Confused about which level of Cyber Essentials to apply for?
Many organisations approach us for advice about when to apply for Cyber Essentials vs Cyber Essentials PLUS. This can be confusing, so we’re going to clarify which might be the best solution for you.
Cyber Essentials is effectively a security standard. This means that there is a set list of requirements that your organisation can meet or not meet. Cyber Essentials basic and Cyber Essentials PLUS are based on the same list of requirements and are, therefore, the same standard.
Since the requirements are the same for both levels, the difference lies in how APMG and our Certification Bodies verify that your organisation meets these requirements.
Cyber Essentials [Basic] is a self-certification. This means that you’re asked to supply answers to a questionnaire (with evidence) and the application is marked by one of our certification bodies through our online portal.
Cyber Essentials [PLUS] involves an external vulnerability scan. This means that one of our certification bodies will visit your office and perform a test that is in line with the Cyber Essentials test specification. Every certification body will have the same test process; however, the costs may vary.
This depends on your motivations for seeking out certification in the first place: are you looking to show your customers that you take data protection seriously? Are you looking for certification because it is required to meet contract/supply chain criteria? Or is there another reason?
When bidding on a contract/procurement/tender
Procurement tenders, especially if they are involved with the public sector, will ask for Cyber Essentials as a minimum. If they haven’t specified which level of Cyber Essentials, it usually means they only require the basic level.
When looking for your own internal reasons
If you want to demonstrate that your organisation is compliant with cyber security and takes data protection seriously, then Cyber Essentials PLUS is the obvious choice. Companies that hold sensitive data should always seek out PLUS certification, especially if they are involved in sectors that are frequent subjects of cyber attacks. However, this is not always cost-efficient for SMEs, and for some companies the basic certification is sufficient.
As an IT Support/Managed Service Provider
If your clients are asking for your help with Cyber Essentials certification, your organisation should really be certified to at least the level that they are asking for help with, especially considering you could be a gateway to your customers’ data.
Yes, and no – it depends. If a client has requested your organisation to be Cyber Essentials certified, a 27001 certification will not satisfy this request. 27001 is a more comprehensive certification, whereas Cyber Essentials ensures that the core elements of your security are up to National Cyber Security Centre (NCSC) standards. Again, this would depend on your motivations; certification in 27001 does not guarantee compliance in Cyber Essentials.
At APMG, Cyber Essentials basic is a flat fee of £300+VAT. You may be eligible for a discount if you’re a charity, a member of a chamber of commerce or if you have recently attended one of our Cyber events.
Cyber Essentials PLUS quotations are based on the number of days it will take an assessor to test your systems. This is quoted on an ad hoc basis and can vary depending on factors such as:
- Number of employees
- Number & configuration of workstations
- Number of offices
- Complexity of network
The choice is up to you. With APMG you can start a basic application (and upgrade later if you want), a PLUS only application (providing you already hold a valid Cyber Essentials certificate) or do both levels at the same time.
Contact our Certification Bodies below to arrange a quote to be sent to you for Cyber Essentials PLUS.
| Certification Body | Contact | Telephone no. |
|---|---|---|
| Bureau Veritas Holding SAS | email@example.com | +33 (0)1 41 97 58 36 |
| | | +44 (0) 1785 827300 |
| MTI | firstname.lastname@example.org | +44 (0) 1215 170058 |
| Xyone Cyber Security | | +44 (0) 333 323 3981 |
Still confused? Call our Cyber Essentials team on +44 (0) 1494 836148