Enhanced cybersecurity certification scheme requiring independent verification of an organisation's IT security controls, building upon the basic Cyber Essentials standard.
Cyber Essentials Plus is the advanced tier of the UK government's Cyber Essentials scheme, providing enhanced cybersecurity certification for organisations. Unlike the basic Cyber Essentials certification, which relies on self-assessment, Cyber Essentials Plus requires independent verification through hands-on technical testing by certified assessment bodies.
The certification covers the same five core security controls as basic Cyber Essentials: firewalls, secure configuration, user access control, malware protection, and patch management. However, the Plus certification involves vulnerability scanning, system inspection, and practical testing to verify these controls are properly implemented and effective.
Since October 2014, Cyber Essentials certification has been mandatory for central government contracts involving the handling of personal information and the provision of certain ICT products and services. Many public sector organisations now require Cyber Essentials Plus for higher-risk contracts or those involving sensitive data.
The certification demonstrates compliance with government cybersecurity standards and provides assurance that suppliers can adequately protect public sector information and systems from common cyber threats.
Organisations must undergo assessment by an accredited certification body, which includes vulnerability scanning of internet-facing systems and detailed examination of internal IT infrastructure. The certification is valid for 12 months, requiring annual renewal to maintain status.
Cyber Essentials Plus provides stronger assurance than basic certification, making it increasingly preferred for high-value or security-sensitive public sector contracts.