
Cyber Essentials vs Cyber Essentials Plus: Which Do You Need?

Cyber Essentials offers two certification levels: the self-assessment Basic level and the independently verified Plus level. Understanding the differences can help you choose the right certification for your organisation's needs.

Key Takeaways

Point               Summary
Basic               Self-assessment questionnaire, from £300, meets most government contract requirements
Plus                Technical audit by assessor, from £1,500+, required for higher-risk contracts
Plus requirements   External vulnerability scan, device sampling, configuration verification
Start with Basic    Basic certification is required before you can pursue Plus
Choose Plus when    Contracts specify it, handling sensitive data, or you want independent verification

Quick Answer: Cyber Essentials Basic (from £300) is a self-assessment that meets most government contract requirements. Plus (from £1,500) adds independent technical verification and is required for higher-risk contracts. Start with Basic; add Plus if your contracts require it or you want stronger assurance.

Overview comparison

Aspect               Cyber Essentials (Basic)          Cyber Essentials Plus
Assessment method    Self-assessment questionnaire     Technical audit by assessor
Evidence required    Declaration-based                 Verified on-site or remotely
Technical testing    None                              Vulnerability scans + device tests
Assessor visit       No                                Yes (remote or on-site)
Cost                 £300-500                          £1,500-5,000+
Timeline             Varies based on readiness         Varies based on readiness
Valid for            12 months                         12 months
Prerequisite         None                              Valid CE Basic (within 90 days)

Cyber Essentials (Basic) in detail

What's involved

The Basic certification is a self-assessment process:

The questionnaire:

  • Approximately 90 questions covering all five controls
  • You declare your compliance with each requirement
  • A certification body reviews your responses
  • They may request clarifications on your answers
  • If satisfactory, the certificate is issued

What you're declaring:

  • Your firewalls meet the requirements
  • Your devices are securely configured
  • Your software is up to date and supported
  • Your users have appropriate access levels
  • Your devices have malware protection

Cost considerations

Cost Component            Typical Range
Certification fee         £300-500
Internal preparation      Varies by readiness
Any remediation needed    Depends on current state

When Basic is appropriate

Basic certification is typically sufficient when:

  • Government contracts require "Cyber Essentials" without specifying Plus
  • You want to demonstrate baseline security commitment
  • You're starting your compliance journey
  • Budget is constrained
  • You're comfortable with self-declaration

Cyber Essentials Plus in detail

What's involved

Plus builds on Basic with independent verification:

Technical testing includes:

  • External vulnerability assessment of all public IP addresses
  • Internal scanning (if applicable)
  • Device sampling to verify configurations
  • Evidence review and documentation check

What's tested:

  • Are firewalls correctly configured?
  • Are patches actually applied?
  • Is anti-malware running and updated?
  • Are configurations as declared?
  • Are there exploitable vulnerabilities?

Cost considerations

Cost Component                Typical Range
Basic certification           £300-500
Plus audit fee                £1,200-4,500+
Remediation if issues found   Depends on findings

Costs vary significantly based on:

  • Number of devices in scope
  • Complexity of your environment
  • Whether remote or on-site audit
  • Your certification body

When Plus is appropriate

Consider Plus when:

  • Contracts specifically require Plus certification
  • You handle particularly sensitive data
  • You want independent verification of your controls
  • Your customers or partners expect it
  • You're in a regulated industry
  • You want the highest level of assurance within the scheme

The 90-day window

An important consideration: Plus certification must be achieved within 90 days of your Basic certification.

Timeline implications:

  • Basic certificate date → the 90-day countdown starts
  • Plus must be completed → within this window
  • Basic expires before Plus is achieved → you need a new Basic certificate first

Planning for both:

  • If you know you'll need Plus, plan accordingly
  • Ensure your environment is ready for technical testing
  • Don't delay Plus once you have Basic

Choosing the right level

Decision framework

Do your contracts specify Plus?

  • Yes → You need Plus
  • No → Basic may be sufficient

Do you handle highly sensitive data?

  • Yes → Plus provides stronger assurance
  • No → Basic may be sufficient

Do your customers expect Plus?

  • Yes → Consider Plus
  • No → Basic may be sufficient

Do you want independent verification?

  • Yes → Plus verifies your controls
  • No → Basic self-declaration may be enough

What's your budget?

  • Limited → Start with Basic, add Plus later if needed
  • Available → Consider going straight to Plus (via Basic)

Common scenarios

Scenario                                              Recommendation
Government contract requiring "Cyber Essentials"      Basic is usually sufficient
MoD contract handling sensitive data                  Plus typically required
NHS contract with patient data                        Check specific requirements
Enterprise client requesting certification            Check which level they require
Starting compliance journey                           Start with Basic
Maximum assurance needed                              Plus

Preparing for each level

For Basic certification

Before starting:

  • Review the five controls
  • Assess your current compliance
  • Address any obvious gaps
  • Prepare your device inventory
  • Gather your software list

During the questionnaire:

  • Answer accurately and honestly
  • Provide clear explanations where needed
  • Be ready for clarification questions

For Plus certification

Before Basic:

  • Everything above for Basic
  • Plan for technical audit timeline

Between Basic and Plus:

  • Run your own vulnerability scan
  • Address any findings
  • Verify all devices meet requirements
  • Prepare for assessor access

For the audit:

  • Have IT support available
  • Ensure devices are accessible
  • Be ready to demonstrate configurations

Common questions

Can I go straight to Plus?
No—Plus requires a valid Basic certificate first. The Plus assessment builds on your Basic self-declaration.

How long does each take?
Timeline varies significantly based on your current readiness. Organisations with strong existing controls can move through the process quickly; those needing significant remediation will take longer.

Is Plus much harder than Basic?
Plus verifies that what you declared in Basic is actually true. If your Basic declaration was accurate and you've maintained your controls, Plus should confirm that. Issues typically arise when there's a gap between declared and actual state.

Can I certify just part of my organisation?
Yes—scope can be defined to include specific networks, locations, or business units. Both Basic and Plus allow scoped certification.

What if I fail Plus?
Minor issues can often be resolved during the audit. More significant problems may require remediation and a re-test. Your certification body can advise on next steps.

How Bastion can help

Whether you're pursuing Basic, Plus, or both, we can help streamline the process.

Challenge              How We Help
Level selection        We assess your requirements and recommend the appropriate level
Preparation            Our team helps implement controls correctly the first time
Gap assessment         We identify issues before they become certification blockers
Plus readiness         We help prepare your environment for technical testing
Ongoing maintenance    We support recertification and continuous compliance

Working with a managed service partner means you benefit from experience across many certifications. We know what certification bodies look for and can help you avoid common pitfalls that cause delays or failures.
