Cyber Essentials vs Cyber Essentials Plus: What’s the difference? 


The certification body is the I.A.S.M.E. which stands for ‘Information Assurance for Small and Medium Enterprises Consortium’. The assessment for the Cyber Essentials Plus is the same as Cyber Essentials, but it also includes independent validation by an accredited third party. D2NA is one of them. 

CE is aimed at checking you have security measures in place for 80% of low-skilled attack vectors. 

Cyber Essentials: 

This is the initial stage of certification against the Cyber Essentials requirements. If you have your own internal IT team, this may be your best option. First of all, you must familiarise yourself with the requirements of secure IT: 

  • Use a Firewall to secure your Internet connection 
  • Choose the most secure settings for your devices and software 
  • Control access to your data and services 
  • Protect against Viruses and Malware 
  • Keep your devices and software versions up to date 

Cyber Essentials is the minimum certification an organisation needs to implement in order to bid for new public sector contracts which include the transfer of public sector identifiable information. Once your business has found an accreditation body that can fulfil its requirements, it’s fairly easy to get started with Cyber Essentials as your provider will send you a self-assessment questionnaire once you have purchased. 

Cyber Essentials Plus: 

This stage is the more advanced level of certification. You cannot become Cyber Essentials Plus certified without first being Cyber Essentials certified. The five control themes are exactly the same, and must still be met, but the certification process is slightly different. 

Certification is carried out on your premises. We manually test your Anti-Malware practices by sending E-mails and navigating to URLs containing different types of files, and then we monitor how they are able to be accessed by different users. Furthermore, we also carry out an authenticated vulnerability scan on a workstation build. 

As long as no High or Critical vulnerabilities are identified on the internal scan and your antivirus successfully blocks the test files and emails you will be awarded the Cyber Essentials Plus certificate. 

What type of Cyber Essentials should you go for?  

We would recommend you go for Cyber Essentials Plus. The reason is that Cyber Essentials plus certification involves an onsite audit and testing the technical security controls from the Certification body. the certification process ensures that you have the required technical controls in place. Although it costs more to achieve CE Plus certification it is absolutely worth it. 

On the other hand, CE basic is a straightforward exercise where you answer the self-assessment questionnaire from the certification body, and they will evaluate your answers. If all goes well you will pass, and a certificate will be issued. 

In simple terms, Cyber Essentials is you saying you have the security controls in place and Cyber Essentials Plus is the Certification Body auditing the technical controls. 

For more information on how to protect your business from scams and attacks, contact us and we’ll walk you through our industry-leading cyber security options. Click Here to request a Cyber Essentials Quote. 


Iasme. 2022. What are the main differences between Cyber Essentials, Cyber Essentials Plus and IASME Governance? – Iasme. [online] Available at: <> [Accessed 1 July 2022]. 

NCSC. 2022. [online] Available at: <> [Accessed 28 June 2022]. 


500 King Street, Longton, Stoke-on-Trent, ST3 1EZ

Need Help?