Short answer
Cyber Essentials Plus adds an independent technical audit - external vulnerability scan, device configuration check, MFA verification - on top of the CE self-assessment. Plus is required by many UK government contracts and most large enterprise supply chains.
Why this matters
This question affects how buyers compare Cyber Essentials with broader assurance schemes. Cyber Essentials is a baseline technical certification, so the useful answer is not only what the scheme is called, but what it proves, who administers it, and when a buyer should ask for Cyber Essentials Plus or a wider framework such as ISO 27001.
For procurement teams, the practical test is whether the certificate covers the organisation and scope named in the contract. For applicants, the practical test is whether the five technical controls are implemented across the devices, users, networks, and cloud services that access organisational data.
What to check next
- Confirm the certificate holder and scope match the buyer requirement.
- Check whether the contract asks for Cyber Essentials or Cyber Essentials Plus.
- Use the NCSC register to verify a certificate before relying on it.
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.