Lesson 1.5 — Cyber Essentials vs Cyber Essentials Plus

This lesson explains the difference between Cyber Essentials Basic and Cyber Essentials Plus — what each level involves, how they relate to each other, who needs which level, and how organisations should plan for Plus if it is required or intended.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • explain the difference between Cyber Essentials and Cyber Essentials Plus
  • identify situations where Plus is required or appropriate
  • understand what additional rigour Plus introduces into the assessment process

Why This Matters

The Core Rule

Cyber Essentials Basic is a self-assessment — you declare what controls are in place and an assessor reviews your answers.

Cyber Essentials Plus adds independent technical testing — a qualified assessor actually verifies that the controls are functioning on a sample of your systems.

Cyber Essentials Basic

Cyber Essentials Basic is a self-assessment.

The organisation works through the questionnaire, checks its controls, records answers and submits them to an approved certifying body. An assessor reviews the answers and may raise clarification questions. If the assessment passes, a certificate is issued.

Cyber Essentials Plus

Cyber Essentials Plus builds directly on Cyber Essentials Basic. An organisation cannot go straight to Plus — it must hold a valid Cyber Essentials Basic certificate first, or complete the Basic assessment as part of the Plus process.

What Plus adds is independent technical verification.

Why Plus is more rigorous

Cyber Essentials Basic relies on the organisation accurately describing its controls. Plus verifies that those controls are actually functioning.

This matters for several reasons.

Copy This

Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.

Quick Checklist

Before moving on, make sure you can answer these:

  • [ ] What is the key difference between Cyber Essentials Basic and Cyber Essentials Plus?
  • [ ] Can an organisation go directly to Cyber Essentials Plus without first completing Basic?
  • [ ] Which of the following is typically included in the Cyber Essentials Plus technical assessment?
  • [ ] Why might an organisation that guessed its way through Basic struggle with Plus?
  • [ ] If a contract specifically requires Cyber Essentials Plus, what should the organisation confirm before beginning the assessment?

Your Action

Do this now — it takes 10–20 minutes.

Decide whether CE or CE Plus is right for your organisation. Note the decision and the reason.

Key Takeaway

Good preparation for Basic — where you genuinely check your controls rather than guess — is also the best preparation for Plus.

Your Workbook Activity

Complete: Level decision record and Plus readiness flags

Next Lesson

In the next lesson: Common Cyber Essentials mistakes that cause failure, delay or rework