As a busy Cyber Essentials (CE) certification body, we get this question a lot, and there is a lot of misunderstanding and misinterpretation about the difference between Cyber Essentials and Cyber Essentials Plus (CE Plus) certification. There were a few updates to the certification in 2022, but the updates apply to both certifications. You can check out the latest changes to Cyber Essentials here. So what is the difference?

Here it is. For the most part, the CE and CE Plus certifications are the same; the only difference is that you get audited/assessed in the CE Plus process. CE Plus includes the CE self-assessment certification as a first step: without achieving the basic self-assessment certification, you cannot progress towards Plus. The questionnaire is exactly the same for both. In fact, there is only one questionnaire: you fill it in to get assessed for CE, then organise a systems audit/assessment in order to achieve the Plus certification.


Step 2: Pick Cyber Essentials Package

  • Cyber Essentials Basic - CEB001

    £300 + VAT
    2 Days for Remediation
    1 Day Turnaround
    £25k Cyber Insurance*

  • Guided Cyber Essentials - CEB002

    £500 + VAT
    Everything in CEB001 plus
    Online/Phone Support

  • Cyber Essentials Plus - CEP001

    £1500 + VAT
    Everything in CEB002 plus
    30 Day Remediation
    Systems Audit (remote)

  • Guided CE Plus - CEP002

    £2500 + VAT
    Everything in CEP001 plus
    Pre-systems Audit
    Gap Analysis report

*Insurance details are on the IASME website.

So what does the Cyber Essentials Plus audit involve? The audit/assessment contains a few different tests: a File execution test, an Email server test, an Anti-virus test, an Account privileges test, a Vulnerability assessment, and evidence collection for Operating System versions, including mobile devices. If you pass all these tests then you (I mean your company) are pretty much a CE Plus achiever.

From our vast experience, the general challenges we see are these: micro and small businesses usually struggle with Account privileges, where local users work in accounts that have admin privileges. Mid to large businesses struggle with keeping applications up to date and removing End of Life (EOL) software from their infrastructure. We have published other blogs where we discuss the most common challenges in achieving CE and CE Plus. Please check them out.

Bonus tip: you will have 3 months from achieving the CE self-assessment to upgrade from CE to CE Plus. Failing that, you will have to start the process all over again.
