Can I get Cyber Essentials Plus without Cyber Essentials?
No - Cyber Essentials Plus requires a current Cyber Essentials certificate first, or both can be completed in a single engagement. The self-assessment is identical for both levels; Plus adds hands-on technical testing by an assessor.
Can I get Cyber Essentials Plus without Cyber Essentials?
No - Cyber Essentials Plus cannot be issued without a current Cyber Essentials certificate. The Plus audit builds on the same self-assessment as the standard Cyber Essentials scheme. In practice, both can be completed in a single engagement, so "starting from scratch" and "CE + CE Plus together" is a common path.
Why Plus requires standard CE
The IASME scheme rules require the self-assessment questionnaire to be reviewed and passed before the Plus technical audit takes place. Plus is not a separate product with a separate standard - it is the same five controls, verified by hands-on technical testing rather than by self-declaration.
What's different about Plus
A Plus audit, on top of the self-assessment review, adds:
- Authenticated vulnerability scan of a representative device sample.
- External vulnerability scan of internet-facing infrastructure.
- Email-filtering and malware-protection test (EICAR / test-URL delivery, receipt review).
- Browser-based malware test (known malicious URL blocked).
- Patch-management verification against the 14-day rule.
- MFA configuration check on cloud services in scope.
See the dedicated piece: Cyber Essentials Plus remote audit: how the assessor actually tests your controls.
Can CE and CE Plus run in parallel?
Yes. Most IASME-licensed bodies (including Fig Group) offer combined engagements where:
1. The organisation submits the CE self-assessment.
2. The assessor reviews and issues the CE certificate (6-hour turnaround at Fig Group).
3. The Plus audit is scheduled within the following weeks - typically 1 to 3 weeks end to end, depending on the organisation's scan windows.
The CE certificate issued in step 2 remains valid for 12 months; the Plus certificate issued at the end of step 3 is also valid for 12 months from its own issue date.
Pricing
Cyber Essentials from £299.99 + VAT (Micro). Cyber Essentials Plus from £1,499 + VAT (Micro). Both scale by headcount. See the full pricing page.
Bottom line
Cyber Essentials Plus requires a current Cyber Essentials certificate - but both can be completed in a single 1–3 week engagement with an IASME-licensed body. For UK tender, MOD sub-contracting, and enterprise supplier work where Plus is specified, the cleanest route is to plan them together from the start.
Start Cyber Essentials from £299.99 + VAT | All pricing tiers | Cyber Essentials vs Cyber Essentials Plus
About the author
Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
Next step
Want to see how Fig handles this?
Discover how Fig helps organisations prepare for security assessments and maintain ongoing compliance.
Request a demo