SecurSentry
← All notes
Cyber Essentials

Cyber Essentials vs. Cyber Essentials Plus: Which One Do You Actually Need?

You've decided Cyber Essentials is on your to-do list — good. Now comes the question every SME reaches: do you go for the standard certification or step up to Plus? Here's how to decide without second-guessing yourself.

The short version

If you have already read up on what Cyber Essentials is, you know it is the UK government-backed certification covering five essential security controls: boundary firewalls, secure configuration, user access control, malware protection, and patch management. The question is no longer whether to get certified. It is which tier is right for you right now. That depends on who is asking for it, what your budget is, and how quickly you need to move. This guide to Cyber Essentials vs Cyber Essentials Plus will help you make that call.

Cyber Essentials vs Cyber Essentials Plus: what is the difference?

Cyber Essentials is a self-assessed questionnaire reviewed by a Certification Body; Cyber Essentials Plus adds an independent technical test where an assessor checks your controls actually work in practice.

Both certifications cover identical security controls. The difference is entirely in how those controls are verified.

With standard Cyber Essentials, you answer a questionnaire about your technical controls and submit it to an accredited Certification Body (CB), the organisation licensed to assess and award the certificate. The CB reviews your answers. There is no hands-on testing of your systems. It is rigorous, and assessors will push back on vague or unsupported answers, but the verification is documentary rather than technical.

With Cyber Essentials Plus, you complete standard CE first, then an assessor from your CB connects to your systems and tests them directly: checking that your patch management is current, that your malware protection catches real samples, and that your network boundary does what you say it does. A CE Plus certificate states that your controls were tested, not just described.

How do the cost and effort compare?

Standard Cyber Essentials typically costs £300–£600 and a few weeks’ preparation; CE Plus adds a technical assessment that commonly brings total costs to £1,500–£3,000 or more.

Cyber EssentialsCyber Essentials Plus
AssessmentQuestionnaire + CB document reviewCE questionnaire + technical test
Who verifiesCB reviews your answersCB tests your live systems
Typical cost£300–£600£1,500–£3,000+
Timescale2–6 weeks prepCE timeline + 1–3 weeks
Government contractsYes, mostSome (higher-assurance only)
Right for most SMEs?Yes, start hereOnly if required

The cost of CE Plus varies with the size of your organisation, the complexity of your IT environment, and your CB: larger networks with more devices take longer to test, so the price reflects that.

Mind the timeline

CE Plus requires your standard Cyber Essentials to be complete first. Budget the full CE preparation period plus the technical assessment window, and do not leave it until the week before the tender closes.

When is Cyber Essentials Plus worth it?

CE Plus is worth pursuing when a specific client, contract or regulatory obligation requires it, or when you are deliberately signalling maximum assurance to enterprise or regulated-sector buyers.

There are three scenarios where CE Plus is the right call.

A contract or client explicitly requires it

This is the most common reason SMEs pursue CE Plus. Defence supply-chain contracts, NHS supplier requirements, and some large enterprise procurement processes specify CE Plus rather than standard CE. If your contract documents name CE Plus, that is your answer.

You operate in a regulated or high-assurance sector

Businesses in defence, healthcare, critical national infrastructure supply chains, or any sector where data sensitivity is particularly high will find CE Plus carries more practical weight. The technical verification shows your controls hold up under real conditions, not just on paper.

You want the strongest possible signal to enterprise buyers

Even when CE Plus is not contractually required, some SMEs pursue it because it differentiates them. If your growth depends on winning enterprise clients who run formal procurement processes, a CE Plus certificate says something a standard CE does not.

When should you start with Cyber Essentials and progress later?

Implementing these controls for the first time, moving fast, or on a tight budget? Start with standard Cyber Essentials. The work carries forward to CE Plus later.

You need certification quickly

Procurement timelines are rarely generous. If a contract requires Cyber Essentials and you have six weeks, standard CE is achievable. CE Plus in the same window is a stretch for most organisations not already in strong shape.

You are implementing the controls for the first time

If MFA (multi-factor authentication, a second login step beyond your password) is not yet rolled out everywhere, or your patching is informal, you have real work to do first. Operational controls like access reviews, patch cycles and incident response take genuine time and need a named owner. Policies and documentation come together more quickly. Either way, the technical controls must be properly in place before either assessment. Start with CE, embed everything, then treat CE Plus as the natural next step.

Budget is a real constraint

There is no shame in that. A valid Cyber Essentials certificate is far more useful than an abandoned CE Plus attempt. Certify at the right level for now, and upgrade when it makes commercial sense.

“The best certification is the one you can achieve honestly and maintain — not the most impressive-sounding one on a page.”

Here is the reassuring part. The work you do for standard Cyber Essentials does not disappear when you progress to Plus. Your evidence, policies and documented controls carry forward, so you build on a foundation you have already laid.


This article provides general educational information about Cyber Essentials certification tiers. For advice specific to your organisation’s circumstances, contract requirements or sector obligations, consult an accredited Certification Body or professional compliance adviser.


SecurSentry is launching soon to guide UK SMEs through Cyber Essentials preparation step by step, and when you progress to CE Plus, the work you have already done carries forward. Join the waitlist to be first to know when we open the doors.

Frequently asked questions

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment questionnaire reviewed and verified by a Certification Body. Cyber Essentials Plus includes everything in the standard certification but adds an independent technical test, where a real assessor verifies your controls work in practice. CE Plus costs more and takes longer, but carries significantly more weight with enterprise and regulated-sector clients.

Is Cyber Essentials Plus worth it for a small business?

For most small businesses, standard Cyber Essentials is the right starting point. It satisfies the majority of government and commercial contract requirements at a fraction of the cost. CE Plus becomes worth it when a specific client, contract or regulated sector explicitly requires it. It is also worth it when you want the strongest possible assurance signal to enterprise buyers.

How long does Cyber Essentials Plus take compared to standard Cyber Essentials?

Standard Cyber Essentials typically takes two to six weeks of preparation before submission and review. CE Plus adds a technical assessment stage on top of that, usually extending the overall timeline by a further one to three weeks. Your preparation time for CE counts in full towards CE Plus, so you are not starting again.

Do I need Cyber Essentials Plus for UK government contracts?

Most UK government contracts require standard Cyber Essentials rather than Plus. CE Plus is required for a smaller subset of higher-assurance contracts, particularly in defence, critical national infrastructure, and roles involving more sensitive data. Always check the specific contract requirements before deciding which tier to pursue.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.