CE and CE+ at a glance
Same CE-style baseline themes
Cyber Essentials (CE) and Cyber Essentials Plus (CE+) are built around the same baseline: a defined set of technical controls, grouped under the scheme's five control themes (firewalls, secure configuration, security update management, user access control, and malware protection), that a UK organisation should have in place and apply consistently across the systems it actually uses.
In practice, the “baseline” only has value if it is scoped properly (what’s included and what isn’t) and applied consistently (not “some devices” or “some accounts”). That is why both CE and CE+ put weight on coverage and consistency, not just intent.
A common misconception to correct early: CE+ does not “cover more controls” than CE. It aims to give stronger assurance that the same baseline controls are actually implemented.
Different assurance levels
The practical difference between CE and CE+ is assurance:
CE: you complete a self-assessment questionnaire describing what you have in place; the answers are reviewed, not technically tested.
CE+: adds independent, hands-on technical verification by an assessor that those same controls are actually in place on the scope you declared.
Another misconception: CE+ is not a penetration test. It does not exist to simulate a targeted attacker, and it should not be treated as a “red team” exercise. It is verification against baseline expectations.
What CE requires (self-assessment)
Evidence expectations for a small business
For a small business, CE typically succeeds or fails on whether the baseline is real in day-to-day operation, not on whether someone can write a plausible narrative.
“Evidence” here does not mean heavy documentation. It means you can show, in a practical way, that the baseline is operating across your environment. Examples of evidence at concept level include:
A clear scope statement (users, devices, services, locations/remote work)
An accurate inventory (or another defensible way to account for what is in scope)
Written decisions where the business has chosen an approach (for example, who approves privileged access, what happens when a device is unmanaged, how exceptions are handled)
Screenshots/exports/reports that demonstrate the control is active (not just planned)
One more misconception: CE is not “pure paperwork” that can be delegated with zero business involvement. Even in a small firm, somebody must own scope decisions, risk trade-offs, and exception handling.
Scope: users, devices, cloud services, remote work
Most CE friction in SMEs comes from scope confusion rather than “bad security”.
A CE-style baseline only works when you are explicit about what is included:
Users: employees, contractors, shared accounts (if any), and administrators
Devices: company-owned devices, and any personal devices used for business access if they are in scope
Cloud services: business-critical services (including identity and email platforms) where your configuration and access controls matter
Remote work: home working patterns, remote access methods, and how admin access is performed
Misconception to correct: “If we use Microsoft 365, the scope is mostly outsourced.” Even when infrastructure is hosted, your organisation still controls identity, access, configuration choices, and how users connect.
What CE+ adds (technical verification)
Verification approach and testing categories
CE+ adds technical verification to confirm the baseline is operating in reality, not only described in an assessment.
At a high level, verification tends to focus on whether baseline controls are:
Present on representative systems
Configured as expected (not “enabled but ineffective”)
Consistent across the environment
Enforced for privileged and internet-exposed access pathways
This is where CE+ materially changes the conversation: it tests the difference between “we believe we do this” and “we can demonstrate this holds on real systems”.
Sampling and representativeness
For SMEs, “sampling” is a practical issue: you need confidence that the tested devices/accounts/services are representative of the wider environment.
CE+ verification is typically not “every device, every setting”. Instead, it relies on sampling principles, meaning:
Your environment needs to be standardised enough that a sample is meaningful
Exceptions need to be visible and justified (not hidden)
The scope needs to be stable enough that results reflect reality, not a transient moment
Misconception to correct: “Passing once means the baseline is done.” A point-in-time check is useful, but only if you can maintain alignment as things change.
Findings, remediation, re-check mechanics
If verification identifies gaps, the practical impact is usually:
A short, specific list of items to remediate
A need to coordinate evidence and access again for re-check
A push to address root causes (for example, configuration drift, unmanaged endpoints, unclear admin access pathways)
The operational lesson for SMEs: CE+ is easiest when the baseline is already “boring” (standard, consistent, repeatable). If your environment is highly bespoke per user/device, verification becomes heavier and more disruptive.
Resource intensity and evidence readiness
Coordination burden (Ops/IT + business owners)
CE tends to require focused time from whoever owns IT and security decisions. CE+ increases coordination because technical verification requires:
Access planning (who can provide access, when, and under what controls)
Time-boxed windows for checks and evidence capture
Clarity on how exceptions will be handled during testing
For owner-managed SMEs, the hidden cost is usually coordination time and context switching—not fees.
Typical evidence pack components (concept-level)
A “questionnaire-ready” evidence pack does not need to be large. For most SMEs, it looks like:
Scope statement (what is included)
Inventory (or another defensible asset/account list)
Access rules (who has admin access, how it is approved, how leavers are handled)
Update/patch posture summary (how you ensure coverage and handle exceptions)
A small set of exports/screenshots/reports that show controls are active across the environment
Assurance needs without “buying a badge”
When external parties ask for stronger assurance
Higher assurance often shows up when external stakeholders need confidence that baseline controls are real. Common triggers include:
Procurement and supplier onboarding
Handling sensitive personal data or commercially sensitive information
Contractual obligations that require baseline assurance
Requests from larger customers or public-sector-adjacent supply chains
The point is not to chase “status”. It is to meet an assurance requirement with defensible evidence.
When CE-style baseline alignment is the practical objective
Many SMEs benefit from treating CE as a baseline lens even when certification is not the goal:
It gives a structured way to define “good enough” hygiene
It clarifies scope (devices + accounts + cloud services)
It makes gaps visible in a way that can be prioritised
If you can answer baseline questions with evidence, you reduce friction across questionnaires, renewals, audits, and supplier reviews—even without talking about badges.
Point-in-time vs day-to-day alignment
Change events that invalidate assumptions
Baseline alignment is fragile if you do not re-check after change. The events that most often invalidate prior assumptions include:
New starters, leavers, role changes (especially admin access)
New devices and device replacement cycles
Adoption of new cloud apps and integrations
Supplier changes (outsourced IT, SOC/MDR, backup, identity tools)
Enabling new remote access or third-party connectivity
Light-touch baseline maintenance cadence
A CE-style baseline is easiest to maintain when you adopt a light cadence:
A short periodic review of scope and inventory
A routine check on privileged access and MFA coverage
A simple exception log (what is out of standard, why, and until when)
A trigger-based review after major change events
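A practical way to make the routine check above (privileged access and MFA coverage, update posture, and an exception log with expiry dates) repeatable is to run it over the same exports you would put in the evidence pack, rather than eyeballing screenshots. The script below is an added example written for this page, not code from the Cyber Essentials scheme or any certification body. It assumes hypothetical CSV exports with made-up column names (asset_id, managed, os_supported, auto_update, days_since_update for devices; account, privileged, mfa_enabled, enabled, hr_status for accounts; subject, control, reason, expires for the exception log), and the 14-day update threshold is an assumed illustrative value rather than a statement of the scheme's requirements. It covers the whole inventory, so it also answers the sampling question earlier on the page: a gap on any device is visible, and an exception on one control does not silently cover a different one.

```python
"""Baseline coverage check over constructed inventory, account and exception exports."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample exports (hypothetical column names; map your own tool's export onto them).
DEVICES_CSV = """asset_id,owner,managed,os_supported,auto_update,days_since_update
LT-001,alice,yes,yes,yes,7
LT-002,bob,yes,yes,no,40
LT-003,carol,no,yes,yes,3
LT-004,dave,yes,no,yes,5
"""

ACCOUNTS_CSV = """account,privileged,mfa_enabled,enabled,hr_status
alice,no,yes,yes,current
bob,yes,yes,yes,current
carol,yes,no,yes,current
erin,no,yes,yes,leaver
"""

# Exception log: what is out of standard, why, and until when (constructed data).
EXCEPTIONS_CSV = """subject,control,reason,expires
LT-002,auto_update,Line-of-business app breaks on current build; patched manually each month,2025-06-30
LT-004,os_supported,Replacement device ordered,2024-12-31
"""

# Assumed illustrative threshold for this example, not quoted from the scheme.
MAX_DAYS_SINCE_UPDATE = 14


@dataclass(frozen=True)
class Finding:
    subject: str   # device or account the finding is about
    control: str   # which baseline expectation is not met
    status: str    # "no_exception", "exception_expired" or "covered"
    detail: str


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _device_gaps(row):
    """Yield (control, detail) for each baseline expectation a device misses."""
    if row["managed"] != "yes":
        yield "managed", "device is unmanaged"
    if row["os_supported"] != "yes":
        yield "os_supported", "operating system no longer supported"
    if row["auto_update"] != "yes":
        yield "auto_update", "automatic updates disabled"
    if int(row["days_since_update"]) > MAX_DAYS_SINCE_UPDATE:
        yield "update_age", f"last update {row['days_since_update']} days ago"


def _account_gaps(row):
    """Yield (control, detail) for privileged-access and leaver expectations."""
    if row["privileged"] == "yes" and row["mfa_enabled"] != "yes":
        yield "privileged_mfa", "privileged account without MFA"
    if row["hr_status"] == "leaver" and row["enabled"] == "yes":
        yield "leaver_disabled", "leaver account still enabled"


def check_baseline(devices_csv, accounts_csv, exceptions_csv, as_of):
    """Return every gap, tagged by whether a current exception covers it as of `as_of`."""
    exceptions = {
        (e["subject"], e["control"]): date.fromisoformat(e["expires"])
        for e in _rows(exceptions_csv)
    }
    gaps = []
    for row in _rows(devices_csv):
        gaps += [(row["asset_id"], c, d) for c, d in _device_gaps(row)]
    for row in _rows(accounts_csv):
        gaps += [(row["account"], c, d) for c, d in _account_gaps(row)]

    findings = []
    for subject, control, detail in gaps:
        expires = exceptions.get((subject, control))  # exceptions are per subject AND control
        if expires is None:
            status = "no_exception"
        elif expires < as_of:
            status = "exception_expired"
        else:
            status = "covered"
        findings.append(Finding(subject, control, status, detail))
    return findings


def needs_action(findings):
    """Findings that block a 'baseline holds' statement: uncovered or with an expired exception."""
    return [f for f in findings if f.status != "covered"]


def run_sample(as_of=date(2025, 3, 1)):
    """Run the check over the constructed exports for a fixed review date."""
    return check_baseline(DEVICES_CSV, ACCOUNTS_CSV, EXCEPTIONS_CSV, as_of)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.status:17} {f.subject:8} {f.control:16} {f.detail}")
```

On the constructed data the run produces six findings, of which only one (LT-002's disabled auto-update) is covered by a current exception; LT-002's stale patch age is still flagged because the exception was logged against a different control, and LT-004's unsupported OS surfaces as an expired exception rather than disappearing. Re-running the same script after each change event on the earlier list (new starter, device replacement, supplier change) is the light-touch cadence in practice.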
This keeps the baseline real without turning it into a full-time programme.