Home / Blog / General / Cyber Essentials vs Cyber Essentials PLUS: What’s the difference?

October 17, 2017

In order to adopt good practices in information security, the UK government Department for Business, Innovation and Skills released a government-endorsed scheme called Cyber Essentials in 2014.


Cyber Essentials was developed in collaboration with industry partners such as the Information Security Forum, the Information Assurance for Small and Medium Enterprises Consortium, and the British Standards Institution.

On a very basic level, the goal of the certification is to protect company information from internet threats, but it’s important to note that Cyber Essentials is a basic level of ‘due diligence from which to build on – not a comprehensive cyber security strategy.

So, what is the difference between Cyber Essentials and Cyber Essentials PLUS?

We’ll break it down for you.

Why has Cyber Essentials been introduced by the Government?

The Cyber Essentials scheme was introduced to ensure the protection of data, and for companies to understand how that data can be used, secured, or compromised. The scheme ensures that data is protected from common cyber threats online.

Organisations can gain one of two Cyber Essentials badges, and it’s backed by the Federation of Small Businesses, the CBI, and many insurance companies who offer incentives to businesses.

Cyber Essentials logo Cyber Essentials PLUS logo
Cyber Essentials logo Cyber Essentials PLUS logo

The UK government launched this scheme on 5 June 2014. By October 2014, the Cyber Essentials certification was required for any suppliers to the UK government who handled any sensitive and personal information. Any companies bidding for government contracts needed this certification (and still need it), and insurance companies have typically lowered premiums for any companies who are certified.

The scheme is mostly aimed at business who do not have their own dedicated IT teams working around the clock to monitor threats. It’s important to note that even large organisations have faced oversights on security, such as when the NHS was hacked by the WannaCry ransomware in 2017. After this incident, the government realised something more had to be done to protect sensitive data.

But am I really in danger of Cyber Attacks?

The government reports that cyber attacks cost companies thousands of pounds and long periods of disruption and downtime.

For example, if you suffered a ransomware attack and you couldn’t access your business data or email, would you have a plan on how to stay operational? If not, you’d benefit from Cyber Essentials certification – if only to identify existing security weaknesses you have.

Cyber criminals don’t just target large corporations or banks – they go after smaller businesses on an industrial scale, exploiting any weaknesses in IT security, infrastructure and software.

Cyber Essentials addresses the basics and shows you how to protect against the most common attacks. The scheme isn’t designed to scaremonger or to be intimidating; the government has made it easy for you to become protected by following their steps.

The Cyber Essentials certification process requires that there are five technical controls in your company, and in order to pass the certification your organisation must meet all of the requirements:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

Organisations who have the capacity within their own IT departments can conduct their own Cyber Essentials certification, or you can hire a certified external, third-party body to do the checks for you.

Beyond the obvious advantages having the above in good working order, adding a trust badge to your site to show your compliance builds trust amongst your customer and client base. It’s not mandatory, but it’s highly recommended.

The two levels of certification

The two levels of certification are Cyber Essentials, and Cyber Essentials PLUS.

1. Cyber Essentials

Cyber Essentials is the DIY version. An organisation completes a self-assessment questionnaire and the responses are independently reviewed by an external certifying body.

For this reason, while it is a step in the right direction, it should not be viewed that Cyber Essentials certification provides a direct improvement in cyber security defences – but more of a starting framework for small businesses.

2. Cyber Essentials PLUS

Cyber Essentials PLUS has exactly the same as requirements of Cyber Essentials (where they must show they have met the requirements of the 5 technical security controls).

However, the critical difference is that Cyber Essentials PLUS requires an independent assessment of your security controls, to verify that you do indeed have the 5 technical security controls in place.

The Cyber Essentials assessment involves a vulnerability scan, which will identify unpatched, or unsupported software, open ports, incorrect firewall configuration etc.

Learn: What is a vulnerability scan and does my company need one?

For this reason, Cyber Essentials PLUS certification can be difficult to achieve without the correct preparation and assessment.

BUT (and this is the important part), since there is an objective analysis of your existing security controls, there is a real improvement in your cyber defences – and you get certified!

As a result, Cyber Essentials PLUS has become a much more highly regarded certification, suitable for small and large businesses who are looking for a real improvement in their existing cybersecurity controls.

Download:View the Cyber Essentials documents here.

Self-assessment vs. Independent auditor

If you have a dedicated IT team within your company, then self-assessment may be a practical option for you, particularly if you have an existing vulnerability management and software patching programme in place.

Independent assessors, those who offer Cyber Essentials PLUS, have the experience of working with multiple comparable organisations, going through the same process.

Vulnerability scans

Before an independent auditor completes the Cyber Essentials assessment, they will do a security vulnerability scan of your IT infrastructure.

Download: Sample vulnerability scan report

The information gathered will guide any remedial actions, ensuring your company will meet the five technical controls to demonstrate good practice of information governance. As the external body works through your certification, you will have to supply evidence to ensure you meet all requirements.

When performing vulnerability scans, we find that the majority of organisations have known critical vulnerabilities – an automatic certification fail when completing the Cyber Essentials certification.

Once I’m certified, is that it?

The purpose of Cyber Essentials is to improve your organisation’s cyber-readiness. Annual certification is required – and an opportunity to make sure that your security is ready to defend against the common attacks we all too frequently see today.

FREE Cyber Essentials PLUS guide

Download our FREE Cyber Essentials PLUS readiness guide – a step-by-step programme to get your organisation Cyber Essentials PLUS certified. Or read the Cyber Essentials questionnaire guidelines to see the questions you will need to answer.

Further reading