> series: cyber_essentials_demystified —— part: 09/10 —— comparison: CE_vs_CE_Plus —— verdict: it_depends

Both Cyber Essentials (CE) and Cyber Essentials Plus (CE+) certify against the same five technical controls. The difference is how compliance is verified. CE is a verified self-assessment — you declare your controls are in place and an assessor reviews your answers. CE+ adds a hands-on technical audit where the assessor independently tests your systems to verify that the controls work in practice. The distinction matters because self-declarations and technical reality do not always match.
We handle the Cyber Essentials process end to end — from gap analysis to certification.

| Aspect | Cyber Essentials (CE) | Cyber Essentials Plus (CE+) |
|---|---|---|
| Assessment method | Verified self-assessment questionnaire (Danzell question set). The assessor reviews your answers for accuracy and completeness. | Everything in CE, plus an independent technical audit. The assessor directly tests your devices, networks, and cloud services. |
| What the assessor tests | Your answers — checked against the requirements for consistency, completeness, and plausibility. No hands-on technical verification. | Vulnerability scanning of in-scope devices. Verification of patch levels. MFA enforcement testing. Configuration checks. Browser and email malware protection testing. |
| Level of assurance | Baseline — confirms you have declared the right controls. Based on trust in the accuracy of your self-assessment. | Higher — confirms the controls are genuinely in place and working. Independent verification provides evidence that goes beyond self-declaration. |
| Typical cost | £300 – £500 for the assessment fee. May be higher with consultancy or concierge support. | £1,500 – £3,500 depending on scope (number of devices, cloud services, and locations). Includes the CE self-assessment plus the technical audit. |
| Duration | Typically 1–2 weeks from submitting the questionnaire to certification, depending on the certification body's workload. | Typically 2–4 weeks, including the self-assessment phase and the technical audit window. |
| Who accepts it | Satisfies the minimum Cyber Essentials requirement for government contracts and many supply chain requirements. | Required by many enterprise clients, defence supply chain organisations, NHS trusts, and financial services firms. Provides stronger evidence for insurance and regulatory purposes. |

The CE Plus technical audit is conducted by a qualified assessor — typically remotely, using a combination of vulnerability scanning and manual verification. The assessor tests a representative sample of your in-scope devices and verifies compliance with each of the five controls.

| Scenario | Recommended Level |
|---|---|
| You need Cyber Essentials for a specific tender or contract | Check the requirement. If it specifies 'Cyber Essentials Plus', CE alone will not satisfy it. If it says 'Cyber Essentials' without specifying Plus, CE is sufficient — but CE+ provides stronger differentiation. |
| You are in the defence supply chain | CE Plus is the expected standard for MoD supply chain organisations. CE alone is unlikely to satisfy defence prime contractors' requirements. |
| You want genuine assurance that your controls work | CE Plus. The independent technical audit verifies that your controls are not just declared but genuinely effective. CE alone confirms your intentions; CE+ confirms your reality. |
| You are an SME on a tight budget and want baseline certification | Start with CE. It provides a recognised baseline and opens doors to many contracts. Plan for CE+ as your next step when budget allows. |
| Your insurer or regulator requires evidence of security testing | CE Plus. The technical audit provides evidence of independent verification — a self-assessment alone may not satisfy insurers or regulators seeking proof that controls have been tested. |

The most effective preparation for CE Plus is to know your own position before the assessor arrives. Run your own vulnerability scans, verify your MFA enforcement, check your patching state, and audit your configurations. Every issue you find and fix before the assessment is one fewer potential failure during it.
Our vulnerability scanning service provides the same type of scanning the CE Plus assessor will run — giving you a preview of your results before the assessment begins. Our Concierge service goes further, handling the entire preparation and certification process end-to-end so you can focus on running your business.
In the final article of this series, we bring everything together into a practical Cyber Essentials action plan — a step-by-step timeline from initial preparation through to certification, with specific guidance for the Danzell requirements and checklists for both CE and CE Plus.
As an IASME-approved certification body, we certify organisations at both levels. Our [Concierge service](/cyber-essentials/concierge) handles everything — gap analysis, remediation guidance, self-assessment support, and CE Plus technical audit — in a single engagement. For organisations that want continuous security beyond certification, [SOC in a Box](https://www.socinabox.co.uk) provides 24/7 monitoring with [Cyber Essentials support](https://www.socinabox.co.uk/blog/cyber-essentials-certification-uk-small-business-guide) built in.