Short answer
Cyber Essentials is a self-assessment against a set of core technical controls. Cyber Essentials Plus adds independent technical testing to check that key controls are working in practice.
Both schemes are useful, but they serve slightly different purposes. Cyber Essentials is often the first step. Cyber Essentials Plus provides stronger evidence because an assessor carries out technical checks.
Cyber Essentials
Cyber Essentials is based on a self-assessment questionnaire. The organisation answers questions about how it manages key areas such as access control, secure configuration, malware protection, patching and internet-facing services.
It is useful when you need to demonstrate a recognised security baseline to customers, suppliers, insurers or tendering bodies.
Cyber Essentials can also be a useful internal exercise because it forces the organisation to review how basic controls are actually managed.
Cyber Essentials Plus
Cyber Essentials Plus builds on Cyber Essentials by adding independent testing. An assessor checks a sample of devices and verifies that relevant controls are in place.
This gives a higher level of assurance than self-assessment alone. It is often requested where a customer wants stronger evidence that controls have been implemented, not just described.
Cyber Essentials Plus can also identify practical issues that are easy to miss during self-assessment, such as outdated software, unsupported systems or devices that are not being updated properly.
Which one do you need?
The right choice depends on why you are seeking certification.
Cyber Essentials may be enough if:
- a customer or tender requires the basic certification;
- you want to show a recognised security baseline;
- you are at an early stage of formalising security controls;
- you want to understand your current position before going further.
Cyber Essentials Plus may be more appropriate if:
- a customer or tender specifically requires Plus;
- you need independently tested evidence;
- your organisation wants greater confidence that controls are working;
- you have already completed Cyber Essentials and want to go further;
- certification is part of a wider assurance or security improvement plan.
Common mistake: treating certification as the end point
Certification is useful, but it should not be treated as the whole security programme.
Cyber Essentials and Cyber Essentials Plus are strongest when they form part of wider improvement. The assessment process can highlight gaps in patching, device management, access control, cloud configuration and governance.
Those findings can then feed into a security roadmap, vCISO arrangement, vulnerability assessment or cloud security review.
How to choose a sensible route
If you are not sure which certification is needed, start with the business driver:
- Is this for a specific contract or tender?
- Has a customer asked for a particular level of certification?
- Do you need independent technical verification?
- Are you trying to improve security maturity beyond a certificate?
- Is there a deadline?
The answers will usually make the decision clearer.
How Be Secure Cyber can help
Be Secure Cyber supports organisations preparing for Cyber Essentials and Cyber Essentials Plus. We can help confirm scope, identify likely gaps, support the assessment process and connect certification work to wider security improvement.
View Cyber Essentials support, view Cyber Essentials Plus support or speak to us.