Cyber Essentials and Cyber Essentials Plus sound alike but aren’t the same. Here’s the real difference, and why Plus is getting harder to pass.
Here’s a question we get a lot: “We keep seeing Cyber Essentials and Cyber Essentials Plus mentioned in tenders and insurance forms, what’s actually the difference, and which one do we need?”
Fair question. The names are almost identical, but the two are quite different in practice, and picking the wrong one can either leave you under-protected or land you with a much bigger job than you were expecting.
Think of Cyber Essentials as the “tell us about your homework” version. It’s a UK government-backed scheme, and it looks at five basic areas that stop the vast majority of everyday cyberattacks, not the James Bond stuff, just the boring, common attacks that catch businesses out every single day:
You fill in a questionnaire about how you handle each of these, an independent assessor reviews it, and if it stacks up, you get certified. Nobody visits. Nobody tests anything directly. It’s essentially you saying “here’s what we do,” and being taken at your word.
Most businesses can get there within a few weeks, and it’s often exactly what’s needed to tick the box on a contract or reassure a bigger client you’re taking security seriously.
Plus covers the same five areas. The difference is nobody’s taking your word for it anymore.
An assessor actually comes and tests things. A technical audit of a sample of your real devices, vulnerability scans from outside and inside your network, and genuine verification that your patching, antivirus, and configurations are doing what you said they were. Not documented, actually there.
So if Cyber Essentials is “tell us what you do,” Plus is “prove it.” That’s exactly why it carries more weight with clients, insurers, and public sector procurement teams — it’s proof, not a promise.
Plus has quietly gotten a lot harder to pass than it used to be. We say this to clients all the time, and it usually gets a raised eyebrow: what sailed through an audit a few years ago won’t necessarily pass one today. As attacks get more sophisticated, the bar for Plus has risen right along with them. A few reasons why:
Everyone works from everywhere now. A few years back, most company devices sat behind one office firewall on one network. Now they’re logging in from home broadband, the local coffee shop, a phone hotspot on the train. Assessors have had to widen what they check to cover all of that — which means more can go wrong, and more ways to technically fail.
MFA isn’t optional anymore. Multi-factor authentication used to be a nice-to-have. Now assessors look hard at it, especially on admin accounts, and they’re not forgiving if it’s missing or half-enforced.
The patching clock has sped up. There used to be more breathing room between a patch coming out and it being applied. That window’s shrunk, so you need consistent, fast patching — not “we’ll get to it next month.”
Cloud has made everything more complicated. Nearly every business now runs a mix of on-site kit and cloud platforms like Microsoft 365. Both need to be configured properly and both are in scope now, which is a lot more to keep straight than one office network used to be.
None of that means Plus is out of reach. It just means it rewards the businesses who already run tight, well-managed IT day to day — not the ones scrambling to look good for one audit and then letting things slip again.
Honestly, it depends on what you’re trying to achieve.
Go for Cyber Essentials if:
Go for Cyber Essentials Plus if:
A lot of the businesses we work with treat Cyber Essentials as step one and Plus as step two, and honestly, that’s a smart way to do it. It gives you time to build the right habits and catch anything a self-assessment would miss, so by the time the technical audit comes around, you’re walking in with confidence instead of crossed fingers.
We’ll say this upfront: we can’t certify you. That has to come from an accredited body, and it should — the whole point of Plus is that it’s independent of anyone with a stake in the outcome.
What we can do is make sure you’re not walking into that audit blind. Most businesses that fail their first Cyber Essentials Plus attempt don’t fail because their security is genuinely bad — they fail because nobody checked, beforehand, whether their firewalls, patching, device setups, and access controls would actually hold up under real testing rather than a questionnaire. That’s where we come in: finding the gaps and helping you close them before an assessor finds them for you.
It’s easy to think of Cyber Essentials Plus as a piece of paper you need for a tender document. The more useful way to think about it is as a genuine health check on whether your business would actually hold up against a real attack, because the two things being tested are, more often than not, the same thing.
If you’re not sure which level makes sense for your business, or you want an honest read on how ready your IT actually is for a Plus audit, that’s worth figuring out before you book the assessment, not during it.
Get in touch to find out more about out cybersecurity solutions!
