What is CE+ (Cyber Essentials Plus)?
Cyber Essentials Plus (CE+) is a UK government-backed cybersecurity certification scheme, audited by independent assessors. The 'Plus' tier requires hands-on technical verification (vs. self-assessed Cyber Essentials). It is required for many UK government and public-sector contracts, including all Ministry of Defence contracts handling certain data.
Full explanation
Cyber Essentials covers five technical control areas: firewalls, secure configuration, user access control, malware protection, and security update management. The basic Cyber Essentials is a self-assessment questionnaire; Cyber Essentials Plus adds a hands-on, assessor-verified test (vulnerability scan, configuration review, simulated phishing/malware test). Certification is valid for 12 months and must be renewed annually. CE+ typically costs £1,500-£5,000, depending on organisation size. It is required for many UK central-government contracts.
Example
A UK-based SaaS vendor competing for a UK central-government contract finds the tender requires Cyber Essentials Plus. They book an NCSC-approved assessor, prepare evidence, and complete the test in 4-6 weeks. The certificate then unlocks not just the immediate tender but other UK public-sector procurement opportunities.
FAQ
Is Cyber Essentials enough or do I need Plus?
Self-assessed Cyber Essentials is enough for many lower-value contracts. CE+ (assessor-verified) is required for higher-value UK government contracts, MoD work, and some private-sector tenders that explicitly demand it.
How does it compare to ISO 27001?
CE+ is narrower (5 control areas) and cheaper (£1.5K-£5K) than ISO 27001 (~£20K+). They serve different markets — CE+ for UK government access, ISO 27001 for international enterprise. Most UK SaaS vendors selling internationally end up holding both.