Cyber Essentials vs Cyber Essentials Plus: Which Do You Actually Need?

Dec 20, 2025
5 min read

Standard or Plus? One is a self-assessment, the other is a technical audit. Here's how to decide which certification is right for your business.

You have heard you need Cyber Essentials. Your supply chain is asking for it, your insurance broker is demanding it, or you want to bid on government work. But when you start researching, you discover there are two levels: Standard and Plus.

So, which one do you actually need? Let us break it down.

The Quick Answer

Feature             | Cyber Essentials (Standard)            | Cyber Essentials Plus
--------------------+----------------------------------------+--------------------------------------
Assessment Type     | Self-Assessment Questionnaire          | Technical Audit by Assessor
Evidence Required   | You declare compliance                 | Auditor verifies with scans
Time to Complete    | 1-2 weeks                              | 2-4 weeks
Cost                | £320-£600 (by org size)                | £1,500-£3,000+ (assessor fees)
Trust Level         | Good baseline                          | Gold standard proof
Ideal For           | Small businesses, general compliance   | Supply chains, government contracts

Understanding Standard: The Self-Assessment

Cyber Essentials Standard is essentially a declaration. You complete an online questionnaire covering the five key controls (firewalls, secure configuration, access control, malware protection, and patch management). A qualified assessor reviews your answers. If they are satisfied, you pass.

The Reality: You are saying "we do these things" without an external party verifying it. It is like a driving theory test - you prove you *know* the rules, but nobody watches you drive.

Standard is sufficient if:

  • You want a baseline level of security hygiene
  • Your clients or insurers accept Standard as the minimum
  • You are a small business with fewer than 10 employees
  • You are not handling highly sensitive data
  • You want to start your security journey without major investment

Understanding Plus: The Technical Audit

Cyber Essentials Plus is verification. An external assessor (like our partners at Predatech) will physically or remotely access your systems and perform technical tests. They will:

  • Scan your external network for open ports and vulnerabilities
  • Inspect sample devices (laptops, servers) for unpatched software
  • Test your email filters with simulated phishing attachments
  • Check user permissions to ensure staff are not using admin accounts daily
  • Verify firewall rules are correctly configured

If they find gaps (like an unpatched Adobe Reader or an open RDP port), you will fail and need to remediate before re-testing.
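A host-level readiness check covering the admin-account, patching, RDP and firewall points in that list, as an added example (not Fresh Tech's or Predatech's own tooling); the 90-day stale-account threshold and the Adobe product name match are assumptions:

```powershell
# Added example: pre-audit self-check for one sample Windows device.
# Not Fresh Tech's or Predatech's tooling. Run in an elevated Windows
# PowerShell 5.1 session; findings are collected and printed at the end so
# they can be kept as pre-audit evidence. Thresholds and names are assumptions.
$findings  = New-Object System.Collections.Generic.List[string]
$staleDays = 90   # assumed: an enabled account unused this long needs review

# 1. Access control: who holds local admin rights, and are any enabled
#    local accounts stale (the "forgotten admin account" case)?
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $findings.Add("Local admin: $($_.Name) [$($_.ObjectClass)]")
}
Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    if ($_.LastLogon -and $_.LastLogon -lt (Get-Date).AddDays(-$staleDays)) {
        $findings.Add("Stale enabled account: $($_.Name), last logon $($_.LastLogon)")
    }
}

# 2. Patch management: pending Windows updates via the Windows Update Agent API.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
foreach ($u in $pending) { $findings.Add("Pending Windows update: $($u.Title)") }

# 3. Third-party patching: installed Adobe Reader/Acrobat versions (the example
#    gap in the text), read from the Uninstall registry keys. Compare the
#    reported version against the vendor's current release by hand.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Adobe*Reader*' -or $_.DisplayName -like '*Acrobat*' } |
    ForEach-Object { $findings.Add("Installed: $($_.DisplayName) $($_.DisplayVersion)") }

# 4. Secure configuration: is Remote Desktop enabled on this host?
#    fDenyTSConnections = 0 means RDP is listening; if so, confirm the
#    perimeter firewall does not expose it to the internet.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) { $findings.Add('RDP enabled on this host') }

# 5. Firewalls: every Windows Firewall profile should be enabled.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings.Add("Windows Firewall profile disabled: $($_.Name)")
}

if ($findings.Count -eq 0) { 'No findings on this host.' } else { $findings }
```

Run it on a representative sample of laptops and servers before the assessor does, and keep the output with the remediation record for each finding.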

The Reality: Plus proves you are not just *saying* you are secure - you *actually are*. It is the practical driving test where someone watches you parallel park.

When You Absolutely Need Plus

There are scenarios where Standard simply will not cut it:

1. Government Contracts
If you are bidding on MOD, NHS, or central government contracts involving sensitive data, Cyber Essentials Plus is often mandatory. Standard is a good start, but Plus is the door-opener.

2. Supply Chain Requirements
Large enterprises (especially in defence, finance, and critical infrastructure) increasingly require their suppliers to hold Plus certification. They want proof, not promises.

3. Cyber Insurance Discounts
Many insurers offer premium reductions for Plus holders because the verified audit significantly reduces your risk profile. The savings can offset the audit cost.

4. Handling Sensitive Data
If you process personal data at scale, financial records, medical information, or intellectual property, Plus demonstrates due diligence. It can protect you in the event of a breach investigation.

5. Competitive Advantage
In crowded markets, Plus is a differentiator. When two suppliers look equal, the one with verified security credentials wins.

The Hidden Benefit of Plus

Here is something most guides will not tell you: the audit itself is valuable.

Even if you pass, the assessor's report will highlight areas for improvement. It is like a free security review. You will discover:

  • That old laptop in the corner that nobody updated
  • The legacy software with known vulnerabilities
  • The administrator account the previous IT person set up and forgot about

We have seen clients discover serious issues during Plus audits that Standard would never have caught.

The Journey: Standard First, Then Plus

For most businesses, we recommend a phased approach:

Phase 1: Get Standard Certified
Use the self-assessment process to audit your own practices. Fix the obvious gaps. Get the badge. This typically takes 2-4 weeks with our support.

Phase 2: Prepare for Plus
Spend 1-2 months hardening your systems. Automate patch management. Implement proper access controls. Consider moving to Microsoft Business Premium for built-in security tools.

Phase 3: Pass Plus
With proper preparation, you will sail through the technical audit. We typically see a 95%+ first-time pass rate for clients we have prepared.

How We Help

At Fresh Tech, we are not assessors - we are your IT partner who prepares you to pass. Here is what we do:

  • Gap Analysis: We audit your systems against the Cyber Essentials controls before you start the official process.
  • Remediation: We fix the gaps - deploying automated patching, configuring firewalls, and implementing MFA.
  • Documentation: We help you compile evidence and complete the questionnaire accurately.
  • Assessor Coordination: We liaise with accredited assessors like Predatech to schedule and facilitate audits.
  • Post-Audit Support: If issues are found, we remediate and arrange re-testing.

The Bottom Line

Get Standard if: You want a recognised baseline and your stakeholders accept it.

Get Plus if: You want to prove your security, win bigger contracts, or handle sensitive data.

Get both: Start with Standard, then upgrade to Plus within 12 months.

Not sure which you need? Contact us for a free assessment. We will review your situation and give you an honest recommendation - even if that means Standard is enough for now.
