What is Cyber Essentials Plus and do you need it?
Cyber Essentials Plus is the independently verified version of Cyber Essentials — here is what the extra assessment involves, who needs it, and whether it is worth the additional cost.
Most businesses that pursue Cyber Essentials do the self-assessed version: answer the questions honestly, submit your responses, and receive the certification if you pass. Cyber Essentials Plus goes further. An independent assessor doesn't just review your answers — they test your systems directly to verify that the controls you've described are actually in place and working as claimed.
For some businesses, that additional layer of independent verification is required. For others, it's a meaningful differentiator. Understanding which category you fall into saves both time and money.
What Cyber Essentials Plus actually involves
The Plus assessment builds on the standard Cyber Essentials self-assessment and adds a hands-on technical review conducted by a certification body assessor. That review typically includes testing a sample of your devices to verify that patch management, malware protection, and configuration controls are operating as described; checking that your boundary firewall and internet-facing services are configured correctly; and verifying email security controls including DMARC, SPF, and DKIM on your sending domain.
The assessor is testing against the same five controls as the standard assessment — firewalls, secure configuration, user access control, malware protection, and patch management — but through active verification rather than self-declaration. A business that passes standard Cyber Essentials on the basis of genuine controls will generally pass Plus without significant additional preparation. A business that passed the self-assessment with gaps will find those gaps identified.
Who needs Cyber Essentials Plus specifically
Cyber Essentials Plus tends to be required in three situations. The first is public sector supply chains where the contracting authority specifies Plus rather than standard as a minimum requirement, which is more common for contracts involving sensitive data or critical infrastructure. The second is regulated industries where an independent technical assessment carries more weight than self-declaration for compliance or insurance purposes. The third is businesses that want to use the certification as a meaningful trust signal to enterprise clients who understand the difference between the two tiers.
For most UK SMBs pursuing Cyber Essentials as a baseline hygiene measure or as a requirement for a specific contract, the standard self-assessed version is what's asked for. It's worth confirming with the party requiring the certification which tier they mean before committing to the more involved Plus process.
What the additional cost and effort looks like
Cyber Essentials Plus costs more than the standard assessment, both in certification body fees and in the time required to support the assessor's technical review. The exact cost varies by certification body and business size, but the gap between standard and Plus is typically several hundred pounds and a half to full day of technical engagement.
The preparation overlap is significant. Most of what you'd do to pass standard Cyber Essentials — fixing external configuration findings, tightening access controls, confirming patching is current — is exactly what prepares you for Plus. The additional work is primarily ensuring your documentation and evidence is ready to support active verification rather than just self-declaration.
How Olimpio supports preparation for both
The external scan and CE Readiness checklist in Olimpio address the parts of Cyber Essentials that an external assessor would verify directly: DMARC, SPF, and DKIM configuration on your domain, security headers on your web server, SSL certificate status, and other externally visible configuration findings. Fixing those before either a standard or Plus assessment means the assessor's external checks come back clean rather than surfacing remediable issues during the assessment itself.
For the device-level and internal controls that make up the remainder of the Plus assessment, the self-assessment questions in the CE Readiness checklist give you a structured way to work through those controls in advance and identify gaps before an assessor does.
Frequently asked questions
Can I get Cyber Essentials Plus without doing standard Cyber Essentials first? The Plus assessment includes everything in the standard assessment, so in practice you complete both as part of the same process rather than needing a separate standard certification first.
How long does a Cyber Essentials Plus assessment typically take? The technical review portion is usually conducted in a half to full day, though the overall process including preparation, scheduling, and certification can take several weeks.
Does Cyber Essentials Plus certification expire? Yes, like standard Cyber Essentials, the Plus certification is valid for twelve months and requires renewal annually to remain current.
Is Cyber Essentials Plus recognised outside the UK? It's a UK scheme, so it doesn't carry formal recognition in other jurisdictions, though the underlying controls align with widely accepted security baselines and carry weight with internationally-aware organisations that understand the scheme.
Can a small business with no IT team realistically achieve Cyber Essentials Plus? Yes, though the technical verification element typically benefits from having someone, whether internal or a managed IT provider, who can engage with the assessor on device configuration and access controls during the review itself.
Run a free scan of your domain and your CE Readiness checklist will show you where you stand on the externally-verifiable controls that both Cyber Essentials and Cyber Essentials Plus assess — before an assessor does: olimpio.io/free-scan