What Cyber Essentials Plus Actually Means and Why It Matters

Cyber Essentials Plus is the UK government’s independently audited standard, built around five core technical controls: firewalls, secure configuration, access control, malware protection, and patch management.

Where the standard Cyber Essentials certification is self-assessed, the Plus level requires an accredited certification body to carry out hands-on technical verification and testing. An auditor verifies that the controls are genuinely in place and working, not just signed off on paper.

The Difference an Audit Makes

For anyone assessing their security posture, the difference between self-declared and independently verified is significant.

Central government contracts now commonly require Cyber Essentials as a baseline. In regulated sectors such as finance, legal, and healthcare, certification provides documented evidence of due diligence.

For any business operating in or supplying to those environments, independently verified controls carry significantly more credibility than a self-completed questionnaire.

What Clients and Insurers Are Looking For

The credibility of certification is built on the rigour behind it – and that rigour is increasing. Insurers are also increasingly factoring Cyber Essentials certification into their risk assessments.

According to recent research published by the government, organisations with Cyber Essentials controls in place make 92% fewer cyber insurance claims than those without.

That figure captures something important: certification reflects a measurable, real reduction in exposure, not just a box ticked for the sake of it.

Supply Chains Are Under the Microscope

  • Supply chain scrutiny is tightening across most sectors.
  • Larger organisations are increasingly vetting the security posture of their suppliers and partners.
  • Cyber Essentials Plus provides an independently verified answer to that scrutiny, rather than a self-declared one.

The Rules Are Changing – and the Bar Is Getting Higher

From 27th April 2026, Cyber Essentials moves to a new assessment question set, known as Danzell. The changes place far greater emphasis on demonstrating that controls are genuinely in place, rather than simply declaring compliance – and there is considerably less scope to address issues once an assessment is under way.

Two areas now carry automatic failure: MFA must be enabled on all cloud services where it is available, and critical security patches must be applied within 14 days of release. For organisations pursuing Cyber Essentials Plus, an automatic failure means restarting the process and paying for accreditation again.

Getting the groundwork right before you apply has never mattered more.

Certified, Prepared, and Ready to Help

At Platform365, we hold Cyber Essentials certification. Alongside our ISO 27001 accreditation and ongoing Assurix process, it reflects the standard of care we apply to the systems, infrastructure, and data we manage on behalf of clients, and gives our clients a clear, audited basis for confidence.

If your organisation is thinking about Cyber Essentials certification, whether at standard or Plus level, we offer a readiness review ahead of your application. With the Danzell changes raising the bar – and automatic failure now a real risk for gaps in MFA or patch management – going in prepared is essential.

We can work through your environment against the new requirements, identify anything that needs to be addressed, and give you the confidence that you are genuinely ready before you book the assessment. Get in touch to start the conversation.