Cyber Essentials Plus is the higher-assurance version of the UK government’s Cyber Essentials scheme, using the same baseline security controls but adding hands-on technical testing by an independent assessor. It is designed to provide stronger evidence that an organisation’s controls are not only documented but are also operating effectively in real environments.
What Cyber Essentials Plus is
Cyber Essentials Plus still focuses on the five core control areas (firewalls, secure configuration, user access control, malware protection, and security update management) but tests them through real-world checks rather than relying solely on a questionnaire. An external assessor typically performs activities such as vulnerability scanning, configuration review and simulated attack paths against sample user devices and systems to confirm that controls work in practice.
Where basic Cyber Essentials is a verified self‑assessment, Cyber Essentials Plus is described by IASME and others as a higher level of assurance because it validates that the organisation’s implementation matches what is declared on the form.
Typical benefits of Cyber Essentials Plus
Holding Cyber Essentials Plus can give stronger assurance to customers, boards and regulators that security controls have been independently tested rather than just self-declared. For organisations that already need Cyber Essentials for government or supply‑chain requirements, upgrading to Plus can help them differentiate themselves in bids and demonstrate a more mature security posture.
Because the Plus assessment often uncovers misconfigurations or gaps that would not appear in a questionnaire, it can materially improve technical defences and reduce the likelihood of common, commodity attacks succeeding. Having Cyber Essentials Plus can support cyber insurance discussions and stakeholder confidence by evidencing that controls have been tested under independent scrutiny.
Key differences: CE vs CE Plus
The table below summarises the differences between Cyber Essentials (CE) and Cyber Essentials Plus (CE+).
| Aspect | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment method | Verified self‑assessment questionnaire, reviewed by a licensed certification body | Includes the same questionnaire plus an independent technical audit of systems and devices by an external assessor |
| Evidence required | Answers to control questions and management attestations; evidence is largely documentary | Hands‑on testing such as vulnerability scans, configuration checks and simulated attack scenarios on sample endpoints and infrastructure |
| Level of assurance | Baseline assurance that key controls are defined and claimed to be in place | Higher assurance that controls are correctly implemented and effective in practice |
| Scope of technical testing | No mandatory on-site or remote technical testing; assessment is form‑based | Technical testing against in‑scope systems, often including internal and external testing on sampled devices |
| Typical use case | Organisations starting their security journey or needing to meet basic security requirements | Organisations with higher risk, complex environments, or customers who demand stronger independent validation |
| Dependency between levels | No dependency | Cannot be held without a valid CE; has to be completed within 90 days of obtaining CE |
| Relative cost and effort | Lower cost and effort; typically quicker to achieve | Higher cost and internal effort due to planning, testing and performing any remediation |