized access, internal or external.
  3. User access control: Cyber Essentials requires a transparent process for account creation and management that ensures all data is accessible on a need-to-know basis.
  4. Malware protection: You need to invest in a robust antivirus solution to shield your devices and data from common malicious programs.
  5. Security updates: You should either set up automatic software updates or a standardized process for manual periodic updates, preferably every 14 days.

You’ll have to complete a self-assessment questionnaire to confirm that you’ve implemented the relevant controls. Once you submit it, IASME (Information Assurance for Small and Medium Enterprises), the official government partner for managing the scheme, will review the questionnaire. If you pass, you’ll be issued a Cyber Essentials certificate valid for 12 months. You need to renew it annually to maintain your cybersecurity posture.

The Cyber Essentials certification process is relatively straightforward once you know your organization’s cybersecurity posture and update your controls. If you wish to upgrade to Cyber Essentials Plus, you’ll need to go through a more complicated procedure.


Advanced certification level: Cyber Essentials Plus

The Cyber Essentials Plus scheme is built around the same baseline controls and questionnaire requirements as the Cyber Essentials scheme. The main difference is that Cyber Essentials Plus also includes a separate technical audit of your systems and devices performed by an independent auditor.

The assessment includes various security checks, most notably:

  • IP address testing: An external scan of your organization’s public IP addresses will be performed to determine if there are any vulnerabilities or open services that warrant more rigorous access controls.
  • Comprehensive vulnerability scanning: The assessor scans a sample of your organization’s devices to ensure they support all the installed software and that the necessary vulnerability patches have been completed in the past two weeks.
  • Malware protection testing: The devices protected by anti-malware software are tested through manual configuration and malware checks to assess the software’s behavior.
  • Cloud service testing: The connected cloud services are checked for multi-factor authentication to determine account security.

‍With these multi-level assessment layers and rigorous benchmarks, Cyber Essentials Plus provides a higher degree of assurance and confidence in your cybersecurity posture.

‍In terms of difficulty, the version demands more resources and consideration to achieve certification. While you can pass a base-level Cyber Essentials assessment with a non-compliance or two, you can’t get a Cyber Essentials Plus certificate unless you pass the assessment in full.

Cyber Essentials vs. Cyber Essentials Plus: Pricing

The cost of both Cyber Essentials certification levels depends on your organization’s size. The base-level certification price is shown in the following table:

Organization sizeCyber Essentials cost
Micro organizations (0–9 employees)£320 + VAT
Small organizations (10–49 employees)£440 + VAT
Medium organizations (50–249 employees)£500 + VAT
Large organizations (250+ employees)£600 + VAT

‍Organizations pay for Cyber Essentials to access the many benefits of getting certified. Besides having the peace of mind knowing that your organization has strong cybersecurity measures in place, you can also demonstrate your security posture to customers, investors, and other stakeholders. Additionally, Cyber Essentials qualifies you to bid for specific government contracts in the U.K.

‍You’ll need to pay significantly more for Cyber Essentials Plus, considering all the additional assessments that need to be performed. While the pricing structure is quote-based (depends on your network size and complexity) and can be obtained by contacting IASME, you can use the following table as a reference point:

Organization sizeCyber Essentials Plus cost
Micro organizations (0–9 employees)£1,499 + VAT
Small organizations (10–49 employees)£1,999 + VAT
Medium organizations (50–249 employees)£2,499 + VAT
Large organizations (250+ employees)£2,999 + VAT

‍It’s worth mentioning that you can’t get Cyber Essentials Plus as a standalone certificate—you must first get certified for Cyber Essentials. You can either complete the two certifications consecutively or apply for Cyber Essentials Plus within three months of obtaining a Cyber Essentials certificate.


Which certification should you pursue?

Compared to the basic version, the benefits of Cyber Essentials Plus are more strategic in nature. The upgraded certification helps harden your organization’s cyber defenses and attract more lucrative partnerships—all of which reflect on your ROI in the long term. When deciding between Cyber Essentials and Cyber Essentials Plus, here are some other factors you can consider:

  • Budget: Considering the price difference alone, your first consideration should be your budget. While the higher tier’s cost is justified, the base framework should be sufficient if you’re on a budget but still want to strengthen your cybersecurity.
  • Certification purpose: For small and growing organizations that want an entry-level way to enhance their cybersecurity, Cyber Essentials may work. Cyber Essentials Plus is better suited for those chasing higher-level goals like improving revenue and quality of clients.
  • Network size and complexity: If you have an extensive cybersecurity network, Cyber Essentials Plus might be a better option due to the expanded attack surface.
  • Volume and sensitivity of stored data: Organizations that store or process high amounts of sensitive data (credit card information, PHI, etc.) should consider Cyber Essentials Plus to build more trust with their stakeholders.
ComplianceCyber Incident SharingEnhancing cloud security strategyRisk Management

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Mark Your Calendar for Cyber Monday!
Map the Transaction Flows for Zero Trust
Advance AI Risk Management
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Bringing the Security vs. Usability Pendulum to a Stop

Published: 11/26/2024

What Can We Learn from Recent Cloud Security Breaches?

Published: 11/26/2024

How the Alert Readiness Framework Supports Augmented Cybersecurity

Published: 11/25/2024

What Are the ISO 42001 Requirements?

Published: 11/25/2024