Cyber Essentials Plus is the UK government's technical cybersecurity certification scheme — designed to protect organisations against the most common cyber threats. It is a mandatory requirement for organisations bidding for UK government contracts that involve handling sensitive data or providing certain technical services, and it is increasingly required by large enterprise clients as a condition of doing business.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessed certification. Your organisation completes a questionnaire about your security controls and submits it for review. Cyber Essentials Plus goes further — it requires an independent technical assessment where a certifying body verifies that your controls are actually in place and working correctly, rather than simply taking your word for it.
Cyber Essentials Plus carries significantly more weight with clients and regulators because it involves independent verification. It is the level required for most government contracts.
What are the five technical controls?
- Boundary firewalls and internet gateways — protecting the boundary between your network and the internet
- Secure configuration — ensuring devices and software are configured securely, removing unnecessary features
- User access control — limiting access to data and services to those who need it, with appropriate privilege management
- Malware protection — protecting against viruses and other malicious software
- Patch management — keeping devices and software up to date with security patches
Who needs Cyber Essentials Plus?
Cyber Essentials Plus is required for any organisation supplying the UK government with products or services involving the handling of personal data or certain sensitive information. Beyond government contracts, it is increasingly required by NHS trusts, local authorities and large enterprise clients in financial services, legal and professional services sectors as a minimum security baseline for suppliers.
How long does certification take?
The timeline depends on your starting position. For organisations with a well-managed Microsoft environment, implementing the five technical controls typically takes four to eight weeks. For organisations with more complex or less mature environments, twelve weeks is a more realistic target.
Octa1ne supports clients through the entire Cyber Essentials Plus process — from initial gap assessment through to certification — as part of our managed compliance service. We configure your Microsoft environment to meet all five technical controls and manage the certification process on your behalf.
The Octa1ne security team comprises certified analysts, engineers and security specialists delivering managed cybersecurity services to organisations worldwide.