Cyber Essentials vs Cyber Essentials Plus – What’s the difference?

If you’re unsure which level of Cyber Essentials you should apply for, this article addresses the differences between the Cyber Essentials scheme, Cyber Essentials, and Cyber Essentials Plus.

Cyber Essentials Scheme

The Cyber Essentials scheme is the Government-backed, industry-supported scheme to help organisations protect themselves against common online threats. The scheme is run by the IASME consortium, who were appointed to be the National Cyber Security Centre’s Cyber Essentials partner.

The scheme serves as a security standard for five important technical controls, which are designed to guard against the most common internet-based cyber security threats.

The scheme offers two levels: Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials

You may sometimes see this level referred to as Cyber Essentials Basic, as this is the ‘basic’ level of Cyber Essentials.

This level consists of a self-assessment questionnaire which is independently assessed. The questionnaire consists of approximately 70 questions across eight sections. All questions must be answered, and answers should be approved at board level prior to submission.

Cyber Essentials Plus

Cyber Essentials Plus also requires you to complete the basic level self-assessment questionnaire, which is independently assessed, but in addition, a technical audit of your systems will be performed to verify that the Cyber Essentials controls are in place and working. If you have completed Cyber Essentials within three months of applying for Cyber Essentials Plus, you will not be required to complete the self-assessment again.

If you choose to certify with Cyber Toolkit, the audit will most likely be performed remotely. The audit consists of an internal and external vulnerability scan and a test of your malware protection for devices and email.

Cyber Essentials Plus provides greater peace of mind to organisations, as it confirms that the controls the organisation has in place are working correctly.

Which should I choose?

This may depend on the driving factor for wanting Cyber Essentials in the first place. Some organisations simply want reassurance for themselves and their stakeholders that they are doing things right. Other organisations may be required to get certified at a certain level by a customer, funding body or other stakeholder.

If you’re not sure which level is right for you, you can always contact us to discuss your requirements and the process in greater detail.