Key Difference
Both certifications assess exactly the same five security controls. The main difference is that Cyber Essentials Plus includes independent technical verification through vulnerability scanning and device testing, providing enhanced assurance.
Understanding the Two Levels
Cyber Essentials offers two certification levels, both managed by IASME and backed by the National Cyber Security Centre (NCSC). While both assess your organisation against the same five fundamental security controls, they differ significantly in their assessment methods and the level of assurance they provide.
Cyber Essentials
Foundation-level certification based on a self-assessment questionnaire with expert review.
- Self-assessment questionnaire
- Expert assessor review
- Fast 24-hour turnaround
- Cost-effective from £320
- Suitable for all organisation sizes
Cyber Essentials Plus
Premium certification with independent technical verification through vulnerability scanning and device testing.
- All CE benefits included
- Vulnerability scanning
- Device testing & inspection
- Enhanced business credibility
- Independent technical validation
Detailed Comparison
Here's a comprehensive comparison of both certification levels across all key factors:
Note: Rows highlighted in yellow show the key differences between the two certification levels.
What Cyber Essentials Plus Includes
Cyber Essentials Plus includes everything from the standard certification, plus additional technical testing:
External Vulnerability Scanning
- Network perimeter scanning for open ports and services
- Web application vulnerability assessment
- SSL/TLS configuration analysis
- DNS and mail server security evaluation
Internal Network Assessment
- Internal network vulnerability scanning
- Sample device configuration review
- Operating system security assessment
- Application and service configuration testing
Device Sampling and Testing
- Remote inspection of sample devices (majority of assessments) or physical inspection where required
- Configuration verification against security standards
- Software inventory and security assessment
- User access control validation
Which Should You Choose?
The choice between Cyber Essentials and Cyber Essentials Plus depends on several factors:
Choose Cyber Essentials if:
- You're new to cybersecurity certification and want to start with the basics
- Budget is a key consideration (starting from £320)
- You need rapid certification (24 hours typical turnaround)
- You have confidence in your current security controls
- Your customers or partners only require basic Cyber Essentials
- You want to establish a foundation before upgrading to CE+
Choose Cyber Essentials Plus if:
- You want the highest level of assurance and credibility
- Your customers or partners specifically require CE+
- You handle sensitive data or operate in regulated industries
- You want independent verification of your security controls
- You're willing to invest more time and budget for enhanced certification
- You want to identify and address vulnerabilities proactively
Can You Upgrade Later?
Yes, you can upgrade from Cyber Essentials to Cyber Essentials Plus at any point. However, if you plan to upgrade, you must gain CE+ certification within 3 months of gaining your CE basic certification. Many organisations start with CE to get certified quickly, then upgrade to CE+ when they have more time and budget available.
Upgrading requires going through the full CE+ assessment process, including vulnerability scanning and device testing. It's not simply an add-on to your existing certificate, but a comprehensive technical verification of your security controls.
Industry Recommendations
Different industries and use cases may favour one certification level over another:
- Small businesses and startups: Often start with Cyber Essentials for cost-effectiveness and speed
- Government contractors: May require CE+ for higher-value or sensitive contracts
- Financial services: Often choose CE+ for enhanced credibility with regulators and customers
- Healthcare organisations: May prefer CE+ when handling patient data
- Technology companies: Often choose CE+ to demonstrate technical competence to clients
- Supply chain partners: Requirements vary depending on the client's risk tolerance
Making Your Decision
Both certifications are valuable and provide genuine cybersecurity benefits. The key is choosing the level that aligns with your organisation's current needs, budget, timeline, and stakeholder requirements.
Consider starting with a free consultation to discuss your specific situation. Many certification bodies can help you assess which level is most appropriate based on your industry, size, risk profile, and business objectives.
Remember, the goal isn't just to get certified – it's to implement security controls that genuinely protect your organisation while meeting your business requirements.
Get Cyber Essentials
Fast, cost-effective certification from £320. Perfect for getting started with cybersecurity certification.
Get Cyber Essentials Plus
Premium certification with technical verification from £1,200. Maximum assurance and credibility.