Cyber Essentials vs Cyber Essentials Plus: which is right for your UK business?

If you run a business in the UK with 10–200 staff, you’ve probably seen Cyber Essentials mentioned in tender documents, insurance forms and internal risk registers. It comes in two flavours: Cyber Essentials (self-assessed) and Cyber Essentials Plus (independently tested). Both reduce common cyber risks, but they do so in different ways and with different business outcomes.

What they are — plain English

Cyber Essentials is a government-backed scheme that sets a baseline for basic cyber hygiene. It’s a checklist: do you have firewalls, are devices patched, are user accounts managed sensibly, and so on. You answer questions about your controls and a certification body signs it off.

Cyber Essentials Plus includes the same checklist but adds hands-on testing by an external assessor. They run scans and checks to verify that the controls actually work in practice, rather than relying only on what you say.

Key differences that matter to the business

Verification and trust

For procurement teams and insurers, the difference is one of confidence. A self-assessed certificate shows you’ve got the basics in place; a Plus certificate proves those basics stand up under test. If your business bids for public-sector contracts or wants to reassure large partners, Plus carries more credibility.

Effort, time and internal resource

Cyber Essentials can often be achieved with a modest effort from your in-house IT person or managed service provider. It’s documentation and configuration work: inventories, patch schedules, user privileges. For many firms this is a few days to a couple of weeks’ work.

Plus involves extra time for the external tester to run scans and follow up on any issues. Expect the assessment to add a few days and possibly a couple of weeks if corrective actions are needed. If your IT team is a one- or two-person outfit looking after offices in Bristol and a cluster of remote workers, plan for that disruption.

Cost considerations

There’s a cost delta: Cyber Essentials is the cheaper, faster option; Plus costs more because of the technical testing. I’ve sat in boardrooms where finance directors asked whether the extra spend buys value. The short answer: it does, for tenders, insurance and when you need independent assurance. For routine supplier relationships or internal risk management, the basic certification can be a sensible place to start.

Insurance and procurement

Some insurers offer better terms if you have either certificate, and many public-sector contracts now ask for Cyber Essentials as a minimum. If a buyer asks for independent testing, that’s Cyber Essentials Plus territory. If you routinely respond to council or central government tenders, Plus can avoid losing business on a technicality.

Operational impact

Both schemes promote good habits: keeping devices patched, using strong passwords, limiting admin privileges, and enabling multi-factor authentication where practical. These actions reduce disruption from common threats like phishing and commodity malware — the things that typically take a small business offline for days.

How to decide for a 10–200 staff business

Rather than thinking purely in terms of badges, think about the outcome you need.

  • If you want a quick, affordable way to demonstrate basic competence to partners and insurers, and your IT team is small but capable — start with Cyber Essentials.
  • If you’re bidding for contracts that explicitly require independently tested assurance, or you want stronger proof for customers and boards, choose Cyber Essentials Plus.
  • If your IT estate is messy — many unmanaged devices, third-party kit, or lots of remote workers — Plus will expose gaps you didn’t know about, and that’s valuable because it forces you to fix them before they cause a breach.

Often the pragmatic approach is staged: get Cyber Essentials in place to build the discipline, then move to Plus once gaps are closed. That sequence also spreads cost and workload across quarters, which is useful for small finance teams.

If you want practical steps and a checklist to prepare, there is clear, actionable guidance on Cyber Essentials certification that many UK firms find helpful when starting out.

What preparation looks like (business-focused)

Preparation isn’t a technical deep-dive — it’s about organisation. Typical tasks include:

  • Mapping what devices and services you rely on (servers, laptops, cloud apps).
  • Assigning responsibility: who is responsible for patches, backups and account management?
  • Implementing straightforward controls: a basic firewall, up-to-date patches, limited admin accounts and multi-factor authentication where possible.
  • Documenting your policies so assessments don’t stall on paperwork.

These are things you can tackle with an internal IT lead, a trusted local IT supplier, or a pragmatic consultant. I’ve seen businesses in Leeds and Southampton clear the major issues within a few weeks when someone in the team took ownership.

Risks of skipping certification

Skipping certification doesn’t make you safer — it just leaves you with less proof that you’ve taken reasonable steps. That matters when an incident happens and you’re dealing with insurers, customers or regulators. Certification doesn’t prevent breaches entirely, but it reduces the chance and improves your position afterwards.

Costs versus benefits — the business case

Think of certification as risk management, not a marketing exercise. The benefits are less downtime, better insurance terms, smoother tendering and stronger trust from customers. For a business of your size, avoiding even a few days’ downtime can justify the cost, given what that downtime costs in lost sales, staff time and reputational damage.

Practical tips from experience

  • Start small: tackle patching and admin rights first — they offer the biggest risk reduction for the least effort.
  • Use the certification process to build repeatable processes that survive staff changes.
  • Choose the timing: avoid assessments during peak trading months so your team can focus.

FAQ

Do I need Cyber Essentials to win government contracts?

Not every contract needs it, but many public-sector tenders list Cyber Essentials as a requirement. Check tender documents closely; buyers sometimes specify the level required.

Will certification stop ransomware?

No single certification guarantees prevention. Cyber Essentials reduces exposure to common attacks, which lowers risk, but it should sit alongside backups, incident plans and staff awareness training.

Can my internal IT team handle the Plus assessment?

Often yes — but Plus requires technical testing by an accredited assessor. Your IT team should prepare the environment and address findings, but the testing itself is external.

How often do I need to recertify?

Both schemes require periodic reassessment. Treat certification as an ongoing process rather than a one-off tick box.

Is my small size an excuse not to bother?

No. Smaller firms are often easier targets because attackers expect weaker controls. Basic certification proves you’ve taken steps to reduce that risk.

Deciding between Cyber Essentials and Cyber Essentials Plus comes down to the outcomes you need: speed and affordability versus independent assurance. Both improve resilience, but Plus gives extra proof when confidence matters to procurement, insurers or your own board.

If you want less time firefighting, lower risk of lost sales and a smoother path through tenders and insurance checks, start with a gap review and plan the most cost-effective route to certification. That way you buy time, credibility and calm — and keep the business moving.