Cyber Essentials Plus is the more rigorous version of the UK Government-backed Cyber Essentials scheme. Where standard Cyber Essentials is a self-assessment, Cyber Essentials Plus adds an independent technical audit by a qualified assessor who physically tests your systems to verify the claims in the self-assessment.
How it differs from standard Cyber Essentials
| | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment type | Self-assessment | Self-assessment + independent audit |
| Cost | Lower | Higher |
| Evidence | Your word | Auditor’s verified findings |
| Typical timeline | 2–4 weeks | 6–10 weeks |
| Validity | 12 months | 12 months |
What the audit covers
The assessor will test:
- A sample of staff devices to check patching, configuration, and malware protection
- Internet gateways and firewalls to verify the claimed controls are in place
- User access management to confirm administrators are properly segregated
- Email and web filtering to check phishing protections
Why businesses choose Plus over standard
- Required by certain corporate panels (St. James’s Place for financial advisers is the best-known example)
- Required for some MOD and defence supply chain contracts
- Demonstrates an externally verified security posture, which is a stronger trust signal than self-assessment
- Increasingly preferred by cyber insurers for better premiums
How we help
We take clients through Cyber Essentials and Cyber Essentials Plus as a pathway, usually achieving standard CE first, then progressing to CE Plus once any gaps identified during the self-assessment have been closed. See our cyber security service or read the Ennvee case study for a concrete example of the journey.