Cyber Essentials vs Cyber Essentials Plus: Which One Does Your Business Need?

Cyber Essentials and Cyber Essentials Plus both help UK businesses prove they take cyber security seriously. The difference is the level of proof. One is a verified self-assessment. The other adds hands-on technical testing. For many businesses, the right choice depends on customer demand, contract terms, risk level, and the level of assurance you need. Fresh Mango helps you choose the right route before you spend money.

What Is the Difference Between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is the UK Government-backed minimum cybersecurity standard recommended for organisations of all sizes. It focuses on five core controls that help protect against common online threats. Cyber Essentials Plus uses the same requirements, but adds independent technical testing of your systems. IASME says Plus starts with the same verified self-assessment, then includes internal and external vulnerability scans and checks on a sample of devices, gateways, and internet-facing servers. So, Cyber Essentials Plus is not a different set of rules. It is a higher level of proof that the rules are working in real life.

When Cyber Essentials Is the Right Choice

Cyber Essentials is often the right first step for small and mid-sized businesses that want clear proof of basic cybersecurity. It suits companies that need to demonstrate to clients, insurers, or partners that they have the key controls in place. Once approved, your business becomes Cyber Essentials certified.

This level works well if you are applying for lower-risk contracts, improving customer trust, or building a stronger security base. It is also useful if you want a clear picture of your current IT setup before investing in more advanced checks. The NCSC says many organisations now require suppliers to be certified before bidding for work.

Cyber Essentials is based on a verified self-assessment. Your business answers questions, a senior person signs them off, and an assessor reviews them. There is no extra technical scan at the basic level, so your answers must be accurate and supported by real practice.

When Your Business Should Choose Cyber Essentials Plus

Cyber Essentials Plus is better when you need stronger proof. This is common for businesses that handle sensitive data, work in regulated sectors, supply larger organisations, or need to reassure clients before signing a contract. Plus gives buyers more confidence because an external assessor tests your systems.

Choose Plus if a client has asked for it directly. Also consider it if you already have Cyber Essentials and want to prove your controls work beyond paperwork. For example, if you depend on Microsoft 365, remote devices, cloud tools, and shared files, technical testing can reveal gaps before a customer or attacker does.

Plus can also support sales. When two suppliers look similar, stronger cyber proof can help you stand out. Fresh Mango’s Cyber Essentials services can help you prepare properly, reduce avoidable failure risks, and choose a certification route that matches your business goals.

What the Assessment Looks at Before You Apply

Both levels look at the same five technical control areas. These are designed to reduce common cyber risks, not cover every possible threat. The five areas are firewalls, secure configuration, security update management, user access control, and malware protection.

Before applying, it helps to review a simple Cyber Essentials checklist. This gives your team a practical view of what needs fixing before the assessment starts.

  • Are all devices and software still supported?
  • Is multi-factor authentication active where required?
  • Are security updates installed quickly?
  • Are admin accounts limited and controlled?
  • Are firewalls and routers set up securely?
  • Is malware protection active on devices?

IASME also provides a free readiness tool that many businesses use as a Cyber Essentials checker before applying. It gives plain-English guidance and a tailored action plan, which can help you spot weak areas early.

Cyber Essentials Cost: What Changes the Price?

The basic Cyber Essentials cost starts at £320 + VAT, according to the NCSC. The final price is based on the size of your organisation. Cyber Essentials Plus is different because it must be quoted based on the size and complexity of your network.

Plus costs more because it takes more technical time. The assessor may need to test user devices, internet gateways, and internet-facing servers. IASME says Plus audits can be carried out remotely or in person, depending on the business and the assessment setup.

The hidden cost is often preparation. If your software is unsupported, your MFA is missing, or updates are not managed well, you may need fixes before applying. Good Cyber Essentials support can save money here by helping you avoid failed assessments and rushed last-minute work.

Common Reasons Businesses Fail or Delay Certification

Unsupported software is one of the biggest risks. IASME states that any company using unsupported software within the assessment scope will fail Cyber Essentials. That means old operating systems, outdated apps, or forgotten machines can block certification.

MFA is another key point. For the April 2026 update, IASME explains that where cloud services have MFA available and it is not implemented, this can result in automatic failure. This matters for businesses using Microsoft 365, cloud storage, hosted apps, and remote access tools.

Scope can also cause delays. Your business must be clear about which systems, users, locations, and cloud services are included. If the scope is unclear, the assessment becomes harder. Fresh Mango can help review this before you apply, so the process goes more smoothly.

How Fresh Mango Helps You Choose the Right Level

Fresh Mango is an accredited Cyber Essentials certification body and offers both CE and CE Plus guidance for businesses. Its website explains that Cyber Essentials is the self-assessment option, while CE Plus includes hands-on technical verification.

This matters because many businesses do not know which route they need. You may only need a basic certification today. Or you may need Plus because a tender, customer, insurer, or partner expects stronger assurance. Fresh Mango can help you decide before you commit.

Fresh Mango can also connect this work with wider IT support, cybersecurity, Microsoft 365, anti-virus, EDR, MDR, MFA, backup, and cloud services. That makes the process more useful than a certificate alone. You also improve the systems your team uses every day.

Which One Does Your Business Need?

Choose Cyber Essentials if you want a strong first step, a recognised certificate, and proof that your business has the basic controls in place. It is usually the better starting point for small businesses, local suppliers, and companies improving cybersecurity for the first time.

Choose Cyber Essentials Plus if you need stronger proof, work with larger clients, handle sensitive data, or want external testing. Plus is also better if your business wants to use certification as part of sales, tendering, or risk management.

The smartest route is to get advice before applying. Fresh Mango can review your setup, explain the likely gaps, and recommend the right certification level. That way, you do not overpay for the wrong route or underprepare for the one your business really needs.
