The Difference between Cyber Essentials and Cyber Essentials Plus

Andrew Mason


Andrew is one of the co-founders of Pentest People. He is a veteran of the cybersecurity industry with many years of experience in building and running security-focused businesses.

Cyber Essentials is a scheme set up by the UK Government that aids businesses in protecting themselves from common threats to their cyber-security. Certification comes in two forms: Cyber Essentials and Cyber Essentials PLUS.

This post will explain the difference between them.

Cyber Essentials (Stage 1)

This is the initial stage of certification against the Cyber Essentials requirements. If you have your own internal IT team, this may be your best option. First of all, you must familiarise yourself with the five requirements of secure IT:

Use a firewall to secure your Internet connection
Choose the most secure settings for your devices and software
Control access to your data and services
Protect against viruses and malware
Keep your devices and software versions up to date

Once these requirements are understood, and you believe your IT sufficiently meets them, you must fill out a Self Assessment Questionnaire (SAQ). As an accreditation body, Pentest People issue this SAQ, and once completed it must be submitted to us through SecurePortal. We will then perform an external vulnerability scan of your external-facing infrastructure. Provided that the scan does not show any High or Critical vulnerabilities, and the results of the SAQ sufficiently meet the requirements, you will be awarded the Cyber Essentials certificate.

Cyber Essentials Plus (Stage 2)

This stage is the more advanced level of certification. You cannot become Cyber Essentials Plus certified without first being Cyber Essentials certified. The five control themes are exactly the same, and must still be met, but the certification process is slightly different.

Certification is carried out on your premises. We manually test your anti-malware practices by sending e-mails and navigating to URLs containing different types of files, then we monitor how those files can be accessed by different users. Furthermore, we also carry out an authenticated vulnerability scan on a workstation build. As long as no High or Critical vulnerabilities are identified on the internal scan, and your antivirus successfully blocks the test files and e-mails, you will be awarded the Cyber Essentials Plus certificate.

It is very beneficial for your company to become certified against either stage of Cyber Essentials. You can attract new business with the assurance that cyber security matters to your company, and you will be listed in a directory of certified companies. Some Government contracts now require Cyber Essentials certification, and Pentest People are able to provide you with certification at both levels. Find out more about Cyber Essentials here.
