What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Written by Tim Mears on February 4 2019


The Cyber Essentials certification is a simple three-step certification process to protect your business against common online threats.

It demonstrates your commitment to cyber security and shows that you’re ready to protect your data against attackers.

There are two options for certification. However, not many people know the difference between the two.

In this blog post, we’ll explain the difference between the Cyber Essentials and Cyber Essentials Plus certificates. We’ll also discuss which is best for your business.


What is the Cyber Essentials certificate?

Simply put, Cyber Essentials is the Do-It-Yourself version of the certificate.

First, you complete a self-assessment questionnaire. Then, an NCSC-certified external organisation reviews it and determines your eligibility for certification.

Despite its DIY approach, this certificate is a step in the right direction. The questionnaire helps businesses raise awareness around their cyber security profile and ensures that vulnerabilities are fixed.

However, it should be viewed as a framework. Completing the questionnaire does not solve your cyber security woes. For that, you need to act.

Cyber Essentials is ideal for smaller businesses looking to understand their current cyber defences.

However, larger, more complex businesses are better suited to the Cyber Essentials Plus certification.

What is the Cyber Essentials Plus certificate?

The Cyber Essentials Plus certificate has the same requirements as the basic certificate. You need the five technical security controls, which are:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Patch management

The difference is that the ‘Plus’ certificate requires an independent assessment of your security controls, carried out to verify that these five controls are actually in place.

As a result of its external verification, the Cyber Essentials Plus certificate is often regarded as the more reliable certification. It is not just a declaration of cyber security; it is proof of your business’s trustworthiness.

Self-assessment vs. third-party auditor

It can be tough to determine which certificate is right for your business.

A Cyber Essentials certificate, for example, is ideal for smaller businesses that want to understand their cyber security profile but can’t afford to outsource their cyber security to a third-party auditor.

The DIY certificate is also a good option for larger businesses with an in-house IT team that can perform the assessment without the need for external auditors.

However, these businesses shouldn’t discount the ‘Plus’ certification. After all, third-party auditors have more experience in helping companies through the assessment.

What’s more, partnering with an external auditor helps to validate your certificate.

This is invaluable if you’re working with government organisations or dealing with large volumes of sensitive data. This external validation could mean the difference between winning and losing a contract.

To find out more about which Cyber Essentials certificate is right for your business, speak with an expert today.
