You are not alone if security compliance has cropped up within your IT strategy planning. With the global cybersecurity industry set to be worth $366.1 billion by 2028, it is clear that companies worldwide are planning for a safer future.

Cyber Essentials and Cyber Essentials Plus have grown in popularity recently. In 2023, 50% of medium and 59% of large companies are aware of the Cyber Essentials schemes. Increasingly, companies are choosing to invest their time and effort in the schemes as the future of operations hinges on being cyber secure in the present.

One question we get asked a lot as IT experts is, do you need Cyber Essentials to achieve Cyber Essentials Plus? Let’s set the record straight. Keep reading to find out.

Why Do You Need Cyber Essentials to Get Cyber Essentials Plus?

We can confirm that you DO need Cyber Essentials before continuing to achieve the Plus certification.

The main reason is that the two awards go together, so you would not be sufficiently covered without one. You will need to complete the Cyber Essentials as part of the Cyber Essentials Plus accreditation. You should think of it as a stage of compliance that needs to be met before achieving the highest level of certification.

As this blog post focused on what is included within cyber essentials shows, the five core pillars of the basic award create a robust cyber security network. These cover firewalls, malware, user control, patch management, and software security. Designed to work together and provide ultimate protection, these pillars will protect every form of digital operation that a company could need to carry out. This is considered a cyber security toolkit available to every person within a company’s network.

Cyber Essentials is achieved through a self-assessment, reflecting on what measures are in place and if they meet the needs of the outlined pillars. This is enough to pass the award, but if you want the Essentials Plus certificate, you must progress your analysis further.

Cyber Essentials Plus focuses on vulnerability testing and cyber network performance. You must therefore have all the core controls in place and operations to pass these tests. Carried out by an expert auditor, the assessment tests all internal and external measures to understand their resilience against threats.

Forming a union that is the Bonnie and Clyde of the digital world, these two awards support each other resulting in elevated security performance.

What are the Differences Between Cyber Essentials and Cyber Essentials Plus?

What are the Differences Between Cyber Essentials and Cyber Essentials Plus?

External Audit and Vulnerability Testing

Cyber Essentials is self-assessed, but Essentials Plus requires an external audit. To prove that the measures that make up the five core pillars are in place, an approved team member from the applying company can sign to confirm this when applying for the Essentials award.

You may be asked for some additional information, but this can all be provided via proof of software etc. The application form also requires details on how the pillars have been implemented so that the awarding body can assess the suitability from a remote location.

To achieve the Cyber Essentials Plus award, an external auditor will run tests to ascertain the efficiency of the security measures. This involves trying to penetrate the network in several ways that the pillars should eliminate.


The cost for achieving the two certifications does vary due to the complexity that is included. The approved costs as outlined by the National Cyber Security Centre are as follows:

Cyber Essentials:

  • Micro Companies (0-9 Team Members) £300+vat
  • Small Companies (10-45 Team Members) £400+vat
  • Medium Companies (50-249 Team Members) £450+vat
  • Large Companies (250+ Team Members) £500+vat

Cyber Essentials Plus:

  • Micro Companies (0-9 Team Members) £1,650+vat
  • Small Companies (10-45 Team Members) £2,250+vat
  • Medium Companies (50-249 Team Members) £3,250+vat
  • Large Companies (250+ Team Members) £4,000+vat

The Cyber Essentials and Cyber Essentials Plus tiered pricing was announced in 2022. This was implemented to make the scheme more sustainable due to its long-term success and increasing awareness within global markets. As assessing the applications from small, medium, and large organisations takes longer, a higher charge is in place.

The NCSC also commented that this reflected the “increasing levels of rigour that go into every assessment”. Resulting from the ever-changing demands thrust upon companies due to rising security threats; this represents the relevance of both awards in today’s markets.

While paying for security compliance may not be your top priority, it is worth having. Cyber Essentials Plus ensures that your company’s security infrastructures are fully operational. Just having the measures in place is not enough to ensure your data’s and people’s safety.

As experts in cyber security, we agree with this, and as such, we encourage our clients to proactively undertake penetration testing even if they do not want to apply for this award.

You can read more about what the differences are between Cyber Essentials and Cyber Essentials Plus here.

What are the Benefits of Having Cyber Essentials Plus?

What are the Benefits of Having Cyber Essentials Plus?
  • Improved competitiveness and company image as all businesses that achieve this accreditation are seen to take their cyber security seriously. As the certification is recognised worldwide, suppliers and customers will also look at the awarded company more favourably as they know that their data is safe.

  • Less spending on insurance premiums is also a huge benefit. This is because insurance suppliers will understand that risk has been minimised, so the company in question will experience lower premiums. Cyber Essentials Plus is viewed positively as it encompasses all modern threats and continues to update in line with current trends. Insurance providers will appreciate this as the renewable process, and constant compliance adoption measures indicate that the company is a safe option to cover.

  • By achieving the Cyber Essentials Plus certificate, companies can also be eligible to bid for government and public centre contracts. Being one of the highest levels of security certification, any companies that adhere to these rules will be easier to bring on board and work with, as various levels of protection have already been cleared. While Cyber Essentials and Cyber Essentials Plus are not mandatory in the UK, they do help!

  • Preventing cyber-attacks is much easier than resolving successful ones. By having the structures in place to highlight any issues, cybercriminals cannot access your sensitive data. Essentials Plus is about ensuring the structures work, meaning that the award puts the processes in place that are more likely to prevent attacks effectively.

  • Cyber Essentials Plus is also beneficial as it means that implemented processes protect all staff members. As the measures must be functional during daily tasks, employees can work more confidently with additional advantages, including higher efficiency and satisfaction.

How Can I Achieve Cyber Essentials Plus?

If you are ready to take the next step in protecting your business, Cyber Essentials Plus is a brilliant security compliance solution to align with. You can also achieve it quickly using the following steps:

  1. Choose an IT agency to work with that can configure your security solutions.
  2. Create your security network with vulnerability testing in mind. This should be bespoke to your company’s operating style and consider the five core pillars.
  3. Achieve the Cyber Essentials award.
  4. Once you have the Cyber Essentials certificate, you can apply for the external testing Cyber Essentials Plus certification. You must have at least three months left on your certificate when you apply.
  5. Repeat the process annually to ensure long-term coverage and cyber security safety.

It is as simple as that! Contact us today if you want to chat with us about starting the process.

Cyber Essentials Plus is growing in popularity. This means that any companies which undertake the assessment now, will be seen as pioneers within their industry in coming years. If you want to be cyber secure and seen as a safe bet for customers and suppliers to align with, start your journey today.

Share this post

Prices from £32/user

We employ our own 3CX accredited engineers, and with our partners we’re able to offer support and installation services for a whole range of other systems including NEC, Siemens, Avaya and Mitel.

Why not see what we can do for your business?

Our friendly team is ready to answer any questions you may have. If you are interested in any of our products or services, then have a discussion with us!