Cyber Essentials Plus: what UK SMEs need to know
If you run a business of 10–200 people in the UK, you’ve probably heard the phrase “Cyber Essentials Plus” and wondered whether it’s another bureaucratic tick-box or something that actually protects your bottom line. Short answer: it’s useful, practical and often worth the time — if you care about winning work, keeping insurance premiums sensible and not explaining a breach to customers.
What Cyber Essentials Plus actually is (in plain English)
Cyber Essentials Plus is the step-up in the UK Government’s Cyber Essentials scheme. Where basic Cyber Essentials is a documented self-assessment, the Plus version adds hands-on testing by an external assessor. It checks that your core defences — things like firewalls, secure configuration and software updates — are not just on paper but working in practice.
This isn’t about impressing your IT team with acronyms. It’s about reducing the chance of a nuisance outage, a data loss that costs you time and reputation, or a client walking away because they don’t feel their data is safe with you.
Why it matters for UK businesses — the commercial case
For many small and medium-sized firms the decision comes down to three commercial points:
- Procurement and tenders: Public sector contracts and an increasing number of private-sector buyers favour or require Cyber Essentials Plus. If you want to bid for certain contracts, it’s often non-negotiable.
- Insurance and risk: Insurers look for evidence you’re taking basic cyber hygiene seriously. Being able to show a tested certification can make renewal conversations simpler and the risk assessment less painful.
- Client confidence and reputation: Large clients want predictable suppliers. If you handle personal or financial information, a certified posture reduces the friction when clients run their supplier checks.
Those are the tangible outcomes: more bids accepted, smoother insurance discussions, and fewer awkward meetings after an incident. That’s why boards and managing directors increasingly treat Cyber Essentials Plus as a business enabler, not an IT-only exercise.
How Cyber Essentials Plus differs from Cyber Essentials
The difference is practical testing. Basic Cyber Essentials asks you to confirm configurations and policies. Plus sends an assessor to run simple, non-destructive tests against your systems. Think of it as the difference between a fire drill on paper and actually setting off the alarm (in a controlled way) to check it works.
Because of the extra assurance, Cyber Essentials Plus carries more weight with buyers and insurers — again, the benefit is commercial not just technical.
What the assessment involves (without the tech-speak)
Assessment typically covers the systems that talk to the internet and your staff devices. The assessor will:
- Check that basic protections are in place and configured sensibly.
- Perform simple tests to verify those protections work.
- Flag issues that could let in common attacks — often the same mistakes we see in small offices or on site visits: default passwords left in place, missed updates, or unnecessary services exposed to the internet.
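The third point above, services needlessly exposed to the internet, is something you can check for yourself before the assessor arrives. The script below is an added example written for this article, not part of the Cyber Essentials scheme or any assessor's toolkit. It assumes a Linux host where `ss -tuln` lists listening sockets; the sample output and the allowlist of ports you expect to be reachable are constructed for illustration. Anything bound to every interface that is not on the allowlist is worth either closing or binding to localhost before the test.

```python
"""Pre-assessment self-check: which listening services are reachable from other hosts?

Added example (not from the article). Parses `ss -tuln` output from a Linux host
and flags sockets bound on all interfaces that are not on an expected allowlist.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of `ss -tuln` output (not captured from a real system).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128    [::]:23             [::]:*
tcp   LISTEN 0      128    [::1]:6379          [::]:*
"""

# Hypothetical allowlist: the only (protocol, port) pairs this host should expose.
ALLOWED_EXPOSED = {("tcp", 22), ("tcp", 443)}

# Addresses that mean "every interface" in ss output (IPv4, IPv6, and old-style *).
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when the socket accepts traffic from any interface, not just loopback."""
        return self.addr in WILDCARD_ADDRS


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tuln` lines into Listener records; non-socket lines are skipped."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unexpected line
        proto, local = fields[0], fields[4]
        # Local address is "addr:port"; split on the last colon so IPv6 survives.
        addr, port = local.rsplit(":", 1)
        addr = addr.split("%")[0].strip("[]")  # drop "%lo" scope and IPv6 brackets
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def unexpected_exposure(listeners: list[Listener],
                        allowed: set[tuple[str, int]]) -> list[Listener]:
    """Listeners reachable from other hosts that are not on the allowlist."""
    return [l for l in listeners if l.exposed and (l.proto, l.port) not in allowed]


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for l in found:
        scope = "EXPOSED" if l.exposed else "local  "
        print(f"{scope} {l.proto}/{l.port:<5} bound to {l.addr}")
    for l in unexpected_exposure(found, ALLOWED_EXPOSED):
        print(f"REVIEW: {l.proto}/{l.port} is reachable from other hosts and not on the allowlist")
```

On a real host, replace the constructed sample with `subprocess.run(["ss", "-tuln"], capture_output=True, text=True).stdout` and adjust the allowlist to what the server is actually meant to serve; in the sample, the mDNS responder on udp/5353 and the telnet listener on tcp/23 are the two items an assessor would ask about.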
Preparation usually takes a few days to a few weeks depending on how tidy your estate is. The assessment itself is focused and non-disruptive; it’s designed not to break your systems but to check that routine defences hold up.
Costs, effort and realistic timelines
Costs vary by the size and complexity of your estate and whether you use an external consultancy to prepare. Expect effort from your IT lead or external provider to gather evidence and tidy configurations. If your firm has reasonably organised IT — up-to-date devices, standardised accounts and a simple network — preparation is straightforward. If you’ve got legacy systems, bespoke kit or a handful of remote locations, allow more time.
Think in terms of outcomes: a few days of internal time preparing can avoid a last-minute scramble before a tender deadline, and the certification itself is a one- to two-year reassurance that your basics are sound.
Where it fits in your wider security plan
Cyber Essentials Plus is not a silver bullet. It’s a sensible baseline. It sits alongside sensible policies, regular backups, staff training and an incident plan. Many businesses I’ve worked with across towns and cities from Liverpool to Canterbury treat it as the foundation they can reasonably explain to customers and insurers without getting into technical detail.
If you want a straightforward summary of what a Plus assessment covers and how to prepare, our practical Cyber Essentials guidance explains the checks assessors perform and the common pitfalls small UK businesses encounter — useful if you’re budgeting time and allocating tasks.
Practical tips from experience
- Start early if you’ve got remote sites or less-managed devices; gathering evidence takes time.
- Standardise device setup where possible — it makes both certification and ongoing maintenance cheaper.
- Back up before any big changes and keep a simple, tested incident plan so your team knows who does what if something goes wrong.
Those are the sort of fixes that save hours and reduce stress later, not just technical bragging rights.
FAQ
Is Cyber Essentials Plus mandatory for all UK businesses?
No. It isn’t legally mandatory for all businesses. However, it is often required by government contracts and increasingly by large corporate clients as part of their supplier checks. If you plan to tender for public sector work, check the specific contract requirements early.
How long does the certification last?
Certification is usually valid for twelve months. It reassures clients and insurers for that period, after which you’ll need a reassessment to maintain the certificate.
Will Cyber Essentials Plus stop all cyber attacks?
No single measure stops every attack. Cyber Essentials Plus reduces the risk from common, opportunistic attacks and demonstrates you’ve addressed basic hygiene. It’s a strong foundation, but you should still have backups, incident plans and sensible staff training.
Can we do the audit without external help?
You can handle parts of preparation internally if you have the skills, but the Plus assessment itself is carried out by an authorised external assessor. Many firms find a short engagement with a knowledgeable provider makes the process faster and less disruptive.
How will this affect our insurance?
Insurers welcome evidence of tested controls. Certification doesn’t guarantee lower premiums, but it simplifies risk conversations and may prevent insurers from asking for additional remedial steps during renewal.
If you’re weighing the cost of time and money against the benefits, think about the outcomes: fewer procurement hurdles, clearer conversations with insurers, and the quiet confidence that basic protections have been independently checked. That’s the sort of productivity and reputational calm that keeps directors sleeping better at night.