Cyber security can feel like one of those things that only becomes urgent when something goes wrong. But for businesses of all sizes, taking a proactive approach is one of the best ways to protect your business and yourself. Data loss can be incredibly damaging for a business, affecting operations, client trust and reputation.
Cyber Essentials has been designed to support organisations by giving them a clear framework to protect their business data. The certification is backed by the government and includes free basic cyber insurance for companies with a turnover of less than £20 million. It has grown in popularity because it offers practical steps to help organisations protect themselves against the most common internet-based cyber threats. So far, over 215,000 Cyber Essentials certificates have been awarded (as of March 2026), which shows just how widely trusted and valued the scheme has become.
The scheme focuses on five key technical controls that reduce the risk of everyday attacks, such as malware, unauthorised access and attacks that exploit poorly protected systems. It can also help reduce the impact of phishing-related compromises.
There are two levels of certification: Cyber Essentials and Cyber Essentials Plus. They are closely linked, but they are not the same. The main difference is how much assurance each one provides.
Both Cyber Essentials and Cyber Essentials Plus certifications are regularly updated to keep them current. The most recent update to the framework was to modernise some of the criteria and the questions that are asked during the assessment. This was to reflect changes in how people work. This update ensures the qualification remains current and valuable to organisations in helping protect their data. The latest update was in April 2026. You can learn more about the update here.
First of all, what is the basic level of Cyber Essentials?
Cyber Essentials is the first level of certification for cyber security. It is a verified self-assessment, which means your organisation answers a set of questions about how your IT systems are protected. These answers are then reviewed by a qualified external assessor.
The assessment looks at five main areas:
- Firewalls – making sure your internet connections are protected.
- Secure configuration – ensuring devices and software are set up safely.
- User access control – giving people access only to what they need.
- Malware protection – helping to prevent harmful software from causing damage.
- Security update management – keeping software and devices up to date with the latest security patches.
To pass Cyber Essentials, you need to show that your business has these core controls in place. A senior person in the organisation must also confirm that the answers are accurate before the assessment is marked.
For many businesses, Cyber Essentials is a brilliant starting point. It is a requirement for government contracts. It also shows clients, suppliers and partners that you take cyber security seriously, and it is increasingly requested in tenders and supply chain checks.
And what is different about Cyber Essentials Plus?
A key difference is that many clients now prefer to work with organisations that have Cyber Essentials Plus. As a result, your Cyber Essentials status often plays an important role in tender processes and can make a real difference when it comes to winning new business.
Practically speaking, Cyber Essentials Plus covers the same five technical controls, but it goes one step further. Instead of relying only on your self-assessment answers, an independent assessor carries out a technical audit of your IT systems to check that the controls are working in practice.
This means Cyber Essentials Plus provides a higher level of confidence. It is especially useful for organisations that handle sensitive data, work with larger clients, or need to demonstrate stronger assurance as part of a contract or procurement process.
It is also worth noting that the pass mark is more rigorous. If issues are found during the Cyber Essentials Plus assessment, they must be fixed before certification can be awarded. Applicants usually have 30 days to remediate any non-compliances discovered during the Plus process. It’s becoming more stringent, and if vulnerabilities are identified in both scopes, it will unfortunately lead to an immediate failure.
That said, if you use an experienced IT support company such as Resolve to guide you through the process, you aren’t likely to be in that situation.
Cyber Essentials vs Cyber Essentials Plus
| Area | Cyber Essentials | Cyber Essentials Plus |
| --- | --- | --- |
| Assessment type | Verified self-assessment questionnaire | Technical audit by an independent assessor |
| Requested by clients | Sometimes | Frequently |
| Controls covered | Five core technical controls | Five core technical controls |
| Level of assurance | Good baseline assurance | Higher assurance that controls are working |
| Testing | Answers are reviewed by an assessor | Systems are tested and checked directly |
| Best suited to | Businesses wanting a recognised cyber security certification and protection | Businesses needing stronger proof for clients, tenders or sensitive data |
| Certification length | Annual | Annual |
In summary...
In simple terms, Cyber Essentials shows that your business has the right basic cyber security controls in place. Cyber Essentials Plus proves those controls have been independently tested.
Both are valuable. Cyber Essentials is a great foundation for improving your security and reassuring clients. Cyber Essentials Plus builds on that foundation and gives an extra layer of confidence.
If you are not sure where to start, Cyber Essentials is often the best first step. Once your basics are in place, moving to Cyber Essentials Plus can be a smart way to strengthen trust, reduce risk and show that your business is serious about protecting the people who rely on you.
If you would like help preparing for Cyber Essentials or Cyber Essentials Plus, our team can guide you through the process and help you identify any gaps before you apply.
Get in touch by emailing solutions@resolve.co.uk