Cyber Essentials vs. Cyber Essentials Plus: What’s the difference?

19 May 2025

In today’s digital world, cyber security is essential. For organisations of all sizes, ensuring your systems are secure from common threats is a foundational step toward building trust and resilience. That’s where Cyber Essentials and Cyber Essentials Plus come in.

Both are UK government-backed certification schemes designed to help organisations protect themselves against the most common cyber threats. Both Cyber Essentials certifications last for 12 months and need renewing on a yearly basis. But what is the difference between the two, and which one is right for your organisation?

What is Cyber Essentials? 

Cyber Essentials is a self-assessed certification that focuses on five key technical areas. The aim is to help organisations implement basic levels of protection against cyber attacks. To achieve certification, organisations complete a questionnaire that is reviewed by a certification body. This assessment verifies that your systems meet the Cyber Essentials standard.  

Cyber Essentials is often the starting point for organisations looking to strengthen their cyber security posture, meet contractual requirements, or reassure customers and partners. 

The Cyber Essentials self assessment in more detail 

The questionnaire covers five technical controls: 

1. Firewalls 
You’ll be asked to demonstrate that your boundary firewalls and routers are correctly configured. This includes changing default passwords, restricting inbound traffic, and ensuring devices are updated and secured. 

2. Secure configuration 
This section checks whether your devices and software are set up securely. You’ll need to confirm that unused services are disabled, security settings are enabled, and user accounts follow best practices. 

3. User access control 
You’ll be required to show how access to systems and data is managed. This includes limiting user accounts to only what’s needed, using strong passwords, having systems in place for account deletion, and controlling admin rights appropriately. 

4. Malware protection 
Questions here focus on how you protect against viruses and other malware. You’ll need to confirm that anti-malware tools are in place. 

5. Security update management 
You’ll need to demonstrate that all your devices, operating systems, and software are regularly updated with the latest security patches. 

Where to find the full question set

Updated to version 15 in 2025, the full self-assessment question set, referred to as ‘Willow’, can be read here. Although self-guided, your answers must be accurate and reviewed by a senior representative of your organisation. Completing it thoroughly not only prepares you for certification but also highlights areas where your cyber security posture can be improved.

What is Cyber Essentials Plus? 

Cyber Essentials Plus includes all the requirements of Cyber Essentials but with one major difference: it involves a hands-on technical audit by a qualified assessor.

This audit tests your systems to verify the information provided in your self-assessment. It includes: 

1. Remote vulnerability assessment 
To test whether an internet-based opportunist attacker can hack into the organisation’s system with typical low-skill methods, including checking for open ports on the firewall. 

2. Check patching, by authenticated vulnerability scan of devices 
To identify missing vulnerability fixes that could be exploited within the bounds of the CE threat model. Vulnerability fixes include patches, updates, registry fixes, configuration changes, scripts or any other mechanism prescribed by the vendor to fix a known vulnerability. Both operating system updates and software updates are tested. 

3. Check malware protection 
To check that end user devices, servers and IaaS instances benefit from at least a basic level of malware protection. 

4. Check multi-factor authentication configuration 
To test cloud services have been configured for multi-factor authentication (MFA). Cloud services will be tested for both user and administrator access. 

5. Check account separation 
To test that ordinary user accounts don’t have administrator privileges assigned; this includes end user devices, servers and cloud environments.

Cyber Essentials Plus provides a greater level of assurance because it validates your cyber security measures through independent testing. It’s especially recommended for organisations handling sensitive data, or those in sectors where compliance and trust are critical, such as education, finance, or healthcare.
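As an added illustration of the account separation check (this is example code written for this post, not part of the certification scheme or the assessor’s tooling), the following PowerShell script lists the members of a Windows endpoint’s local Administrators group and flags any principal that is not on an assumed allow-list. The allow-list entries, including the `CORP` domain name, are placeholders you would replace with your own approved admin accounts.

```powershell
# Added example: audit local Administrators membership on a Windows endpoint
# against an allow-list of approved admin principals. This is the kind of
# evidence a CE Plus assessor asks for under "Check account separation".

# Hypothetical allow-list (replace with your own). The built-in Administrator
# account is reported as COMPUTERNAME\Administrator, so build it from $env.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\Domain Admins'            # placeholder domain group
)

function Test-AccountSeparation {
    param(
        [string[]]$Approved = $ApprovedAdmins,
        [string]$Group = 'Administrators'
    )
    # Get-LocalGroupMember ships with the built-in LocalAccounts module.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    foreach ($m in $members) {
        $isApproved = $Approved -contains $m.Name
        if ($isApproved) { $finding = 'OK' } else { $finding = 'Unexpected admin - review' }
        [pscustomobject]@{
            Principal = $m.Name
            Type      = $m.ObjectClass      # User or Group
            Source    = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD ...
            Approved  = $isApproved
            Finding   = $finding
        }
    }
}

$results = Test-AccountSeparation
$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled compliance job pick up failures.
if ($results | Where-Object { -not $_.Approved }) { exit 1 } else { exit 0 }
```

Run it from an elevated PowerShell session on each in-scope device; an ordinary user account appearing with `Finding = 'Unexpected admin - review'` is exactly the condition the CE Plus audit is designed to catch.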

Why Cyber Essentials certification matters 

Whether you choose the basic certification or the Plus version, becoming Cyber Essentials certified offers a range of benefits: 

1. Protect against common threats 
Both certifications focus on the most common attack vectors used by cybercriminals. This includes phishing, malware, and network breaches, making them highly relevant for today’s most widely used attacks. 

2. Demonstrate commitment to cyber security and provide assurance  
Certification shows your stakeholders, partners, and clients that you take cyber security seriously. It builds trust and gives reassurance that you’re proactive about protecting data. 

3. Meet and exceed government and regulatory requirements 
Cyber Essentials is often a requirement for UK government contracts and is increasingly expected across sectors. It supports compliance with wider frameworks such as GDPR and the DfE’s digital standards in education. 

4. Improve incident response readiness 
Going through the certification process helps organisations understand their current cyber security posture and identify areas for improvement. This strengthens your overall resilience and response in the event of an incident. 

5. Insurance benefits 
Many insurers recognise Cyber Essentials certification and may offer better terms or reduced premiums for certified organisations. 

Which should you choose? 

If you’re starting your cyber security journey, Cyber Essentials is a solid first step. It’s accessible, affordable, and demonstrates you have the basics covered. 

If you want to go a step further and provide assurance to clients, regulators, or internal stakeholders, Cyber Essentials Plus is the gold standard. Its hands-on audit confirms your defences are not only in place but functioning effectively in real-world conditions. 

Need help getting certified? 

With our partners, we can support organisations through the full Cyber Essentials and Cyber Essentials Plus process from initial assessments to technical remediation and audit preparation. Get in touch to find out how we can help secure your organisation. 
