Cyber Essentials vs Cyber Essentials Plus: Which Level Does Your Contract Require?

If your contract requires Cyber Essentials, the first question to answer is which level. Cyber Essentials and Cyber Essentials Plus are not interchangeable. Both certifications cover the same five technical controls, but the way those controls are assessed is fundamentally different, and procurement requirements increasingly specify Plus rather than the baseline certification.
Getting this wrong has a direct cost. A contract award can be delayed or withheld when an organisation submits a baseline Cyber Essentials certificate in response to a requirement for Plus.

What Cyber Essentials Requires

Cyber Essentials is a self-assessment. Your organisation completes a questionnaire developed by the NCSC and administered through an IASME-approved certifying body. The questionnaire covers how you have implemented each of the five controls across your in-scope systems. A certifying body reviews the answers and issues the certificate if the responses meet the scheme requirements.

The self-assessment model means the certificate reflects your organisation’s account of its own controls. That is appropriate for many procurement contexts, particularly for lower-risk contracts or organisations at an early stage of formalising their security posture. It is also the required starting point before Cyber Essentials Plus can be pursued.

What Cyber Essentials Plus Requires

Cyber Essentials Plus uses the same five controls but replaces the self-assessment questionnaire with an independent technical verification. An assessor tests your systems directly. This typically includes an internal vulnerability scan across in-scope devices, testing of a sample of end-user devices and servers, and verification that the controls described in your Cyber Essentials assessment are operating as stated.

The key difference is evidence. Cyber Essentials Plus produces a certificate based on what an examiner found when they looked, not what you reported when you answered a questionnaire. For organisations where a breach or security incident would create significant commercial or regulatory consequences, Cyber Essentials Plus provides a materially stronger assurance. Cyber Essentials Plus cannot be started without a current Cyber Essentials certificate. The two stages are sequential. If your contract deadline is fixed, both stages need to be in the timeline.

Which Level Does Your Contract Require?

Central government contracts that require Cyber Essentials typically specify the level in the contract or tender documentation. Ministry of Defence supply chain requirements and NHS supplier frameworks are more likely to require Cyber Essentials Plus, particularly for contracts involving access to sensitive systems or data.

If the contract documentation references Cyber Essentials without specifying Plus, confirm with the contracting authority before assuming the baseline level is sufficient. Some frameworks use ‘Cyber Essentials’ as shorthand for the full scheme including Plus, and a certificate at the wrong level will not satisfy the requirement.

For private sector requirements, the level specified by a prime contractor or client often reflects their own certification level. Prime contractors who hold Cyber Essentials Plus frequently require the same from their supply chain.

How to Plan for Both Levels

The most efficient path for organisations that need Cyber Essentials Plus is to treat both stages as a single program of work rather than two separate projects. The self-assessment for Cyber Essentials establishes your scope and documents your controls. The Plus assessment then verifies those controls in the environment you have described. Gaps discovered during the Plus assessment that were not identified during the self-assessment require remediation before the Plus certificate can be issued.

This is where scope definition becomes critical. If the scope defined for your Cyber Essentials self-assessment does not accurately reflect the systems your assessor will review during Plus, you will face findings that were avoidable. Defining scope correctly at the start of the process, before the self-assessment questionnaire is completed, is the single most important factor in how smoothly both stages proceed.

What Happens at Renewal

Both Cyber Essentials and Cyber Essentials Plus require annual renewal. The renewal is a fresh assessment, not a rollover of the previous certificate. Controls that drifted during the year, cloud services added after the original assessment, or changes to your device fleet all need to be reflected in the renewal scope. Organisations that maintain continuous monitoring of their controls throughout the year arrive at renewal with evidence already organised and gaps already closed. Those that approach renewal as a point-in-time exercise typically spend more time and money on remediation than the assessment itself.

Is your Cyber Essentials certificate current?

Certificates expire after 12 months. If your certificate is approaching renewal or has already lapsed, your organisation may no longer satisfy active contract requirements. A renewal scoping call with a Carbide advisor takes 30 minutes and confirms your current controls against the scheme requirements before the assessment begins. Carbide advisors work with organisations preparing for Cyber Essentials and Cyber Essentials Plus assessments. If you need to confirm which level your contract requires, define your assessment scope, or prepare for a Plus technical verification, a scoping conversation will tell you what your current program covers and what the assessment will require before your submission deadline. Once you have confirmed your level, the next step is defining your scope correctly — read our guide to Cyber Essentials scope definition before you begin the questionnaire.