Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Cyber Essentials vs. Cyber Essentials Plus: Key Differences

Published 11/26/2024

Cyber Essentials vs. Cyber Essentials Plus: Key Differences

Originally published by Vanta.


If you wish to fortify your organization’s cybersecurity posture, obtaining a Cyber Essentials certification is a good idea. It enables IT managers to be more aware of the cybersecurity risks in their environment and take actionable steps to mitigate them. Before you pursue it, though, you should decide between two certification levels: Cyber Essentials and Cyber Essentials Plus.

While both are cybersecurity assurance schemes, Cyber Essentials Plus offers a greater level of assurance. Still, the main reason why many organizations weigh these options carefully is the price difference.

‍In this guide, you’ll learn about the difference between the two schemes and what to expect with each. Here’s what we’ll cover:

  • Basic differences in the certification process between Cyber Essentials and Cyber Essentials Plus.
  • The pricing structure of both certification levels.
  • Other factors you should consider when making a decision.

Basic certification level: Cyber Essentials

Cyber Essentials is a U.K. government-owned cybersecurity assurance scheme—although organizations can apply for certification regardless of their geographic location. The first certification level aims to provide organizations with simple controls for implementing fundamental cybersecurity measures.

More specifically, this assurance scheme involves an online assessment revolving around the following five controls:

  1. Firewalls: Your organization should either set up a firewall boundary or a software firewall, depending on your network and hardware specifics.
  2. Secure configuration: You need to replace the default configuration of networks and devices with stronger alternatives to prevent unauthorized access, internal or external.
  3. User access control: Cyber Essentials requires a transparent process for account creation and management that ensures all data is accessible on a need-to-know basis.
  4. Malware protection: You need to invest in a robust antivirus solution to shield your devices and data from common malicious programs.
  5. Security updates: You should either set up automatic software updates or a standardized process for manual periodic updates, preferably every 14 days.

You’ll have to complete a self-assessment questionnaire to confirm that you’ve implemented the relevant controls. Once you submit it, IASME (Information Assurance for Small and Medium Enterprises), the official government partner for managing the scheme, will review the questionnaire. If you pass, you’ll be issued a Cyber Essentials certificate valid for 12 months. You need to renew it annually to maintain your cybersecurity posture.

The Cyber Essentials certification process is relatively straightforward once you know your organization’s cybersecurity posture and update your controls. If you wish to upgrade to Cyber Essentials Plus, you’ll need to go through a more complicated procedure.


Advanced certification level: Cyber Essentials Plus

The Cyber Essentials Plus scheme is built around the same baseline controls and questionnaire requirements as the Cyber Essentials scheme. The main difference is that Cyber Essentials Plus also includes a separate technical audit of your systems and devices performed by an independent auditor.

The assessment includes various security checks, most notably:

  • IP address testing: An external scan of your organization’s public IP addresses will be performed to determine if there are any vulnerabilities or open services that warrant more rigorous access controls.
  • Comprehensive vulnerability scanning: The assessor scans a sample of your organization’s devices to ensure they support all the installed software and that the necessary vulnerability patches have been completed in the past two weeks.
  • Malware protection testing: The devices protected by anti-malware software are tested through manual configuration and malware checks to assess the software’s behavior.
  • Cloud service testing: The connected cloud services are checked for multi-factor authentication to determine account security.

‍With these multi-level assessment layers and rigorous benchmarks, Cyber Essentials Plus provides a higher degree of assurance and confidence in your cybersecurity posture.

‍In terms of difficulty, the version demands more resources and consideration to achieve certification. While you can pass a base-level Cyber Essentials assessment with a non-compliance or two, you can’t get a Cyber Essentials Plus certificate unless you pass the assessment in full.

Cyber Essentials vs. Cyber Essentials Plus: Pricing

The cost of both Cyber Essentials certification levels depends on your organization’s size. The base-level certification price is shown in the following table:

Organization sizeCyber Essentials cost
Micro organizations (0–9 employees)£320 + VAT
Small organizations (10–49 employees)£440 + VAT
Medium organizations (50–249 employees)£500 + VAT
Large organizations (250+ employees)£600 + VAT

‍Organizations pay for Cyber Essentials to access the many benefits of getting certified. Besides having the peace of mind knowing that your organization has strong cybersecurity measures in place, you can also demonstrate your security posture to customers, investors, and other stakeholders. Additionally, Cyber Essentials qualifies you to bid for specific government contracts in the U.K.

‍You’ll need to pay significantly more for Cyber Essentials Plus, considering all the additional assessments that need to be performed. While the pricing structure is quote-based (depends on your network size and complexity) and can be obtained by contacting IASME, you can use the following table as a reference point:

Organization sizeCyber Essentials Plus cost
Micro organizations (0–9 employees)£1,499 + VAT
Small organizations (10–49 employees)£1,999 + VAT
Medium organizations (50–249 employees)£2,499 + VAT
Large organizations (250+ employees)£2,999 + VAT

‍It’s worth mentioning that you can’t get Cyber Essentials Plus as a standalone certificate—you must first get certified for Cyber Essentials. You can either complete the two certifications consecutively or apply for Cyber Essentials Plus within three months of obtaining a Cyber Essentials certificate.


Which certification should you pursue?

Compared to the basic version, the benefits of Cyber Essentials Plus are more strategic in nature. The upgraded certification helps harden your organization’s cyber defenses and attract more lucrative partnerships—all of which reflect on your ROI in the long term. When deciding between Cyber Essentials and Cyber Essentials Plus, here are some other factors you can consider:

  • Budget: Considering the price difference alone, your first consideration should be your budget. While the higher tier’s cost is justified, the base framework should be sufficient if you’re on a budget but still want to strengthen your cybersecurity.
  • Certification purpose: For small and growing organizations that want an entry-level way to enhance their cybersecurity, Cyber Essentials may work. Cyber Essentials Plus is better suited for those chasing higher-level goals like improving revenue and quality of clients.
  • Network size and complexity: If you have an extensive cybersecurity network, Cyber Essentials Plus might be a better option due to the expanded attack surface.
  • Volume and sensitivity of stored data: Organizations that store or process high amounts of sensitive data (credit card information, PHI, etc.) should consider Cyber Essentials Plus to build more trust with their stakeholders.

Share this content on your favorite social network today!