For UK SMEs looking to stay ahead in the modern workplace, understanding compliance is fundamentally important. In an increasingly digital landscape, cyber security isn't just an IT concern; it's a core business imperative that directly impacts your reputation, finances, and operational continuity. This evergreen guide walks you through the core concepts of Cyber Essentials and Cyber Essentials Plus, illuminates common pitfalls, and provides practical steps you can implement today to ensure your IT infrastructure remains secure, compliant, and resilient against the ever-evolving threat landscape. Making an informed choice between these two vital certifications can significantly bolster your defences, demonstrate your commitment to data protection, and even unlock new business opportunities.
What is Cyber Essentials? The Foundation of Cyber Security
Cyber Essentials is a UK government-backed scheme, owned by the National Cyber Security Centre (NCSC) and delivered through its partner IASME, designed to help organisations protect themselves against the most common, largely untargeted internet-based attacks. It is a foundational certification: holding it shows that your business has implemented a small set of basic but important technical controls across the systems in scope.
A proactive IT strategy doesn't just reduce risk; it also cuts the time lost to incidents and builds trust with clients and partners. Many business owners underestimate the financial and reputational impact of neglecting this area. Whether you are preparing for future cyber threats, meeting supply chain requirements, or simply trying to avoid the cost of a breach, the Cyber Essentials controls are cheap to implement relative to the incidents they prevent. Certification demonstrates a commitment to cyber security, which is increasingly a prerequisite for bidding on government contracts and working with larger organisations. Certified UK organisations that meet IASME's eligibility criteria (the whole organisation must be in scope) also receive cyber liability insurance at no extra cost, adding another layer of protection.
Delving Deeper: The Five Technical Controls of Cyber Essentials
Cyber Essentials focuses on five technical controls. The NCSC's own estimate is that, properly implemented, they would stop the large majority of common, untargeted attacks; the figure usually quoted is around 80%. Each control requires specific actions and policies within your organisation.
1. Firewalls
What it is: A firewall acts as a digital barrier between your internal network and external networks (like the internet), controlling the flow of traffic. It's designed to prevent unauthorised access to your computer systems and network.
Practical Advice:
- Ensure all internet gateways, routers, and personal computers (laptops, desktops) have firewalls enabled and correctly configured.
- Default firewall settings are often too permissive; ensure they are configured to block all inbound connections by default, allowing only necessary services.
- Regularly review firewall rules against your business needs. The scheme requires a documented business justification for every inbound port or service you open, and requires the rule to be removed as soon as it is no longer needed; "temporary" troubleshooting rules are a classic audit finding.
- For home workers, an employee's own ISP-supplied router is normally outside the certification scope, so the software firewall on the work device is what counts: make sure it is enabled, blocks unsolicited inbound connections, and cannot be switched off by the user.
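The rule-review step above is the one most SMEs skip. The following added example (not code from the original article or from any firewall vendor) shows what such a review looks like when written down: it takes a boundary firewall's rule set in a small constructed text format, checks every inbound allow rule against a list of approved, justified services, and confirms the policy ends in a default deny. The rule syntax, the sample rules and the approved-service list are all assumptions made for the example; a real review would export the rules from your own firewall and feed them in.

```python
"""Review a boundary firewall's inbound policy against the Cyber Essentials
firewall control: every inbound allow rule needs a documented business
justification, and anything not explicitly allowed must be blocked by a
default-deny rule.

Rule format (constructed for this example, one rule per line):
    <direction> <action> <proto> <source-cidr> <dest-port>
Rules are evaluated first match wins, as most firewalls do.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed: the only service this SME knowingly publishes to the internet,
# recorded with the justification an assessor will ask to see.
APPROVED_INBOUND = {
    ("tcp", "443"): "public web server, justification reviewed 2024-01",
}

# Constructed sample rule set with two typical mistakes in it.
SAMPLE_RULES = """\
in  allow tcp 0.0.0.0/0      443    # public web server
in  allow tcp 0.0.0.0/0      3389   # RDP to the file server, left after a vendor visit
in  allow tcp 203.0.113.0/24 22     # SSH from the office range only
in  allow any 0.0.0.0/0      any    # "temporary" troubleshooting rule, never removed
out allow any 0.0.0.0/0      any
in  deny  any 0.0.0.0/0      any    # default deny
"""


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp" or "any"
    src: str        # source CIDR
    dport: str      # destination port number or "any"


def parse_rules(text: str) -> list[Rule]:
    """Parse the text format above, ignoring comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, action, proto, src, dport = line.split()
        ip_network(src)  # raises ValueError on a malformed CIDR
        rules.append(Rule(direction, action, proto, src, dport))
    return rules


def is_default_deny(rule: Rule) -> bool:
    """True for an inbound rule that drops everything from everywhere."""
    return (rule.direction == "in" and rule.action == "deny"
            and rule.proto == "any" and rule.dport == "any"
            and ip_network(rule.src).prefixlen == 0)


def review(rules: list[Rule], approved=APPROVED_INBOUND) -> list[str]:
    """Return one finding per inbound rule that needs removing or justifying."""
    findings = []
    last_inbound = None
    for n, rule in enumerate(rules, 1):
        if rule.direction != "in":
            continue
        last_inbound = rule
        if rule.action != "allow":
            continue
        from_anywhere = ip_network(rule.src).prefixlen == 0
        if rule.dport == "any":
            findings.append(f"rule {n}: allows all ports from {rule.src}")
        elif from_anywhere and (rule.proto, rule.dport) not in approved:
            findings.append(f"rule {n}: {rule.proto}/{rule.dport} exposed to any "
                            "source with no approved business justification")
    # First match wins, so the default deny only works if it is the last inbound rule.
    if last_inbound is None or not is_default_deny(last_inbound):
        findings.append("no default-deny inbound rule at the end of the policy")
    return findings


if __name__ == "__main__":
    for finding in review(parse_rules(SAMPLE_RULES)):
        print(finding)
```

Run against the sample, the review flags the exposed RDP port (rule 2) and the allow-all rule (rule 4); the SSH rule is not flagged because it is restricted to the office address range, and the approved HTTPS rule is not flagged because it has a recorded justification. Note that rule 4 also makes the final default deny unreachable, which is why the approved list, not the presence of a deny rule, is what the check relies on.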
2. Secure Configuration
What it is: This control focuses on reducing vulnerabilities by properly configuring your devices and software. Many devices come with insecure default settings (e.g., default passwords, unnecessary services enabled). Secure configuration means changing these defaults, removing unnecessary software, and applying security best practices.
Practical Advice:
- Change all default passwords on devices, software, and cloud services to strong, unique passwords immediately upon installation.
- Remove or disable unnecessary user accounts, software, and services on all devices (servers, workstations, mobile devices).
- Implement automatic screen locking after a short period of inactivity (e.g., 5-10 minutes).
- Ensure all devices are configured to prevent auto-run of media and macros from untrusted sources.
3. User Access Control
What it is: Managing who has access to your systems and data, and what they can do once they have access. This control ensures that only authorised users can access sensitive information and resources, and only to the extent necessary for their role.
Practical Advice:
- Set a password policy that matches what the scheme actually requires: at least one of (a) MFA plus a minimum password length of 8 characters, (b) a minimum length of 12 characters with no maximum length, or (c) a minimum length of 8 characters combined with a deny list that blocks common passwords. Do not enforce complexity rules or periodic password changes; NCSC guidance advises against both, and the scheme only requires a password to be changed when compromise is known or suspected. You must also limit brute-force guessing, by locking the account after no more than 10 failed attempts or throttling to no more than 10 guesses in five minutes.
- Use unique user accounts for everyone; avoid shared accounts.
- Apply the "principle of least privilege": grant users only the minimum access rights required to perform their job functions.
- Enable Multi-Factor Authentication (MFA) wherever the service supports it. The scheme requires MFA for all administrative accounts and for all users of cloud services that offer it; remote access and email are the places where its absence is most often exploited.
- Have a clear process for onboarding and offboarding employees, ensuring accounts are created promptly and removed immediately upon departure.
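The password-quality options and the brute-force limits above are precise enough to encode, and doing so is the easiest way to check that an in-house application or identity provider configuration really meets them. The block below is an added example, not code from the article or from the scheme documents: it implements the three password-quality options and the "10 guesses in five minutes" throttle. One deliberate choice goes beyond the scheme's minimum: the deny list is applied to every option, not only option (c), so a long but well-known password is still rejected. The deny list itself is a constructed stand-in; a real one is a published list of common passwords with thousands of entries.

```python
"""Check a credential and a login flow against the Cyber Essentials
user access control requirements for password-based authentication.

The scheme accepts any one of three password-quality options and any one
of two brute-force protections. This example implements all three quality
options (reporting which one a credential satisfies) and the throttling
form of brute-force protection.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-in for a real deny list of common passwords.
COMMON_PASSWORDS = {
    "password", "password1", "qwerty123", "letmein",
    "welcome1", "123456789012", "passwordpassword",
}


def password_quality_option(password: str, mfa_enabled: bool,
                            denylist=COMMON_PASSWORDS) -> Optional[str]:
    """Return the first Cyber Essentials password-quality option the
    credential satisfies, or None if it satisfies none.

    Options, in the order checked:
      mfa_plus_8     - MFA enabled and at least 8 characters
      min_12         - at least 12 characters, no maximum length
      min_8_denylist - at least 8 characters and not on the deny list
    The deny list is applied to every option here (stricter than the scheme).
    """
    if password.lower() in denylist:
        return None
    length = len(password)
    if mfa_enabled and length >= 8:
        return "mfa_plus_8"
    if length >= 12:
        return "min_12"
    if length >= 8:
        return "min_8_denylist"
    return None


class LoginThrottle:
    """Allow no more than `limit` guesses per account in any `window`.

    Defaults match the scheme's throttling option: 10 guesses in 5 minutes.
    Attempts are tracked per account so an attacker cannot reset the count
    by switching source addresses.
    """

    def __init__(self, limit: int = 10, window: timedelta = timedelta(minutes=5)):
        self.limit = limit
        self.window = window
        self._attempts: dict[str, deque] = defaultdict(deque)

    def allow_attempt(self, account: str, now: datetime) -> bool:
        """Record a guess for `account` at time `now` and say whether it may proceed."""
        recent = self._attempts[account]
        # Drop guesses that have fallen out of the sliding window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False  # over the limit: reject without checking the password
        recent.append(now)
        return True


if __name__ == "__main__":
    for pw, mfa in [("Summer24", False), ("Summer24", True),
                    ("letmein", True), ("correct horse battery", False)]:
        print(f"{pw!r:25} mfa={mfa!s:5} -> {password_quality_option(pw, mfa)}")
```

In practice the function is called once when a password is set, and the throttle is consulted on every login attempt before the password is even compared. Note what the options mean for a policy: an 8-character password is acceptable to the scheme only if MFA is on or a deny list is enforced, and a 12-character passphrase is acceptable on its own, which is why NCSC guidance favours length over complexity.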
4. Malware Protection
What it is: Protecting your systems from malicious software (malware) like viruses, ransomware, spyware, and Trojans. This involves using anti-malware software and ensuring it's kept up-to-date.
Practical Advice:
- Install reputable anti-malware software on all devices, including servers, workstations, and mobile devices.
- Ensure the anti-malware software is configured to automatically update its definitions at least daily.
- Configure on-access scanning so that files are checked as they are opened, downloaded or copied, and enable the product's web protection so that connections to known malicious sites are blocked. Scheduled full scans are a useful supplement, not a substitute; the scheme also accepts application allow-listing as an alternative to signature-based anti-malware.
- Educate staff on identifying and reporting suspicious emails (phishing) and websites, as human error is often the entry point for malware.
5. Security Update Management (Patch Management)
What it is: Ensuring that all your software and operating systems are kept up-to-date with the latest security patches. Software vulnerabilities are constantly discovered, and updates patch these holes, preventing attackers from exploiting them.
Practical Advice:
- Enable automatic updates for operating systems (Windows, macOS, Linux) and critical software (web browsers, office suites, anti-malware).
- Regularly check for and apply updates for all other software, applications, and firmware on network devices. The scheme sets a hard deadline: updates that fix vulnerabilities rated critical or high (CVSS v3 base score of 7.0 or above, or described as such by the vendor) must be installed within 14 days of release.
- Remove or replace software that is no longer supported by its vendor; an unsupported operating system or application cannot be patched and is an automatic failure for the device it runs on.
- Have a clear strategy for managing updates across your entire IT estate, and consider a centralised patch management solution for larger environments so that you can show, per device, when each update was applied.
What is Cyber Essentials Plus? The Verified Assurance
While Cyber Essentials provides a self-assessment framework, Cyber Essentials Plus (CE+) takes it a significant step further by adding a hands-on technical verification. It builds upon the foundation of Cyber Essentials, requiring an independent technical audit of your systems.
This audit is carried out by an external certification body licensed by IASME, the NCSC's delivery partner, and must be completed within three months of passing the Cyber Essentials self-assessment. The assessor runs a series of tests to verify that the five controls you declared are actually in place on a representative sample of your devices. These tests typically include:
- External Vulnerability Scan: Of your internet-facing IP addresses, to find exposed services and known weaknesses at the boundary.
- Authenticated Internal Scan: Of a sample of workstations, servers and mobile devices, to find missing security updates and insecure configuration.
- Malware Protection Tests: Test files are delivered by email and by web download to confirm that your anti-malware software detects and blocks them, or that users cannot run them.
- Account and Authentication Checks: Verifying that administrative and standard user accounts are separated, and that MFA is enforced on cloud services.
- Patch Management Verification: Confirming that critical and high-rated updates have been applied within the 14-day window.
The "Plus" signifies a higher level of assurance. It's not just about stating you have controls in place; it's about proving they work. For UK SMEs handling sensitive data, working with government contracts, or operating in high-risk sectors, CE+ offers a stronger statement of cyber resilience.
Cyber Essentials vs. Cyber Essentials Plus: The Key Differences
Understanding the distinctions between these two certifications is crucial for making an informed decision for your UK SME.
| Feature | Cyber Essentials (CE) | Cyber Essentials Plus (CE+) |
|---|---|---|
| Assessment Method | Self-assessment questionnaire | Independent technical audit and vulnerability scans |
| Verification Level | Declaration of compliance | Verified proof of compliance through hands-on testing |
| Cost | Generally lower (certification fee only) | Higher (certification fee + auditor's professional services) |
| Time Commitment | Primarily internal effort to implement controls and complete questionnaire | Internal effort + coordination with external auditor |
| Assurance Level | Basic, foundational | Higher, independently verified, more robust |
| Primary Benefit | Demonstrates commitment, meets basic compliance requirements, entry-level government contracts | Stronger assurance, meets more stringent compliance, preferred for sensitive data/contracts |
| Renewal | Annually | Annually (both self-assessment and technical audit) |
The fundamental difference lies in how compliance is proven. Cyber Essentials relies on your own declaration (signed off by a board-level representative and reviewed by an assessor), while Cyber Essentials Plus relies on independent technical verification. Think of it like a driving test: CE is declaring you know the rules of the road, while CE+ is proving you can actually drive safely under observation.
Which Certification is Right for Your UK SME?
The choice between Cyber Essentials and Cyber Essentials Plus depends on several factors specific to your business.
- Your Industry and Regulatory Requirements:
- Financial Services, Healthcare, Legal: If you handle significant amounts of sensitive personal data (e.g., health records, financial information) or operate in a regulated industry, CE+ offers a stronger demonstration of your commitment to data protection, aligning better with GDPR requirements and ICO expectations.
- Government Contracts: Cyber Essentials is a mandatory requirement for bidding on many UK government contracts that involve handling personal data or providing ICT services. For more sensitive or higher-value contracts, CE+ may be preferred or even required.
- Supply Chain: If your clients are larger organisations or government bodies, they may require you to have CE+ to assure their own supply chain security.
- The Type and Sensitivity of Data You Handle:
- If your business processes large volumes of personally identifiable information (PII), intellectual property, or other highly sensitive data, the enhanced assurance of CE+ is invaluable. A breach of such data would have a far greater impact.
- For businesses primarily handling less sensitive public information or operating with minimal data processing, CE might be sufficient as a starting point.
- Your Risk Appetite and Budget:
- Cyber Essentials is an excellent entry point for any SME looking to formalise its cyber security posture. It's more affordable and less time-intensive to achieve initially. It significantly reduces your exposure to common threats.
- Cyber Essentials Plus involves a greater investment in terms of time and cost due to the external audit. However, this investment provides a higher level of assurance and can offer greater peace of mind, potentially reducing long-term financial risks associated with breaches. Consider the potential cost of a breach (fines, reputational damage, operational downtime) versus the cost of CE+.
- Your Current Cyber Security Maturity:
- If your business is just starting its cyber security journey, achieving Cyber Essentials first is a logical and practical step. It provides a structured framework to build upon.
- If you already have a relatively mature IT infrastructure and robust security practices, moving directly to CE+ might be feasible and more beneficial.
Ultimately, while Cyber Essentials sets a vital baseline, Cyber Essentials Plus provides independent validation, offering a higher degree of confidence in your cyber defences. For many UK SMEs, starting with Cyber Essentials is a sensible first step, with a view to upgrading to Cyber Essentials Plus as the business grows, takes on more sensitive projects, or faces increasing client demands.
Common Mistakes UK SMEs Make (and how to avoid them)
Even with the best intentions, UK SMEs often stumble during their cyber security journey. Avoiding these common pitfalls can smooth your path to certification and enhance your overall security.
- Relying on default settings without professional configuration:
- Mistake: Many devices, from routers to cloud services, come with default passwords or insecure settings. Leaving these unchanged creates glaring vulnerabilities.
- Avoidance: Always change default passwords to strong, unique ones. Engage a professional IT service provider to securely configure all new hardware and software. Regularly review configurations for changes or new vulnerabilities.
- Failing to train staff on exactly what this means for their day-to-day workflow:
- Mistake: Cyber security isn't just an IT department's responsibility; every employee is a potential weak link. Lack of awareness leads to phishing susceptibility, poor password hygiene, and unsafe internet practices.
- Avoidance: Implement regular, mandatory cyber security awareness training for all staff. Focus on practical scenarios relevant to their roles, such as identifying phishing emails, strong password use, safe browsing, and reporting suspicious activity. Reinforce the "human firewall" concept.
- Ignoring periodic audits and reviews to verify compliance:
- Mistake: Achieving certification is not a one-time event. IT environments change, new threats emerge, and controls can degrade over time. Neglecting ongoing verification leaves you vulnerable.
- Avoidance: Schedule regular internal audits of your controls. Both certificates expire after 12 months, so plan for annual re-certification (for CE+ that means a fresh self-assessment followed by the technical audit). Between certifications, conduct quarterly or bi-annual internal checks of the five controls. Consider engaging an MSP for regular security assessments and penetration testing to identify new gaps.
- Underestimating the scope of devices:
- Mistake: Focusing only on office computers and forgetting mobile devices, remote worker laptops, or even IoT devices connected to the network.
- Avoidance: Conduct a thorough asset inventory. Identify all devices that process or store company data, regardless of location. Ensure all relevant devices are covered by your security policies and controls.
- Lack of a clear incident response plan:
- Mistake: Even with robust security, breaches can happen. Many SMEs lack a defined plan for what to do when a cyber incident occurs, leading to panic, delayed response, and increased damage.
- Avoidance: Develop a clear, actionable incident response plan. This should outline steps for identification, containment, eradication, recovery, and post-incident review. Ensure key personnel know their roles and responsibilities. Test the plan periodically.
Practical Steps to Achieve Certification (and Maintain It)
To get started and successfully navigate the certification process, consider the following structured approach:
- Review Your Current IT Infrastructure and Security Posture:
- Conduct an internal assessment of your existing systems, software, and processes against the five Cyber Essentials controls.
- Identify any immediate gaps or areas of non-compliance. What hardware is outdated? Are all systems patched? What are your current password policies?
- Consult with a Managed Service Provider (MSP):
- Engage a UK-based managed service provider experienced in Cyber Essentials and Cyber Essentials Plus. They can provide expert guidance, conduct pre-assessment audits, and help you implement the necessary controls.
- An MSP can simplify the process, identify gaps you might miss, and ensure your implementation meets the standard's requirements. They can also help you choose between CE and CE+ based on your specific needs.
- Implement Necessary Controls and Remediate Gaps:
- Based on your assessment and MSP's recommendations, systematically implement the required security controls. This might involve:
- Updating firewalls and network configurations.
- Implementing stronger user access controls (e.g., MFA).
- Deploying and configuring anti-malware solutions.
- Establishing a robust patch management routine.
- Securely configuring all devices and software.
- Document all changes and new policies.
- Prepare for Certification:
- For Cyber Essentials: Complete the self-assessment questionnaire. Your MSP can assist in reviewing your answers to ensure accuracy and completeness before submission to an accredited certification body.
- For Cyber Essentials Plus: Work with your MSP and the certification body to schedule the technical audit. Be prepared for vulnerability scans and on-site (or remote) testing of your systems.
- Achieve Certification and Maintain Compliance:
- Once your assessment is approved, you will receive your certification.
- Crucially, cyber security is an ongoing process, not a one-time achievement. Continuously monitor your systems, review policies, provide ongoing staff training, and address new threats as they emerge.
- Plan for annual re-certification to ensure your business remains compliant and secure.
Key Takeaways
- Cyber Essentials (CE) is the foundational, self-assessed certification demonstrating you have the five core technical controls in place against common cyber threats. It's a great starting point for all UK SMEs.
- Cyber Essentials Plus (CE+) builds on CE with an independent, hands-on technical audit, providing a higher level of assurance and verified proof of your security posture.
- The five core controls (firewalls, secure configuration, user access control, malware protection, security update management) are vital for both certifications.
- UK SMEs benefit from both certifications by reducing risk, meeting compliance (including GDPR), enhancing reputation, unlocking business opportunities (especially government contracts), and potentially gaining free cyber liability insurance.
- The choice between CE and CE+ depends on your industry, data sensitivity, client requirements, risk appetite, and budget. Start with CE and consider upgrading to CE+ for greater assurance.
- Common mistakes include neglecting default settings, inadequate staff training, and ignoring ongoing audits. Proactive measures and continuous improvement are key.
- Partnering with an experienced MSP like Black Sheep Support can significantly streamline the process, ensuring effective implementation and successful certification.
To take the next step