
Cyber Essentials vs Cyber Essentials Plus: Which Do You Need?

Fig Group Editorial

The Cyber Essentials scheme offers two certification levels: Cyber Essentials and Cyber Essentials Plus. Both cover the same five core security controls, but they differ significantly in how those controls are verified. Choosing the right level depends on your organisation's requirements, risk profile, and the expectations of your customers and partners.

The Core Difference: Self-Assessment vs Third-Party Verification

Cyber Essentials is the self-assessed certification level. Your organisation completes a questionnaire covering five control categories – firewalls, secure configuration, security update management, user access control, and malware protection. An IASME-accredited certification body reviews your answers and issues the certificate if you meet the requirements.

Cyber Essentials Plus adds independent, third-party verification. An external auditor reviews your self-assessment, then conducts a technical audit of your systems. This includes vulnerability scanning of your external-facing infrastructure and verification that the controls you described are actually implemented and working.

Side-by-Side Comparison

| Feature | Cyber Essentials | CE Plus |
|---|---|---|
| Assessment type | Self-assessed questionnaire | Third-party technical audit |
| External vulnerability scan | No | Yes |
| On-site or remote audit | No | Yes |
| Certification validity | 12 months | 12 months |
| Time to complete | Under 6 hours (with Fig) | 1–3 working days |
| Starting price (Fig) | £314.99 | £1,499 |
| Government contract eligible | Yes (basic requirement) | Yes (preferred for higher-value contracts) |
| Requires Cyber Essentials first | No | Yes (Cyber Essentials is a prerequisite) |

When Cyber Essentials Is Sufficient

Cyber Essentials is appropriate when:

  • You need certification quickly – Cyber Essentials can be completed in a single day with Fig. If you are facing an urgent tender deadline, it is the fastest route.
  • Your clients require Cyber Essentials but do not specify Plus – Many contracts simply require "Cyber Essentials certification" without specifying the level.
  • You are a small organisation with a simple IT environment – If you have fewer than 50 employees, a straightforward network, and no complex cloud infrastructure, Cyber Essentials demonstrates adequate controls.
  • You want a cost-effective starting point – At £314.99, Cyber Essentials is an affordable way to demonstrate commitment to cybersecurity fundamentals.
  • You are bidding on standard government contracts – The minimum requirement for most central government contracts is Cyber Essentials.

When You Need Plus

Cyber Essentials Plus is the right choice when:

  • Your clients or contracts specifically require Plus – Some enterprise customers and government departments mandate Plus for higher-value or higher-risk contracts.
  • You want to demonstrate verified controls – Plus carries greater credibility because an independent auditor has confirmed your controls work, not just that you claim they do.
  • You handle sensitive data at scale – Organisations processing significant volumes of personal data, financial data, or health data should consider the additional assurance that Plus provides.
  • You are building towards ISO 27001 – Plus verification aligns more closely with the independent audit approach used in ISO 27001 certification. It is a natural stepping stone.
  • Your insurance provider offers better terms for Plus – Some cyber insurance providers differentiate between Cyber Essentials and Plus when setting premiums.

The Assessment Process for Each Level

Cyber Essentials process with Fig:

1. Purchase your Cyber Essentials certification (select organisation size)
2. Complete the self-assessment questionnaire
3. Submit for review (orders placed before midday are certified in under 6 hours)
4. Receive structured feedback if any gaps are identified (up to 3 times)
5. Certificate issued on successful completion

Plus process with Fig:

1. Achieve Cyber Essentials certification first (this is a prerequisite)
2. Purchase your Cyber Essentials Plus certification
3. Schedule the third-party technical audit
4. Auditor conducts vulnerability scanning and control verification (1–3 days)
5. Certificate issued on successful completion

Can I Start with Cyber Essentials and Upgrade Later?

Yes. Many organisations start with Cyber Essentials to meet an immediate requirement, then upgrade to Plus when the business case demands it. Since Cyber Essentials is a prerequisite for Plus, achieving it first is always the right starting point.

Fig's Recommendation

For most organisations, start with Cyber Essentials. It meets the majority of contractual and regulatory requirements, can be achieved same-day, and costs a fraction of Plus. Upgrade to Plus when a specific contract, client, or risk assessment requires it.

If you are unsure which level you need, speak to our team or use our readiness checker to assess your current position.
