Cyber Essentials vs Cyber Essentials Plus: Which Do You Need?
A detailed comparison of Cyber Essentials and Cyber Essentials Plus certification levels. Understand the differences in assessment, cost, credibility, and which level is right for your organisation.
Section 01
Cyber Essentials vs Cyber Essentials Plus: Which Do You Need?
Cyber Essentials offers two certification levels: Cyber Essentials and Plus. Both cover the same five core security controls, but they differ significantly in how those controls are verified. Choosing the right level depends on your organisation's requirements, risk profile, and the expectations of your customers and partners.
Section 02
The Core Difference: Self-Assessment vs Third-Party Verification
Cyber Essentials is the self-assessed certification level. Your organisation completes a questionnaire covering five control categories - firewalls, secure configuration, security update management, user access control, and malware protection. An IASME-licensed certification body reviews your answers and issues the certificate if you meet the requirements.
Cyber Essentials Plus adds independent, third-party verification. An external auditor reviews your self-assessment, then conducts a technical audit of your systems. This includes vulnerability scanning of your external-facing infrastructure and verification that the controls you described are actually implemented and working.
Section 03
Side-by-Side Comparison
| Feature | Cyber Essentials | CE Plus |
|---|---|---|
| Assessment type | Self-assessed questionnaire | Third-party technical audit |
| External vulnerability scan | No | Yes |
| On-site or remote audit | No | Yes |
| Certification validity | 12 months | 12 months |
| Time to complete | Under 6 hours (with Fig) | 1-3 working days |
| Starting price (Fig) | £299.99 + VAT | £1,499 + VAT |
| Government contract eligible | Yes (basic requirement) | Yes (preferred for higher-value contracts) |
| Requires Cyber Essentials first | No | Yes (Cyber Essentials is a prerequisite) |
Section 04
When Cyber Essentials Is Sufficient
Cyber Essentials is appropriate when:
- You need certification quickly - Cyber Essentials can be completed in a single day with Fig. If you are facing an urgent tender deadline, it is the fastest route.
- Your clients require Cyber Essentials but do not specify Plus - Many contracts simply require "Cyber Essentials certification" without specifying the level.
- You are a small organisation with a simple IT environment - If you have fewer than 50 employees, a straightforward network, and no complex cloud infrastructure, Cyber Essentials demonstrates adequate controls.
- You want a cost-effective starting point - At £299.99 + VAT, Cyber Essentials is an affordable way to demonstrate commitment to cybersecurity fundamentals.
- You are bidding on standard government contracts - The minimum requirement for most central government contracts is Cyber Essentials.
Section 05
When You Need Plus
Cyber Essentials Plus is the right choice when:
- Your clients or contracts specifically require Plus - Some enterprise customers and government departments mandate Plus for higher-value or higher-risk contracts.
- You want to demonstrate verified controls - Plus carries greater credibility because an independent auditor has confirmed your controls work, not just that you claim they do.
- You handle sensitive data at scale - Organisations processing significant volumes of personal data, financial data, or health data should consider the additional assurance that Plus provides.
- You are building towards ISO 27001 - Plus verification aligns more closely with the independent audit approach used in ISO 27001 certification. It is a natural stepping stone.
- Your insurance provider offers better terms for Plus - Some cyber insurance providers differentiate between Cyber Essentials and Plus when setting premiums.
Section 06
The Assessment Process for Each Level
Cyber Essentials process with Fig:
1. Purchase your Cyber Essentials certification and choose the organisation size
2. Complete the self-assessment questionnaire
3. Submit for review - orders before midday - certified in under 6 hours from self-assessment submission
4. Receive structured feedback if any gaps are identified (up to 3x)
5. Certificate issued on successful completion
Plus process with Fig:
1. Achieve Cyber Essentials certification first (this is a prerequisite)
2. Purchase your Cyber Essentials Plus certification
3. Schedule the third-party technical audit
4. Auditor conducts vulnerability scanning and control verification (1-3 days)
5. Certificate issued on successful completion
Section 07
Can I Start with Cyber Essentials and Upgrade Later?
Yes. Many organisations start with Cyber Essentials to meet an immediate requirement, then upgrade to Plus when the business case demands it. Since Cyber Essentials is a prerequisite for Plus, achieving it first is always the right starting point.
Section 08
Fig's Recommendation
For most organisations, start with Cyber Essentials. It meets the majority of contractual and regulatory requirements, can be achieved same-day, and costs a fraction of Plus. Upgrade to Plus when a specific contract, client, or risk assessment requires it.
If you are unsure which level you need, speak to our team or use our readiness checker to assess your current position.
About the author
Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
Next step
Want to see how Fig handles this?
Explore how Fig automates compliance mapping, evidence collection, and framework alignment across 65+ standards.
Request a demoMore from Compliance