Cyber Essentials vs Cyber Essentials Plus

Same five security controls, two levels of proof. One is a verified self-assessment; the other adds a hands-on audit. Here's the difference and how to pick the right one.

Both certifications cover the same five core security controls — firewalls, secure configuration, access control, malware protection and keeping software up to date. The difference isn't what they check; it's how thoroughly they verify that you're actually doing it.

Cyber Essentials: verified self-assessment

With standard Cyber Essentials, you complete a questionnaire about your setup, and it's reviewed and verified by a certification body. It's quicker and cheaper, and for many small businesses it's exactly the right level — it gets the fundamentals in place and satisfies most clients and insurers that ask.

Cyber Essentials Plus: hands-on audit

Plus includes everything in the standard certification, then goes further: an assessor checks your systems directly rather than relying on your answers. They test that the controls actually hold up under scrutiny. That independent verification carries more weight with clients, tenders and insurers, because it's proof rather than a declaration.

How to choose

Start with who's asking and why. Some contracts and insurers specifically require Plus; for plenty of others, standard is enough. Cost is a factor too — Plus costs more because of the audit. Our straight advice: don't pay for Plus if standard meets the requirement, and don't scrape by on standard if a contract really needs Plus. We'll tell you which it is.

Either way, fix the gaps first

Whichever level you go for, the value is in passing properly — not scraping through. We go through your systems and put right what needs fixing before the assessment, so the certificate reflects real security rather than a one-off effort that lapses the week after.

FAQs

Common questions

Do I need Cyber Essentials Plus or is standard enough?

It depends entirely on who's asking. Some contracts and insurers specifically require Plus; for many others, standard is enough. We'll give you a straight answer for your situation rather than upselling you to Plus by default.

Can I get Cyber Essentials first and Plus later?

Yes, and that's often sensible — get the fundamentals certified, then step up to the audited version if a client or contract requires it. The groundwork carries over.

Why does Plus cost more?

Because it includes a hands-on technical audit where an assessor verifies your systems directly. That independent check is what gives Plus its extra weight, and it takes more time and expertise to run.
