Cyber Essentials vs Cyber Essentials Plus: Which Do You Need?
Cyber Essentials and Cyber Essentials Plus cover the same five security controls. The difference is how they are checked. Cyber Essentials is a verified self-assessment. Cyber Essentials Plus adds an independent, hands-on audit of your live systems. Choose Plus when a contract requires it, or when you hold data sensitive enough that proof matters more than a declaration.
Layer 7 has been an IASME-licensed Certification Body since the scheme launched in 2014, and we deliver both levels in-house. Here is how to pick the right one.
Cyber Essentials vs Cyber Essentials Plus at a glance
| Cyber Essentials | Cyber Essentials Plus | |
|---|---|---|
| What it is | Verified self-assessment | Self-assessment plus an independent audit |
| How it is verified | We review your answers | We test a sample of your live systems |
| Technical testing | None | Hands-on: vulnerability scan, MFA and patch checks, endpoint sampling |
| Evidence level | Declaration | Proven, tested compliance |
| Typical cost | Priced by organisation size | From around £900 plus VAT, by scope |
| Validity | 12 months | 12 months |
| Prerequisite | None | A current base Cyber Essentials certificate |
| Free cyber insurance | Yes, if eligible | Via the base certificate |
| Best for | First certification, lighter-touch supply chains | Contracts that mandate it, higher assurance |
In short: both certifications cover the same five controls and last 12 months. Cyber Essentials is a self-assessment; Cyber Essentials Plus adds an independent audit that proves those controls work, which is why higher-assurance contracts specify Plus.
The one real difference: self-assessment vs hands-on audit
Both levels assess the same five controls: firewalls, secure configuration, security update management, user access control and malware protection.
With Cyber Essentials, you complete the question set and a Certification Body reviews and certifies it. With Cyber Essentials Plus, an assessor goes further and independently tests that the controls genuinely work on your live systems. Plus is proof, not self-declaration. That is the whole distinction, and it is why Plus carries more weight with the organisations that ask for it.
Self-assessment, verified
Hands-on technical audit What the Cyber Essentials Plus audit actually involves
On a Cyber Essentials Plus audit, an assessor works through a representative sample of your systems and checks the controls in practice. That usually means:
- An authenticated vulnerability scan of a sample of devices, looking for missing patches and risky configuration.
- A check that multi-factor authentication is enforced on your cloud services.
- A test of malware protection and that critical updates are applied in time.
- A look at how user accounts and admin rights are set up.
The most common reasons organisations fail are avoidable: unsupported software still in use, critical updates left beyond the deadline, and multi-factor authentication not switched on everywhere it should be. We help you find and fix these before the formal audit, so the audit confirms what we already know.
How much does each cost?
Cyber Essentials is priced by organisation size. Cyber Essentials Plus is priced on the size and complexity of your environment, and starts from around £900 plus VAT. Plus costs more because of the hands-on audit. For a full breakdown, see our guide to Cyber Essentials Plus cost.
Which do you need? A simple decision framework
Work through these in order:
- Does a contract, tender or customer specify Cyber Essentials Plus? If yes, you need Plus. The requirement decides it.
- Do you handle sensitive personal data, or other people’s data, at scale? If yes, lean towards Plus. Proof reassures the people trusting you with it.
- Are you in a regulated or public-sector supply chain? If yes, expect Plus to be asked for sooner or later.
- None of the above, and you need a recognised baseline? Base Cyber Essentials is likely enough for now, and you can step up later.
Which certification does your sector require?
