The difference between Cyber Essentials and Cyber Essentials PLUS

The difference between Cyber Essentials and Cyber Essentials PLUS

13th March 2019

We are often asked about the differences between the Cyber Essentials and Cyber Essentials PLUS standard, and what level they should choose.

There are some circumstances that will dictate the level you are required to have in tenders, especially with Government contracts, and the level there depends on the risk that they associate with the particular contract. But for everyone else, here’s a brief run down on the two levels of certification.

The Cyber Essentials Scheme

Cyber Essentials is a security standard that is designed to mitigate against the most common cyber attacks, and University of Lancaster research has shown that with Cyber Essentials controls in place 99% of the common attacks they tested against where either fully mitigated (69.2%) or partially mitigated (29.8%). There is a set list of requirements that your organisation is required to meet as published by the National Cyber Security Centre (Part of GCHQ).

The Cyber Essentials (basic) is a self-certification that is assessed by companies such as ours, to validate the answers. This means that you’re asked to supply answers to a questionnaire (with evidence) through our online portal, assessment at this level is simply a pass or fail and feedback given on areas of non compliance.

Cyber Essentials PLUS builds on the self certification questionnaire, as it is an independently audited test of the controls required by the ‘basic’ level, along with an internal and external vulnerability scan. This means that we, as a certification body will visit your offices and perform a test that is in line with the Cyber Essentials requirements. Every certification body will have the same test process, however – the costs may vary.

The vulnerability scan will identify unpatched, or unsupported software, open ports, incorrect firewall configurations – all elements that the basic level will require your own working knowledge of your IT systems to answer.

So what one should I choose?

That can really only be answered by your motivations for gaining the accreditation, are you doing it as we said at the start (as part of a tender requirement) or are you just looking to check your business has the basics in place?

When bidding on a contract/procurement/tender

The tender will specify if PLUS is required, if not, the self certification is the minimum requirement.

Your own internal business reasons

So you want to demonstrate that your organisation is compliant with Cyber Security and takes data protection seriously – then Cyber Essentials PLUS is more likely the route for you. You get the confidence as a business that your own IT department / Outsourced IT Provider are doing the basics to keep you safe and they are not just ‘marking’ their own work, as they might be if helping you complete the self assessment questionnaire.


By using a source outside of the organisation to conduct and certify the level of compliance, you can be sure there are no biased opinions and you don’t risk invalidating your insurance.

You are more likely to reduce premiums with the PLUS standard as well, where as self certification will not.

Can your business recover from Disaster?

Do you have a backup? is it sufficient? when did you last review it, or test it?

Download our free 25 point checklist to help give you peace of mind that you've got the best system in place for your business needs.