What's the difference between Cyber Essentials and Cyber Essentials Plus

Concise | Date: November 4, 2020 | 6 minute read


In the second of our Question for Today series, we ask Andy Amos our Head of Security Operations, "What can a business owner do to prevent a cyber breach and what’s the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Security and protecting a business from cyber criminals is and will always be something that should be top of the agenda both personally, as an employee and as a business owner. I get emails all the time personally that have some sort of malicious intent.  My email provider does most of the work, but occasionally they get through the net and I have to be extra vigilant.  For a business with lots of employees being extra vigilant can be time consuming but a necessity, especially when the frequency of cyber breaches experienced by businesses is increasing.


Since 2016 the government backed Cyber Security Breaches Survey has measured how organisations approach cyber security and the impact of any breaches. In the 2020 survey, published March 2020, the no 1 key finding was how often an attack or breach is experienced. Out of 46% of businesses that are identifying breaches, 32% of them were experiencing a breach or attack at least once a week, this was up from 22% found in the 2017 survey. The nature of cyber attacks has also altered – 86% being phishing attacks up from 72% in 2017 followed by 26% as impersonations of business leaders and 19% malware.


>> Excerpt from Cyber Security Breaches Survey 2020 Infographic

With cyber crime not going away any time soon, legislation like GDPR and Data Protection biting at business heals, having to deal with cyber crime takes time and costs money. All of which could be better placed investing in the right technology and putting the right measures in place to prevent a cyber breach from happening in the first place.

When not If a cyber breach happens

Okay, Andy, so I shouldn’t being thinking if I have a cyber breach, but when I have one, that’s scary, how can I stop a cyber attack?

“You can’t stop a cyber criminal from trying to attack your business, but you can mitigate the damage the attack may cause or even make the effort less worthwhile,” Andy suggests. “Having and maintaining a number of network controls can help build a barrier against cyber attacks. In our blog The Anatomy of Advanced Cyber Attacks we recommend deploying lots of simple controls to increase the time and effort required for an attacker to breach a network. This is where Cyber Essentials comes in.”

So, What is Cyber Essentials?

“Cyber Essentials is a simple but effective government backed scheme to enable any type and size of business become cyber secure from a web attack.” says Andy.

The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to assess Cyber Attacks against businesses. They found that 70% of Cyber Attacks could be stopped or “significantly mitigated against” by implementing some basic technical controls. This set of technical controls are what make up the Cyber Essentials Scheme.

“The scheme is designed to reduce the effectiveness of web based cyber-attacks against a business.”

Why go for Cyber Essentials Certification?

“There are a number of reasons why becoming a Cyber Essentials certified business is for you, there is a list below, but most importantly it provides credence that your business is taking cyber security and data protection seriously. This can be a huge benefit for winning contracts or assuring your customers that you are keeping their data safe.”

  • It is a simple but effective government backed scheme
  • The scheme is backed by industry including the Federation of Small Business, the CBI and a number of insurance organisations
  • It is suitable for all sizes of organisation in any sector
  • It is a recognised cyber security level
  • It will help with the GDPR legal requirement for securing customer data
  • From October 2014 Government Contracts have required Cyber Essentials certification


Is it a requirement to have Cyber Essentials for the General Data Protection Regulation?

“It’s not a requirement”, confirms Andy, “but it goes a long way to meeting the criteria set out by the GDPR.”

The Data Protection Act 2018 (DPA) and Article 32 (https://gdpr.eu/article-32-security-of-processing/) of the GDPR, which came into effect May 2018, states “the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” - thus making it a legal responsibility of a business to ensure that customer data is secure.

The five essential controls implemented under Cyber Essentials go a long way to meeting the criteria set out in GDPR. GDPR also states that any third party organisations or suppliers that access or share a business’s data should also implement appropriate controls. The National Cyber Security Centre (NCSC) hold a database of all companies with Cyber Essentials certification available online, so it is now very easy to identify which suppliers take their data security seriously.

Demonstrate Commitment to Cyber Security

With GDPR requiring a certain set of criteria for data protection, the increase in breaches felt by businesses and the NCSC listing businesses who have the certification, Andy states, “we’ve seen a large uptake of companies wanting to achieve Cyber Essentials certification in the last 12 months.” 

"It won’t stop there," he says, "as the cycle continues, having Cyber Essentials will become a standard tender requirement as a minimum." Since October 2014 the UK Government are already requiring that suppliers bidding for contracts involving the handling of certain sensitive and personal information, need to be certified against the Cyber Essentials scheme.

So how does it work, what happens - Risk Assessment and Reduction

“Cyber threats are just like any business risk. They need to be assessed then actions taken to remove, mitigate or accept the risk. So, by implementing the five key controls under Cyber Essentials certification you will significantly reduce some of the risks.”