The level you need is usually set by your sector and your customers, not by you. This is where most comparisons stop short. Here is how it tends to fall out.
| Sector | Typical requirement | Notes |
|---|---|---|
| NHS suppliers | Often Cyber Essentials Plus | Under PPN 014, NHS buyers can require Cyber Essentials or Plus based on the nature of the contract. NHS Supply Chain expects suppliers handling its personal data, or supplying IT, to hold Plus. |
| Defence supply chain | CE at Very Low, CE+ from Low upward | Under the MOD Cyber Security Model (CSMv4, Def Stan 05-138 Issue 4), your contract’s Cyber Risk Profile sets the level. Cyber Essentials is the baseline at Very Low; Cyber Essentials Plus is required from the Low profile upward. |
| Legal and legal aid | Base Cyber Essentials | From 1 October 2025, firms holding a Criminal Legal Aid contract must hold a valid Cyber Essentials certificate. Base level satisfies it. Many firms choose Plus for sensitive client data. |
| Manufacturing and supply chain | CE, often Plus for OEMs | Driven commercially by customers and primes rather than regulation. The audited Plus tier is common where a large buyer demands it. |
| General public-sector procurement | Cyber Essentials, sometimes Plus | Required under government procurement rules based on the nature of the contract, not a set contract value. |
The rule of thumb: if an NHS, defence, public-sector or large-customer contract is involved, expect Cyber Essentials Plus to be specified. For everyone else, base Cyber Essentials is usually the right starting point.
A note on a common myth: PPN 014 has no £5m contract-value threshold. Scope is driven by the characteristics of the contract, such as handling personal data or IT services, not by its value. Anyone telling you “only contracts over £5m need it” is repeating an error.
For your sector, see Cyber Essentials for NHS suppliers, for law firms and accountants, for the defence supply chain, and for manufacturers.
When Cyber Essentials alone is enough
Plus is not always the answer. Base Cyber Essentials is genuinely enough when no contract mandates Plus, your data sensitivity is moderate, and you want a recognised baseline that still unlocks the free cyber insurance and answers most client questionnaires. You can always step up to Plus later, and many organisations do, once a customer asks. We will tell you honestly when base level is the right call.
How the April 2026 update (Danzell, v3.3) widens the gap
The Cyber Essentials requirements changed in April 2026. The current question set, “Danzell” on Requirements v3.3, applies from 27 April 2026. Multi-factor authentication on every capable cloud service is now mandatory, and its absence is an automatic fail. Critical updates must be applied within 14 days.
This actually widens the gap between the two levels. With base Cyber Essentials, you self-declare that MFA is enforced. With Cyber Essentials Plus, an assessor independently verifies it across your cloud services. As the controls get stricter, the value of having them tested, rather than just declared, goes up.
How to get certified, both levels, one assessor
We deliver Cyber Essentials and Cyber Essentials Plus in-house, as an IASME Certification Body since 2014. No readiness middleman, no outsourced audit. Tell us where you are and what your contracts ask for, and we will point you to the right level.
Talk to an assessor: hello@layer7.uk or see Cyber Essentials Plus certification.
Cyber Essentials vs Plus FAQs
Is Cyber Essentials Plus mandatory? Not in general. It becomes mandatory when a contract, tender or customer requires it, which is common in government, defence and NHS supply chains. Otherwise it is voluntary and strongly recommended.
Can I get Cyber Essentials Plus without Cyber Essentials first? No. You need a current base Cyber Essentials certificate first, and the Plus audit must be completed within three months of it. We can do both for you.
What is the difference between Cyber Essentials and Cyber Essentials Plus? Cyber Essentials is a verified self-assessment against five controls. Cyber Essentials Plus covers the same controls, then proves them with an independent, hands-on audit of your live systems.
How much more does Cyber Essentials Plus cost? Cyber Essentials is priced by organisation size. Cyber Essentials Plus starts from around £900 plus VAT and is priced on your environment, because it adds a hands-on audit.
Do I need Cyber Essentials Plus for NHS, MOD or legal aid contracts? It depends on the contract. NHS Supply Chain expects Plus from suppliers handling its data; MOD contracts require Plus from the Low Cyber Risk Profile upward; criminal legal aid requires base Cyber Essentials. We help you confirm which applies.
Why do organisations fail Cyber Essentials Plus? Usually unsupported software still in use, critical updates left beyond 14 days, or multi-factor authentication not enabled everywhere. We help you fix these before the audit.
How often do I renew? Both certificates are valid for 12 months, so you re-certify annually.