Day

July 6, 2026

Cyber Essentials vs Cyber Essentials Plus: Which One Does Your Business Actually Need?

Cyber Essentials and Cyber Essentials Plus sound alike but aren’t the same. Here’s the real difference, and why Plus is getting harder to pass.

Here’s a question we get a lot: “We keep seeing Cyber Essentials and Cyber Essentials Plus mentioned in tenders and insurance forms, what’s actually the difference, and which one do we need?”

Fair question. The names are almost identical, but the two are quite different in practice, and picking the wrong one can either leave you under-protected or land you with a much bigger job than you were expecting. 

Cyber Essentials: the honesty-based check

Think of Cyber Essentials as the “tell us about your homework” version. It’s a UK government-backed scheme, and it looks at five basic areas that stop the vast majority of everyday cyberattacks, not the James Bond stuff, just the boring, common attacks that catch businesses out every single day:

  • Firewalls — is there a proper barrier between your systems and the internet?
  • Secure configuration — are your devices set up safely, not just left on default settings?
  • User access control — do people only have access to what they actually need?
  • Malware protection — is your antivirus doing its job?
  • Patch management — are you actually keeping software updated?

You fill in a questionnaire about how you handle each of these, an independent assessor reviews it, and if it stacks up, you get certified. Nobody visits. Nobody tests anything directly. It’s essentially you saying “here’s what we do,” and being taken at your word.

Most businesses can get there within a few weeks, and it’s often exactly what’s needed to tick the box on a contract or reassure a bigger client you’re taking security seriously.

Cyber Essentials Plus: same questions, but now they check

Plus covers the same five areas. The difference is nobody’s taking your word for it anymore.

An assessor actually comes and tests things. A technical audit of a sample of your real devices, vulnerability scans from outside and inside your network, and genuine verification that your patching, antivirus, and configurations are doing what you said they were. Not documented, actually there.

So if Cyber Essentials is “tell us what you do,” Plus is “prove it.” That’s exactly why it carries more weight with clients, insurers, and public sector procurement teams — it’s proof, not a promise.

Why Plus has gotten harder to achieve

Plus has quietly gotten a lot harder to pass than it used to be. We say this to clients all the time, and it usually gets a raised eyebrow: what sailed through an audit a few years ago won’t necessarily pass one today. As attacks get more sophisticated, the bar for Plus has risen right along with them. A few reasons why:

Everyone works from everywhere now. A few years back, most company devices sat behind one office firewall on one network. Now they’re logging in from home broadband, the local coffee shop, a phone hotspot on the train. Assessors have had to widen what they check to cover all of that — which means more can go wrong, and more ways to technically fail.

MFA isn’t optional anymore. Multi-factor authentication used to be a nice-to-have. Now assessors look hard at it, especially on admin accounts, and they’re not forgiving if it’s missing or half-enforced.

The patching clock has sped up. There used to be more breathing room between a patch coming out and it being applied. That window’s shrunk, so you need consistent, fast patching — not “we’ll get to it next month.”

Cloud has made everything more complicated. Nearly every business now runs a mix of on-site kit and cloud platforms like Microsoft 365. Both need to be configured properly and both are in scope now, which is a lot more to keep straight than one office network used to be.

None of that means Plus is out of reach. It just means it rewards the businesses who already run tight, well-managed IT day to day — not the ones scrambling to look good for one audit and then letting things slip again.

People pointing to cyber threat on laptop

So which one do you need?

Honestly, it depends on what you’re trying to achieve.

Go for Cyber Essentials if:

  • This is your first time doing anything like this and you want a realistic, achievable start
  • A contract or client only asks for the base-level certification
  • You want to build good habits first before taking on something tougher

Go for Cyber Essentials Plus if:

  • You’re handling sensitive client, patient, or financial data
  • You’re chasing public sector, healthcare, or bigger enterprise contracts that specifically ask for it
  • You want real, independent proof for your own peace of mind — not just a box ticked
  • Your insurer’s offering better terms for it, which is becoming more and more common

A lot of the businesses we work with treat Cyber Essentials as step one and Plus as step two, and honestly, that’s a smart way to do it. It gives you time to build the right habits and catch anything a self-assessment would miss, so by the time the technical audit comes around, you’re walking in with confidence instead of crossed fingers.

How can we help?

We’ll say this upfront: we can’t certify you. That has to come from an accredited body, and it should — the whole point of Plus is that it’s independent of anyone with a stake in the outcome.

What we can do is make sure you’re not walking into that audit blind. Most businesses that fail their first Cyber Essentials Plus attempt don’t fail because their security is genuinely bad — they fail because nobody checked, beforehand, whether their firewalls, patching, device setups, and access controls would actually hold up under real testing rather than a questionnaire. That’s where we come in: finding the gaps and helping you close them before an assessor finds them for you.

The real value isn't the certificate

It’s easy to think of Cyber Essentials Plus as a piece of paper you need for a tender document. The more useful way to think about it is as a genuine health check on whether your business would actually hold up against a real attack, because the two things being tested are, more often than not, the same thing.

If you’re not sure which level makes sense for your business, or you want an honest read on how ready your IT actually is for a Plus audit, that’s worth figuring out before you book the assessment, not during it.

Protect Your Business Today

Get in touch to find out more about out cybersecurity solutions!