What are the Five Cyber Essential controls?

  • Boundary Firewalls – that’s your outer most barrier to the web
  • Secure Configuration – how difficult it is to get into your systems
  • User Access Control – who has permission to data and installation of software, for example
  • Malware Protection – continuous detection of malicious software in place
  • Patch Management – ensuring there are no flaws in software which can be a way in for the cyber criminal

For Certification, a business needs to demonstrate that they have these five technical controls implemented and that they are working sufficiently to stop any risk of a breach.

What is the difference between Cyber Essentials Basic and Cyber Essentials Plus?

There are two levels of certification Cyber Essentials Basic and Cyber Essentials Plus.

Cyber Essentials is a self-assessment where you, the applicant, needs to be able to answer questions that provide evidence you have the five technical controls implemented.

Cyber Essentials Plus is a verified version of the self-assessment; an external assessor tests and therefore proves that the technical controls are in place.


Cyber Essentials Basic

Cyber Essentials

(pass required for all Key Controls)


What kind of questions are they?

For the Cyber Essentials self-assessed questionnaire the questions are based around the five key controls, some example questions are below:

Key Control #1 - Boundary Firewalls

  • Have you implemented a business grade firewall?
  • Has it had its passwords changed from the one it was supplied with?
  • Are all unnecessary ports closed down?

Key Control # 2 - Secure Configuration

  • Are your software packages kept up to date with security fixes?
  • Do you have an account lockout policy, to mitigate against brute force attacks?
  • Is auto-run disabled for USBs/CD/DVDs?

Key Control #3 - User Access Control

  • Are all users forced to use secure passwords?
  • Are administrative accounts used for day to day internet browsing and email?
  • Do staff have the correct permissions to do the tasks they need?

Key Control #4 - Malware Protection

  • How do you protect against malware on your network?
  • Do you use Ant-virus?
  • Is it kept up to date?
  • How often does it scan?
  • Does it scan web pages you visit?

Key Control # 5 - Patch Management

  • Are all systems still in support by a manufacturer who provides security updates?
  • Do all systems have security patches applied in a timely manner?

What is Cyber Essentials Plus?

Cyber Essentials Plus is an audited version of the basic assessment. Part of the process before the audit takes place is to understand what parts of the network are in and out of scope for the purposes of Cyber Security. The technical audit then verifies the Cyber Essential controls are in place and ensures all business locations meet the minimum criteria for each control section and has adequate defences against the threats in scope.

Andy explains how he audits for Cyber Essentials Plus by undertaking several tests on a customer’s site (the applicant). “The first test audits the first key control Boundary Firewalls,”

Remote vulnerability assessment.

The purpose is to test whether an Internet-based opportunist attacker can hack into the Applicant's system with typical low-skill methods. We look for open ports on the firewall and assess the security of services using those ports.

“The second, tests the requirement for Patch Management (Key control # 5)”

Check patching via an authenticated vulnerability scan.

This identifies missing patches and security updates that leave vulnerabilities and threats within the scope of the scheme and potentially be easily exploited. Both operating system updates and software updates are tested.

“The last three tests focus on Malware Protection (Key control #4) in particular for End User devices (EUDs)”

Check malware protection on End User Devices.

This checks that all of the EUDs in scope benefit from at least a basic level of malware protection.

Check effectiveness of EUD defences against malware delivered by email.

A test to decide whether or not EUDs are protected against malware that is delivered via email attachments. To facilitate this a selection of safe files that should be detected as malware are sent to the applicants email system.

Check EUD defences against malware delivered through a website.

This tests whether or not EUDs have protection from malware delivered through a website. Similar to the test above, a selection of relevant files for your particular operating system are attempted to be downloaded from the internet.

Testing Criteria

Andy confirms that, “Each test has its own criteria for passing, however, if the Cyber Essentials controls have been implemented successfully then there should be no trouble passing the audit tests for Cyber Essentials Plus.”

He also explains that, his security team are always available to assist in implementing controls and providing advice on how to best to achieve success.


To Recap

  • Having Cyber Essentials certification demonstrates your commitment to cyber security and protecting data.
  • Cyber Essentials is a simple but effective set of five controls for managing cyber threats and is government and industry backed
  • The difference between the two levels of Cyber Essentials is that Cyber Essentials Plus goes one-step further and verifies that the five key controls are in place and working.
  • Time and money put into preventing a cyber breach will out way the cost of the damage caused by a cyber attack.
  • Concise are an IASME certification body and offer both levels of Cyber Essentials. Talk to us today about getting certified.


Download a free resource showing 12 Ways to Protect Your Business from Cyber Attack.

protect your business from cyber attack 12 ways infographic

Get in touch and discover how we can help make things easier.

Call us on 01606 336200, or fill in the form below.