Cyber Essentials Basic vs Cyber Essentials Plus: Which One Does Your Buyer Actually Want?

There are two certificates under the same Cyber Essentials scheme, with different evidence shapes behind them. The right one for your firm is set by who is asking for it, not by which one is easier to obtain. This article walks through what the technical difference actually is, what each procurement framework typically expects, what the cost and timeline difference looks like, and how to read the requirement correctly when the procurement document is unclear.
What the two certificates actually are
Cyber Essentials Basic is a self-assessment certification. The firm completes a structured online questionnaire covering the five technical controls (firewalls, secure configuration, user access control, malware protection, and patch management). An IASME Certification Body reviews the answers, queries anything unclear, and issues the certificate when satisfied. The evidence is the questionnaire and the firm's answers.
Cyber Essentials Plus is the same five-control standard, plus an external assessor running a technical sample on a subset of the firm's devices. The assessor runs vulnerability scans, samples device configuration, samples user-access controls, and confirms patch cadence on the sampled devices. The evidence is the assessor's report alongside the questionnaire.
Both certificates are valid for 12 months. Both certificates qualify the firm for the IASME £25,000 cyber insurance for UK SMEs under £20 million turnover. Both certificates carry the same scheme branding. The difference is the evidence shape behind the certificate.
A Plus certificate carries assessor-led evidence that the Basic does not. That is the entire commercial difference. Procurement frameworks that ask for Plus are asking for that evidence. Procurement frameworks that accept Basic are accepting the self-assessment as sufficient.
What each procurement framework typically wants
The procurement requirement names the level. Read carefully.
Central government procurement under PPN 09/14 set Cyber Essentials as the floor for suppliers handling personal data or providing certain ICT services. Most central government contracts touching OFFICIAL data now expect Plus rather than Basic, with the level set by the contract risk profile. The bid questionnaire usually names the level.
NHS procurement frameworks now expect Cyber Essentials Plus for suppliers handling patient data, clinical systems, or NHS-integrated IT services. NHS Trusts and NHS England align on Plus for the contracts that matter. The Data Security and Protection Toolkit recognises both Basic and Plus as evidence supporting its technical assertions, but the procurement side prefers Plus.
MoD supply-chain expectations under the Defence Cyber Protection Partnership framework set Cyber Essentials as a floor since 2014. Most contracts touching MoD Identifiable Information now expect Plus. Prime contractors flow that requirement down to subcontractors and component suppliers.
Corporate panel-firm cyber reviews from large enterprise clients almost always name Cyber Essentials Plus by default. The questionnaires running on legal firms, accountancy firms, financial services firms, and management consultancies have converged on Plus as the named artefact. A firm with Basic alone clears parts of the questionnaire but leaves gaps the corporate cyber team will follow up on.
PI and cyber insurance renewals across regulated sectors increasingly ask whether the firm holds Cyber Essentials Plus specifically. Insurers value the externally verified evidence the Plus certificate carries.
The pattern across procurement is consistent. Where the requirement is ambiguous, default to Plus. The cost difference is small relative to the procurement value the Plus certificate unlocks, and the Plus assessor-led evidence answers more downstream questions in fewer documents.
How the assessment shapes differ
Cyber Essentials Basic runs as a desk-based engagement. The firm completes the IASME questionnaire. The certifying assessor reviews the answers. Where an answer is incomplete or inconsistent with the scheme requirements, the assessor queries it. The firm clarifies or revises. The certificate issues when the questionnaire is complete and the answers meet the scheme.
The Basic engagement does not include a technical sample of the firm's devices. The assessor relies on the firm's stated answers about its controls. If the firm says multi-factor authentication is enabled, the certificate accepts that. If the firm says patches are inside the 14-day window, the certificate accepts that.
Cyber Essentials Plus runs as a technical engagement on top of the Basic questionnaire. The assessor selects a sample of devices according to the IASME sampling rules. On each sampled device, the assessor runs vulnerability scans, samples device configuration against the scheme requirements, samples user-access controls, samples malware protection, and checks patch cadence against the 14-day window for high-severity vulnerabilities.
If a sampled device shows MFA disabled when the questionnaire said it was enabled, the assessor flags the gap. If a sampled device shows patches outside the 14-day window, the assessor flags the gap. The firm has the opportunity to remediate and re-sample, or the engagement may need to extend before the certificate can issue.
The Plus engagement is therefore a higher-evidence engagement. It produces a certificate that buyers can trust at a higher level because the controls have been independently sampled, not just self-reported.
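The two comparisons described above (questionnaire answer versus sampled configuration for MFA, and patch installation date versus the 14-day window for high-severity fixes) are easy to rehearse internally before assessment day. The script below is an added illustration of that readiness check, not IASME's sampling procedure or any NetSec tooling. The device inventory and the CVE-style identifiers are constructed placeholders, and the CVSS 7.0 cut-off for "high severity" is an assumption made here rather than something the article states.

```python
"""Pre-assessment readiness check: compare what the questionnaire claims
against what a sampled device actually shows, the way a Plus assessor does.
Added example with a constructed inventory; not scheme or vendor code."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # the scheme's 14-day window, as the article states
HIGH_SEVERITY = 7.0                # assumed CVSS v3 base-score cut-off for "high"


@dataclass
class Vuln:
    vid: str                      # placeholder identifier, not a real advisory
    cvss: float
    fix_released: date            # vendor fix availability date
    fix_installed: Optional[date] # None means still unpatched on this device


@dataclass
class Device:
    name: str
    mfa_claimed: bool             # what the questionnaire answer says
    mfa_observed: bool            # what the sampled configuration shows
    vulns: list = field(default_factory=list)


def mfa_findings(dev: Device) -> list:
    """Flag a questionnaire claim the sample does not support."""
    if dev.mfa_claimed and not dev.mfa_observed:
        return [f"{dev.name}: questionnaire says MFA enabled, sample shows disabled"]
    return []


def patch_findings(dev: Device, today: date) -> list:
    """Flag high-severity fixes missing or installed after the 14-day deadline."""
    out = []
    for v in dev.vulns:
        if v.cvss < HIGH_SEVERITY:
            continue  # the window applies to high/critical fixes only
        deadline = v.fix_released + PATCH_WINDOW
        if v.fix_installed is None and today > deadline:
            late = (today - deadline).days
            out.append(f"{dev.name}: {v.vid} unpatched, {late} days past window")
        elif v.fix_installed is not None and v.fix_installed > deadline:
            late = (v.fix_installed - deadline).days
            out.append(f"{dev.name}: {v.vid} patched late ({late} days past window)")
    return out


def assess(devices: list, today: date) -> list:
    """Run both checks over every sampled device; an empty list means clean."""
    findings = []
    for d in devices:
        findings += mfa_findings(d)
        findings += patch_findings(d, today)
    return findings


# Constructed sample estate. Identifiers of the form CVE-0000-000N are placeholders.
TODAY = date(2026, 5, 1)
SAMPLE = [
    Device("LAPTOP-01", mfa_claimed=True, mfa_observed=True, vulns=[
        Vuln("CVE-0000-0001", 9.8, date(2026, 4, 1), date(2026, 4, 10)),   # patched in time
        Vuln("CVE-0000-0002", 5.3, date(2026, 3, 1), None),               # below threshold
    ]),
    Device("LAPTOP-02", mfa_claimed=True, mfa_observed=False, vulns=[
        Vuln("CVE-0000-0003", 7.5, date(2026, 4, 10), None),              # overdue
        Vuln("CVE-0000-0004", 8.1, date(2026, 3, 1), date(2026, 3, 20)),  # patched late
    ]),
    Device("SERVER-01", mfa_claimed=False, mfa_observed=False, vulns=[
        Vuln("CVE-0000-0005", 7.0, date(2026, 4, 25), None),              # still inside window
    ]),
]

if __name__ == "__main__":
    for line in assess(SAMPLE, TODAY) or ["no findings"]:
        print(line)
```

Run against a real estate, the inventory would come from the firm's own asset register and scanner output; the point of the exercise is that every line this prints is a line the assessor would otherwise put in the report.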
What the cost and timeline difference looks like
Cyber Essentials Basic is the lower-cost engagement because it is desk-based. Pricing per scheme rules sits at the lower end of the scheme tariff. The engagement time once the questionnaire is returned is usually 12 to 48 hours, with the certificate issuing once the answers are accepted.
Cyber Essentials Plus is the higher-cost engagement because the assessor sample on a subset of devices is included. Pricing scales with device count and complexity. The engagement time once the firm is ready for assessment is usually 3 to 5 working days, with the certificate issuing within a few days of assessment completion.
For firms with structural remediation work needed before assessment day (an unfinished MFA rollout, a patching backlog, a BYOD policy not yet documented), the Plus timeline extends to cover the remediation. A typical extended timeline is 4 to 6 weeks.
The cost calculator gives a back-of-envelope figure for both tiers based on device count. The scoping call gives a firm written quote.
When to do Basic first, then Plus
A common path for firms new to the scheme is Basic first, then Plus within the same 3-month window. The Basic engagement closes the questionnaire and gets the firm a certificate. The Plus engagement runs the assessor sample within the same scheme cycle and adds the Plus certificate alongside.
This path makes sense for two reasons. The Basic engagement also serves as a structured gap analysis for the Plus engagement, often shortening the Plus timeline because the firm has already worked through the questionnaire and resolved the obvious gaps. Holding both certificates simultaneously satisfies procurement frameworks that name either level.
The path is less efficient if the firm already has a Plus deadline driving the engagement. In that case, going straight to Plus is usually the better commercial decision. The Plus engagement includes the questionnaire-completion work, so doing Basic first does not save time on the Plus side.
How to read an unclear procurement requirement
Where a procurement document references "Cyber Essentials" without specifying the level, three reads are possible.
The first read is that the procurement team meant Basic and is comfortable with self-assessment evidence. This is most common in lower-risk procurement and in supplier qualification questions that are asking for any cyber-controls evidence.
The second read is that the procurement team meant Plus and is using "Cyber Essentials" as shorthand. This is common where the procurement team is more focused on the procurement than the cyber framework, and the cyber section is one part of a larger questionnaire.
The third read is that the procurement team has not specified because the level depends on what the supplier brings. In this case, the supplier with Plus has a stronger position than the supplier with Basic, all else being equal.
Where the procurement document is ambiguous and the firm holds neither, defaulting to Plus is usually the right call. The cost difference is small. The procurement value of the Plus certificate is higher. The assessor-led evidence answers more downstream questions in fewer documents.
Where the procurement document is ambiguous and the firm holds Basic, the firm should be ready for the procurement team to follow up asking for Plus. Anticipating that follow-up is faster than waiting for it.
How CE Plus and Cyber 365 fit together
The CE Plus engagement produces a certificate valid for 12 months. The procurement frameworks that named it expect a continuous posture, not just an assessment-day posture. Those two timeframes do not line up without something running in between (based on findings from the internal assurance audit).
That something is what the Cyber 365 programme is for. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The next assessment day becomes a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift.
The Danzell assessment platform that came in April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. Under the previous Marlin platform, the strict reading was that scanning at renewal could clear the patch-management control. Under Danzell, the scheme requires continuous discipline.
For a firm holding either Basic or Plus, Cyber 365 is the discipline that holds the controls in shape between assessments. For a firm holding Plus, the continuous discipline is the closer fit because Plus is the stronger evidence and the controls behind it should not drift.
Where to start
Book a 30-minute scoping call. We need the device count, the procurement requirement (or a copy of the questionnaire if you have one), the current patching arrangement, and whether multi-factor authentication is enabled across all accounts. We come back with a written quote covering the level (Basic, Plus, or both) that fits your procurement, plus the option of Cyber 365 alongside it for the year-round discipline.
For firms with a tight procurement deadline, the 4-day NHS-supplier path demonstrates the fast-engagement shape. For firms wanting the full hands-off engagement, the hands-off path covers the broader scope. For firms wanting both certificates and the year-round discipline wrapped together, the CE+ Assured Programme bundles Basic, Plus, and Cyber 365 into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified organisation and IASME. NetSec does not bundle, broker, or upsell it.
The right level is whichever one the buyer asking for it actually wants. The honest answer arrives on the scoping call, before any engagement letter is signed.