TL;DR

Cyber Essentials is a verified self-assessment: you answer the questionnaire under declaration, an assessor reviews it. Cyber Essentials Plus is the same five controls, but an assessor technically tests your systems to prove they are actually in place. Get standard CE if you need a credible baseline or a contract asks for it. Get Plus if your clients, insurers or supply chain demand evidence, or if you want the controls verified rather than declared. Plus must be completed within three months of your CE certificate.

Both certifications cover the same ground: the five controls (firewalls, secure configuration, security update management, user access control, and malware protection). The difference is not what is checked. It is how anyone knows the answers are true.

5controls, identical in both certifications
3 monthswindow to complete Plus after your CE certificate
80%of common attacks blocked by the five controls (NCSC)

What standard Cyber Essentials involves

You complete a self-assessment questionnaire covering all five controls, and a board member signs a declaration that the answers are accurate. A licensed assessor reviews the responses and either certifies you or comes back with questions.

Nobody logs into your systems. Nobody scans anything. The assessment stands on your answers, which is why the declaration matters: knowingly wrong answers are not a paperwork problem, they are a signed false statement.

Standard CE tests whether you know your environment well enough to answer honestly. Plus tests the environment itself.

Standard CE is priced in tiers based on organisation size, set by IASME (the scheme operator). For most Kent SMBs it is a modest fixed cost, and the real work is the remediation before you apply, not the certificate itself.

What Cyber Essentials Plus adds

Plus starts with the same questionnaire, then an assessor verifies it technically. That typically means:

  • Vulnerability scans of a sample of your devices and servers, checking patch levels against the update-management requirement.
  • An external scan of your internet-facing systems.
  • Hands-on device checks: malware protection working, unsupported software absent, standard users unable to run what they should not.
  • Email and browser tests: proving that malicious attachments and downloads are actually blocked, not just that a policy says they should be.

If the scan finds a machine three patches behind, the questionnaire answer that said “all updates within 14 days” does not survive contact. That is the point of Plus: it removes the gap between declared and true.

The timing rule people miss

Plus must be achieved within three months of the standard CE certificate it builds on. Leave it longer and you are redoing the questionnaire first. If you know you want Plus, plan both as one project.

Which one do you need?

Standard CE is the right call when:

  • You want a credible, government-backed security baseline and a public signal that the basics are done.
  • A contract or framework asks for “Cyber Essentials” without specifying Plus.
  • Budget matters and the alternative is doing nothing.

Plus is the right call when:

  • A client, framework or supply chain requirement names it specifically. MOD contracts and an increasing number of enterprise procurement lists do.
  • Your cyber insurer offers better terms for verified controls, or asks pointed questions at renewal.
  • You handle data sensitive enough that “we declared it” is not a comfortable answer to give anyone.

The honest framing: standard CE proves intent and self-knowledge. Plus proves implementation. Neither makes you unhackable, and both expire after a year, because an environment certified in January can rot by August.

What it costs, in practice

Standard CE certification fees are tiered by organisation size on the IASME scale, and remediation is where the real budget goes (see our breakdown of the six things that fail most assessments).

Plus pricing depends on how many devices and locations are in scope, which is why nobody publishes a flat rate for it. We price CE Plus as a monthly service rather than a one-off, covering the ongoing compliance checks that keep you passing, because the certificate is annual but the requirements are continuous.

The honest summary

If you are choosing between standard CE and nothing, choose CE. If someone in your supply chain has named Plus, the choice is already made. And if you are choosing freely between the two, ask one question: do you want to declare that your controls work, or know it?

How we run it

Same process for both: gap audit against all five controls first, remediation second, assessment last. For Plus we schedule the technical audit inside the three-month window so nothing gets redone. Most businesses go from audit to certificate in 4 to 8 weeks.

Related service: Cyber Essentials →

Want certification handled start to finish?

We run the gap audit, fix what it finds, and manage the assessment for both CE and CE Plus. Fixed price for standard CE, agreed before any work begins.

Most calls answered within 4 rings  ·  ENQUIRIES 020 3822 0899  ·  SUPPORT 01622 586 001