Cyber Security Blog


What’s the Difference Between Cyber Essentials and Cyber Essentials Plus?

You are probably aware that Cyber Essentials is now a common requirement. Customers ask for it. Tenders expect it. Insurers reference it. Yet despite how often it comes up, the difference between Cyber Essentials and Cyber Essentials Plus is not always clear.

Many organisations are simply told they “need Cyber Essentials”, with little explanation beyond that. You may be trying to meet a customer requirement, keep a project moving, or stay eligible for a tender, while quietly wondering what level of assurance is needed.

This blog explains the difference between the two, so you can decide based on risk and confidence, not just on meeting the minimum requirement.

The Core Issue: Cyber Security Expectations Are Increasing

Cyber Security expectations are increasing across supply chains. Clients, insurers, and partners want more than written policies. They want reassurance that security controls are in place and doing what they are supposed to do.

As a result, organisations are being asked more questions about how they manage cyber risk. Security questionnaires are more detailed. Assurance requirements are more thorough. There is often pressure to demonstrate good security practice without much time or internal support.

Cyber Essentials and Cyber Essentials Plus are practical ways of responding to this. The challenge is understanding what each one proves, and how that lines up with your organisation’s level of risk.

Cyber Essentials is a self-assessment certification, and it is always the starting point.

Before you can achieve Cyber Essentials Plus, you must complete the Cyber Essentials self-assessment. There is no route to Plus without it.

In practical terms, the self-assessment is a questionnaire. You answer a defined set of questions about your organisation’s security practices and how you manage key technical controls. Your answers describe what you believe is in place in your environment.

The Cyber Essentials checklist assessment focuses on five areas:

There is no technical testing at this stage. Certification is awarded based on the information provided in the questionnaire. It confirms what has been stated, not what has been independently tested.

For many organisations, this provides a clear and recognised baseline.

Why Being Cyber Essentials Certified Is Sometimes the Only Requirement

In some cases, organisations are only asked to complete Cyber Essentials because their risk as a supplier is considered lower. That might be because of the type of work they do, the data they handle, or the systems they have access to.

As requirements become more demanding, expectations usually increase. Organisations that handle more sensitive data or play a more critical role are more likely to be asked for higher levels of assurance, such as Cyber Essentials Plus.

This approach is about proportionality. The requirement reflects the level of risk the customer sees, not a judgement on how seriously you take security.

Why the Minimum Requirement Isn’t Always the Right Stopping Point

Being told to complete Cyber Essentials does not automatically mean it is the best place to stop.

Because it is a self-assessment:

Cyber Essentials was designed to set a baseline, not to prove that everything works perfectly. Meeting the requirement may satisfy a contract, but it does not automatically reduce your risk to the lowest possible level.

That is why some organisations choose to look beyond the minimum, even when they are not required to.

What Cyber Essentials Plus Adds to the Requirements

Cyber Essentials Plus is built on the same requirements as Cyber Essentials. The difference is how those requirements are checked.

With Plus, an independent assessor carries out technical testing to confirm that the controls described in the self-assessment are in place and working.

This typically includes:

All required controls must pass before certification is awarded.

This testing provides a higher level of confidence that security controls are doing what you expect them to do in real-world conditions.

IASME Cyber Essentials vs Cyber Essentials Plus Certification: Making a Practical Choice

The difference between Cyber Essentials and Cyber Essentials Plus is not really about cost. It is about confidence.

Cyber Essentials provides a recognised starting point and is often enough where risk is lower. Cyber Essentials Plus provides stronger, independently tested assurance.

Being asked to complete Cyber Essentials does not rule out Plus. It simply means you have been given a minimum requirement, not a full risk assessment.

How to Decide What’s Right for You

If you are deciding which route to take, it helps to keep the decision grounded in reality rather than just in requirements.

Cyber Essentials can make sense if you need a baseline quickly, if you already have strong internal processes for testing your controls, or if budget constraints leave very little flexibility. In those situations, the self-assessment provides a recognised starting point.

However, it is worth being honest about what you are relying on. Without independent testing, gaps in basic controls can go unnoticed. That can leave organisations exposed in areas they assumed were covered.

Cyber Essentials Plus is often a sensible choice if you want confidence that the basics are genuinely in place and working. While it requires more effort and investment up front, that investment is small when compared to the disruption, cost, and reputational impact of a security incident caused by a missed control or misconfiguration. For many organisations, Plus is less about exceeding requirements and more about reducing avoidable risk.

There is no wrong answer. The right choice is the one that reflects your risk, your appetite for uncertainty, and how confident you want to be that your security controls will hold up when it matters.

Looking for a Trusted Cyber Essentials Assessor?

If you are looking for a trusted assessor, Equilibrium Security is an established Cyber Essentials assessor that has supported hundreds of organisations through both Cyber Essentials and Cyber Essentials Plus.

We are highly rated on Google and known for taking a practical, supportive approach that focuses on helping organisations get this right, not just get it done. If you would like a quote or want to find out which option makes sense for you, reach out to the team or learn more.


About the author

Lucy Lawson is a Marketing Professional at Equilibrium Security, skilled in transforming complex Cyber Security challenges into clear, actionable advice. Her content is designed to guide your business in making informed Cyber Security decisions which follow best practice, ensuring your digital assets remain safe and secure.
Lucy Lawson
Marketing Executive
