
Cyber Essentials vs Cyber Essentials Plus: Which Level Does Your Organisation Actually Need?

9 March 2026 · 9 min read · Precursor Security

Cyber Essentials is a UK government-backed self-assessment certification covering five security controls. Cyber Essentials Plus adds independent technical verification through vulnerability scanning and on-site testing by a licensed assessor. Cyber Essentials costs £500 to £2,000, while Cyber Essentials Plus costs £2,000 to £15,000 depending on organisation size. Choose Cyber Essentials for baseline compliance and Cyber Essentials Plus when contracts, insurance, or risk profile require independent assurance.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Both certifications test the same five security controls. The difference is how that testing happens.

Cyber Essentials is a self-assessment. Your organisation completes an online questionnaire about its security controls, and IASME (the NCSC-appointed scheme administrator) reviews the answers. Approximately 10-15% of submissions are randomly sampled for a desktop review of evidence, but there is no technical testing.

Cyber Essentials Plus is an independent audit. A licensed assessor conducts vulnerability scanning of your internet-facing and internal systems, then performs on-site testing including live checks of device configurations, firewall rules, and user access controls.

Feature | Cyber Essentials | Cyber Essentials Plus
--- | --- | ---
Assessment type | Self-assessment questionnaire | Independent third-party audit
Technical testing | None | Vulnerability scanning + on-site verification
Cost | £500 to £2,000 | £2,000 to £15,000+
Duration | 1 to 4 weeks | 4 to 12 weeks
Pass rate (first attempt) | ~85-90% | ~70-75%
Independence | Self-declared | Verified by licensed assessor
Government contracts (PPN 014) | Required for all central government suppliers | Required for higher-risk contracts
Insurance impact | Meets most baseline requirements | Preferred by underwriters for higher cover
Validity | 12 months | 12 months
Prerequisite | None | Must hold current Cyber Essentials

NCSC data shows that organisations with Cyber Essentials certification experience 75% fewer breaches than non-certified organisations.

What are the five Cyber Essentials controls?

Both Cyber Essentials and Cyber Essentials Plus assess the same five technical controls, updated in the Willow release (October 2024) to cover modern threats including cloud configuration and MFA.

  1. Firewalls. Internet-facing devices must have a properly configured firewall with a default-deny inbound policy.
  2. Secure configuration. Devices must not use default passwords, and unnecessary services must be disabled.
  3. User access control. Users should operate with standard (non-admin) accounts. Admin privileges must be restricted. MFA is now required for admin accounts and remote access.
  4. Malware protection. Anti-malware software must be installed, active, and kept up to date on all in-scope devices.
  5. Security update management. Critical and high-severity patches must be applied within 14 days of release. End-of-life software that no longer receives updates must be removed or isolated.

For a detailed breakdown of each control, see our Cyber Essentials requirements guide.

How much does Cyber Essentials cost vs Cyber Essentials Plus?

Costs depend on organisation size and whether you use external consultancy for preparation.

Cyber Essentials: The IASME assessment fee starts at approximately £500 for micro and small organisations. If you engage a consultancy to help prepare your questionnaire responses and review your controls beforehand, expect to pay £500 to £2,000 in total.

Cyber Essentials Plus: Assessor fees range from £2,000 to £5,000 for small organisations (under 50 employees), £5,000 to £10,000 for medium organisations, and £10,000 to £15,000+ for large or complex environments with multiple sites, extensive cloud infrastructure, or significant BYOD use. Annual renewal typically costs 50-70% of the initial assessment.

If your organisation fails the Cyber Essentials Plus assessment, remediation and re-testing add £500 to £2,000+ to the total cost. There is no mandatory waiting period before re-assessment, but all identified issues must be resolved.

How long does each certification take?

Cyber Essentials is self-paced. Most organisations complete the questionnaire within one to two weeks. IASME processing and any sampling checks take an additional five to ten days. Total: one to four weeks.

Cyber Essentials Plus requires scheduling with a licensed assessor. The process includes scoping (one to two weeks), remote vulnerability scanning (one week), on-site testing (one to two days), and reporting (one to two weeks). Allow four to twelve weeks from initial engagement to certification, depending on assessor availability and the complexity of your environment.

Cyber Essentials Plus requires a current Cyber Essentials certificate as a prerequisite. Factor in the Cyber Essentials timeline if you do not already hold it.

What does the Cyber Essentials Plus technical assessment involve?

The Cyber Essentials Plus assessment has two stages, both conducted by a licensed assessor.

Stage 1: Remote vulnerability scanning. The assessor scans your internet-facing systems and a sample of internal devices for vulnerabilities. The scan checks for unpatched software, exposed services, weak configurations, and open ports. Any vulnerability whose CVSS v3.0 metrics show a network attack vector, low attack complexity, and high exploit code maturity will cause a failure.
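As an added worked example (not code from the article or from Precursor Security), the check below applies the three stated failure criteria to CVSS v3 vector strings from an internal pre-assessment scan, so the findings that would fail can be remediated before the assessor's scan; the hosts, titles and vectors are constructed. It treats a vector with no Exploit Code Maturity metric (E absent or E:X) as High, because the CVSS v3.1 specification scores Not Defined the same as High; that conservative reading is an assumption, not the scheme's wording.

```python
"""Pre-assessment triage of internal scan findings against the Cyber Essentials
Plus failure criteria stated above: network attack vector (AV:N), low attack
complexity (AC:L) and high exploit code maturity (E:H). Sample data below is
constructed for illustration, not real scan output."""
from dataclasses import dataclass

def parse_cvss_v3(vector: str) -> dict:
    """Parse a CVSS v3.x vector string into a {metric: value} dict."""
    prefix, *parts = vector.split("/")
    if not prefix.startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if not (key and sep and value):
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics

def is_ce_plus_failure(vector: str) -> bool:
    """True if the vector matches the three stated failure criteria.
    Assumption: an absent or Not Defined (X) Exploit Code Maturity metric is
    treated as High, because the CVSS v3.1 specification scores X the same as
    H; that is the conservative reading for a pre-check, not scheme wording."""
    m = parse_cvss_v3(vector)
    exploit_maturity = m.get("E", "X")
    return (m.get("AV") == "N" and m.get("AC") == "L"
            and exploit_maturity in ("H", "X"))

@dataclass
class Finding:
    host: str
    title: str
    vector: str

def triage(findings: list) -> list:
    """Return only the findings that would fail the assessment; fix these first."""
    return [f for f in findings if is_ce_plus_failure(f.vector)]

# Constructed sample findings (hypothetical hosts, titles and vectors):
SAMPLE_FINDINGS = [
    Finding("web-01", "unpatched web server RCE", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C"),
    Finding("laptop-07", "local privilege escalation", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H"),
    Finding("vpn-gw", "information disclosure", "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P"),
    Finding("fileshare", "RCE, exploit maturity not rated", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"FAIL  {f.host}: {f.title} ({f.vector})")
```

Local-only and high-complexity findings still need patching within the 14-day window, but they are not what this particular scan rule fails you on.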

Stage 2: On-site testing. The assessor visits your premises (or conducts secure remote testing in exceptional cases) and performs hands-on verification:

  • Device configuration checks on a sample of 10-20% of in-scope devices
  • Firewall rule verification against the deny-all inbound policy
  • User account review confirming admin privilege restrictions
  • MFA verification on admin accounts and remote access
  • Malware protection testing, including simulated threats
  • Evidence review of patching logs, policies, and configuration records

Both stages must pass with zero critical failures. If issues are found, you have three months to remediate and request a re-test.

Why do organisations fail Cyber Essentials Plus?

Approximately 50% of organisations fail their first Cyber Essentials Plus on-site assessment. The most common failure reasons, based on IASME and NCSC data from 2024, are:

Secure configuration (40% of failures). Default passwords not changed, unnecessary services running, and exposed administrative interfaces. This is the single most failed control.

Malware protection (30% of failures). Anti-malware not running on all devices, outdated signature databases, or endpoint protection that fails simulated bypass tests.

Patching gaps. Critical and high-severity patches not applied within the 14-day window. End-of-life operating systems (Windows 10 21H2, macOS 11, iOS 14, Android 10) still in use. Third-party applications like Zoom, .NET, and browser plugins left unpatched.

MFA and access control. MFA not enabled on admin accounts or remote access points. Users routinely operating with administrator privileges, which is particularly common in macOS environments and smaller IT teams.

BYOD devices. Personal mobile devices accessing corporate email or data without endpoint management, running unsupported operating systems, or lacking device-level firewall configuration.

Organisations that prepare by running internal vulnerability scans and verifying each control against the assessment criteria before booking a Cyber Essentials Plus assessment have a substantially higher first-time pass rate. For a full breakdown of how vulnerability scanning compares to manual penetration testing, see our guide to vulnerability assessment vs penetration testing.

Which level do government contracts require?

Procurement Policy Note 014 (PPN 014) sets the baseline. All suppliers to UK central government contracts that involve handling information on internet-connected devices must hold Cyber Essentials certification as a minimum.

Cyber Essentials is sufficient for lower-risk contracts: those under £5 million that do not involve personal data, sensitive government information, or critical service delivery.

Cyber Essentials Plus is required for higher-risk contracts: those exceeding £5 million, involving personal or sensitive data, or supporting critical government services. Ministry of Defence suppliers, NHS digital service providers, and Home Office system integrators typically require Cyber Essentials Plus.

Beyond central government, approximately 80% of public sector tenders now specify at least Cyber Essentials. Local authorities, NHS trusts, and arm's-length bodies increasingly follow PPN 014 even where not formally required.

For private sector organisations, Cyber Essentials is not legally mandatory but is frequently required as a contractual condition by larger clients, particularly in financial services, healthcare supply chains, and critical infrastructure.

How do you decide which level your organisation needs?

Start with three questions:

1. Do any of your contracts require it? Check existing and target contracts for specific certification requirements. If a contract specifies Cyber Essentials Plus, the decision is made. If it specifies Cyber Essentials without further qualification, the basic certification is sufficient for that contract.

2. What data do you handle? If your organisation processes personal data, health records, financial information, or government-classified material, Cyber Essentials Plus provides independent assurance that your controls actually work. Self-assessment alone may not satisfy your clients, regulators, or insurers.

3. What is your risk tolerance? Cyber Essentials certifies that you claim to have the controls in place. Cyber Essentials Plus certifies that an independent assessor has verified those controls work. If a breach would cause significant financial, reputational, or operational damage, the independent verification of Cyber Essentials Plus is worth the additional investment.

A practical decision framework:

  • You are a small business with no government contracts and limited sensitive data: Cyber Essentials is the right starting point.
  • You bid on public sector work or handle client data under contract: Cyber Essentials is the minimum, and Cyber Essentials Plus strengthens your bid.
  • You are an MSP, IT provider, or process sensitive data for regulated clients: Cyber Essentials Plus is the expectation. Your clients need independent assurance of your security controls.
  • You want the best available cyber insurance terms: Cyber Essentials Plus is preferred by most underwriters for higher coverage limits.

Frequently asked questions

Is Cyber Essentials Plus mandatory? Cyber Essentials Plus is not legally mandatory for any sector. It is contractually required for higher-risk UK government contracts under PPN 014 and is increasingly expected by NHS trusts, financial services firms, and large enterprise clients as a supply chain requirement.

Can I go straight to Cyber Essentials Plus without doing Cyber Essentials first? No. Cyber Essentials Plus requires a current Cyber Essentials certificate as a prerequisite. You must pass the self-assessment before booking the independent audit.

How often do I need to renew? Both certifications are valid for 12 months. You must recertify annually, and each renewal requires a fresh assessment against the current version of the requirements.

What happens if I fail Cyber Essentials Plus? You receive a report identifying the specific failures. You have three months to remediate the issues and request a re-test. The re-test fee is typically £500 to £2,000. There is no limit on re-test attempts within the three-month window.

Does Cyber Essentials help with cyber insurance? Yes. NCSC data indicates that organisations with Cyber Essentials controls experience significantly fewer successful attacks. Most UK cyber insurers recognise Cyber Essentials as a baseline requirement, and Cyber Essentials Plus certification can reduce premiums or unlock higher coverage limits.
