Cyber Essentials vs. Cyber Essentials Plus: Which One Do You Actually Need?
You've decided Cyber Essentials is on your to-do list — good. Now comes the question every SME reaches: do you go for the standard certification or step up to Plus? Here's how to decide without second-guessing yourself.
The short version
- CE is the right starting point for most SMEs: it covers the five core control areas, satisfies the vast majority of government and commercial contract requirements, and is achievable without a technical audit.
- CE Plus adds independent testing. A real assessor probes your systems against real attack scenarios, making it significantly more credible to enterprise and regulated-sector buyers.
- Cost and time differ meaningfully: CE typically costs £300–£600 and a few weeks' preparation; CE Plus adds a technical assessment that can push costs to £1,500–£3,000 or more.
- Only pursue CE Plus if specifically required: by a client contract, a regulated-sector obligation, or a deliberate decision to send the strongest possible signal to enterprise buyers.
If you have already read up on what Cyber Essentials is, you know it is the UK government-backed certification covering five essential security controls: boundary firewalls, secure configuration, user access control, malware protection, and patch management. The question is no longer whether to get certified. It is which tier is right for you right now. That depends on who is asking for it, what your budget is, and how quickly you need to move. This guide to Cyber Essentials vs Cyber Essentials Plus will help you make that call.
Cyber Essentials vs Cyber Essentials Plus: what is the difference?
Cyber Essentials is a self-assessed questionnaire reviewed by a Certification Body; Cyber Essentials Plus adds an independent technical test where an assessor checks your controls actually work in practice.
Both certifications cover identical security controls. The difference is entirely in how those controls are verified.
With standard Cyber Essentials, you answer a questionnaire about your technical controls and submit it to an accredited Certification Body (CB), the organisation licensed to assess and award the certificate. The CB reviews your answers. There is no hands-on testing of your systems. It is rigorous, and assessors will push back on vague or unsupported answers, but the verification is documentary rather than technical.
With Cyber Essentials Plus, you complete standard CE first, then an assessor from your CB connects to your systems and tests them directly: checking that your patch management is current, that your malware protection catches real samples, and that your network boundary does what you say it does. A CE Plus certificate states that your controls were tested, not just described.
How do the cost and effort compare?
Standard Cyber Essentials typically costs £300–£600 and a few weeks’ preparation; CE Plus adds a technical assessment that commonly brings total costs to £1,500–£3,000 or more.
| Cyber Essentials | Cyber Essentials Plus | |
|---|---|---|
| Assessment | Questionnaire + CB document review | CE questionnaire + technical test |
| Who verifies | CB reviews your answers | CB tests your live systems |
| Typical cost | £300–£600 | £1,500–£3,000+ |
| Timescale | 2–6 weeks prep | CE timeline + 1–3 weeks |
| Government contracts | Yes, most | Some (higher-assurance only) |
| Right for most SMEs? | Yes, start here | Only if required |
The cost of CE Plus varies with the size of your organisation, the complexity of your IT environment, and your CB: larger networks with more devices take longer to test, so the price reflects that.
Mind the timeline
CE Plus requires your standard Cyber Essentials to be complete first. Budget the full CE preparation period plus the technical assessment window, and do not leave it until the week before the tender closes.
When is Cyber Essentials Plus worth it?
CE Plus is worth pursuing when a specific client, contract or regulatory obligation requires it, or when you are deliberately signalling maximum assurance to enterprise or regulated-sector buyers.
There are three scenarios where CE Plus is the right call.
A contract or client explicitly requires it
This is the most common reason SMEs pursue CE Plus. Defence supply-chain contracts, NHS supplier requirements, and some large enterprise procurement processes specify CE Plus rather than standard CE. If your contract documents name CE Plus, that is your answer.
You operate in a regulated or high-assurance sector
Businesses in defence, healthcare, critical national infrastructure supply chains, or any sector where data sensitivity is particularly high will find CE Plus carries more practical weight. The technical verification shows your controls hold up under real conditions, not just on paper.
You want the strongest possible signal to enterprise buyers
Even when CE Plus is not contractually required, some SMEs pursue it because it differentiates them. If your growth depends on winning enterprise clients who run formal procurement processes, a CE Plus certificate says something a standard CE does not.
When should you start with Cyber Essentials and progress later?
Implementing these controls for the first time, moving fast, or on a tight budget? Start with standard Cyber Essentials. The work carries forward to CE Plus later.
You need certification quickly
Procurement timelines are rarely generous. If a contract requires Cyber Essentials and you have six weeks, standard CE is achievable. CE Plus in the same window is a stretch for most organisations not already in strong shape.
You are implementing the controls for the first time
If MFA (multi-factor authentication, a second login step beyond your password) is not yet rolled out everywhere, or your patching is informal, you have real work to do first. Operational controls like access reviews, patch cycles and incident response take genuine time and need a named owner. Policies and documentation come together more quickly. Either way, the technical controls must be properly in place before either assessment. Start with CE, embed everything, then treat CE Plus as the natural next step.
Budget is a real constraint
There is no shame in that. A valid Cyber Essentials certificate is far more useful than an abandoned CE Plus attempt. Certify at the right level for now, and upgrade when it makes commercial sense.
“The best certification is the one you can achieve honestly and maintain — not the most impressive-sounding one on a page.”
Here is the reassuring part. The work you do for standard Cyber Essentials does not disappear when you progress to Plus. Your evidence, policies and documented controls carry forward, so you build on a foundation you have already laid.
This article provides general educational information about Cyber Essentials certification tiers. For advice specific to your organisation’s circumstances, contract requirements or sector obligations, consult an accredited Certification Body or professional compliance adviser.
SecurSentry is launching soon to guide UK SMEs through Cyber Essentials preparation step by step, and when you progress to CE Plus, the work you have already done carries forward. Join the waitlist to be first to know when we open the doors.