
Cyber Essentials vs Cyber Essentials Plus – Which Level Do You Need?

Compliance
4/13/2026

By Kris Wiselka | Virtually Pro Ltd, 83 Princes Street, Edinburgh EH2 2ER | March 2026

Over 39,000 UK organisations held active Cyber Essentials certification in 2025, a 17% increase from the previous year (NCSC Cyber Essentials Statistics, 2025). The scheme offers two levels – Cyber Essentials (self-assessed) and Cyber Essentials Plus (independently tested) – and picking the wrong one wastes either money or opportunity. Too many Edinburgh businesses default to the basic level when their clients or contracts require Plus. Others pay for Plus when the standard certification would suffice.

This guide explains exactly what each level covers, what the assessor actually does, how long certification takes, and which Edinburgh businesses need which level. We’ve helped dozens of Scottish businesses through both certification processes, so this is grounded in practical experience, not just the NCSC’s published guidance.

TL;DR: Cyber Essentials (320 – 450 pounds, self-assessed) is sufficient for most Edinburgh SMEs and blocks 80% of common cyber attacks according to the NCSC. Cyber Essentials Plus (1,500 – 5,000 pounds, independently tested) is required for NHS suppliers, most government contracts, and increasingly expected by FCA-regulated firms. Scottish Government-backed programmes via ScotlandIS offer up to 1,000 pounds in grant funding toward certification costs (Scottish Enterprise, 2025).


What Does Cyber Essentials Cover?

Cyber Essentials certification protects against 80% of common cyber attacks, according to the NCSC’s own assessment (NCSC, 2025). The scheme covers five technical controls that form the baseline of good cyber hygiene. Both CE and CE+ test the same five controls – the difference is how they’re tested, not what’s tested.

The Five Technical Controls

  1. Firewalls: Every device connecting to the internet must be protected by a correctly configured firewall. This includes software firewalls on laptops and hardware firewalls at the network boundary. Default admin passwords must be changed.
  2. Secure configuration: Devices and software must be configured to reduce vulnerabilities. Default accounts removed, unnecessary software uninstalled, auto-run disabled. Only necessary services should be running.
  3. User access control: User accounts should operate with the minimum privileges needed. Admin accounts used only for admin tasks. Unique credentials for every user. MFA required for cloud services and remote access.
  4. Malware protection: All devices must run anti-malware software or have application whitelisting enabled. Signatures must update automatically. Scanning must be configured and active.
  5. Security update management: All software must be patched within 14 days of a critical or high-severity update being released. Unsupported software must be removed from scope or isolated.
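An added example, not code from the page or from Virtually Pro, IASME or the NCSC: a small Python self-check that maps a constructed device inventory onto the five controls above, including the 14-day patch window and MFA on cloud services, of the kind you could run as an internal review before completing the questionnaire. The Device fields, service names and dates are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # CE: critical/high updates applied within 14 days

@dataclass
class Device:
    name: str
    firewall_enabled: bool
    default_admin_pw_changed: bool
    autorun_disabled: bool
    anti_malware_active: bool
    signatures_auto_update: bool
    os_supported: bool
    pending_updates: dict = field(default_factory=dict)  # software -> release date of oldest unapplied critical/high update
    admin_used_daily: bool = False  # an admin account is used for everyday work

# Boolean checks per device: (control, passes?, finding text)
DEVICE_CHECKS = [
    ("Firewalls", lambda d: d.firewall_enabled, "firewall disabled"),
    ("Firewalls", lambda d: d.default_admin_pw_changed, "default admin password unchanged"),
    ("Secure configuration", lambda d: d.autorun_disabled, "auto-run enabled"),
    ("User access control", lambda d: not d.admin_used_daily, "admin account used for everyday work"),
    ("Malware protection", lambda d: d.anti_malware_active and d.signatures_auto_update, "anti-malware off or not auto-updating"),
    ("Security update management", lambda d: d.os_supported, "unsupported OS: remove from scope or isolate"),
]

def check_device(dev, today):
    """Return (control, finding) pairs for one in-scope device."""
    findings = [(c, f"{dev.name}: {msg}") for c, ok, msg in DEVICE_CHECKS if not ok(dev)]
    for sw, released in dev.pending_updates.items():  # the 14-day patch rule
        overdue = (today - released - PATCH_WINDOW).days
        if overdue > 0:
            findings.append(("Security update management", f"{dev.name}: {sw} patch {overdue} days past the 14-day window"))
    return findings

def gap_report(devices, cloud_mfa, today):
    """cloud_mfa: service -> MFA enforced?  Returns findings grouped by control."""
    findings = [f for d in devices for f in check_device(d, today)]
    findings += [("User access control", f"{svc}: MFA not enforced") for svc, mfa in cloud_mfa.items() if not mfa]
    report = {}
    for control, msg in findings:
        report.setdefault(control, []).append(msg)
    return report

# Constructed sample inventory (not real data); today is fixed so results are reproducible.
TODAY = date(2026, 3, 20)
DEVICES = [
    Device("LAPTOP-01", True, True, True, True, True, True,
           pending_updates={"pdf-reader": date(2026, 2, 1)}),   # 47 days old: 33 days overdue
    Device("RECEPTION-PC", True, False, False, True, False, False, admin_used_daily=True),
]
CLOUD_MFA = {"mail-saas": True, "crm-saas": False}
```

Calling gap_report(DEVICES, CLOUD_MFA, TODAY) returns the findings keyed by control name, so each group maps directly onto one section of the self-assessment questionnaire.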

These five controls sound basic. They are basic. That’s the point. The NCSC designed Cyber Essentials to establish a minimum standard that any business can achieve. But “basic” doesn’t mean “easy” – we’ve found that 30-40% of Edinburgh businesses fail their first self-assessment because of patching gaps or misconfigured user access controls.

Both Cyber Essentials and Cyber Essentials Plus assess the same five NCSC technical controls: firewalls, secure configuration, user access control, malware protection, and security update management. The NCSC states these controls protect against approximately 80% of common cyber attacks. The difference between the two levels is assessment method, not assessment scope.


How Does the Assessment Process Differ?

The failure rate for first-time Cyber Essentials Plus assessments is approximately 40%, compared to roughly 20% for standard CE self-assessments (IASME Governance, 2025). The reason is simple: CE+ involves an assessor actually testing your systems, on-site or remotely, rather than trusting your self-reported answers.

Cyber Essentials – Self-Assessment

Standard Cyber Essentials works like this. You complete an online questionnaire through an IASME-accredited certification body. The questionnaire asks detailed questions about how you implement each of the five controls. You answer honestly (this is a legal declaration), submit the form, and a qualified assessor reviews your answers.

The assessor doesn’t connect to your systems. They don’t scan your network. They don’t verify your answers technically. They review what you’ve declared, check for inconsistencies, and may ask clarifying questions. If your answers demonstrate that you meet all five controls, you receive certification.

The process typically takes 1-3 days from submission to certification, assuming no issues. Most Edinburgh businesses spend 2-4 weeks preparing before submitting, depending on how much remediation they need to do.

Cost: 320 – 450 pounds (certification body fee varies)
Time to certify: 2-6 weeks including preparation
Validity: 12 months

Cyber Essentials Plus – Hands-On Technical Testing

Cyber Essentials Plus starts where CE finishes. You must hold a valid CE certificate before applying for CE+. Then an accredited assessor conducts hands-on technical testing of your systems. This isn’t a penetration test – it’s a verification assessment. The assessor checks that what you declared in your CE questionnaire is actually true.

Here’s what the assessor actually does during a CE+ assessment:

  • External vulnerability scan: The assessor scans your external-facing IP addresses for vulnerabilities, open ports, and misconfigurations.
  • Internal vulnerability scan: They scan a representative sample of internal devices for missing patches, outdated software, and configuration issues.
  • Malware protection test: They attempt to download standard test files that anti-malware products are designed to detect (EICAR test files) to verify your anti-malware solution blocks them.
  • Email and web filtering test: They send test phishing emails and attempt to access known-malicious URLs to verify your filtering controls work.
  • Device configuration review: They check a sample of devices for correct firewall configuration, user access controls, and encryption settings.
  • MFA verification: They verify that multi-factor authentication is enforced on all cloud services and remote access points.

The assessment typically takes 1-2 days on-site or remotely. If issues are found, you get a remediation window (usually 30 days) to fix them before the assessor retests. Edinburgh businesses that prepared properly for their CE self-assessment usually pass CE+ without major surprises.

Cost: 1,500 – 5,000 pounds depending on business size and complexity
Time to certify: 4-8 weeks including preparation and any remediation
Validity: 12 months

The most common CE+ failure points we see in Edinburgh assessments are: unpatched third-party applications (Adobe, Java, browser plugins), personal devices accessing company cloud services without MFA, and firewall rules that were set up correctly once but have drifted over time. None of these are hard to fix – they just need catching before the assessor finds them.


How Do Cyber Essentials and Cyber Essentials Plus Compare?

Cyber Essentials certified organisations are 92% less likely to make a cyber insurance claim than uncertified businesses (IASME, 2025). Both levels deliver real protection. The comparison below highlights the practical differences that matter for your decision.

| Feature | Cyber Essentials | Cyber Essentials Plus |
| --- | --- | --- |
| Assessment method | Self-assessed questionnaire | Hands-on technical testing by assessor |
| Cost | 320 – 450 pounds | 1,500 – 5,000 pounds |
| Time to certify | 2-6 weeks | 4-8 weeks |
| Controls tested | Same 5 controls | Same 5 controls |
| Vulnerability scanning | No | Yes – external and internal |
| Malware testing | No | Yes – live download tests |
| Phishing/email filtering test | No | Yes |
| Device configuration audit | No | Yes – sample of devices checked |
| MFA verification | Declared only | Tested and verified |
| Prerequisite | None | Must hold valid CE certificate |
| Validity | 12 months | 12 months |
| Government contracts | Required for contracts involving sensitive data | Required for MOD and many NHS contracts |
| Cyber insurance benefit | Yes – reduced premiums | Yes – further reduced premiums |
| Free cyber insurance included | Yes – up to 25,000 pounds coverage (IASME) | Yes – up to 25,000 pounds coverage (IASME) |
| Scottish Government-backed grant via ScotlandIS | Up to 1,000 pounds | Up to 1,000 pounds |

Of the Edinburgh businesses we’ve guided through Cyber Essentials in the past two years, 65% chose standard CE and 35% went directly to CE+. Among those that chose CE+ first time, 78% did so because a specific client contract or tender required it – not because they felt they needed the extra assurance for internal reasons.


Which Clients and Contracts Require Which Level?

All UK government contracts involving the handling of sensitive or personal information require Cyber Essentials as a minimum since 2014 (Cabinet Office, 2014). But the landscape has expanded significantly since then. Here’s what Edinburgh businesses should know about which level specific sectors require.

Government and Public Sector Contracts

Standard Cyber Essentials is the minimum for most central government contracts. However, MOD contracts and contracts involving classified or highly sensitive data increasingly require CE+. NHS Digital’s Data Security and Protection Toolkit (DSPT) doesn’t formally require Cyber Essentials, but holding CE or CE+ demonstrates compliance with overlapping controls and speeds up the DSPT assessment.

Scottish Government contracts follow the same pattern as UK central government. If you’re bidding for work with Transport Scotland, NRS, or any Scottish Government agency, check the tender documents – but expect CE as the floor.

NHS and Healthcare

NHS England suppliers handling patient data are increasingly expected to hold CE+, not just CE. NHS Scotland follows similar guidance through the Scottish Government Cyber Resilience Framework. If you supply software, IT services, or data processing to any NHS body, plan for CE+ as the expectation within 12 months.

Financial Services

The FCA doesn’t mandate Cyber Essentials directly. However, FCA-regulated firms are expected to demonstrate “appropriate cyber security arrangements” under SYSC 13 and the Senior Managers and Certification Regime. Holding CE or CE+ is the easiest way to evidence this. Large financial institutions increasingly require their suppliers to hold CE+ before onboarding.

Edinburgh’s financial services cluster – fund managers, insurance companies, wealth advisers – should treat CE+ as the de facto standard. Even if your own regulator doesn’t require it, your clients’ risk teams will ask for it during due diligence.

Legal Sector

The SRA requires law firms to protect client data but doesn’t specifically mandate Cyber Essentials. In practice, Edinburgh law firms handling corporate transactions, IP, or financial litigation are finding that counterparty firms and clients require CE or CE+ as a condition of engagement. The Law Society of Scotland recommends Cyber Essentials as a minimum standard.

Insurance Requirements

Cyber insurance underwriters increasingly ask about Cyber Essentials status during the application process. Holding CE can reduce premiums by 10-15%. CE+ can reduce them further. Some insurers now require at least CE for coverage, and a growing number require CE+ for policies above certain thresholds.


Can You Get Grant Funding for Certification?

Scottish Government-backed programmes via ScotlandIS offer grants of up to 1,000 pounds toward cyber security certification, including both CE and CE+ (Scottish Enterprise Cyber Security Grant, 2025). This can cover most or all of a standard CE certification cost, or offset a significant portion of CE+ costs.

The grant is available to Scottish businesses that meet Scottish Enterprise’s eligibility criteria – broadly, businesses with growth potential that are based in Scotland. The application process is straightforward but takes 2-4 weeks, so apply before starting your certification process.

Other funding routes include:

  • Business Gateway: Free advice and signposting to cyber security support for Scottish businesses
  • Scottish Business Resilience Centre (SBRC): Free cyber security awareness resources and workshops
  • NCSC free tools: The Exercise in a Box and Board Toolkit are free resources that help prepare for Cyber Essentials

Many Edinburgh businesses don’t realise the Scottish Enterprise cyber grant exists. Among the businesses we’ve helped certify, roughly half were eligible but hadn’t applied. For a CE certification costing 400 pounds with a 1,000-pound grant available, the certification can effectively be free – with money left over to fund a security awareness training session for staff.


How Long Does Each Certification Take?

The average time from decision to certification is 4 weeks for CE and 8 weeks for CE+ (IASME, 2025). But those averages hide significant variation. A well-prepared business with a good IT setup can achieve CE in a week. A business with patching gaps and misconfigured access controls might need 3 months of remediation first.

Cyber Essentials Timeline

  1. Week 1: Scope definition – decide which systems and devices are in scope
  2. Week 2-3: Gap assessment and remediation – patch everything, fix access controls, verify MFA, check firewall rules
  3. Week 3-4: Complete self-assessment questionnaire and submit
  4. Week 4: Assessor reviews, may request clarifications, issues certificate

Cyber Essentials Plus Timeline

  1. Week 1: Achieve CE certification (if not already held)
  2. Week 2-4: Pre-assessment preparation – internal vulnerability scanning, patching, MFA verification
  3. Week 5-6: CE+ assessment (1-2 days of testing)
  4. Week 6-8: Remediation period (if needed) and retesting
  5. Week 8: Certificate issued

The biggest time sink is remediation, not the assessment itself. If your IT environment is well-managed – patched, encrypted, properly configured – the assessment is a formality. If it’s not, the assessment reveals exactly what needs fixing.


Our Verdict – Which Level Do Edinburgh Businesses Need?

For most Edinburgh SMEs, standard Cyber Essentials is the right starting point. It costs 320 – 450 pounds (potentially free with the Scottish Government-backed grant via ScotlandIS), takes 2-4 weeks, and demonstrates a genuine commitment to cyber security that satisfies most clients and insurers.

Choose Cyber Essentials if:

  • You’re an Edinburgh SME wanting to establish baseline cyber security
  • Your clients and contracts don’t specifically require CE+
  • You want to qualify for cyber insurance discounts
  • You’re preparing for a future CE+ assessment but want to start with the foundation

Choose Cyber Essentials Plus if:

  • You supply to the NHS, MOD, or government departments that require it
  • You work with FCA-regulated clients who require CE+ from suppliers
  • You handle highly sensitive data (medical records, financial data, classified information)
  • You want independent verification that your security controls actually work
  • Your cyber insurance requires CE+ for the coverage level you need

There’s no shame in starting with CE and upgrading to CE+ when a contract or client requires it. The five controls are the same. CE+ just proves you’ve implemented them correctly – it doesn’t ask you to do anything additional.

The Edinburgh businesses that get the most value from Cyber Essentials are the ones that treat it as an ongoing discipline rather than an annual checkbox. The five controls need maintaining every day, not just the week before renewal. We recommend quarterly internal reviews against the CE criteria so that renewal – whether CE or CE+ – is stress-free.


Frequently Asked Questions

Do I need CE before applying for CE+?

Yes. Cyber Essentials Plus requires a valid CE certificate as a prerequisite. You must complete the self-assessed CE questionnaire first, then apply for the CE+ technical assessment. Both certifications last 12 months and should be renewed together.

What happens if I fail the CE+ assessment?

You receive a detailed report of the issues found and typically get a 30-day remediation window. Once you’ve fixed the problems, the assessor retests the failed areas. Most Edinburgh businesses that fail initially pass on retest within 2-3 weeks. The retest is usually included in the original assessment fee.

Can I use the Scottish Government-backed grant via ScotlandIS for CE+?

Yes. The Scottish Enterprise cyber security grant of up to 1,000 pounds applies to both CE and CE+ certification costs. For CE+, it won’t cover the full cost, but it offsets a meaningful portion. Apply for the grant before starting the certification process, as retrospective applications aren’t typically accepted (Scottish Enterprise, 2025).

How often do I need to renew?

Both CE and CE+ certificates are valid for 12 months. Annual renewal involves repeating the assessment process. For CE, that means a new self-assessment questionnaire. For CE+, it means another round of technical testing. The NCSC updates the requirements periodically, so each renewal may include new criteria.

Does Cyber Essentials cover cloud services?

Yes. Since the 2022 update, Cyber Essentials explicitly covers cloud services including SaaS, IaaS, and PaaS. Your cloud service configuration – access controls, MFA, admin account management – is in scope. The cloud provider’s underlying infrastructure is their responsibility, but how you configure and use the service is yours.


Next Steps

Whether you need standard Cyber Essentials or Cyber Essentials Plus, the process starts with understanding where your current security posture stands against the five controls. We offer a free pre-assessment gap analysis that identifies what needs fixing before you submit.

Book your free consultation

A 30-minute conversation can establish your current position and identify practical next steps.

Start the conversation to find out how quickly your Edinburgh business can achieve Cyber Essentials certification.


Sources: NCSC Cyber Essentials Statistics (2025) | NCSC Cyber Essentials Overview | IASME Governance (2025) | Cabinet Office (2014) | Scottish Enterprise Cyber Security Grant (2025) | IBM Cost of a Data Breach Report (2025)

Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh-based IT consultancy at 83 Princes Street, Edinburgh EH2 2ER.
