Thu. May 30th, 2024
Cybersecurity Services

In an era where cyber threats are becoming more sophisticated and pervasive, securing your organization’s digital infrastructure is paramount. The UK’s Cyber Essentials scheme, backed by the National Cyber Security Centre (NCSC), offers a robust framework designed to guide businesses in protecting themselves against common cyber threats. Within this framework, there are two levels of certification: Cyber Essentials and Cyber Essentials Plus. Understanding the key differences between these two can help organisations decide which certification is most suitable for their needs.

What is Cyber Essentials?

Cyber Essentials is a government-backed cybersecurity certification scheme that sets out a good baseline of cybersecurity suitable for all organisations in all sectors. The scheme addresses five key controls that, when implemented correctly, can prevent around 80% of cyber attacks. These controls are:

  1. Firewalls and routers – ensuring that only safe and necessary network services can be accessed from the Internet.
  2. Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
  3. User access control – ensuring only those who should have access to systems to have access and at the appropriate level.
  4. Malware protection – ensuring that virus and malware protection is installed and is it up to date.
  5. Patch management – ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.

Achieving Cyber Essentials certification involves a self-assessment questionnaire that must be completed by an organisation, which is then verified by an external certification body. This process provides a clear picture of the organisation’s cybersecurity level and is particularly beneficial for smaller organisations looking to manage their cybersecurity risks efficiently.

What is Cyber Essentials Plus?

Cyber Essentials Plus covers the same controls as Cyber Essentials but involves a more detailed assessment of the organisation’s cybersecurity measures. The Plus certification requires an independent assessment of the security controls, where auditors perform tests using a range of tools and techniques. This includes:

  • Internal scan and external scan: Assessors perform vulnerability scans on all internet-facing IP addresses associated with the organisation, as well as internal scans of sample devices.
  • Email and download tests: These tests involve assessing the email and web download protections to check how they handle files that could contain malware.
  • On-site assessment: Unlike the basic level, Cyber Essentials Plus often requires the assessor to visit the organisation’s premises to conduct an on-site assessment.

This hands-on verification provides a higher level of assurance as it demonstrates not only that the organisation’s cybersecurity practices are documented but also effectively applied in practice. For businesses handling more sensitive data or those operating under stricter regulatory requirements, Cyber Essentials Plus offers an additional layer of security assurance.

The Main Differences

  1. Assessment Rigor and Methodology: The primary difference lies in the method of assessment. Cyber Essentials involves self-assessment, while Cyber Essentials Plus requires an external audit conducted on-site. This makes Cyber Essentials Plus more rigorous and thorough, as it validates that the cybersecurity controls are not only in place but are also effective against a variety of actual cyber threats.
  2. Cost and Resource Commitment: Due to the in-depth nature of the assessment, Cyber Essentials Plus is more costly and resource-intensive than Cyber Essentials. Organisations opting for the Plus certification need to be prepared for the direct costs of the audits and the potential indirect costs of addressing any uncovered issues.
  3. Level of Assurance: While both certifications provide a level of trust and assurance to customers, stakeholders, and supply chain partners, Cyber Essentials Plus offers a higher level of assurance due to its external validation process.
  4. Suitability: Cyber Essentials is suitable for all organisations seeking to establish cybersecurity best practices. However, Cyber Essentials Plus is particularly beneficial for those that are at a higher risk of cyber attacks due to the nature of their business or those who want to demonstrate a higher level of cybersecurity commitment to their partners.


Both Cyber Essentials and Cyber Essentials Plus provide valuable frameworks to help secure organisations against cyber threats. Choosing between them depends on your organisation’s specific needs, budget, and desired level of assurance. For many, starting with Cyber Essentials is a great first step in building a cybersecurity defence, potentially moving to Cyber Essentials Plus as the business grows and cybersecurity needs evolve. Regardless of which certification you pursue, the journey towards better cybersecurity practices starts with a commitment to understanding and implementing these essential controls.


Leave a Reply

Your email address will not be published. Required fields are marked *