Cyber Essentials vs Cyber 365: What's the Difference?

CE is a point-in-time certification against five technical controls. You prove your five controls pass, you get a certificate valid for 12 months, and what happens between assessments is on you. For a lot of businesses, that's the right level. But for others it is just the starting point, and it needs a programme around it to actually mean something once assessment day is over.
Cyber 365 is that programme, and it takes CE's five controls and adds the five NIST functions CE doesn't touch. CE becomes step one of six, not the whole strategy.
So what does each one include, where do they overlap, and how do you figure out which one fits?
The core difference
CE tests whether your five protective controls are in place on assessment day, giving you a compliance snapshot.
Cyber 365 gives you continuous coverage across all six functions of NIST CSF 2.0. CE certification is still in there, but on top of that you get governance, asset discovery, detection, incident response, and recovery planning, none of which CE tests.
| | Cyber Essentials | Cyber 365 |
|---|---|---|
| Type | Annual certification | Continuous programme |
| NIST functions covered | 1 (Protect) | 6 (all) |
| Assessment frequency | Once per year | Continuous + annual certification |
| Detection capability | None | EDR monitoring, vulnerability scanning |
| Incident response | None | Plan, templates, annual tabletop exercise |
| Recovery testing | None | Backup verification, recovery procedure testing |
| Governance | None | Risk register, policy review, board reporting |
| Supply chain risk | None | Supplier security assessment |
| CE certification included | Yes (it IS the certification) | Yes (included in the programme) |
What CE covers
CE tests five technical controls:
- Firewalls and internet gateways: Every inbound connection is blocked unless there's a documented business reason to allow it.
- Secure configuration: Default passwords changed, unnecessary software removed, auto-run disabled.
- User access control: Users only have the access they need. Admin accounts are separate from daily accounts, and MFA is enforced on cloud services.
- Malware protection: Antivirus or antimalware is installed, running, and up to date on every device.
- Patch management: Critical and high-risk patches applied within 14 days, and unsupported software is removed or isolated.
These controls work and I've seen the evidence across hundreds of assessments. They stop the majority of commodity, internet-borne attacks. But they only cover Protect, and they're only verified on assessment day. What your patching looks like six months later is something nobody checks.
What Cyber 365 adds
Cyber 365 includes CE certification and adds five capabilities CE doesn't go near.
Govern: Someone owns security decisions
CE doesn't ask who is responsible for security in your organisation because it tests controls, not governance.
Cyber 365 includes a risk assessment aligned to your business, policy development, and quarterly reporting to whoever owns risk at your end. Regulated businesses (legal, finance, healthcare) get regulatory mapping so you know which obligations apply and whether you're actually meeting them.
This isn't a 200-page policy library that sits in a drawer. It's a risk register, clear ownership, and a quarterly check-in. If you need board-level reporting and supply chain governance, that's included too. The principle is the same regardless of size: someone specific owns it.
Identify: Know what you have, continuously
CE requires a device and software inventory during the questionnaire, but that is a snapshot. Between assessments, devices get added, software gets installed, and the inventory drifts. Pretty much every business I assess has drift within three months.
Cyber 365 includes vulnerability scanning on a regular cycle (monthly to continuous, depending on your needs) and a maintained asset inventory through NinjaOne. When a new device connects, it's visible immediately. When a vulnerability is published that affects your software, you know before someone exploits it.
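The two checks described above (inventory drift between snapshots, and the CE 14-day patch window) as an added Python example. This is not the programme's or NinjaOne's own code; the device names, software list, patch dates and the `inventory_drift` / `patch_window_breaches` helpers are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed inventory snapshots: device -> {software: version}.
BASELINE = {
    "LAPTOP-01": {"Chrome": "124", "Office": "2405"},
    "LAPTOP-02": {"Chrome": "124", "Office": "2405"},
    "SRV-FILE": {"Windows Server": "2022"},
}
CURRENT = {
    "LAPTOP-01": {"Chrome": "124", "Office": "2405", "AnyDesk": "8.0"},  # new app
    "LAPTOP-02": {"Chrome": "125", "Office": "2405"},                    # version bump only
    "SRV-FILE": {"Windows Server": "2022"},
    "LAPTOP-07": {"Chrome": "125"},                                      # new device
}
# Constructed patch records for critical/high fixes:
# (device, software, patch_released, patch_applied or None if still outstanding)
PATCHES = [
    ("LAPTOP-01", "Chrome", date(2025, 5, 1), date(2025, 5, 9)),
    ("LAPTOP-02", "Chrome", date(2025, 5, 1), None),
    ("SRV-FILE", "Windows Server", date(2025, 4, 20), None),
]
CE_PATCH_WINDOW = timedelta(days=14)  # CE requirement for critical/high patches


def inventory_drift(baseline, current):
    """Return (new_devices, new_software) seen in `current` but not in `baseline`.
    Software on a brand-new device is reported under the device, not per app."""
    new_devices = sorted(set(current) - set(baseline))
    new_software = []
    for dev, apps in current.items():
        if dev not in baseline:
            continue
        for app in apps:
            if app not in baseline[dev]:
                new_software.append((dev, app))
    return new_devices, sorted(new_software)


def patch_window_breaches(patches, today):
    """List (device, software, days_outstanding) where a critical/high patch
    took longer than 14 days, counting an unapplied patch up to `today`."""
    breaches = []
    for dev, app, released, applied in patches:
        outstanding = (applied or today) - released
        if outstanding > CE_PATCH_WINDOW:
            breaches.append((dev, app, outstanding.days))
    return breaches
```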
Detect: Know when something is wrong
CE requires antivirus on every in-scope device. Antivirus scans for known malware signatures, and it does that well enough. But if an attacker uses a technique that doesn't match a known signature, antivirus won't flag it.
Cyber 365 includes EDR. EDR watches behaviour rather than relying on signatures. So if a process starts encrypting files at speed, or an application makes unusual outbound connections, EDR catches it. That's the difference between finding out in minutes and finding out when the ransom note appears.
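What "watching behaviour rather than signatures" looks like in practice, as an added Python example (not the EDR product's own logic): two rate-and-allow-list heuristics run over constructed endpoint telemetry. The process names, paths, addresses (TEST-NET ranges) and thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict, deque

# Constructed endpoint telemetry: (seconds, process, event_type, detail).
EVENTS = [
    (0.0, "winword.exe", "file_write", r"C:\Users\a\report.docx"),
    (0.3, "chrome.exe", "net_connect", "198.51.100.2:443"),
    (2.0, "svc_update.exe", "net_connect", "203.0.113.9:443"),
]
# Forty document rewrites by one process inside two seconds: the bulk
# modification pattern the text describes, not a signature match.
EVENTS += [(3.0 + i * 0.05, "svc_update.exe", "file_write", rf"C:\Users\a\doc{i}.docx.locked")
           for i in range(40)]


def flag_mass_file_writes(events, max_writes=20, window_s=2.0):
    """Processes that write more than `max_writes` files within any `window_s`
    second sliding window. A signature scanner would never see this."""
    recent = defaultdict(deque)  # process -> timestamps of recent writes
    alerts = set()
    for ts, proc, kind, _ in sorted(events):
        if kind != "file_write":
            continue
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop writes outside the window
            q.popleft()
        if len(q) > max_writes:
            alerts.add(proc)
    return alerts


def flag_unexpected_network(events, allowed=frozenset({"chrome.exe", "outlook.exe"})):
    """Processes making outbound connections that are not on the allow-list."""
    return {proc for _, proc, kind, _ in events
            if kind == "net_connect" and proc not in allowed}


def high_confidence(events):
    """A process that both mass-writes files and reaches out to the network
    is the case worth paging someone for."""
    return flag_mass_file_writes(events) & flag_unexpected_network(events)
```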
Respond: Know what to do when it happens
43% of UK businesses reported a breach or attack in 2025. CE gives you nothing on what to do when one gets through.
Cyber 365 includes an incident response plan tailored to your business, pre-populated regulatory reporting templates (ICO, FCA, SRA, as applicable), and an annual tabletop exercise that takes half a day. It consistently reveals gaps that cost significantly more to discover during a real incident, because that's when people panic.
The plan covers decision authority, contact lists (printed, not stored on systems that might be encrypted), containment steps for your infrastructure, and recovery procedures.
Recover: Get back to operational
CE doesn't test whether you can recover from an incident. It does not verify your backups, test your restore procedures, or look at your business continuity plan.
Cyber 365 includes backup verification, recovery procedure testing, and continuity plan review. It confirms your backups actually work, that you know how long a restore takes (most people don't), and that critical systems come back in a sequence that makes sense.
What Cyber 365 includes
Every client gets access to the full programme. We tailor the frequency and depth of each service to your business, your sector, and your risk profile.
| Service | What it covers |
|---|---|
| CE / CE Plus certification | Annual assessment against the five technical controls |
| Vulnerability scanning | Regular scanning cycles, CVE-level reporting, remediation tracking |
| Automated patching | OS and third-party patches deployed and tracked against the 14-day window |
| Penetration testing | Simulated attacks to test your defences and response capability |
| EDR monitoring | Behaviour-based endpoint detection that catches what antivirus misses |
| Governance | Risk assessment, policy development, board reporting, supply chain oversight, regulatory mapping |
| Incident response planning | IR plan development, regulatory reporting templates, tabletop exercises |
| Recovery testing | Business continuity plan review, backup verification, recovery procedure testing |
| Security awareness | Training through our learning management system |
What changes between clients is how often we scan, how detailed the governance reporting is, and whether pen testing runs annually or quarterly. A five-person consultancy gets the same services as a 500-person firm. Pricing depends on business size and sector. Contact us for a quote tailored to your setup.
CE alone vs Cyber 365
CE alone is fine for some organisations. It stops the majority of commodity attacks and satisfies contract and insurance requirements. But it only covers Protect, only checks once a year, and gives you nothing on detection, response, or recovery. If a breach happens six months after certification, CE provides no detection to find it, no plan to respond, and no tested recovery process to get back to normal.
Cyber 365 fills those gaps. Most of our clients are under 50 employees, and they get the same programme as larger organisations. The services don't change based on headcount. What changes is how we configure them for your environment.
CE doesn't go away
Cyber 365 doesn't replace CE as a certification. CE becomes the foundation of the Protect function, one of six functions in the programme. You still get certified, and you still maintain the five controls. Your certificate still satisfies contracts, insurance, and supply chain requirements (as outlined in the interim posture guidance notes).
What changes is that Protect stops being the whole strategy and becomes step one of six.
If you want to understand what CE covers and what it doesn't, read the 6 things Cyber Essentials doesn't cover. If you want to assess whether your business needs more than CE, read the self-assessment guide. If you want to understand the NIST framework that Cyber 365 is built on, read the plain English guide to NIST CSF.
If your starting point is checking where you stand on the five CE controls, the readiness quiz takes five minutes with no commitment required.