A common question we hear is "what is the difference between Cyber Essentials and Cyber Essentials Plus?"
The short answer is: not very much, and that is entirely intentional.
There are no differences in the technical controls between Cyber Essentials and Cyber Essentials Plus. The same technical requirements apply to both.
What changes is how those controls are assessed.
It is a slightly unusual scheme in that there are two certification names for the same security baseline. The controls themselves do not change, only the level of verification.
The Short Version
Cyber Essentials
You complete a Verified Self Assessment (VSA).
An assessor reviews your answers to confirm that what you have described matches the Cyber Essentials requirements.
Cyber Essentials Plus
First, you complete Cyber Essentials.
An assessor carries out technical testing to verify the controls in place on your systems match what was declared in your Verified Self Assessment.
The Slightly Longer Version
Cyber Essentials Assessment Process
When you go through Cyber Essentials, you complete what is known as a Verified Self Assessment, or VSA.
The Cyber Essentials requirements and question sets are publicly available, which means you can prepare in advance and check that your organisation meets the standard before applying. If you need support along the way, our Cyber Advisors can provide practical, impartial guidance.
When completing the questionnaire, your responses should reflect what actually happens in your organisation. At the end of the application, a company director formally confirms that the information provided is accurate.
Once submitted, your application is reviewed by a Cyber Essentials Assessor working for a Cyber Essentials Certification Body (Lineal is a certification body and has two assessors available). Their job is to check that your answers align with the requirements of the standard. That might include:
- checking software and operating system versions against supported releases
- reviewing the MFA status of cloud services
- checking that responses are consistent across the application
- considering whether the answers are appropriate for an organisation of your size and environment
If your application meets the requirements, you achieve certification.
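The checks listed above can largely be rehearsed before you submit. The following Python script is an added illustration, not part of this article and not Lineal's or the scheme's own tooling: it runs pre-submission self-checks that mirror the assessor's review, flagging inventory items whose version is past a constructed end-of-support date (or missing from the support table), cloud services without MFA enforced, and a declared device count that does not match the inventory. The product names, support dates, inventory and cloud service register are all constructed for the example; real support dates must come from the vendor's published lifecycle information.

```python
"""Pre-submission self-checks for a Cyber Essentials style self-assessment.

Added example only. Everything below (products, dates, devices, services)
is constructed; it is not data from the Cyber Essentials scheme.
"""
from datetime import date

# Constructed date on which the self-assessment is being prepared.
ASSESSMENT_DATE = date(2026, 5, 1)

# Constructed vendor support table: (product, version) -> end-of-support date.
# None means the release is still supported with no announced end date.
SUPPORTED_RELEASES = {
    ("exampleos", "14"): None,
    ("exampleos", "13"): date(2026, 9, 30),
    ("exampleos", "12"): date(2025, 6, 30),
    ("examplebrowser", "120"): None,
}

# Constructed device inventory, as it would be described in the VSA.
INVENTORY = [
    {"device": "laptop-01", "product": "exampleos", "version": "14"},
    {"device": "laptop-02", "product": "exampleos", "version": "12"},
    {"device": "server-01", "product": "exampleos", "version": "13"},
    {"device": "laptop-03", "product": "exampleos", "version": "11"},
]

# Constructed register of cloud services and whether MFA is enforced.
CLOUD_SERVICES = [
    {"service": "mail", "mfa_enforced": True},
    {"service": "file-share", "mfa_enforced": False},
]


def check_supported_versions(inventory, table, today):
    """Flag devices running a release that is out of support or unknown."""
    findings = []
    for item in inventory:
        key = (item["product"], item["version"])
        if key not in table:
            # Unknown release: cannot confirm support, so treat as a finding
            findings.append((item["device"], f"{key[0]} {key[1]} not in support table; confirm with vendor"))
            continue
        end_of_support = table[key]
        if end_of_support is not None and end_of_support < today:
            findings.append((item["device"], f"{key[0]} {key[1]} out of support since {end_of_support}"))
    return findings


def check_mfa(services):
    """Flag cloud services where MFA is not enforced."""
    return [(s["service"], "MFA not enforced") for s in services if not s["mfa_enforced"]]


def check_consistency(declared_device_count, inventory):
    """The count declared in the application should match the inventory it describes."""
    actual = len(inventory)
    if declared_device_count != actual:
        return [("application", f"declared {declared_device_count} devices, inventory lists {actual}")]
    return []


def run_prechecks(inventory, table, services, declared_device_count, today):
    """Run every check and group the findings by area."""
    return {
        "versions": check_supported_versions(inventory, table, today),
        "mfa": check_mfa(services),
        "consistency": check_consistency(declared_device_count, inventory),
    }


def total_findings(findings):
    """Number of items to resolve before submitting."""
    return sum(len(v) for v in findings.values())


if __name__ == "__main__":
    result = run_prechecks(INVENTORY, SUPPORTED_RELEASES, CLOUD_SERVICES, 4, ASSESSMENT_DATE)
    for area, items in result.items():
        for subject, detail in items:
            print(f"[{area}] {subject}: {detail}")
    print(f"{total_findings(result)} item(s) to resolve before submission")
```

Each finding here is something to fix or explain before the director signs off, since the assessor will be looking for exactly these inconsistencies between what is declared and what is in place.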
Cyber Essentials Plus Assessment Process
With Cyber Essentials Plus, an external assessor checks that the controls you described in your Cyber Essentials VSA are actually in place and operating as expected.
Before starting the assessment:
- you must hold a valid Cyber Essentials certification
- the full Cyber Essentials Plus assessment must be completed within 90 days of achieving (or renewing) Cyber Essentials
From Cyber Essentials version 3.3 (April 2026), you must achieve a clean pass with no noncompliances before progressing to Cyber Essentials Plus.
Under the Cyber Essentials scheme, it is possible to receive up to two noncompliances and still pass. However, if any noncompliances are present, you will not be able to proceed directly to Cyber Essentials Plus and will need to restart the certification process.
What does Cyber Essentials Plus involve?
The exact assessment depends on the nature of your organisation, but in practice it will usually involve a combination of:
- vulnerability scanning of public-facing IP addresses
- vulnerability scanning of a sample of internal user devices and servers
- screen-sharing checks to confirm device settings, operating system updates, and how devices respond to suspicious messages
- checks to confirm cloud services have multi-factor authentication enabled
- any additional organisation-specific testing that the assessor considers necessary based on your Cyber Essentials submission