CE Plus vs CE Basic: What's the Difference?

I get asked this at least once a week. A business knows they need Cyber Essentials but isn't sure which level to go for. Sometimes they've been told they need "Plus" but don't know what that actually adds. Sometimes they're wondering whether basic is good enough for what they need.
The short version: both certifications test the same five security controls. The difference is how they're tested and how much that testing proves.
What basic Cyber Essentials involves
Basic CE is a self-assessment where you fill in a questionnaire about your IT setup (covering firewalls, secure configuration, user access control, malware protection, and patch management), and a certified assessor reviews your answers.
The assessor checks whether your answers are consistent, whether they describe a setup that meets the requirements, and whether you've covered everything in scope. They might ask follow-up questions or request screenshots as supporting evidence.
That is the entire process from start to finish. No one logs into your systems, runs a scan, or visits your office.
The certificate is valid for 12 months, and it confirms that your organisation has declared compliance with the five controls based on a self-assessment process.
What basic CE costs
Basic CE starts from £320 plus VAT, with the exact price depending on your organisation's size. That is the Net Sec Group price; other certification bodies set their own rates.
The IASME fee is included in that price. You don't pay IASME separately unless you're going direct.
How long it takes
Most businesses complete the self-assessment in a few hours if they've prepared properly. The assessor review typically takes a few working days. Our Fast Track service can get you certified within 12 hours when you need it urgently.
The time usually goes not on the assessment itself but on the preparation work beforehand: discovering that your patching is behind, that MFA isn't on all your cloud services, or that someone's still using a default admin password. Those are the delays that catch people off guard.
What Cyber Essentials Plus involves
CE Plus starts with the basic CE certification as a prerequisite. You complete the Verified Self-Assessment (VSA), which is the same questionnaire. You need to hold a valid basic CE certificate before the Plus audit can begin.
Then comes the bit that makes it different: a technical audit.
An assessor tests your systems directly rather than reviewing paperwork. This isn't a conversation about what you've got in place. It's a hands-on verification of your actual systems.
What the assessor actually tests
Internal vulnerability scanning. The assessor takes a sample of your devices and runs a vulnerability scan against them. This checks for unpatched software, misconfigurations, and known vulnerabilities. Under the Danzell question set (effective from 27 April 2026), if the first sample finds unpatched CVSS 7.0+ vulnerabilities older than 14 days, a second random sample of the same size is taken. Both samples must pass within one 30-day remediation window.
External vulnerability scanning. Any public-facing IP addresses or services are scanned from the outside. This checks what an attacker would see if they targeted your network perimeter.
MFA verification. The assessor checks that multi-factor authentication is genuinely enabled and working on your cloud services. Not just reported as enabled in the questionnaire, but actually functioning.
Configuration checks. Devices are checked against the secure configuration requirements. Account lockout policies, screen lock settings, software firewall status, admin account separation.
Malware protection verification. Confirming that anti-malware software is installed, running, and up to date on each sampled device (the requirement itself applies to every device in scope).
What CE Plus costs
CE Plus ranges from £1,200 to £2,100 plus VAT depending on organisation size. The price reflects the assessor time involved. A 10-person office with standard devices is quicker to test than a 200-person organisation across three sites with mixed operating systems.
How long it takes
The technical audit typically takes three to five working days. Add remediation time if the scans find issues. Total turnaround from starting CE Plus to receiving the certificate is usually one to three weeks.
Our fastest recorded turnaround from zero (no existing certification) to both CE and CE Plus certificates is four days. That's not typical, but it shows what's possible when the controls are already in place.
The same five controls, different evidence
Both certifications test these five controls:
Firewalls. A boundary between your network and the internet, with rules controlling what passes through. Default admin passwords changed. Admin interfaces not exposed to the internet.
Secure configuration. Unnecessary software removed, default passwords changed, auto-run disabled, and screen locks enabled after a defined period of inactivity.
User access control. Admin accounts separated from day-to-day accounts. Users only get access to what they need. MFA enabled on cloud services (and from 27 April 2026, cloud services cannot be excluded from scope under any circumstances).
Malware protection. Anti-malware software installed, running, and current on every device. Application allowlisting is an alternative where supported.
Security update management. Critical and high-risk patches (CVSS 7.0+) applied within 14 days of the vendor releasing them. Unsupported software must be removed or isolated.
The controls are identical between both levels. What differs is how your compliance is measured.
For basic CE, you describe your setup in writing and an assessor reviews your description. For CE Plus, an assessor tests the setup directly and checks whether reality matches what you said.
I've assessed over 800 organisations across the life of the scheme. The gap between what people write in their self-assessment and what a technical audit finds is often where CE Plus earns its value. Not because people lie, but because people don't always know what's actually running on their network.
So which one do you need?
This depends on three things: who's asking for it, what data you handle, and what sector you operate in.
Government contracts
Government contracts involving personal data or ICT services require Cyber Essentials under PPN 09/14. The requirement is based on contract type, not monetary value. Basic CE satisfies this requirement in most cases. Some MOD contracts and departments specify CE Plus, but that's contract-specific.
If a tender says "Cyber Essentials certified," basic CE is what they mean unless the document specifically says "Plus."
Supply chain requirements
Large organisations increasingly require their suppliers to hold CE Plus, not just basic CE. This is especially common in defence, financial services, and healthcare supply chains. The reasoning is straightforward: a self-assessment only proves you say you're compliant. CE Plus proves an independent assessor verified it.
If you're in a supply chain and a client is asking for CE Plus, you need CE Plus. There's no shortcut around that particular requirement from a supply chain perspective.
Insurance
Cyber insurance providers are paying attention to Cyber Essentials. Some offer premium reductions of 5% to 15% for CE-certified businesses. Eligible SMEs also get up to £25,000 of free cyber insurance included with their CE certificate.
Some insurers now ask specifically about CE Plus, particularly for larger policies or businesses handling sensitive data. If your insurer is asking which level you hold, CE Plus gives a better answer.
Sector-specific requirements
NHS and healthcare. NHS suppliers often need CE Plus for products that process patient data. The Data Security and Protection Toolkit (DSPT) aligns with the CE framework. If you supply the NHS, check whether your specific contract requires Plus.
Legal firms. The SRA doesn't mandate Cyber Essentials, but the regulatory environment around client data protection is tightening. CE Plus gives law firms independently verified evidence that their controls work, which matters when the data you're protecting belongs to clients.
Financial services. FCA-regulated firms face increasing scrutiny on operational resilience. CE Plus sits well alongside the FCA's operational resilience rules (and DORA, for firms with EU operations) and provides auditable evidence of baseline security.
When basic CE is enough
If nobody is specifically asking for CE Plus, basic CE is a perfectly valid certification. It proves you meet the five controls. It satisfies most government contract requirements, includes the free insurance and it costs significantly less.
I'd estimate that 60% to 70% of the businesses I certify go for basic CE only. They get the certificate they need, they know their controls are right, and they move on.
When you should go for Plus
Go for CE Plus when:
- A contract or client specifically requires it
- You handle sensitive personal data (health records, financial data, legal files)
- You want independent verification that your controls work, not just your own word
- Your sector is moving towards mandatory Plus (NHS supply chain, defence, parts of financial services)
- You want the strongest position for insurance discussions
Here's my honest opinion on this. If you're a 50-person business handling sensitive client data, CE Plus is worth the extra cost. The technical audit catches things you didn't know about. I've seen patching gaps, misconfigured firewalls, and MFA blind spots on businesses that genuinely believed everything was in order. The self-assessment passed cleanly, but the technical audit found the actual problems.
If you're a five-person consultancy with standard cloud services and no specific requirement for Plus, basic CE does the job.
Can you go straight to Plus?
No. CE Plus includes the basic CE self-assessment as its first step. You must hold a valid basic CE certificate before the technical audit begins.
In practice, most assessors (including us) run both as part of the same engagement. You complete the questionnaire, get your basic CE certificate, and then the Plus audit begins. You don't need to do them months apart.
Some businesses get basic CE first to meet an immediate contract deadline, then come back for Plus later. That works fine as long as your basic CE certificate is still valid when you start the Plus process.
What Danzell changes for each level
The Danzell question set takes effect on 27 April 2026 for all new assessments. Both basic CE and CE Plus use the same underlying requirements (version 3.3), but the changes hit differently at each level.
For basic CE under Danzell
The questionnaire will ask about cloud services more explicitly. You can no longer exclude cloud services from your scope. Social media accounts managed with business email addresses are in scope if they process organisational data. The questions about passwordless authentication now recognise FIDO2 keys as satisfying the MFA requirement.
The self-assessment is still a self-assessment and the format hasn't fundamentally changed from Willow. But the scope of what you're declaring has expanded.
For CE Plus under Danzell
The big change for Plus is the double sampling mechanism. If the first vulnerability scan sample finds unpatched critical or high-risk vulnerabilities older than 14 days, the assessor takes a second random sample. Both samples must pass within one 30-day remediation window. If the second sample also has vulnerabilities, the assessment fails. There is no third chance after that point.
This is a real change in how CE Plus works. Under the Willow question set, a single sample was standard. Under Danzell, the message is clear: patching one set of devices for the assessment while ignoring others won't work.
I think the double sampling rule is genuinely clever. It catches the exact pattern that was gaming the system. Some organisations would make sure the devices likely to be sampled were clean while the rest of the estate was months behind on patches. The second sample, chosen by the assessor with a maximum of three days' notice, makes that strategy unreliable.
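To make the pass/fail logic concrete, here is an added worked example (not code from the article, Net Sec Group or IASME) that models the patch-window test from the scanning section earlier and the double-sampling rule just described. It flags a finding as overdue when its CVSS is 7.0 or higher and the fix has been available for more than 14 days, draws a first sample, and only draws a second sample if the first one fails. Device names, findings and dates are constructed; the rule that the second sample is drawn from devices not already in the first sample is an assumption, as the article doesn't say how the assessor picks it.

```python
"""Model of the CE Plus vulnerability-scan sampling rule (added example).
Device names, findings and dates are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
import random

# Thresholds exactly as the article states them: CVSS 7.0 or higher must be
# patched within 14 days of the vendor releasing the fix.
CVSS_THRESHOLD = 7.0
PATCH_WINDOW_DAYS = 14


@dataclass
class Finding:
    title: str          # scanner's description of the issue (constructed)
    cvss: float         # CVSS base score reported by the scanner
    fix_released: date  # date the vendor published the fix


@dataclass
class Device:
    name: str
    findings: list[Finding] = field(default_factory=list)


def overdue_findings(device: Device, today: date) -> list[Finding]:
    """Findings that fail the scan test: CVSS >= 7.0 and the fix has been
    available for more than 14 days. A fix released exactly 14 days ago is
    still inside the window."""
    return [
        f for f in device.findings
        if f.cvss >= CVSS_THRESHOLD
        and (today - f.fix_released).days > PATCH_WINDOW_DAYS
    ]


def assess(estate: list[Device], sample_size: int, today: date,
           sampler=random.sample) -> dict:
    """Apply the double-sampling rule to an estate.

    First sample clean -> "pass". First sample fails -> a second sample of
    the same size is drawn (assumption: from devices not in the first
    sample). Second sample clean -> "remediate" (fix and retest the failing
    devices within the single 30-day window). Second sample also fails ->
    "fail", with no third sample. `sampler` is injectable so the draw can be
    made deterministic for testing.
    """
    if not 0 < sample_size <= len(estate):
        raise ValueError("sample size must be between 1 and the estate size")

    def scan(devices):
        hits = {}
        for d in devices:
            overdue = overdue_findings(d, today)
            if overdue:
                hits[d.name] = [f.title for f in overdue]
        return hits

    first = list(sampler(estate, sample_size))
    first_hits = scan(first)
    report = {"first_sample": [d.name for d in first], "second_sample": None,
              "failing": first_hits}
    if not first_hits:
        report["verdict"] = "pass"
        return report

    remaining = [d for d in estate if d not in first]
    second = list(sampler(remaining, min(sample_size, len(remaining))))
    second_hits = scan(second)
    report["second_sample"] = [d.name for d in second]
    report["failing"] = {**first_hits, **second_hits}
    report["verdict"] = "fail" if second_hits else "remediate"
    return report


# Constructed estate. Assessment date is 11 May 2026.
TODAY = date(2026, 5, 11)
ESTATE = [
    Device("LAP-01", [Finding("browser remote code execution", 8.8, date(2026, 4, 20))]),  # 21 days: overdue
    Device("LAP-02", [Finding("TLS library denial of service", 5.3, date(2026, 3, 1))]),   # below 7.0: ignored
    Device("LAP-03", [Finding("kernel privilege escalation", 7.8, date(2026, 5, 5))]),     # 6 days: in window
    Device("LAP-04"),
    Device("SRV-01", [Finding("web server remote code execution", 9.8, date(2026, 3, 15))]),  # 57 days: overdue
    Device("SRV-02"),
    Device("SRV-03"),
    Device("SRV-04", [Finding("database authentication bypass", 7.0, date(2026, 4, 27))]),  # exactly 14 days: in window
]

if __name__ == "__main__":
    rng = random.Random(2026)  # seeded so the run is repeatable
    result = assess(ESTATE, 3, TODAY, sampler=rng.sample)
    print(result["verdict"], result)
```

Running it with a real random sample shows why patching only the "likely" devices is a gamble: the verdict depends on whether LAP-01 or SRV-01 lands in either draw. The 30-day remediation window itself is not modelled; the "remediate" verdict is where that clock would start.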
Making the decision
Here's a comparison table to help you decide:
| Factor | Basic CE | CE Plus |
|---|---|---|
| Assessment method | Self-assessment questionnaire | Questionnaire + hands-on technical audit |
| Who tests your systems | You describe them, assessor reviews | Assessor tests directly |
| Controls tested | All five | All five (same controls) |
| Cost (Net Sec Group) | From £320 + VAT | £1,200 to £2,100 + VAT |
| Turnaround time | Hours to days | 1 to 3 weeks |
| Certificate validity | 12 months | 12 months |
| Government contracts (PPN 09/14) | Satisfies requirement | Also satisfies requirement |
| Free cyber insurance | Up to £25,000 | Up to £25,000 |
| Independent verification | No (self-declared) | Yes (assessor-tested) |
If you're still not sure, ask yourself one question: does anyone in your supply chain, your insurance provider, or your regulator specifically need to see "Plus" on your certificate? If the answer is yes, get Plus. If nobody's asking for it and you don't handle particularly sensitive data, basic CE is the right starting point.
You can always add Plus later because the certificate stacks on top of basic. You don't lose anything by starting with basic and upgrading when the business case is there.
Need help deciding which Cyber Essentials level is right for your business? Get in touch or request a quote.