
Cyber Essentials vs Cyber Essentials Plus — which one does my business need?

Same five controls. Different verification methods. Different price tags. Here's how to decide which level your UK small business actually needs — and when paying for Plus is worth it.


I get this question every week, usually from a business that's just had a tender land on their desk asking for "Cyber Essentials" or "Cyber Essentials Plus" and they're not sure which one is being asked for or what the difference even is. Here's the plain answer.

Same five controls

Both certifications verify exactly the same things — the five fundamental security controls defined by the National Cyber Security Centre:

  1. Firewalls
  2. Secure configuration
  3. Access control
  4. Malware protection
  5. Security update management

If you want a proper walkthrough of what each one means in practice, we covered them in detail in our Cyber Essentials primer. The short version: the controls don't change between basic and Plus. What changes is how the assessor verifies you actually have them in place.

The real difference: how it gets verified

Cyber Essentials (basic)

Self-assessment. You complete an online questionnaire — about 60 questions covering scope and the five controls. You answer honestly. An IASME-certified assessor reviews your answers and either approves or comes back with remediations. The whole thing is paper-based.

It's a trust-based system. The questionnaire asks "do you enforce MFA on all cloud services?" and you answer yes or no. The assessor doesn't independently verify it.

Cyber Essentials Plus

Same questionnaire plus hands-on testing. An IASME-certified Plus assessor visits (usually remotely now) and:

  • Picks a representative sample of your devices and verifies their patch status against your declared policy
  • Runs a basic vulnerability scan against the sample
  • Attempts to deliver a malicious test file via email to verify your malware protection actually catches it
  • Attempts to run unauthorised software on a sample device to verify access controls
  • Verifies MFA is enforced on your cloud services by trying to bypass it
  • Reviews your account creation and removal evidence

The whole point is to verify that what you said on the questionnaire is what's actually happening on the ground.

Cost comparison (2026 UK pricing)

| Item | Basic CE | CE Plus |
|---|---|---|
| IASME assessment fee (10–49 employees) | £440 + VAT | + £1,400–£2,400 + VAT |
| Typical MSP remediation/support time | £500–£2,000 | £1,000–£3,500 |
| Time from start to certificate | 4–8 weeks | 4–6 weeks (after basic CE) |
| Total all-in cost | ~£1,000–£2,500 | ~£3,000–£6,000 (additional) |

So if you're going for both, you're realistically looking at £4,000–£8,500 all-in for a typical 20-user SMB starting from a reasonable baseline.

Who actually needs Plus?

Most UK SMBs don't. We see Plus genuinely required for:

  • UK central government contracts handling personal or sensitive data — particularly Cabinet Office and MOD-adjacent work.
  • Some NHS supplier frameworks — particularly those involving direct patient data or clinical systems.
  • Large enterprise procurement — particularly defence, financial services, and critical infrastructure suppliers.
  • Cyber insurance at higher cover levels — some underwriters now require Plus for cover above £2m.

If you're not in one of those buckets, basic Cyber Essentials is genuinely enough. The five controls are the same — you're just paying more for verification.

The honest case for Plus when it isn't required

There's one situation where I do recommend Plus even when no buyer is asking for it: when you suspect your basic CE answers might be more aspirational than accurate.

The Plus assessor will find what your CE questionnaire claimed but didn't deliver — the unpatched device sitting in the cupboard, the local admin account with a weak password, the conditional access policy that was never fully rolled out. If your business genuinely depends on its IT and the questionnaire was answered by someone who wasn't 100% sure about every box they ticked, Plus turns it from a paper exercise into a real audit.

That said — most businesses are better served by a good MSP doing an honest pre-CE gap assessment, fixing the gaps, then going for basic CE with confidence. Cheaper, same outcome.

The order: basic first, always

You cannot skip basic Cyber Essentials and go straight to Plus. Plus requires a valid basic CE certificate as a prerequisite. The standard pattern is to do them back-to-back: basic CE first, then Plus immediately afterwards while the controls are fresh and the documentation is current.

If you're going for both, plan for 10–12 weeks total from a cold start.

What I tell clients in practice

If a tender or buyer requires Plus — go straight for it, no debate. The cost is the cost of doing business with that buyer.

If no one's specifically asked for Plus — start with basic Cyber Essentials. You can always upgrade to Plus next year if a buyer demands it. Most don't.

If you're debating it on the basis that "Plus sounds better" — don't. The marketing benefit of having Plus over basic, if no buyer is asking, is genuinely small. Spend the £3,000 on something more useful — like proper EDR coverage or a tabletop exercise.

If you'd like a straight answer about which level fits your specific situation, drop us a note with what your buyers are asking for. We'll come back with a no-pressure recommendation in 24 hours.

Need to decide between CE and CE Plus?

We've taken dozens of Manchester SMBs through both certifications. We'll tell you which one you actually need, even if it's the cheaper one.
