Unlocking cyber security: navigating CE and CE+

Cyber Resilience 4th November 2023

Cybersecurity is critical for your organisation, and certifications like Cyber Essentials (CE) and Cyber Essentials Plus (CE+) are key to showcasing your commitment. Both aim to enhance your security posture, but they do have differences.

It’s important to understand these distinctions when you’re aiming to achieve certification. Understanding why the controls within CE and CE+ matter will help you navigate the certification process.

Certification process

For CE, you’ll complete a self-assessment questionnaire demonstrating your adherence to basic cybersecurity controls, covering five key areas: firewalls, secure configuration, access control, malware protection, and patch management. With CE+, you’ll go through the same self-assessment, but it also includes an additional independent testing and verification step. This involves our expert-led vulnerability scan, which confirms that your security measures are in place and identifies any vulnerabilities missed in your self-assessment.

Rigour and assurance

With CE+, you gain more rigour and assurance thanks to the added testing and verification. Our independent testing checks that your security measures are effective and resilient against real-world attacks, reducing the risk that vulnerabilities or misconfigurations were overlooked in your self-assessment.

Scope of assessment

CE focuses on protecting your internet-facing systems and networks from common cyber threats, which serves as a solid start for improving your overall security. CE+ goes beyond this, also assessing your internal networks, devices, and user practices, giving a more comprehensive evaluation of your cybersecurity measures.

Compliance and contractual requirements

While CE is a requirement for certain government contracts and is recognised across various industries, CE+ is seen as a more advanced level of certification. You may specifically need it for stricter contracts, or if your organisation handles sensitive information or has elevated security requirements.

Cost and resources

CE is typically more cost-effective and can be achieved through self-assessment alone, reducing your need for specialised expertise. Conversely, CE+ involves higher costs because of the independent testing conducted by our cybersecurity experts. While both certifications improve your cybersecurity practices, CE+ provides deeper scrutiny and assurance, making it the better fit if you require a higher level of cybersecurity maturity or need to meet specific contractual or regulatory demands. Our article Defining your Cyber Essentials Scope provides more details on starting the CE process.

Securing your organisation is vital, and certifications like CE and CE+ highlight your commitment. With CE+, our experts provide a more thorough security evaluation that identifies overlooked vulnerabilities. Despite its higher cost, CE+ offers an in-depth assessment that is valuable for organisations needing higher levels of cybersecurity maturity or specific contractual compliance. The involvement of our experts significantly boosts your cybersecurity readiness.
