Here is the short version. Cyber Essentials is a self-assessment you fill in and submit. Cyber Essentials Plus is the same set of controls, but checked independently by a qualified assessor who runs technical tests against your actual devices. Plus is not a tougher standard; it is verified proof that you are doing what you said. Most small businesses should start with basic Cyber Essentials and only go for Plus when a specific contract, client or insurer asks for it.
If a customer or a renewal form has told you to "get Cyber Essentials" and you are now looking at two options wondering which one applies, this should settle it. We will not re-explain the five controls here - our separate article on what Cyber Essentials certification is covers that ground.
The core difference: self-assessed vs independently audited
Both certifications sit on the same five technical controls: firewalls, secure configuration, security update management, user access control and malware protection. What changes between the two is how those controls are checked.
Cyber Essentials (basic) - You answer a self-assessment questionnaire about how your systems are set up. An assessor at a certification body reviews your answers and, if they pass, issues the certificate. Nobody tests your devices to verify what you wrote.
Cyber Essentials Plus - You start from a valid basic certificate, then an assessor independently tests a sample of your laptops, desktops, servers and mobile devices. They run a vulnerability scan, check patching and configuration, and try a handful of real-world attack techniques such as a simulated malicious email and file.
Think of basic Cyber Essentials as a signed declaration, and Plus as a hands-on inspection that backs that declaration up. The requirements are identical. Plus is the audit of those requirements.
What the Plus audit actually involves
An assessor (licensed through IASME, the body that runs the scheme on behalf of the NCSC) samples your devices rather than testing every single one. On that sample they will usually:
Run an authenticated vulnerability scan to confirm no in-scope machine is missing critical or high-severity updates that have been available for more than 14 days, or running unsupported software, plus an external scan of your internet-facing IP addresses
Check that user accounts, administrator access and malware protection match what you declared
Send test files and emails that mimic common attacks, to confirm your defences block them
Review mobile devices and any cloud services that are in scope
The scheme is reviewed each year, and the 2026 update tightened a few things. The big one for everybody: multi-factor authentication on cloud services is mandatory. Where a cloud service supports MFA and you have not turned it on, that is an automatic fail, on basic and Plus alike. The April 2026 changes also revised how update management is assessed and brought in a new question set. The practical takeaway is simple: patchy, one-off fixes will not get you through.
What each one costs
Figures move year to year, and Plus in particular is priced by the certification body, so treat these as a guide and confirm current pricing before you budget.
Cyber Essentials (basic) - The IASME assessment fee is set by organisation size, from around £320 + VAT for a micro business (under 10 staff) up to roughly £600 + VAT for the largest band. Beyond the fee, it is mostly your own time getting things in order.
Cyber Essentials Plus - There is no fixed national price; each certification body quotes on what is in scope. As a rough floor, expect upwards of £1,500 + VAT, and more for additional devices, sites and cloud services. A single small office sits near the bottom; a multi-site setup with servers costs more because there is more to test.
The Plus figure reflects assessor time and tooling, not a harder standard. You are paying for the independent verification, not for stricter rules.
When you genuinely need Plus
Basic Cyber Essentials is enough for most SMEs. Look at Plus when something external requires that extra assurance, which usually means one of these:
A government or public-sector contract specifies it - some MOD, central government and NHS-linked work names Cyber Essentials Plus as a condition of bidding
A larger client puts it in their supplier or procurement requirements
Your cyber insurer offers better terms on, or makes a claim conditional on, independent verification
You handle sensitive data and want demonstrable proof of your controls rather than a self-declaration
If none of those apply, basic certification gives you the same security improvements and the same recognisable badge for your website and tenders, without the cost of an audit.
You have to hold basic Cyber Essentials first
This one catches people out. You cannot go straight to Plus. You need a valid basic Cyber Essentials certificate first, and the Plus audit has to be completed within three months of that certification date. Let the window lapse and you have to redo the basic assessment before Plus can go ahead. So plan the two as a single piece of work, rather than circling back months later.
Which should you choose? A quick decision guide
Has a contract, client or insurer named Cyber Essentials Plus in writing? If yes, you need Plus.
Were you simply told to "get Cyber Essentials" with no level mentioned? Basic is almost always what is meant. Ask the person who requested it to confirm if there is any doubt.
Not sure whether more work is coming that will demand Plus? Get basic now, keep your systems audit-ready, and step up to Plus later when a contract actually requires it.
How an MSP helps you pass first time
Businesses rarely fail a Plus audit because of some deep security flaw. It is usually missed updates on a forgotten laptop, an unsupported version of Windows, MFA switched off on a cloud app, a default password still in place, or a user sitting on local admin rights they never needed. An assessor finds those quickly.
A managed IT provider works through the five controls across every in-scope device before the assessor turns up, runs the same kind of vulnerability scan in advance, and clears the gaps while there is still time to fix them. That turns the audit into a confirmation rather than a gamble, and saves you paying for a re-test. For basic certification, we make sure your self-assessment answers genuinely reflect your systems, because a tidy questionnaire that does not match reality helps nobody.
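To make the pre-audit sweep above (and the device checks the assessor runs, listed under "What the Plus audit actually involves") concrete, here is an added example of a local readiness check for one Windows endpoint, mapped to the five controls. It is not code from the original article or from Coffee Cup Solutions. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11 with Microsoft Defender as the malware protection; the $MinimumBuild and $ExpectedAdmins parameters are placeholders you must set for your own estate.

```powershell
# Added example, not from the original article or Coffee Cup Solutions.
# Local Cyber Essentials readiness check for one Windows 10/11 endpoint.
# Assumptions: run elevated in PowerShell 5.1+, Microsoft Defender in use.
param(
    # Placeholder: oldest Windows build you still treat as vendor-supported.
    # Set it from Microsoft's current lifecycle page before relying on it.
    [int]$MinimumBuild = 19045,
    # Placeholder: accounts that are allowed in the local Administrators group.
    [string[]]$ExpectedAdmins = @('Administrator')
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Firewalls: all three Windows Firewall profiles must be enabled.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("Firewall profile '$($_.Name)' is disabled")
}

# 2. Secure configuration: built-in Guest disabled, no enabled local
#    account that is allowed to have a blank password.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings.Add('Built-in Guest account is enabled') }
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings.Add("Local account '$($_.Name)' does not require a password")
}

# 3. Security update management: OS build still supported, and no pending
#    Critical or Important updates left uninstalled.
$os = Get-CimInstance Win32_OperatingSystem
if ([int]$os.BuildNumber -lt $MinimumBuild) {
    $findings.Add("OS build $($os.BuildNumber) ($($os.Caption)) is below the supported minimum $MinimumBuild")
}
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
foreach ($update in $pending) {
    if ($update.MsrcSeverity -in @('Critical', 'Important')) {
        $findings.Add("Pending $($update.MsrcSeverity) update: $($update.Title)")
    }
}

# 4. User access control: nobody in local Administrators beyond the expected list.
Get-LocalGroupMember -Group 'Administrators' | Where-Object {
    ($_.Name -split '\\')[-1] -notin $ExpectedAdmins
} | ForEach-Object {
    $findings.Add("Unexpected member of local Administrators: $($_.Name)")
}

# 5. Malware protection: Defender real-time protection on, signatures current.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add('Microsoft Defender status unavailable; confirm third-party AV is installed and current')
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
    if ($mp.AntivirusSignatureAge -gt 1) {
        $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old")
    }
}

# Report: exit 0 when clean so the script can be fanned out by RMM or scheduled task.
if ($findings.Count -eq 0) {
    Write-Output "No gaps found on $env:COMPUTERNAME"
    exit 0
}
$findings | ForEach-Object { Write-Output "GAP [$env:COMPUTERNAME]: $_" }
exit 1
```

Run it on each in-scope device (or push it through your RMM tool) and clear every GAP line before the assessor arrives. It only covers what can be checked locally on the device: it is not a substitute for the authenticated vulnerability scan, and the cloud MFA check has to be done in each cloud service's admin console.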
If you have been asked for Cyber Essentials and are not sure which level fits, the team at Coffee Cup Solutions can look at your setup, tell you honestly whether basic or Plus is the right call, and get you certified without the surprises. Have the request in front of you and we will point you the right way.