Cyber Essentials and Cyber Essentials Plus certify exactly the same five technical security controls. The difference is not what is assessed — it is how it is checked. Base Cyber Essentials is a verified self-assessment; Cyber Essentials Plus adds an independent, hands-on audit. That single distinction is what makes Plus the stronger signal.
If you’re new to the scheme, start with our overview of what Cyber Essentials is. This guide focuses purely on telling the two levels apart and knowing which to expect from an IT provider.
Cyber Essentials: verified self-assessment
For the base level, an organisation completes a structured self-assessment questionnaire covering the five controls — firewalls, secure configuration, security update management, user access control and malware protection. A senior person signs a declaration that the answers are accurate, and an accredited certification body reviews the questionnaire before issuing the certificate.
This is genuinely useful: it forces an organisation to examine its own controls against a recognised standard and have that review independently marked. But the evidence is, ultimately, the organisation’s own account of its setup. No one logs into the systems to check.
Cyber Essentials Plus: independently tested
Cyber Essentials Plus starts from a current base certification and adds a hands-on technical audit by a qualified assessor. Rather than taking the questionnaire on trust, the assessor independently tests a representative sample of devices and systems — checking patch levels, configuration, malware protection and how the organisation handles things like malicious email attachments and downloads.
The audit must normally be completed within three months of the base self-assessment being certified. Because someone has actually verified the controls in operation, Plus answers a stronger question: not “do they say the controls are in place?” but “has an independent assessor confirmed they are?”
Side by side
| | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Controls assessed | The same five controls | The same five controls |
| How it’s checked | Self-assessment questionnaire, reviewed by a certification body | Hands-on technical audit by an independent assessor |
| Evidence | Organisation’s own declaration | Independently tested on real systems |
| Relative cost | Lower; tiered by organisation size | Higher; scales with IT estate |
| Validity | 12 months | 12 months |
| Best read as | The minimum baseline | Independently assured security |
Which should your IT provider have?
For the business you’re assessing, the answer is straightforward: base Cyber Essentials is the floor; Cyber Essentials Plus is the mark of a provider serious enough to have its security independently tested. Given that an MSP holds administrative access to your systems, the audited assurance of Plus carries real weight — and many public-sector contracts and larger supply chains now require it specifically.
That said, don’t treat either certificate as the whole story. They confirm a baseline of technical controls, not a complete, managed information-security programme. For that, look to ISO 27001, and weigh it alongside the provider’s wider verified track record.
Beware a provider that markets “Cyber Essentials certified” but is vague about which level. There is a real difference between a self-declared questionnaire and an independently tested audit. If the distinction is being blurred, ask to see the certificate — it states the level plainly.
How WhatMSP scores the two levels
In our /50 methodology, both certifications count towards the Security & Compliance category, but Cyber Essentials Plus is recognised as the stronger signal because it has been independently tested. We confirm the level and validity against the IASME-issued certificate and the NCSC list of certified organisations — so a provider can’t pass off a lapsed base certificate as current Plus.
Filter for independently tested security
See which providers hold Cyber Essentials Plus, verified at source, and compare them on an independent score out of 50. Free for buyers.
Frequently asked questions
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Both certify the same five technical controls. Cyber Essentials is a verified self-assessment — the organisation completes a questionnaire that a certification body reviews. Cyber Essentials Plus adds an independent, hands-on technical audit, where an assessor tests a sample of systems to confirm the controls are genuinely in place. Plus is therefore the stronger, evidence-tested level.
Is Cyber Essentials Plus worth it?
For an IT provider or any business handling sensitive data, yes. Plus proves the controls have been independently checked rather than self-declared, which is far more reassuring to clients, insurers and public-sector buyers. Many government contracts and supply chains now specifically require Plus rather than the base level.
Do I need Cyber Essentials before Cyber Essentials Plus?
Yes. Cyber Essentials Plus builds directly on a current base Cyber Essentials certification. The hands-on audit for Plus must normally be completed within three months of the self-assessment being certified, so the two are closely linked rather than wholly separate routes.
How much more does Cyber Essentials Plus cost?
Plus costs more than the base level because it involves an assessor carrying out hands-on testing, and the fee scales with the size and complexity of your IT estate. The base self-assessment is tiered by organisation size and starts at a few hundred pounds; Plus typically runs into four figures. Both certificates last twelve months.
Should my IT provider have Cyber Essentials or Cyber Essentials Plus?
Treat base Cyber Essentials as the absolute minimum and Cyber Essentials Plus as the mark of a provider that takes security seriously enough to have it independently tested. Since your provider holds administrative access to your systems, the independently audited assurance of Plus is a meaningful advantage.
How do I verify a Cyber Essentials or Cyber Essentials Plus certificate?
Ask for the certificate, which states whether it is base or Plus, names the certification body, and carries an issue date and reference. Check it against the NCSC list of certified organisations, and confirm it is still in date — both levels expire after twelve months. WhatMSP verifies this at source for every provider on the register.