Cyber Essentials and Cyber Essentials Plus share a name, a badge and a five-question backbone. What they don't share is how that badge gets earned, and that difference matters far more than most businesses assume when they're deciding which one to go for.

In short: Both certifications cover the same five controls, but base Cyber Essentials is self-assessed and desk-verified, while Cyber Essentials Plus adds an independent, hands-on technical audit, vulnerability scans and testing of a sample of your devices by a qualified assessor. Start with base certification; move up to Plus when a contract requires it or you want your controls independently proven rather than self-declared.

We've walked through the base Cyber Essentials self-assessment in detail before, so we won't repeat the five control themes here. This post is about the question we get asked next: once you've got Cyber Essentials, do you actually need Plus too?

What's the same between them?

Both certifications are built on the same five control themes: firewalls, secure configuration, security update management, user access control, and malware protection. The security bar itself doesn't move between the two. Plus isn't a harder or longer version of the questionnaire, and it isn't testing anything additional. It's checking the same fundamentals, just in a different way.

What's actually different

Base Cyber Essentials is a self-assessment. You (or whoever manages your IT) answer a questionnaire about your firewalls, your patching, your access controls and your endpoint protection, and an accredited certification body reviews and verifies those answers. Nobody logs into your systems to confirm what you've said is true.

Cyber Essentials Plus adds an independent technical audit on top of that same questionnaire. A qualified assessor actually tests your environment rather than taking your word for it. In practice that audit includes an authenticated vulnerability scan of a representative sample of your devices, chosen to cover each operating system in scope; a test that malware protection actually blocks known-bad files and downloads (the assessor tries to bring simulated malware in by email and web); a check that your systems aren't running software missing high-severity patches older than 14 days; and a test of MFA on your cloud services. It's the same five controls, proven under test conditions instead of described on a form.

There's also a timing rule worth planning around: Cyber Essentials Plus has to be completed within three months of achieving your base Cyber Essentials certificate. Leave the audit too long after the self-assessment and you can find yourself re-doing the base certification before Plus can proceed, so it pays to line the two up as a single sequence rather than treating them as unrelated projects months apart.

Cyber Essentials vs Cyber Essentials Plus

Cyber EssentialsCyber Essentials Plus
Control themesThe same fiveThe same five
How it's verifiedSelf-assessment, reviewed by a certification bodyIndependent, hands-on technical audit
Your devicesSelf-declared, none testedA representative sample tested by an assessor
Vulnerability scanNot performedAuthenticated scan across each OS in scope
Malware and MFA testingNot performedSimulated malware and cloud MFA both tested
TimingStandaloneMust be completed within 3 months of base
Choose it whenYou need a baseline, or it's your first stepA contract requires it, or you want proof rather than self-declaration

"Base Cyber Essentials is self-declared. Plus is independently proven. That's the whole difference, and it's a bigger one than the shared badge lets on."

Comparison showing a self-assessment shield with a checkmark next to an independently verified shield with an audit magnifying glass
Self-declared versus independently proven, same five control themes underneath.

Why does the difference matter in practice?

This isn't just a certification nicety. Some contracts, tenders and supply chains, particularly in government and enterprise procurement, specifically require Cyber Essentials Plus rather than base certification. The reason is straightforward: base certification can't prove your answers were accurate, only that you gave them in good faith. If a client needs assurance that your firewall rules and patch levels genuinely match what you've claimed, only an independent audit gives them that.

Plus also has a benefit that's easy to overlook, which is what it does for you rather than for whoever's asking to see it. A self-assessment can miss gaps that only show up under real testing, an unpatched device that got left off the list, a firewall rule that quietly drifted, a piece of legacy software nobody flagged. The audit surfaces those before they become a genuine problem, not after.

Which one do you actually need?

If you're newer to formal security certification, start with base Cyber Essentials. Getting the fundamentals genuinely right, not just documented, is the point of that first step, and it's the foundation Plus is built on anyway.

Move to Cyber Essentials Plus when any of the following apply:

  • You're bidding for contracts or tenders that specifically require it
  • You handle more sensitive data, or your supply chain expects stronger assurance
  • You want the independent verification for your own peace of mind, not just a badge

Don't skip the foundation

It's worth being honest about one thing: Plus assumes you're already meeting the five control themes properly. It's not a shortcut past base certification, and treating it as a box-ticking exercise before the "real" audit tends to backfire, gaps found during a Plus assessment cost more time and money to fix under audit pressure than they would have earlier. Treat base Cyber Essentials as the genuine first step, not a formality.

If you haven't got there yet, our Cyber Essentials in 30 days playbook is the place to start. Whichever level your business needs, Systech is an accredited Cyber Essentials provider and our Security Services team guides clients through both, from the initial questionnaire through to the Plus audit itself. If you're not sure which one you need yet, our free assessment will tell you.

SC
Systech Cloud Team

The Systech IT Solutions cloud team, helping UK businesses get more from their Microsoft investment.