Cyber Essentials vs Cyber Essentials Plus: Which Level Does Your Business Actually Need?
You have decided your business needs Cyber Essentials certification. You have read about the five controls, you understand the assessment process and you are ready to get started.
Then you notice there are two levels, Cyber Essentials and Cyber Essentials Plus, and suddenly the decision feels more complicated than it needs to be.
It is not. The difference between the two levels is straightforward. Which one your business needs depends on three things: what your clients require, what your risk profile looks like and how much independent verification you want behind your certification.
This post gives you everything you need to make the right call.
What both certifications have in common
Both Cyber Essentials and Cyber Essentials Plus test exactly the same five security controls: firewalls, secure configuration, user access control, malware protection and patch management.
There is no difference in what you need to implement. A business that passes Cyber Essentials and a business that passes Cyber Essentials Plus have both implemented the same five controls to the same standard. The difference is entirely in how that implementation is verified.
Both certifications are valid for 12 months and must be renewed annually. IASME administers both on behalf of the NCSC. Your certification appears on the official IASME register where clients and partners can verify your status at any time. And both include the free £25,000 cyber liability insurance cover for UK businesses turning over under £20 million.
The one difference that matters
Cyber Essentials is a verified self-assessment. Your organisation completes an online questionnaire about its security controls. An IASME-accredited assessor reviews your answers. If your answers satisfy the requirements, you receive certification.
The key word is self-assessment. You are attesting that your controls are in place. The assessor reviews your answers for completeness and plausibility. Nobody actively tests your systems to verify the controls are actually working in practice.
Cyber Essentials Plus adds an independent technical audit on top of the self-assessment. An external assessor actively tests your controls through vulnerability scanning and on-site or remote technical testing to verify they work in practice, not just on paper.
You must pass basic Cyber Essentials before you can go for Plus. Once you pass the basic assessment you have three months to complete the Plus audit. Miss that window and you need to start the basic assessment again.
That three-month window is important. If you know from the outset that you want Plus certification, plan for both assessments in sequence rather than treating them as separate projects.
What the Plus audit actually involves
Understanding what the Plus audit involves helps you decide whether it is appropriate for your business and how to prepare for it.
An IASME-licensed assessor conducts the Plus audit remotely or on-site. They run vulnerability scanning across your in-scope devices and network, actively test your security controls to verify they function correctly and check that the controls you attested to in the self-assessment questionnaire are genuinely in place.
Specifically the assessor will test:
– That MFA is actually enforced on cloud services – not just that you said it was. They will attempt to access services without MFA to confirm the enforcement is real.
– That devices are genuinely running current, patched software – not just that you reported they were. They will scan devices directly.
– That firewall rules are configured correctly – not just that a firewall exists. They will probe for unnecessarily open ports and services.
– That malware protection is active and correctly configured across the fleet.
Standard Cyber Essentials gives you two days to fix issues and resubmit at no additional cost if you fall short. Plus offers no such safety net: a failed technical audit means paying the full fee again from scratch. This is the single most important reason to prepare thoroughly before submitting for Plus rather than testing your luck.
What each level costs
Cyber Essentials:
The IASME assessment fee for Cyber Essentials in 2026 is £330 plus VAT for micro organisations of 1 to 9 employees, £400 plus VAT for small organisations of 10 to 49 employees, £450 plus VAT for medium organisations of 50 to 249 employees and £500 plus VAT for large organisations of 250 or more employees.
These are the baseline IASME fees. Certification bodies may add their own fees for support, guided submission and consultancy. Most UK businesses pay between £400 and £800 all in for standard Cyber Essentials.
Cyber Essentials Plus:
Cyber Essentials Plus costs £1,500 to £4,250 plus VAT depending on the size and complexity of your environment. The main cost driver is assessor time for the hands-on technical audit. Larger organisations with more devices, more cloud services and more complex network environments pay towards the higher end of that range.
The hidden cost both levels share:
The assessment fee is not the whole cost. The real cost for most businesses is the remediation work required before submitting. If your controls are not yet in place, if MFA is not enforced across all cloud services, if devices are not enrolled in MDM, if patching is not within the 14-day window – you need to address those gaps before the assessment. That remediation cost varies from nothing for a well-prepared business to several thousand pounds for a business starting from scratch.
Working through our Cyber Essentials checklist before submitting is the most effective way to understand your remediation costs upfront.
A direct comparison
| | Cyber Essentials | Cyber Essentials Plus |
| --- | --- | --- |
| Same five controls | Yes | Yes |
| Self-assessment questionnaire | Yes | Yes |
| Independent technical audit | No | Yes |
| Vulnerability scanning | No | Yes |
| Assessment cost | £330 to £500 plus VAT | £1,500 to £4,250 plus VAT |
| Free retake if you fail | Yes – two days | No – full fee again |
| Free £25,000 cyber insurance | Yes | Yes |
| Valid for | 12 months | 12 months |
| CE prerequisite required | No | Yes |
| Government contract requirement | Standard CE usually sufficient | Required for some contracts |
| Enterprise supply chain requirement | Often sufficient | Increasingly required |
Who should choose Cyber Essentials
Standard Cyber Essentials is the right choice for most UK small and medium businesses.
Choose it if:
– Your clients and contract requirements specify Cyber Essentials without explicitly requiring Plus. Most supplier questionnaires and procurement frameworks accept standard CE.
– This is your first certification. First-time certification is almost always best handled at the standard level: establishing baseline compliance first gives you a solid foundation before considering a higher level of assurance.
– You operate in a sector where Cyber Essentials is expected but CE Plus is not yet mandated; most professional services, creative agencies, tech startups and growing businesses fall into this category.
– You want the free £25,000 IASME cyber liability insurance and the ability to demonstrate credible security posture to clients and insurers without the additional cost of Plus.
– Your security controls are solid but you have not yet been through an independent technical audit and want to understand your current posture before committing to one.
Who should choose Cyber Essentials Plus
Cyber Essentials Plus is the right choice when independent verification carries material weight.
Choose it if:
– Your contracts explicitly require Plus. CE Plus is increasingly preferred for government contracts and enterprise supply chain requirements where third-party verification carries more weight than self-assessment alone.
– You handle sensitive data on behalf of enterprise clients or public sector organisations and benefit from the higher assurance that independent technical verification provides.
– You operate in a regulated sector (financial services, healthcare, legal) where CE Plus is increasingly expected as evidence that controls are genuinely working rather than self-reported.
– You want to use your certification for cyber insurance purposes and your insurer specifically requests independent technical verification rather than self-assessment.
– You are scaling rapidly and want an independent assessment of whether your security controls are genuinely working as you grow your team and your device fleet.
– Your existing Cyber Essentials certification is up for renewal and you want to take your security posture to the next level with verified rather than self-attested controls.
The Apple fleet consideration
For businesses running Mac, iPhone and iPad, Cyber Essentials Plus has specific implications worth understanding before committing to the audit.
The Plus assessor will actively test your Apple devices. They will check that macOS Application Firewall is genuinely enforced, that FileVault encryption is active, that devices are on a current patched version of macOS and that MFA is enforced on all cloud services accessible from Apple devices.
Without Apple MDM in place, passing the Plus technical audit on an Apple fleet is extremely difficult. You need to demonstrate centrally managed, consistently enforced controls across every device, something that is only reliably achievable through MDM. A manual setup where each Mac is configured individually creates exactly the kind of inconsistency that a technical audit exposes.
Businesses running Jamf Pro or Iru with properly configured compliance policies are well placed for the Plus audit. Jamf and Iru compliance reports provide the evidence the assessor needs and the MDM enforcement means controls are genuinely in place rather than aspirationally reported.
If your Apple fleet is not yet MDM-managed, achieving standard Cyber Essentials first while implementing MDM in parallel is the practical path. Then move to Plus once the MDM environment is established and you have a full audit cycle of compliance data behind you.
The practical path from CE to CE Plus
If you want to achieve both certifications the most efficient approach is:
Start with standard Cyber Essentials. Work through the checklist, remediate any gaps and submit. Do not rush this stage; a well-prepared standard CE submission is the foundation everything else builds on.
Once you pass standard CE, immediately begin preparing for the Plus audit. You have three months. Use that time to verify that your controls are not just documented but genuinely enforced and testable. Run your own internal checks simulating what the assessor will test.
Book the Plus audit with enough time within the three-month window. Do not leave it to the last week; if the assessor finds issues that need remediation before certification you need time to address them.
If you miss the three-month window, standard CE needs to be redone before Plus can proceed. Build the timeline with that constraint clearly in view.
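The "run your own internal checks" step above, and the Apple fleet checks described earlier (FileVault, the macOS Application Firewall, a current macOS version, malware protection), can be rehearsed per device with a short script. The one below is an added example written for this post; it is not nDuo's, IASME's or any assessor's tooling, and it is a readiness check, not a substitute for the assessor's vulnerability scan. It reads the output of the real macOS commands `fdesetup status`, `socketfilterfw --getglobalstate`, `sw_vers -productVersion` and `spctl --status`; the function names, the `MIN_MACOS_VERSION` value of 14.0 and the PASS/FAIL report format are assumptions of the example. MFA enforcement on cloud services cannot be checked from the endpoint at all, so it is deliberately left to the identity provider.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-audit self-check for one
# Mac, covering the device-side controls a Plus assessor tests. Each check_*
# function takes the OUTPUT of the relevant macOS command as its argument, so
# the decision logic can be exercised with captured sample strings on any
# platform; run_live_checks wires in the real commands on a Mac.

# Assumed policy value: the oldest macOS release you accept as "current".
# 14.0 is a constructed placeholder, not a figure from the scheme documents.
MIN_MACOS_VERSION="${MIN_MACOS_VERSION:-14.0}"

# Returns 0 when dotted version $1 >= $2, compared numerically field by field
# (so 14.10 > 14.9, which a plain string comparison would get wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# "fdesetup status" prints "FileVault is On." when disk encryption is active.
check_filevault() {
    case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

# "/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate" prints
# "Firewall is enabled. (State = 1)" when the Application Firewall is on.
check_app_firewall() {
    case "$1" in *"is enabled"*) return 0 ;; *) return 1 ;; esac
}

# "sw_vers -productVersion" prints the bare version string, e.g. 14.4.1.
check_os_version() {
    version_ge "$1" "$MIN_MACOS_VERSION"
}

# "spctl --status" prints "assessments enabled" when Gatekeeper is enforcing.
# Used here as a proxy for Apple's built-in malware protection; a third-party
# endpoint agent would need its own check.
check_gatekeeper() {
    case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac
}

# report LABEL CMD ARGS...: run the check, print PASS/FAIL, count failures.
report() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# evaluate_device FILEVAULT_OUT FIREWALL_OUT OS_VERSION GATEKEEPER_OUT
# Prints one line per control; returns 0 only when every control passes.
evaluate_device() {
    fails=0
    report "FileVault encryption"                       check_filevault "$1"
    report "Application Firewall"                       check_app_firewall "$2"
    report "macOS >= $MIN_MACOS_VERSION (found $3)"     check_os_version "$3"
    report "Gatekeeper / XProtect enforcing"            check_gatekeeper "$4"
    [ "$fails" -eq 0 ]
}

# Run the real commands on this Mac; on any other OS there is nothing to test.
run_live_checks() {
    if [ "$(uname -s)" != "Darwin" ]; then
        echo "not macOS: nothing to check on this host" >&2
        return 2
    fi
    evaluate_device \
        "$(fdesetup status 2>/dev/null)" \
        "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)" \
        "$(sw_vers -productVersion)" \
        "$(spctl --status 2>/dev/null)"
}

# Usage: sh ce_selfcheck.sh --live   (runs the live checks on the current Mac)
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it with `--live` on each in-scope Mac before booking the Plus audit; a single FAIL line is exactly the inconsistency the assessor's testing would surface. If the fleet is under Jamf or another MDM, the same four questions should be answerable from the MDM's compliance report for every device at once, which is the evidence the assessor actually wants to see.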
The verdict – which level does your business need?
For most UK small businesses getting certified for the first time: start with standard Cyber Essentials. It is the right level, the right cost and the right starting point. Get certified, maintain the controls through the year and reassess whether Plus is needed at renewal.
For businesses with government contracts, enterprise clients or regulated sector requirements: go for Plus. The additional cost is justified by the contract access and client confidence it provides.
For businesses currently on standard CE considering whether to upgrade at renewal: the question to ask is whether your clients are starting to ask for Plus specifically, or whether your risk profile has changed in the last 12 months. If the answer to either is yes, upgrade at renewal.
The controls are the same either way. The investment in implementing them properly is the same. The only variable is whether you want an independent technical expert to verify they are working, and who else needs to see that verification.
How nDuo helps
We work with UK businesses running Apple and mixed fleets through both levels of Cyber Essentials certification, from initial gap analysis and remediation through to the Plus technical audit.
If you are not sure which level is right for your business, or if you want to understand your current gap against either standard, the starting point is a free readiness review.
For more detail on the full Cyber Essentials scheme read our Cyber Essentials 2026 guide and our practical checklist. For the cost picture including cyber insurance implications read our cyber insurance guide.
Book a free Cyber Essentials readiness review and find out exactly where you stand and which level is right for your business.