🔑 Cyber Essentials

Cyber Essentials vs Cyber Essentials Plus: What's the Difference?

Published 20 March 2026

Cyber Essentials is the UK government-backed cybersecurity certification scheme administered by the NCSC. Achieving it demonstrates that your organisation has the baseline technical controls in place to defend against the most common cyber attacks. It is increasingly required for UK public sector contracts and is becoming a common requirement in supply chain security questionnaires from larger organisations.

There are two levels: Cyber Essentials and Cyber Essentials Plus. They share the same five technical controls, but the verification method is fundamentally different.

The Five Technical Controls

📄 Requirements

Both certifications are built around the same five control categories. You need to satisfy all of them to pass either level.

  • Firewalls - boundary firewall or software firewall configured to block inbound connections that are not explicitly required. All internet-facing services must be justified.
  • Secure configuration - devices must not use default passwords. Unnecessary software and services must be removed. Auto-run must be disabled.
  • Access control - user accounts must use the principle of least privilege. Admin accounts must only be used for admin tasks. MFA must be enabled for all internet-facing services and for all users.
  • Malware protection - anti-malware software installed and active on all in-scope devices, or application allow-listing deployed.
  • Patch management - all software on in-scope devices must be kept up to date. High and critical patches must be applied within 14 days. Unsupported software must not be in use.

ℹ️ MFA is now mandatory
From January 2025, the Cyber Essentials requirements mandate MFA for all accounts on all internet-accessible services - not just admin accounts. This is a significant change from the previous version. If your organisation does not have MFA deployed for all user accounts on Microsoft 365 and other cloud services, you will not pass the assessment.

Cyber Essentials (Basic)

📋 CE Basic

The basic Cyber Essentials assessment is a self-assessment questionnaire. You answer a set of questions about your IT environment online, an assessor reviews your answers, and if everything checks out, you receive the certification badge.

The questionnaire covers:

  • Boundary firewalls and internet gateways
  • Secure configuration of all in-scope devices
  • User access control and admin account management
  • Malware protection
  • Patch management and software update processes

Because it is self-assessed, the process relies on you accurately representing your controls. There is no independent technical verification of what you have actually deployed. This is both its strength (low cost, fast) and its limitation (less credible to sophisticated buyers than CE+).

Cyber Essentials Plus

✅ CE Plus

Cyber Essentials Plus includes everything in the basic assessment plus an independent technical verification by a qualified assessor. The assessor performs hands-on testing of your environment to confirm that the controls you claim to have are actually implemented correctly.

The CE+ technical assessment typically includes:

  • Vulnerability scanning of internet-facing systems - checking for unpatched services, open ports, and exposed management interfaces
  • Internal vulnerability scanning on a sample of in-scope devices - confirming patch levels, security configurations, and software versions
  • Malware simulation - testing whether the anti-malware controls actually block known test samples
  • Configuration review - checking browser settings, firewall rules, and account controls on sampled devices

CE+ must be completed within 3 months of passing the basic Cyber Essentials assessment. You cannot do CE+ without first having a valid CE basic certificate (or doing them simultaneously with the same assessor).

Key Differences

📈 Comparison
|                                  | Cyber Essentials               | Cyber Essentials Plus                              |
| -------------------------------- | ------------------------------ | -------------------------------------------------- |
| Assessment method                | Self-assessment questionnaire  | Independent technical audit                        |
| Technical testing                | None - based on your answers   | Vulnerability scanning, malware testing            |
| Time to complete                 | Days to weeks                  | Weeks to months                                    |
| Approximate cost (SMB)           | £300 to £600                   | £1,500 to £3,500+                                  |
| Credibility with buyers          | Good                           | Higher - independently verified                    |
| Required for MoD supply chain    | Yes (basic minimum)            | Often required for higher tier contracts           |
| Requires CE basic first          | No                             | Yes                                                |

Cost and Timelines

💲 Cost

Cyber Essentials basic costs are set by the certification bodies (IASME is the main one). As of 2025/26, the basic assessment costs around £300-350 for small organisations, scaling up slightly for larger businesses. Cyber Essentials Plus costs vary significantly by assessor and scope but typically run £1,500 to £3,500 for an SMB, and considerably more for larger environments.

Budget time as well as money. Basic CE can be completed in a couple of weeks if your controls are already in place. CE+ typically takes 4-8 weeks from initial contact to certificate, including time to fix anything the assessor identifies during testing.

Which One Do You Need?

✅ Decision

Cyber Essentials (basic) is appropriate if you need to demonstrate a security baseline to customers or partners, want to understand your security posture relative to the standard, or are pursuing UK government contracts that require CE but not CE+.

Cyber Essentials Plus is the right choice if you handle Ministry of Defence contracts or supply chain work that mandates CE+, if customers specifically request the independently verified version, or if you want genuine assurance that your controls are working rather than just documented.

The general recommendation: if you are going to pursue CE at all, aim for Plus. The additional credibility and the independent testing are worth the extra cost for any organisation that takes cybersecurity seriously. The basic assessment is a useful first step, but CE+ is the version that tells you whether your controls actually work.

Meeting the Requirements with Intune and M365

💻 Microsoft 365

If you are managing Windows devices with Intune and user identities with Entra ID, you already have the tooling to satisfy most of the Cyber Essentials requirements at scale. The main controls map as follows:

  • Firewalls - Windows Firewall deployed via Intune Endpoint Security policy, enabled on all profiles including public
  • Secure configuration - Intune configuration profiles enforcing password requirements, disabling autorun, removing unnecessary features
  • Access control and MFA - Entra ID Conditional Access requiring MFA for all users on all cloud apps, admin accounts managed via PIM
  • Malware protection - Microsoft Defender Antivirus active on all devices, policies deployed via Intune
  • Patch management - Windows Update for Business rings configured in Intune, quality updates applied within 14 days

Document everything before the assessment
For CE basic, you need to be able to accurately describe your controls in the questionnaire. For CE+, the assessor will want to see evidence that the controls are actually deployed. Before starting either assessment, document your Intune policies, firewall configurations, update rings, and MFA settings. Screenshots from the Intune and Entra admin portals are usually sufficient for CE+ evidence packs.
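As an added example (not from the original post, and not an official NCSC or IASME tool), the PowerShell below spot-checks the device-side state of each control on one Intune-managed Windows machine and produces a summary you can screenshot for the evidence pack. It assumes an elevated session on Windows 10/11 with Microsoft Defender Antivirus; MFA and Conditional Access are tenant-side settings and must be evidenced from the Entra admin portal instead.

```powershell
# Added example: local spot-check of the five Cyber Essentials controls on a single Windows device.
# Run elevated. Only built-in Windows cmdlets are used; thresholds mirror the CE requirements above.
$results = [ordered]@{}

# 1. Firewalls: Domain, Private and Public profiles must all be on and block inbound by default.
$profiles = Get-NetFirewallProfile
$weakProfiles = $profiles | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' }
$results['FirewallAllProfilesBlockInbound'] = ($weakProfiles.Count -eq 0)
$results['FirewallProfileDetail'] = ($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)/$($_.DefaultInboundAction)" }) -join '; '

# 2. Secure configuration: AutoRun must be disabled. The "Turn off Autoplay" policy writes
#    NoDriveTypeAutoRun = 0xFF (255) under the machine Explorer policy key.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
$results['AutoRunDisabled'] = ($autorun -eq 255)

# 3. Access control: list local Administrators so the assessor can see least privilege is applied.
#    (MFA and admin-account separation live in Entra ID / PIM and are evidenced there, not here.)
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
$results['LocalAdministrators'] = ($admins -join ', ')
$results['LocalAdministratorCount'] = @($admins).Count

# 4. Malware protection: Defender real-time protection on and signatures no older than a week.
$mp = Get-MpComputerStatus
$results['DefenderRealTimeProtection'] = $mp.RealTimeProtectionEnabled
$results['DefenderSignatureAgeDays']   = $mp.AntivirusSignatureAge
$results['DefenderSignaturesFresh']    = ($mp.AntivirusSignatureAge -le 7)

# 5. Patch management: CE requires high/critical patches within 14 days. Get-HotFix only sees
#    Windows updates, so this is evidence for the OS, not for third-party applications.
$latestPatch = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$results['OSVersion'] = (Get-CimInstance Win32_OperatingSystem).Caption
$results['LastWindowsUpdate'] = $latestPatch.InstalledOn
$results['WindowsPatchedWithin14Days'] = ($null -ne $latestPatch -and $latestPatch.InstalledOn -ge (Get-Date).AddDays(-14))

# Summary for the evidence pack; any $false value is a gap to fix before the CE+ visit.
[pscustomobject]$results | Format-List
```

Add `[pscustomobject]$results | Export-Csv -Path ".\ce-check-$env:COMPUTERNAME.csv" -NoTypeInformation` to keep a per-device record alongside the portal screenshots. Third-party software versions (browsers, Office, PDF readers) still need checking separately, as the assessor will scan them on the sampled devices.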