What does Cyber Essentials Plus test that standard Cyber Essentials does not?

Cyber Essentials Plus adds independent hands-on technical testing to the self-assessment questionnaire. An assessor performs external vulnerability scans, checks device configurations, and tests your defences against simulated attacks. This verification confirms that the five controls you declared in your self-assessment are genuinely implemented and working as intended.

Is Cyber Essentials Plus mandatory for government contracts?

Standard Cyber Essentials satisfies most government contract requirements, but certain MOD supply chain and defence-related contracts mandate Plus specifically. Cyber Essentials certified organisations are 92% less likely to claim on cyber insurance (IASME), and insurers increasingly favour Plus for its independent verification when setting premiums and coverage terms.

Can I go straight to Cyber Essentials Plus without doing standard Cyber Essentials first?

No. Cyber Essentials Plus requires a valid Cyber Essentials certificate as a prerequisite. You must complete the self-assessment first, then proceed to the independent technical testing within three months. The combined process typically takes two to four weeks when managed by an experienced assessor, compared to one to two weeks for standard alone.

How much more does Cyber Essentials Plus cost compared to standard Cyber Essentials?

Standard Cyber Essentials costs approximately £300 to £500. Cyber Essentials Plus adds £1,500 to £5,000 depending on business size and complexity, covering the independent assessor's testing time. However, with the average cost of a disruptive breach at £3,550 (DSIT 2025), the additional investment in verified controls typically pays for itself through reduced breach risk.

Cyber Essentials vs Cyber Essentials Plus: Which Do You Need?

Cyber Essentials is a self-assessment covering five technical controls. Cyber Essentials Plus adds independent verification through hands-on testing. Both are NCSC-backed. If you handle sensitive data or work with government, aim for Plus.

Get CE Readiness Assessment View CE Service

Key Facts

99.99%of compromised accounts had not enabled MFA (Microsoft)

612,000UK businesses affected by cyber breaches in the past year

19,000UK businesses hit by ransomware in the past 12 months

204%increase in AI-powered phishing emails in 2025

Last updated: March 2026

Cyber Essentials vs Plus: Comparison

What each level of certification involves and how they differ.

Feature	Cyber Essentials£300–£500	CE Plus£1,500–£5,000Recommended
Self-assessment questionnaire
Independent technical testing
Vulnerability scanning
On-site assessment
Valid for government contracts
Stronger assurance for insurers	Basic	Strong
Typical completion time	1–2 weeks	2–4 weeks
Annual renewal required

Costs vary by business size and assessor. CE Plus requires a current CE certificate.

When to Choose Each Level

Both certifications have their place — the right choice depends on your risk profile and requirements.

Choose Cyber Essentials if...

You want a quick, affordable baseline certification. Good for meeting basic government contract requirements and demonstrating commitment to security.

Choose Cyber Essentials Plus if...

You handle sensitive data, work in regulated sectors, need stronger assurance for clients and insurers, or want independent verification that your controls actually work.

Cost-Benefit Analysis

Cyber Essentials costs £300–£500 and provides immediate baseline certification. Cyber Essentials Plus costs £1,500–£5,000 but delivers significantly stronger assurance — many insurers offer premium reductions that offset the additional cost within the first year. For businesses handling sensitive data, the Plus certification pays for itself.

Get a free CE readiness assessment

The AMVIA Recommendation

If you are achieving certification for the first time, start with Cyber Essentials. It is quicker, cheaper, and counts towards most government and insurance requirements. Upgrade to CE Plus when you tender for contracts involving sensitive data, or when your cyber insurer specifically requires independent verification. AMVIA supports both — often on a fixed-price basis.

Book a Cyber Essentials Readiness Call