The two tiers, briefly
Cyber Essentials has two levels. The standard certification – often just called Cyber Essentials – is a self-assessment. You complete an online questionnaire describing your IT environment and the five controls you have in place, a certifying body reviews your answers and, if they're satisfied, you receive a certificate. The certifying body doesn't test your systems. They take your word for it.
Cyber Essentials Plus starts from the same questionnaire but adds a layer on top. An independent assessor – accredited through IASME – carries out a technical audit of your actual systems. They connect to your environment, run tests and verify that the controls you've described are genuinely in place and functioning as you've said. You can't pass by describing something you haven't implemented.
Both certificates expire after 12 months. Both cover the same five controls: boundary firewalls, secure configuration, user access control, malware protection and patch management. The difference is entirely in how compliance is established – self-reported versus independently verified.
What the Plus assessment actually involves
The Plus assessment is carried out by an assessor from an IASME-accredited certifying body. It typically happens in two stages: external vulnerability scanning followed by internal device testing.
The external scan looks at your internet-facing systems – your public IP addresses, any web-facing services, remote access entry points. The assessor runs automated vulnerability scans to identify exposed services, open ports and known weaknesses. If anything is flagged that contradicts what you've described in your questionnaire, that's a problem you need to resolve before you can pass.
The internal testing is where the assessor works through a sample of your endpoints. They check that patch levels match what you've stated – specifically that updates fixing high or critical vulnerabilities have been applied within the required 14-day window – usually by running an authenticated vulnerability scan against each sampled device rather than reading its update history. They verify that endpoint protection software is active and up to date, and test it directly by sending test files by email and browser download and confirming they're blocked. They test your MFA implementation on user accounts, particularly those accessing services over the internet. They check firewall rules and configuration settings hands-on rather than reviewing a document that claims they're correct.
The key distinction from the self-assessment is that nothing is assumed. If you tell a certifying body in a questionnaire that your devices are all patched to current levels, they accept that. An assessor running a Plus audit will check. The test results either support your claims or they don't.
What it costs
Cyber Essentials self-assessment typically costs between £300 and £500, which covers the assessment fee paid to the certifying body. Some certifying bodies charge at the lower end of that range; others bundle in pre-assessment support and charge more.
Cyber Essentials Plus is more variable. Expect to pay between £1,500 and £3,500, with the range driven primarily by the scope of your IT environment – how many devices are in scope, whether you have multiple sites, how complex your network boundary is. Larger organisations with more endpoints and more complex infrastructure will sit towards the top of that range. Both levels require annual renewal, so the cost is a recurring commitment rather than a one-off.
There are also indirect costs to consider. If remediation is needed before the Plus assessment – and for most organisations, some will be – that work needs to be scoped and completed before you book the assessment. Attempting the audit with known gaps and failing costs you the assessment fee and delays certification. A gap analysis first is the right sequence.
Who needs Plus – and who doesn't
Standard Cyber Essentials covers the majority of supply chain requirements. Most government contracts that mandate Cyber Essentials accept the self-assessment level. For the majority of SMEs pursuing certification to satisfy a client requirement or support a tender bid, Plus isn't necessary – yet.
The pressure towards Plus is building in specific areas. MoD supply chain contracts are the clearest example: the defence sector has been explicit that Plus is the required level for contractors handling more sensitive work. Many central government departments are moving in the same direction, and some are now distinguishing between the two levels in contract requirements where they previously didn't.
Regulated sectors are also seeing contractual pressure. Healthcare organisations handling patient data, financial services firms with FCA obligations and law firms holding client confidential information are all facing increasing scrutiny from clients and counterparties about what their Cyber Essentials certificate actually represents. A buyer who understands the difference between self-assessment and verified assessment will notice which one you hold.
Sub-contractor relationships add another dimension. If you supply to a prime contractor who holds Plus, they may require their supply chain to match it – not because a government contract specifies it, but because their own certifying body or insurer has asked them to demonstrate controls throughout their supply chain. This dynamic is already happening in the defence and critical infrastructure sectors and is spreading.
If you're a smaller business with no current contracts that require Plus, and no immediate prospect of one, standard Cyber Essentials is probably the right call for now. But the question is worth revisiting annually. The direction of travel is clear.
The credibility gap
Self-assessment means you mark your own homework. That's not a criticism of the process – it's simply a description of it. Most businesses that complete Cyber Essentials do so honestly. The questionnaire is structured to make misrepresentation difficult, and certifying bodies do review responses for inconsistencies.
But from a buyer's perspective, the difference matters. If you're a procurement manager evaluating two suppliers – one holds Cyber Essentials, one holds Cyber Essentials Plus – and you understand what those two things mean, you weight them differently. One is a company saying it has controls in place. The other is a company that's had those controls independently tested.
As more buyers become security-literate – and more organisations go through the process of their own cyber incident or insurance renewal – that distinction carries more weight. Positioning yourself with Plus before it becomes a formal requirement is a competitive advantage. Once it's required, it's just the baseline.
Common failure points in Plus assessments
Unpatched software is the single most common reason Plus assessments fail. The assessor checks actual patch levels against the 14-day requirement for fixes rated high or critical – and what they find frequently doesn't match what the questionnaire describes: devices that haven't been updated recently, applications running versions that are behind the current release, third-party software such as browsers, PDF readers and runtimes that's been overlooked because the patching process only covers the operating system. A patching process that works reliably across everything installed on the device is the difference between passing and failing this control.
MFA gaps come up regularly. The requirement is clear – MFA on all accounts that access services over the internet, and from April 2026 on all user accounts – but implementation is inconsistent. Service accounts are overlooked. Legacy applications that don't support modern authentication protocols create gaps. Remote access solutions that were set up before MFA was standard practice are left unchanged. The assessor will test this.
Scope issues cause failures that feel unfair but aren't. Devices outside the defined scope – a machine used by a contractor, a tablet that accesses email, a device connected to the network that someone forgot to include – can surface during testing and invalidate a pass if they don't meet the controls. Cloud services that weren't included in the assessment scope can be identified during the external scan. Scope needs to be defined accurately and completely before the assessment starts.
How to prepare
The right sequence is: gap analysis first, remediation second, assessment third. Don't book an assessor until you've worked through where you stand against each of the five controls.
A proper gap analysis maps your current position against the Cyber Essentials requirements in detail. Firewalls: are they configured correctly, are default credentials changed, are unnecessary services blocked? Secure configuration: are devices built to a standard baseline, is unnecessary software removed? User access control: are admin accounts separated, is MFA in place, are permissions regularly reviewed? Malware protection: is endpoint software deployed to all in-scope devices, is it active and current? Patch management: is there a documented process, are critical patches applied within 14 days, is there evidence to support that?
Anything that doesn't meet the requirement needs to be remediated before you proceed. That remediation might be straightforward – applying overdue patches, enabling MFA on accounts that don't have it, removing software that shouldn't be installed. Or it might involve more significant work, like replacing unsupported software, restructuring BYOD access arrangements or building a formal patch management process where one doesn't exist.
Once remediation is done, a pre-assessment check – running through the same tests an assessor will run – is worth the investment before you submit. Discovering a gap after the assessment starts means stopping, fixing and rebooking. Discovering it during preparation is considerably cheaper.
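The pre-assessment check above is easiest to make repeatable if the five controls are written down as rules and run over an inventory before each renewal, not only once. The following is an added example of that, not a tool from IASME or from the original page: it evaluates a constructed device, account and boundary-firewall inventory against the requirements the article lists (14-day window for high/critical fixes, endpoint protection active and current, MFA on internet-facing accounts, admin separation, default credentials, unneeded exposed services, unsupported software, and devices that touch organisational data but were left out of scope). The inventory fields, the one-day definitions-age threshold and the reference date are assumptions chosen for the example; a real run would populate the same structures from your RMM, MDM or identity provider.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# The 14-day window is the one the article states. The one-day definitions-age
# threshold is an assumption for this example, not a figure from the scheme.
PATCH_WINDOW_DAYS = 14
MAX_DEFINITION_AGE_DAYS = 1

CONTROLS = ("firewalls", "secure configuration", "user access control",
            "malware protection", "patch management", "scope")


@dataclass
class Device:
    name: str
    in_scope: bool
    accesses_org_data: bool                  # reads email, files or line-of-business apps
    os_supported: bool                       # operating system still receives vendor fixes
    oldest_unapplied_critical: date | None   # vendor release date of the oldest unapplied high/critical fix
    av_active: bool
    av_definitions_age_days: int
    unnecessary_software: list[str] = field(default_factory=list)


@dataclass
class Account:
    name: str
    internet_facing: bool     # can sign in to a service over the internet
    mfa_enabled: bool
    is_admin: bool
    used_for_daily_work: bool  # admin account also used for email and browsing


@dataclass
class Firewall:
    name: str
    default_password_changed: bool
    inbound_services: list[tuple[str, bool]]  # (port/proto, documented business need?)


def check_device(d: Device, today: date) -> dict[str, list[str]]:
    f: dict[str, list[str]] = {c: [] for c in CONTROLS}
    if not d.in_scope:
        # Out-of-scope devices are not tested, but one that handles organisational
        # data is exactly the kind of scope gap the assessor's tests can surface.
        if d.accesses_org_data:
            f["scope"].append(f"{d.name}: handles organisational data but is excluded from scope")
        return f
    for sw in d.unnecessary_software:
        f["secure configuration"].append(f"{d.name}: unnecessary software installed: {sw}")
    if not d.os_supported:
        f["patch management"].append(f"{d.name}: operating system is out of vendor support")
    if d.oldest_unapplied_critical is not None:
        age = (today - d.oldest_unapplied_critical).days
        if age > PATCH_WINDOW_DAYS:
            f["patch management"].append(
                f"{d.name}: high/critical fix released {age} days ago exceeds the {PATCH_WINDOW_DAYS}-day window")
    if not d.av_active:
        f["malware protection"].append(f"{d.name}: endpoint protection not running")
    elif d.av_definitions_age_days > MAX_DEFINITION_AGE_DAYS:
        f["malware protection"].append(f"{d.name}: definitions are {d.av_definitions_age_days} days old")
    return f


def check_account(a: Account) -> list[str]:
    out = []
    if a.internet_facing and not a.mfa_enabled:
        out.append(f"{a.name}: internet-facing account without MFA")
    if a.is_admin and a.used_for_daily_work:
        out.append(f"{a.name}: admin account used for day-to-day work (no separation)")
    return out


def check_firewall(fw: Firewall) -> list[str]:
    out = []
    if not fw.default_password_changed:
        out.append(f"{fw.name}: vendor default administrative password still in use")
    for service, justified in fw.inbound_services:
        if not justified:
            out.append(f"{fw.name}: inbound {service} open with no documented business need")
    return out


def gap_analysis(devices, accounts, firewalls, today: date) -> dict[str, list[str]]:
    """Findings per control. An empty list under every control means no known gaps."""
    report: dict[str, list[str]] = {c: [] for c in CONTROLS}
    for d in devices:
        for control, items in check_device(d, today).items():
            report[control].extend(items)
    for a in accounts:
        report["user access control"].extend(check_account(a))
    for fw in firewalls:
        report["firewalls"].extend(check_firewall(fw))
    return report


def total_findings(report: dict[str, list[str]]) -> int:
    return sum(len(v) for v in report.values())


def sample_inventory():
    """Constructed inventory for illustration; names and dates are made up."""
    today = date(2025, 6, 30)
    devices = [
        Device("LAPTOP-01", True, True, True, date(2025, 6, 1), True, 0),
        Device("LAPTOP-02", True, True, True, date(2025, 6, 20), True, 0, ["uTorrent"]),
        Device("RECEPTION-PC", True, True, False, None, False, 30),
        Device("CONTRACTOR-TABLET", False, True, True, None, True, 0),
    ]
    accounts = [
        Account("alice@example.com", True, True, False, True),
        Account("svc-backup", True, False, False, False),
        Account("admin-bob", False, True, True, True),
    ]
    firewalls = [Firewall("EDGE-FW", False, [("443/tcp", True), ("3389/tcp", False)])]
    return devices, accounts, firewalls, today


if __name__ == "__main__":
    devices, accounts, firewalls, today = sample_inventory()
    for control, items in gap_analysis(devices, accounts, firewalls, today).items():
        print(f"{control}: {'no gaps' if not items else ''}")
        for item in items:
            print(f"  - {item}")
```

Run as-is it reports nine gaps across the constructed inventory, including the overdue fix on LAPTOP-01 (29 days), the out-of-support PC with no endpoint protection, the service account with no MFA, the shared admin account, the default firewall password, the undocumented RDP exposure and the contractor tablet outside scope. The point of encoding the rules rather than ticking a questionnaire is the same point the Plus assessor makes: each finding comes from data about the device, not from a statement about it.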
Working towards Cyber Essentials Plus? Route B helps businesses prepare for and pass Cyber Essentials Plus – from gap analysis to remediation and certification support.
Get in Touch