The hands-on, independently audited tier of the UK government's Cyber Essentials scheme - your live systems tested by a qualified assessor, not just a questionnaire you fill in yourself.
Cyber Essentials Plus is the audited level of the UK government's Cyber Essentials scheme.
Both levels are built on the same five technical controls - firewalls, secure configuration, security update management, user access control and malware protection. Get those right and you block the overwhelming majority of common internet-based attacks.
The difference is proof. Standard Cyber Essentials is a self-assessment: you answer the questionnaire and certify your own answers. Cyber Essentials Plus keeps the same questionnaire but adds an independent, hands-on technical audit - an assessor verifies that your controls actually work on your live systems.
Layer 7 is an IASME-licensed certification body. We issue Cyber Essentials and Cyber Essentials Plus directly - the assessment and the certificate come from us, not a reseller.
Same five controls, same questionnaire. What changes at Plus is who checks, and how.
| Aspect | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| How it's verified | Self-assessment questionnaire | Independent hands-on technical audit |
| Who checks | You | A qualified Layer 7 assessor |
| What's tested | Your declared answers | Your live systems and devices |
| Includes | Online questionnaire | Questionnaire plus vulnerability scan and authenticated testing |
| Level of assurance | Good baseline | Independently verified |
| Best for | First step; lower-risk organisations | Contracts, regulated sectors, sensitive data, supply-chain assurance |
You need Cyber Essentials before you can hold Cyber Essentials Plus - and the Plus audit must be completed within three months of your Cyber Essentials certificate. We can guide you through both.
Structured, low-friction and led by the same assessor from start to finish. Here is how it runs.
We agree exactly what is in scope - devices, users, cloud services and locations - so the audit reflects how you really operate.
If you do not yet hold Cyber Essentials, we help you complete the self-assessment. The Plus audit must follow within three months.
Authenticated and unauthenticated scans across a representative sample of your devices to surface missing patches and weak configuration.
We verify real-world resilience on live machines: malicious email and web content, malware protection, secure configuration and patching.
Clear findings, precise remediation guidance and, once you pass, your Cyber Essentials Plus certificate - valid for 12 months.
Free retest if anything needs fixing - at no extra cost.
The Cyber Essentials scheme is reviewed every year so the controls keep pace with how organisations actually work and how attackers actually operate. The April 2026 update refreshes the technical requirements again.
You do not need to track the detail - we are already assessing against the current requirements, so your certification reflects the latest standard from day one.
We've been an IASME-licensed Cyber Essentials certification body since the scheme launched. Very few providers in the UK - and fewer still in the North East - can say the same. That's a decade of certifying organisations to this exact standard.
The audit and the certificate come directly from us. You work with a qualified Layer 7 assessor from scoping to certificate - no hand-offs, no third-party assessor you never meet.
We deliver security to public sector, defence and regulated clients - including MOD-accredited cloud work - through G-Cloud 14, DOS 7 and CCS frameworks. The same rigour goes into every Cyber Essentials Plus audit.
Our testing capability is CREST-accredited. Cyber Essentials Plus sits within a broader security practice spanning penetration testing, ISO 27001 and managed defence - so we see your certification in context, not in isolation.
We're based in the North East and certify organisations across the region and the UK. Local when you want us on site; remote when that's faster.
ISO 27001, ISO 9001 and ISO 14001 certified, with a published Carbon Reduction Plan - we hold ourselves to the standards we ask of others.
Most audits are completed in a single day - same-day turnaround once scope is agreed - and your certificate is valid for 12 months. Pricing is fixed up front, with no hourly surprises, typically from £900, and the retest is free if anything needs fixing.
Get a fixed-price quoteWe certify organisations throughout the North East and across the wider UK. Locally we can be on-site quickly; everywhere else, the whole audit runs fully remotely.
North East businesses pursuing contracts, frameworks and tenders increasingly need Cyber Essentials Plus to qualify - we help you get there and stay there.
Yes. You need a current Cyber Essentials certificate first, and the Plus audit must be completed within three months of it. We can help you with both.
Most organisations complete in a single day - we offer same-day turnaround once scope is agreed, with the timeline confirmed up front so there are no surprises.
It depends on the number of in-scope devices and users. We give you a fixed price once scope is agreed, typically from £900.
We tell you exactly what to fix. Remediate within the assessment period and we re-test the affected controls free of charge - there is no need to start over.
Twelve months. You re-certify annually to keep your Cyber Essentials Plus status current.
Yes. We certify fully remotely, or on-site across the North East - whichever suits your environment.
Cyber Essentials is a self-assessment. Cyber Essentials Plus adds an independent, hands-on technical audit of your live systems. Plus is proof, not self-declaration.
Tell us the shape of your environment and we'll come back with a fixed-price quote and a clear path to your certificate.