What the Plus means, what it involves, and whether you actually need it
Cyber Essentials Plus: Beyond the Basics
So you've got Cyber Essentials.
Certificate on the wall. Basic controls in place. Feeling pretty good about yourself. And then someone asks: "But do you have Plus?"
Suddenly you're back to square one. There's a Plus version? What's different? Is your regular certificate not good enough? Do you need to start over?
Deep breath. Let me explain.
The Difference in One Sentence
Cyber Essentials is self-assessment. You answer questions about your security controls.
Cyber Essentials Plus is verified assessment. Someone actually tests your systems to check your answers are true.
That's it. Same five controls. Same requirements. The difference is who's checking - you, or an external assessor with hands on your systems.
What Stays the Same
The five controls don't change:
- Firewalls
- Secure configuration
- Access control
- Malware protection
- Patch management
The standards don't change. What counts as compliant for regular Cyber Essentials counts as compliant for Plus. You're not being held to a higher bar - you're being verified against the same bar.
If you've genuinely implemented the controls properly for your basic certification, Plus shouldn't reveal any surprises. It's confirmation, not escalation.
What's Different
The assessment process is completely different.
For regular Cyber Essentials:
You fill in a questionnaire. You answer questions about your setup - what firewalls you have, how you manage passwords, when you last updated your software. You submit it. An assessor reviews your answers. If everything looks right, you pass.
It's based on trust. You're telling them what you do, and they're taking your word for it.
For Cyber Essentials Plus:
An assessor actually tests your systems. They're not just reading your answers - they're checking if those answers are true.
This involves:
Vulnerability scanning. They scan your external-facing systems looking for known vulnerabilities. Unpatched software, misconfigured services, anything that shouldn't be exposed.
On-site or remote testing. They look at a sample of your devices - laptops, desktops, servers. Checking configurations, verifying security settings, confirming what you claimed is actually in place.
Malware protection testing. They'll verify your anti-virus is working - sometimes by introducing test files to see if they get caught.
Email and web filtering tests. They might send test phishing emails or try to access malicious websites to check your defences.
It's hands-on. It's technical. And it's thorough.
What the Assessment Looks Like
Let me walk you through a typical Plus assessment, because the unknown is what scares people.
Before the assessment:
You'll agree a scope with your assessor - which systems, which locations, what's being tested. You'll provide some information upfront: IP addresses, device lists, that kind of thing.
You'll also pick a date. The technical testing usually takes a few hours to a full day, depending on your setup's complexity.
During the assessment:
The assessor connects to your network (remotely or on-site) and starts their testing. Vulnerability scans run against your external systems. They pick a sample of devices to examine directly.
You'll need someone technical available - that was me at Simpson & Sons - to provide access, answer questions, and help if they hit any issues.
It's not confrontational. They're not trying to catch you out. They're methodically working through checks, verifying what's in place.
After the assessment:
You'll get a report. Either you've passed, or you've got findings that need addressing.
If there are findings, you typically get a window to remediate - fix the issues - and then they'll retest those specific areas. You don't have to start from scratch.
The Findings Reality
Here's something that calmed my nerves before our first Plus assessment: findings are normal.
Most businesses have something come up. A device that missed an update. A configuration that's slightly off. A service that's exposed when it shouldn't be.
This isn't failure. It's the system working. The whole point of Plus is to catch things that self-assessment might miss.
Our first Plus assessment found two things:
- A laptop that had been offline during our last update cycle and was behind on patches
- A firewall rule that was more permissive than it needed to be
Neither was catastrophic. We fixed both within a day. Passed on retest.
The assessor wasn't judging us. They were helping us find blind spots. That's the value.
Who Actually Needs Plus
Here's the honest answer: not everyone.
You probably need Plus if:
Contract requirements specify it. Some government contracts and larger organisations require Plus specifically. Regular Cyber Essentials won't cut it.
You handle sensitive data. If you're processing particularly sensitive information - healthcare, financial, certain government data - Plus provides stronger assurance.
Your clients demand it. Increasingly, larger organisations want their supply chain to have Plus. If your key clients are asking, you need to deliver.
You want the verification. Some business owners just sleep better knowing an external party has actually tested their controls. Peace of mind has value.
You probably don't need Plus if:
Basic Cyber Essentials meets your contract requirements. If no one's asking for Plus specifically, you might not need the extra expense.
You're a very small operation. A three-person business with basic IT needs might find Plus overkill for their risk profile.
Budget is genuinely tight. Plus costs more - typically £1,500-3,000+ depending on your setup. If regular Cyber Essentials is stretching you, get that solid first.
There's no shame in sticking with regular Cyber Essentials. It's a legitimate certification that proves you've got the basics in place. Plus is an enhancement, not a replacement for inadequacy.
The Cost Difference
Let's talk numbers.
Cyber Essentials: £300-500 typically, including the IASME fee and platform costs.
Cyber Essentials Plus: £1,500-3,000+, depending on the size and complexity of your setup. More devices, more locations, more complexity = higher cost.
The Plus assessment involves actual human time - assessors running tests, analysing results, writing reports. That's where the cost comes from.
Is it worth it? Depends on your situation. If a contract worth £100k requires Plus, spending £2k on certification is obvious. If you're a small business with no external requirements for Plus, that £2k might be better spent elsewhere.
Preparing for Plus
If you've decided Plus is right for you, here's how to prepare.
Get your regular Cyber Essentials solid first.
Plus builds on the basic certification. If you rushed through Cyber Essentials with half-implemented controls, Plus will expose that. Take the time to do the basics properly.
Do your own testing.
Before the assessor arrives, do your own vulnerability scan. There are free tools that can give you a sense of what they'll find. Fix the obvious stuff before assessment day.
Update everything.
Seriously. Go through every device and make sure patches are current. This is the most common finding - something that slipped through the update cycle.
Document your setup.
Know your network. Know your devices. Know your configurations. When the assessor asks questions, you need clear answers.
Have someone technical available.
The assessment needs someone who can provide access, explain configurations, and address questions in real time. If that's not you, make sure that person's calendar is blocked.
Don't panic.
The assessor wants you to pass. They're not looking for reasons to fail you. They're verifying that your controls work. If you've done the work, verification is just confirmation.
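The two most common findings mentioned above, a device that slipped through the update cycle and a firewall rule more permissive than it needs to be, are both things you can check for yourself before assessment day. The script below is an added example, not code from the original post, the assessor, or any Cyber Essentials tooling: it runs a simple pre-assessment self-check over a constructed device inventory and firewall rule list. The inventory fields, the 14-day patch window, and the list of ports that should never be open to the whole internet are assumptions for illustration; in practice you would export the device list from your RMM or MDM tool and the rules from your firewall.

```python
"""Pre-assessment self-check (added example, not from the original post).

Flags two kinds of finding a Plus assessor typically raises:
  * devices whose last security update is older than the patch window
  * firewall 'allow' rules that expose any port, or a sensitive port to any source
The data format, thresholds and port list below are assumptions for illustration.
"""
from datetime import date, timedelta
from ipaddress import ip_network

# Constructed sample inventory (hostname, role, date of last security update).
# A real run would read this from your RMM/MDM export.
DEVICES = [
    {"host": "ws-office-01", "role": "desktop", "last_patched": date(2024, 5, 2)},
    {"host": "lt-sales-03",  "role": "laptop",  "last_patched": date(2024, 3, 11)},  # offline during last cycle
    {"host": "srv-files-01", "role": "server",  "last_patched": date(2024, 5, 1)},
]

# Constructed firewall rules. "any" is how many firewalls print 0.0.0.0/0 or "all ports".
FIREWALL_RULES = [
    {"id": 10, "src": "203.0.113.0/24", "dport": 443,   "action": "allow", "note": "HTTPS from partner"},
    {"id": 20, "src": "any",            "dport": 3389,  "action": "allow", "note": "RDP for remote support"},
    {"id": 30, "src": "any",            "dport": 443,   "action": "allow", "note": "public web"},
    {"id": 40, "src": "10.0.0.0/8",     "dport": "any", "action": "allow", "note": "internal any-port"},
    {"id": 50, "src": "any",            "dport": 445,   "action": "deny",  "note": "block SMB"},
]

# Assumed list of management/file-sharing ports that should never face the whole internet.
SENSITIVE_PORTS = {22, 23, 445, 3389, 5900}

# Assumed window: Cyber Essentials expects high/critical patches applied within 14 days,
# so a device with no updates for longer than that deserves a look before the assessor does.
PATCH_WINDOW_DAYS = 14


def stale_devices(devices, as_of, window_days=PATCH_WINDOW_DAYS):
    """Return hostnames whose last patch date falls outside the window, sorted."""
    cutoff = as_of - timedelta(days=window_days)
    return sorted(d["host"] for d in devices if d["last_patched"] < cutoff)


def _is_any_source(src):
    """True for 'any' or a /0 network, i.e. the whole internet."""
    if src == "any":
        return True
    return ip_network(src, strict=False).prefixlen == 0


def permissive_rules(rules):
    """Return ids of 'allow' rules that open every port, or a sensitive port to any source."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        any_port = rule["dport"] == "any"
        exposed_sensitive = _is_any_source(rule["src"]) and rule["dport"] in SENSITIVE_PORTS
        if any_port or exposed_sensitive:
            findings.append(rule["id"])
    return findings


def self_check(devices, rules, as_of):
    """Combine both checks into one report dict, as you would hand to whoever fixes things."""
    return {
        "stale_devices": stale_devices(devices, as_of),
        "permissive_rules": permissive_rules(rules),
    }


if __name__ == "__main__":
    report = self_check(DEVICES, FIREWALL_RULES, date(2024, 5, 10))
    for host in report["stale_devices"]:
        print(f"PATCH: {host} has not received updates within {PATCH_WINDOW_DAYS} days")
    for rule_id in report["permissive_rules"]:
        print(f"FIREWALL: rule {rule_id} is more permissive than it needs to be")
```

Run with the sample data as of 10 May 2024 it reports the laptop that missed the update cycle and the two over-broad rules (RDP open to the internet, and an any-port rule); the deny rule and the public HTTPS rule are left alone. The check is deliberately simple so it can be rerun the day before the assessment and after each remediation.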
Our Plus Journey
We got our first Plus certification about eighteen months after the basic cert.
Mr S was nervous. I was nervous. Even Kev asked about the tie again (I told him no, again).
The assessor was professional, methodical, and genuinely helpful. When they found the laptop with outdated patches, they explained exactly what needed updating and why it mattered. When they spotted the firewall rule, they showed us a better configuration.
It felt less like an exam and more like a really thorough health check. Yes, they found things. No, it wasn't embarrassing. We fixed the issues, passed the retest, and now we renew Plus annually.
The first time is the scariest. After that, it's just maintenance.
The Bottom Line
Cyber Essentials Plus is the verified version of the basic certification. Same controls, same standards, but with hands-on testing instead of self-assessment.
You need it if contracts require it, clients demand it, or you want the assurance of external verification.
You don't need it if basic Cyber Essentials meets your requirements and budget is a concern.
If you do go for Plus, prepare properly - update everything, document your setup, and don't panic. The assessors are there to verify, not to destroy.
Beyond the basics? Yes. Beyond your capabilities? Definitely not.
Danny Preece is Head of Technical Sales at Simpson & Sons and an SME Cyber Resilience Consultant with TransCrypt. He still gets slightly nervous before Plus assessments, but now it's more like pre-match nerves than existential dread. Progress.