Cyber Essentials vs. Essentials Plus: What’s Right for You?

What is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity framework, designed to help organisations implement essential cyber hygiene. It’s overseen by the National Cyber Security Centre (NCSC) and administered by IASME. The certification helps protect against the most common internet-based threats. To achieve it, you complete a self-assessment questionnaire, demonstrating that you have the following five technical controls in place:
1. Boundary firewalls and internet gateways
2. Secure configuration of devices and systems
3. Access control
4. Malware protection
5. Patch management
Your responses are reviewed by a qualified assessor, and support is available to help you complete the assessment accurately. Pricing typically starts at around £250 + VAT.
What is Cyber Essentials Plus?
Cyber Essentials Plus builds on the same five controls but adds an essential layer of trust: independent technical verification.
This includes:
- External vulnerability scans of public-facing systems
- On-site or remote audits of sample devices (e.g. desktops, laptops, mobile devices, servers)
- Multi-Factor Authentication (MFA) checks for cloud and remote access services
Unlike the basic level, Plus certification requires remediation of any gaps found during testing—usually within 30 days—before certification can be issued.
Costs typically range from £1,500 to £3,000 + VAT, depending on the size and complexity of your organisation's IT environment.
Why Upgrade to Plus?
- Greater assurance. With real testing of your systems, you're not just saying you're secure, you're proving it.
- Required for certain contracts and insurance policies. Public sector contracts (including NHS and local authorities) often require Cyber Essentials Plus.
- Improved cyber posture. Independent audits can uncover misconfigurations or risks you may not detect internally.
- Professional credibility. Demonstrates to partners, stakeholders, and clients that cybersecurity is more than a checkbox; it's a business priority.
Which One Should You Choose?
Here’s a quick decision guide:
| Company needs | Plan |
|---|---|
| Small organisation with basic IT needs | Cyber Essentials |
| Handles sensitive data or complex infrastructure | Cyber Essentials Plus |
| Bidding for UK public sector work | Cyber Essentials Plus |
| Stronger insurance or client trust | Cyber Essentials Plus |
How to Prepare
- Conduct a risk assessment. Understand your vulnerabilities and where to focus.
- Implement the five key controls. Firewalls, configuration, access, malware protection, and updates.
- Complete the Cyber Essentials questionnaire. Ensure all answers reflect real, working policies.
- For Plus certification, engage a licensed certification body to conduct the audits and scans.
- Close any gaps. You’ll need to fix vulnerabilities within 30 days to pass.
- Maintain momentum. Certification is annual. Consider managed security services to stay protected year-round.
Summary
- Cyber Essentials provides a solid foundation at a low cost and is ideal for small organisations or those just getting started.
- Cyber Essentials Plus delivers higher confidence through independent testing and is often required for regulated or sensitive sectors.
- Choose the level that matches your budget, risk profile, and contractual or regulatory obligations.
- Most importantly, treat certification as part of an ongoing cybersecurity journey, not just a tick-box exercise.
Need Help?
At Cranborne Tech, we’ve supported organisations across care, financial services, and retail to achieve Cyber Essentials and Cyber Essentials Plus. Whether you’re preparing for certification or want to strengthen your cyber resilience overall, we’re here to help.
Get in touch to book a free discovery call.