Discover your certification today Browse
Open page navigation
Cyber Security

Confused about which level of Cyber Essentials to apply for?

Cyber Essentials Basic vs Cyber Essentials PLUS Breakdown

An abundance of organisations approach us for advice about when to apply for Cyber Essentials vs Cyber Essentials PLUS. This can be confusing and we’re going to clarify which might be the best solution for you.

Cyber Essentials scheme as a whole

Cyber Essentials is effectively a security standard. This means that there is a set list of requirements that your organisation can meet or not meet. Cyber Essentials basic and Cyber Essentials plus are based off the same list of requirements and, therefore, are the same standard.

The differences between Cyber Essentials and Cyber Essentials PLUS

Since the requirements are the same for both levels, the difference is with how APMG and our Certification Bodies verify that your organisation meets these requirements. 

Cyber Essentials [Basic] is a self-certification. This means that you’re asked to supply answers to a questionnaire (with evidence) and the application is marked by one of our certification bodies through our online portal.

Cyber Essentials [PLUS] involves an external vulnerability scan. This means that one of our certification bodies will visit your office and perform a test that is in line with the Cyber Essentials test specification. Every certification body will have the same test process, however - the costs may vary.

When you need Cyber Essentials Basic and Cyber Essentials Plus

This depends on your motivations for seeking out certification in the first place: are you looking to show your customers that you take data protection seriously? Are you looking for certification because it is required to meet a contract/supply chain criteria? another reason?

When bidding on a contract/procurement/tender

Procurement tenders, especially if they are involved with the public sector, will ask for Cyber Essentials as a minimum. If they haven’t specified which level of Cyber Essentials, it usually means they only require the basic level.

When looking for your own internal reasons

If you want to demonstrate that your organisation is compliant with Cyber Security and takes data protection seriously - then Cyber Essentials PLUS is the obvious choice. Companies that hold sensitive data should always seek out PLUS certification, especially if they are involved in sectors that are frequent subjects of Cyber Attacks. However, this is not always cost efficient for SMEs and for some companies, the basic certification is sufficient.

As an IT Support/ Managed Service Provider

If your clients are asking for your help with Cyber Essentials certification, your organisation should really be certified to at least the level that they are asking for help with, especially considering you could be a gateway to your customers’ data.


If you have ISO 27001 certification, do you still need Cyber Essentials/Cyber Essentials PLUS?

Yes, and no – it depends. If a client has requested your organisation to be Cyber Essentials certified, a 27001 certification will not satisfy this request. 27001 is a more comprehensive certification, whereas Cyber Essentials ensures that the core elements of your security are up to National Cyber Security Centre (NCSC) standards. Again, this would depend on your motivations; certification in 27001 does not guarantee compliance in Cyber Essentials.

How the pricing works for both levels

At APMG, Cyber Essentials basic is a flat fee of £300+VAT. You may be eligible for a discount if you’re a charity, a member of a chamber of commerce or if you have recently attended one of our Cyber events.

Cyber Essentials PLUS quotations are based on the amount of days it will take an assessor to test your systems. This is quoted on an adhoc basis and can vary depending on factors such as:

  • Number of employees
  • Number & configuration of work stations
  • Number of offices
  • Complexity of network

At the end of the day…

The choice is up to you. With APMG you can start a basic application (and upgrade later if you want), a PLUS only application (providing you already hold a valid Cyber Essentials certificate) or do both levels at the same time.

Contact our Certification Bodies below to arrange a quote to be sent to you for Cyber Essentials PLUS.

Certification Body Contact Telephone no.
Bureau Veritas Holding SAS +33 (0)1 41 97 58 36
Capula Ltd
+44 (0) 1785 827300
MTI + 44 (0) 1215 170058
+ 44 (0) 2075588924
Xyone Cyber Security
+44 (0) 333 323 3981


Ready to begin? Click below to start your certification

Get Certified

Still confused? Call our Cyber Essentials team on +44 (0) 1494 836148



Large pile of timber logs perfectly stacked

ISO/IEC 27001

Demonstrate exemplary management of information security

View more
Person stood on a cliff edge looking upon clouds rolling through mountains

The Cloud Industry Forum (CIF) Code of Practice

Ensure your cloud services are a beauty to behold

View more
Satellite overlooking earth

CDCAT® Insurance Services

Gain full awareness before accepting cover

View more