
Cyber Essentials vs Cyber Essentials Plus: Choosing the Right Certification
Understanding how to protect your business from digital threats is critical. When reviewing your options, you will likely encounter two prominent UK government-backed cybersecurity assurance schemes: Cyber Essentials and Cyber Essentials Plus.
Both schemes share a clear purpose. They help organisations defend against common cyber attacks by implementing fundamental cybersecurity measures. Whether you run a small local firm or a large national enterprise, these certifications provide a framework to secure your IT infrastructure.
Both the basic certification and the Plus level require annual renewal, so your security posture is re-checked against evolving threats every year. Deciding which path to take depends on your budget, the level of assurance you need, and the specific demands of your clients. This guide breaks down the Cyber Essentials certification process to help you choose the right fit.
The Five Technical Controls
Both Cyber Essentials and Cyber Essentials Plus share the same baseline controls. To achieve certification, your organisation must successfully implement five core technical controls. These act as the foundation of your organisation's cyber defences.
1. Firewalls and Internet Gateways
Firewalls create a buffer between your internal IT systems and the public internet. The certification requires a correctly configured boundary firewall (typically your internet router) and a software firewall on every in-scope device, including individual computers. Firewalls must block unauthenticated inbound connections by default, with any open service justified and documented, so attackers cannot reach your network through exposed services.
2. Secure Configuration
Computers and software often come with default settings that leave them vulnerable. Secure configuration involves changing default passwords, removing unnecessary software, and disabling unused accounts. This minimises the avenues a criminal can use to compromise your systems.
3. User Access Control
Not every employee needs access to all your sensitive data. User access control ensures that staff only have the permissions necessary to do their jobs. The scheme mandates rigorous access controls, particularly regarding administrator functions. You must tightly manage who holds administrative rights to prevent widespread damage if an account is compromised.
4. Malware Protection
Protecting your business from malicious software is a non-negotiable requirement. You must implement malware protection on every in-scope device. The scheme accepts either anti-malware software that is kept up to date and configured to scan files and web pages on access, or application allow-listing that permits only approved software to run. Either way, the aim is the same: stop unverified code downloaded from the internet or delivered by email from executing.
5. Patch Management
Software vulnerabilities are a primary entry point for opportunistic attackers. Patch management requires all in-scope software and operating systems to be licensed and vendor-supported, with automatic updates enabled where possible. Security updates that fix vulnerabilities rated high or critical (CVSS v3 base score of 7.0 or above), or any update where the vendor gives no severity rating, must be applied within 14 days of release. Software that no longer receives vendor updates must be removed from the in-scope estate. This rapid update cycle closes known security gaps before criminals can exploit them.
Cyber Essentials: The Basic Certification
The basic Cyber Essentials certification revolves around a self-assessment questionnaire. This is an excellent starting point for organisations looking to establish a baseline security posture.
To complete the self-assessment, you will answer detailed questions about your IT environment and how you address the five core controls. A board member (or equivalent senior officer) must sign a declaration confirming the answers are accurate. Once submitted, an accredited certification body reviews your responses and may ask for clarification before issuing the certificate.
Because this is a self-assessment, the certificate rests on the honesty and technical accuracy of your own declarations; nothing is tested on your systems. It demonstrates that you understand the fundamental measures and have policies in place to stop low-sophistication, commodity cyber attacks.
Cyber Essentials Plus: The Technical Audit
Cyber Essentials Plus takes your security assurance to a much higher level. You cannot skip straight to Plus; you must first pass the basic Cyber Essentials certification. Once you hold the basic certificate, you have three months to complete the Plus assessment.
The primary difference is the introduction of a hands-on technical audit. An independent assessor will visit your site or conduct a remote assessment to verify that your controls actually work. Typical tests include an external vulnerability scan of your internet-facing IP addresses, an authenticated vulnerability scan of a sample of your in-scope devices, and malware protection tests.
For the malware tests the assessor will attempt to deliver harmless test files to a device by email and by browser download and check that they are blocked. They will also check that day-to-day accounts are separated from administrator accounts, and verify that security updates have been applied within the required window. This technical audit gives clients and partners independent proof that your security measures are operational, not just declared.
Key Benefits of Achieving Certification
Securing either level of this certification brings immediate commercial and operational benefits to your organisation.
First and foremost, it drastically reduces your vulnerability to the most common cyber threats. By implementing these controls, you block the avenues used in the vast majority of automated, opportunistic attacks.
Furthermore, Cyber Essentials certification is often a mandatory requirement for bidding on UK government contracts. If you want to supply services to the public sector, you generally need at least the basic certification. If you handle sensitive data or bid for Ministry of Defence contracts, the contracting authority may well require Cyber Essentials Plus, so check the tender's security conditions before deciding which level to pursue.
Pricing and Common Failure Points
Budget is a major factor when choosing your certification path. The basic level certification price is tiered based on your organisation size. For micro-organisations up to large enterprises, the cost for basic Cyber Essentials ranges from approximately £300 to £600 plus VAT.
Cyber Essentials Plus requires a qualified auditor to spend a day or more testing your network. Because of this, the costs are significantly higher. Depending on the complexity and size of your network, Cyber Essentials Plus typically costs between £1,499 and £2,999 plus VAT.
Why Do Companies Fail?
Passing these assessments is not guaranteed. Many organisations stumble over a few common failure points during the certification process:
- Mobile Phones: If your staff use mobile phones or tablets to access corporate email or data, those devices fall into the assessment scope. Failing to patch mobile operating systems, or missing basic controls such as a device PIN or biometric lock on them, is a frequent cause of failure.
- Multi-Factor Authentication (MFA): The scheme requires MFA on every cloud service that supports it, for every user and not just administrators. Many companies fail because they have not enforced MFA for every single account on platforms like Microsoft 365 or Google Workspace.
- Unsupported Software: Using old, unsupported software that no longer receives security updates from the vendor is an automatic failure if it remains in scope. Operating systems and applications past their end of support must be upgraded, replaced, or removed.
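The 14-day update rule and the unsupported-software rule are the two points above that can be checked mechanically before an assessor does. The script below is an added example written for this guide; it is not a tool from the scheme or from Global Security Consultancy. It evaluates a constructed software inventory (the data is made up for illustration, not a real scan) against both rules. The CVSS 7.0 threshold and the "no severity given" clause are taken from the published scheme requirements rather than from this page; the record layout and rule names are this example's own.

```python
"""Pre-audit self-check for two common Cyber Essentials failure points.

Added example, not scheme tooling. Rules encoded:
  * vendor-unsupported software in scope is an automatic fail;
  * security updates fixing high/critical vulnerabilities (CVSS v3 >= 7.0),
    or updates with no vendor severity rating, must be applied within
    14 days of release (assumption taken from the published requirements).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)
HIGH_SEVERITY = 7.0  # CVSS v3 base score at which the 14-day clock starts


@dataclass
class Update:
    version: str
    released: date
    cvss: Optional[float]                 # None = vendor gave no severity rating
    installed_on: Optional[date] = None   # None = still pending on the device


@dataclass
class Software:
    name: str
    vendor_supported: bool
    updates: list[Update] = field(default_factory=list)


@dataclass
class Finding:
    software: str
    rule: str           # "unsupported-software", "patch-overdue" or "patch-late"
    detail: str
    automatic_fail: bool


def update_in_scope(u: Update) -> bool:
    """Only high/critical or unrated updates are subject to the 14-day window."""
    return u.cvss is None or u.cvss >= HIGH_SEVERITY


def assess(inventory: list[Software], today: date) -> list[Finding]:
    """Return every rule breach found in the inventory as of `today`."""
    findings: list[Finding] = []
    for sw in inventory:
        if not sw.vendor_supported:
            findings.append(Finding(sw.name, "unsupported-software",
                                    "no longer receives vendor security updates",
                                    automatic_fail=True))
            continue  # it must be removed or replaced; no point checking its patches
        for u in sw.updates:
            if not update_in_scope(u):
                continue
            deadline = u.released + PATCH_WINDOW
            if u.installed_on is None and today > deadline:
                findings.append(Finding(sw.name, "patch-overdue",
                    f"{u.version} released {u.released}, deadline {deadline}, "
                    f"{(today - deadline).days} day(s) overdue", automatic_fail=False))
            elif u.installed_on is not None and u.installed_on > deadline:
                # Applied eventually, so the device is clean today, but the
                # process missed the window: worth fixing before the audit.
                findings.append(Finding(sw.name, "patch-late",
                    f"{u.version} applied {(u.installed_on - deadline).days} "
                    f"day(s) after the deadline", automatic_fail=False))
    return findings


def verdict(findings: list[Finding]) -> str:
    """FAIL on any automatic-fail rule or any update still overdue today."""
    if any(f.automatic_fail or f.rule == "patch-overdue" for f in findings):
        return "FAIL"
    return "PASS"


TODAY = date(2024, 6, 1)  # constructed assessment date

SAMPLE_INVENTORY = [  # constructed sample data, not a real scan
    Software("Office suite", True, [
        Update("16.0.1", date(2024, 5, 10), cvss=8.1),        # pending, 8 days past deadline
    ]),
    Software("PDF reader", True, [
        Update("11.2", date(2024, 5, 25), cvss=7.5),          # pending but still inside 14 days
        Update("11.1", date(2024, 4, 1), cvss=None,
               installed_on=date(2024, 4, 20)),               # unrated, applied 5 days late
    ]),
    Software("Media player", True, [
        Update("3.0.1", date(2024, 4, 1), cvss=4.3),          # medium severity: no 14-day clock
    ]),
    Software("Legacy OS", False),                               # out of support: automatic fail
]


def run_sample() -> list[Finding]:
    return assess(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"[{f.rule}] {f.software}: {f.detail}")
    print("Verdict:", verdict(results))
```

Run against the sample data it reports the overdue Office update, the late but applied PDF reader update as a process warning, and the unsupported operating system, and returns a FAIL verdict; the medium-severity update and the pending update still inside its window produce no finding. Swap the constructed inventory for the output of your own patch-management or MDM tool to get the same view an assessor would form from the authenticated scan.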
Frequently Asked Questions
Q: How long does the certification last?
A: Both Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months. You must undergo the recertification process annually to maintain your status.
Q: Can we jump straight to Cyber Essentials Plus?
A: No. The assurance scheme involves a strict progression. You must pass the basic Cyber Essentials self-assessment before you can book your Cyber Essentials Plus technical audit.
Q: Will this stop all cyber attacks?
A: No certification offers 100% protection. However, implementing the five technical controls defends your business against the vast majority of common, unsophisticated cyber attacks.
Actionable Next Steps
Deciding between Cyber Essentials vs Cyber Essentials Plus comes down to your commercial goals and risk appetite. If you simply need to establish a security baseline or meet standard UK government procurement rules, start with the basic certification. If you handle highly sensitive data or face strict client demands, prepare for the Plus audit.
Start your journey today by mapping your current IT infrastructure. Identify all devices, cloud services, and software your company uses. Review your patching schedules and ensure multi-factor authentication is active across all accounts. Once you're ready, contact Global Security Consultancy for expert assistance and personalised guidance on achieving Cyber Essentials or Cyber Essentials Plus certification. Our team will help you navigate the certification process every step of the way.
