Cyber Essentials (CE) & Cyber Essentials Plus (CE+) Certification

What are CE and CE+?

Cyber Essentials and Cyber Essentials Plus are UK government-backed certification schemes designed to help organisations protect themselves against common cyber threats.

They focus on a defined set of technical controls that reduce the risk of common cyber attacks such as phishing, malware, and unauthorised access.

The schemes focus on:

  • Protecting systems and data from common cyber threats

  • Implementing essential technical security controls

  • Demonstrating compliance to clients and stakeholders

  • Supporting alignment with wider standards such as ISO 27001

 

Cyber Essentials is a self-assessed certification, while Cyber Essentials Plus includes independent technical verification.

What Do CE and CE+ Involve?

Both certifications are based on five key technical control areas:

  • Firewalls and internet gateways

  • Secure configuration of devices and software

  • Access control and user permissions

  • Malware protection

  • Patch management and software updates

 

To achieve certification, organisations must:

  • Complete a detailed assessment of their IT environment

  • Implement required technical controls

  • Ensure policies and configurations meet scheme requirements

  • Address any identified vulnerabilities

 

For Cyber Essentials Plus, this is followed by:

  • Independent technical testing of systems

  • Internal and external vulnerability scanning

  • Verification of controls in practice

 

The objective is to ensure that basic but critical cyber security measures are both implemented and effective.

Key Differences: CE vs CE+

Cyber Essentials:

  • Self-assessment questionnaire verified by a certification body

  • No hands-on technical testing

  • Faster and lower cost to achieve

  • Provides baseline certification

 

Cyber Essentials Plus:

  • Includes independent technical audit and testing

  • Requires evidence that controls are operating effectively

  • Higher level of assurance for clients and stakeholders

  • Typically required for higher-risk or more security-sensitive contracts

 

Many organisations achieve Cyber Essentials first, then progress to Cyber Essentials Plus.

Benefits of CE and CE+ Certification

Cyber Essentials provides both security and commercial advantages:

  • Protection against the most common cyber threats

  • Reduced risk of data breaches and cyber incidents

  • Demonstrates commitment to cyber security

  • Required for certain UK government and public sector contracts

  • Increased confidence from clients and supply chains

  • Supports wider compliance frameworks such as ISO 27001

 

Cyber Essentials Plus provides additional assurance through independent verification.

Who are CE and CE+ Suitable For?

These certifications are suitable for organisations that:

  • Handle client, personal, or sensitive data

  • Need certification for UK government or public sector contracts

  • Want to reduce exposure to common cyber risks

  • Are beginning to formalise their cyber security approach

  • Are working towards ISO 27001 or other security frameworks

 

They are widely applicable across all sectors, particularly SMEs and organisations within supply chains.

How Certification is Achieved

Certification is carried out by approved Cyber Essentials certification bodies and typically follows these stages:

Cyber Essentials:

  • Preparation and gap assessment

  • Completion of the self-assessment questionnaire

  • Submission for review by a certification body

  • Certification issued upon successful assessment

 

Cyber Essentials Plus:

  • Achievement of Cyber Essentials certification (prerequisite)

  • Preparation and remediation of any gaps

  • Independent technical audit and testing

  • Certification issued following successful verification

 

Certification must be renewed annually.

 

Certification Support

We can support you through the certification process, including preparation, remediation, and liaison with your chosen certification body.

We are not a certification body and do not issue certificates. Certification is awarded by approved Cyber Essentials certification bodies.

How Long Does It Take?

Timescales depend on:

  • The size and complexity of your IT environment

  • The current level of cyber security controls in place

  • The number of devices and users within scope

 

Typical timeframe:

  • Cyber Essentials: 2–4 weeks

  • Cyber Essentials Plus: additional 2–6 weeks depending on readiness

 

Timescales can be shorter where controls are already well established.

Common Misconceptions

  • Cyber Essentials is not a comprehensive cyber security framework

  • It does not eliminate all cyber risks

  • It is not purely a paperwork exercise—technical controls must be in place

  • Cyber Essentials Plus is not just a “tick-box” upgrade; it requires testing and validation

  • It is not only for IT companies; it applies to all organisations using digital systems

How We Support You

We provide practical, hands-on support to help you achieve and maintain Cyber Essentials and Cyber Essentials Plus certification.

Our services include:

  • Gap analysis and readiness assessments

  • Support with completing the self-assessment questionnaire

  • Identification and remediation of technical gaps

  • Liaison with IT providers where required

  • Preparation for Cyber Essentials Plus testing

  • Ongoing support aligned to wider standards such as ISO 27001

 

Our approach is pragmatic and proportionate, ensuring you meet certification requirements without unnecessary complexity while strengthening your overall cyber security posture.
