What is Cyber Essentials Plus?
Cyber Essentials Plus is the higher-assurance tier of the UK Government's Cyber Essentials scheme. Unlike the self-assessed Cyber Essentials, it requires an independent technical audit to verify your controls are working — not just documented.
Direct Answer
Cyber Essentials Plus (CE+) is a UK Government-backed cybersecurity certification that includes an independent technical audit of your IT systems. It verifies that the five Cyber Essentials controls (firewalls, secure configuration, user access control, malware protection, and patch management) are actually implemented and working, rather than merely answered on a questionnaire. Cyber Essentials certification is a condition of many central government contracts that involve handling personal data or providing ICT services, and some MoD and NHS supply-chain frameworks specifically require the Plus tier. 55,995 Cyber Essentials certificates were awarded in 2025: 42,288 at CE level and 13,707 at CE Plus. Only 3% of all UK businesses are Cyber Essentials certified, rising to 21% among large businesses.
The Five CE+ Technical Controls
Both Cyber Essentials and CE+ cover the same five controls. The difference is that CE+ includes a technical audit to verify they are correctly implemented.
Boundary Firewalls
Every internet-facing boundary is protected by a correctly configured firewall: inbound connections are blocked by default, unused ports and services are closed, the firewall's own administrative password is changed from the default, and any rule that permits inbound traffic is documented and approved through a change management process.
Secure Configuration
All devices in scope have default passwords changed, unnecessary software removed, automatic screen lock enabled, and auto-run disabled.
User Access Control
Users have only the access they need (least privilege). Administrative accounts are separate from day-to-day accounts and are not used for email or web browsing. Multi-factor authentication is enabled on cloud services wherever the service supports it.
Malware Protection
Anti-malware or application allowlisting active on all in-scope devices and kept up to date. Real-time scanning enabled.
Patch Management
Security updates that fix high or critical vulnerabilities (rated so by the vendor, or with a CVSS v3 base score of 7.0 or higher) are applied within 14 days of the fix being released. Unsupported software is removed from in-scope devices, or those devices are moved out of scope. Automatic updates are enabled wherever possible.
Cyber Essentials vs Cyber Essentials Plus
Understanding the difference helps you choose the right certification level for your business needs and contract requirements.
| Feature | Cyber Essentials (self-assessed) | Cyber Essentials Plus (independently audited) |
|---|---|---|
| Five technical controls | Yes | Yes |
| Self-assessment questionnaire | Yes | Yes (the CE self-assessment is a prerequisite) |
| Independent technical audit | No | Yes |
| External vulnerability scan of internet-facing IPs | No | Yes |
| Internal device inspection (authenticated scan of a sample of in-scope devices) | No | Yes |
| Malware protection tests (email attachment and browser download) | No | Yes |
| Accepted for MoD supply-chain contracts | Lower-risk contracts only | Higher-risk contracts |
| Required by some NHS DSPT supply-chain frameworks | No | Yes |
| Certificate issued under the NCSC scheme | Yes | Yes |
| Typical cost (up to 50 users) | £500–£800 | £1,200–£2,500 |
Costs vary by assessor and organisation size. AMVIA bundles the technical remediation work with the certification audit for a fixed-price outcome.
Frequently Asked Questions
What is Business Email Compromise (BEC)?
BEC is a type of fraud in which attackers impersonate executives or suppliers to trick employees into transferring funds or sharing sensitive data. BEC attacks increased 33% in 2025. The average loss per BEC incident is $137,000. Even organisations with fewer than 1,000 employees face a 70% weekly probability of a BEC attempt.
How much should a UK business spend on cybersecurity?
UK businesses typically allocate 13.2% of their total IT budget to cybersecurity. More than half of UK small businesses increased their cybersecurity spending in 2024, and 85% of UK firms plan to boost their cyber budget for 2026. The cost of prevention is significantly less than the average cost of the most disruptive breach, £3,550.
What should happen in the first hour after a breach is detected?
The first hour after detection is considered the golden hour that determines how severe the outcome will be. Organisations that detect breaches internally save an average of $900,000 in costs. Only 22% of UK businesses have a formal cybersecurity incident management plan in place.
How common are cyber attacks on UK businesses?
43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, according to the DSIT Cyber Security Breaches Survey 2025. For medium-sized businesses, this figure rises to 67%. Phishing remains the most common attack type, affecting 85% of businesses that reported a breach.
How much does a breach cost a UK business?
The average cost of the most disruptive breach is £3,550 for UK businesses. For businesses that experienced negative outcomes such as data loss or financial theft, the average cost rises to £8,260. Medium and large businesses face average costs of £10,830 per disruptive incident.
Achieve Cyber Essentials Plus with Expert Support
AMVIA's fixed-price CE+ service includes gap assessment, remediation, and the full certification audit. Most clients achieve certification within four weeks.
Related Guides
The Complete Guide to Cybersecurity for UK SMEs
How Cyber Essentials fits into a broader cybersecurity programme for your business.
Zero Trust Security: A Practical Guide
Going beyond Cyber Essentials with a zero trust architecture to protect your modern hybrid workplace.
Cybersecurity for Financial Services
CE+ and additional FCA-mandated security controls for financial services firms.