How do we support Cyber Essentials, Cyber Essentials Plus, and Cyber Advisor?

Find out more with our informative guide, and book your assessment with us.

Understanding the Schemes: Cyber Essentials, Cyber Essentials Plus & Cyber Advisor

Cyber Essentials is the UK Government’s baseline cybersecurity certification, designed to guard against the most common internet-based threats. It focuses on five key technical controls: firewalls, secure configuration, malware protection, access control, and patch management. It is typically achieved via a verified self-assessment.

Cyber Essentials Plus builds on this foundation with added assurance through an independent, hands‑on audit of an organisation’s systems.

Cyber Advisor is a companion scheme delivered by NCSC through IASME. As the only assessment provider for the scheme, The Cyber Scheme certifies professionals who can demonstrate their ability to provide bespoke implementation advice on the Cyber Essentials controls. These advisors complete a rigorous assessment to become NCSC assured, enabling their organisations to become NCSC Assured Service Providers.

Why These Schemes Exist

Cyber Essentials was introduced in 2014 to strengthen national cyber resilience by equipping organisations across the UK with essential controls to defend against widespread, low-skill cyberattacks.

Cyber Essentials Plus verifies that these controls aren’t just documented, but effectively implemented through independent testing.

The Cyber Advisor scheme was created to guide smaller organisations, particularly those lacking internal cyber expertise. By certifying trusted advisors, the NCSC ensures consistent, high-quality support for Cyber Essentials adoption.

How Businesses Benefit
  • Defend against common threats: Organisations with Cyber Essentials are 92% less likely to make an insurance claim, reflecting the resilience resulting in implementing just a few simple safeguards.
  • Fewer cyber incidents: It has been reported that organisations experience 80% fewer incidents after implementing Cyber Essentials Plus across their networks.
  • Boost awareness and confidence: An independent evaluation showed 85% of users gained a better understanding of how cyber threats work, and 91% felt more confident implementing risk-reducing measures.
  • Commercial advantage: Many UK Government contracts and corporate supply chains now require Cyber Essentials certification, making the provision of these services an attractive addition to consultancies. The expectation is that Cyber Essentials Plus will become fully adopted and mandated by UK PLC in the coming years.
What is the difference between an Assessor and an Advisor?

Cyber Essentials Assessors are trained to assess CE applications and issue CE certifications, Cyber Advisors are there to provide support and advice to non-technical organisations to help them understand the CE technical controls. They are able to tailor the advice to individual organisational needs and suggest solutions that are right for the size and type of organisation.

Click here to learn more from IASME.

Where do The Cyber Scheme fit in?

Our CSTM and VA+ assessments are essential qualifications for professionals supporting Cyber Essentials and Cyber Essentials Plus.

The CSTM (Cyber Scheme Team member) exam validates advanced technical knowledge and practical skills needed to deliver high-quality security assessments, including those required for Cyber Essentials Plus audits. Similarly, VA+ (Vulnerability Assessment Plus) ensures assessors can perform thorough vulnerability testing and interpret results accurately, going beyond automated scans to provide meaningful assurance. Together, these certifications underpin the integrity of Cyber Essentials schemes by guaranteeing that assessors have the competence to identify risks, advise on remediation, and uphold NCSC standards, giving organisations confidence that their certification process is robust and credible.

The Cyber Scheme is also the sole accredited provider of the NCSC-approved Cyber Advisor assessment, delivering rigorous, practical exams that certify professionals to advise organisations on implementing Cyber Essentials controls effectively.

Becoming an Assessor for CE+

If your organisation wants to deliver Cyber Essentials Plus (CE+) assessments, having a qualified assessor is essential. The Vulnerability Assessment Plus (VA+) certification is a mandatory requirement for assessors who do not hold a Lead Assessor qualification.

VA+ ensures your team can:

  • Perform comprehensive vulnerability assessments beyond automated scans
  • Apply NCSC-aligned methodologies for CE+ audits
  • Meet IASME and NCSC compliance requirements for delivering CE+

 

Without VA+, your organisation cannot offer Cyber Essentials Plus assessments. Investing in this certification strengthens your service capability and credibility in the UK cyber security market.

Becoming a Lead Assessor for CE+

To deliver Cyber Essentials Plus (CE+) assessments, your organisation must have a qualified Lead Assessor. The Cyber Scheme Team Member (CSTM) certification is a recognised route to achieving this status.

CSTM demonstrates advanced technical competence and practical skills required for high-assurance security testing. By ensuring your team holds this certification, you can:

  • Meet NCSC and IASME requirements for CE+ delivery
  • Provide trusted, accredited assessments to clients.

 

Without CSTM (or equivalent), individuals in your organisation cannot operate as a Lead Assessor for Cyber Essentials Plus. Investing in this qualification is essential for expanding your service offering and meeting compliance standards.

How to Gain Cyber Advisor Certification

Check eligibility:

You should have practical experience in implementing Cyber Essentials controls plus a strong understanding of UK cyber security best practices.

Book your assessment with us.

Prepare for the assessment:

  • Multiple-choice test: Covers Cyber Essentials technical controls.
  • Written responses: Demonstrate your ability to advise organisations.
  • Professional discussion: Assesses communication and advisory skills.


Pass the assessment to earn the NCSC-approved Certificate of Competence.

Register your organisation as an NCSC Assured Service Provider via IASME.

Certification is valid for 3 years.

Take the Next Step

If you’re ready to become a Cyber Essentials Plus Assessor or Lead Assessor within your business, or qualify as a Cyber Advisor, book your exam with The Cyber Scheme today to contribute to a safer digital UK – one certified person, one resilient organisation at a time.

Cyber Advisor (Cyber Essentials Implementation)

Creating Advisors assured by NCSC, able to advise on and implement appropriate measures .

The Cyber Advisor Scheme helps businesses find service providers capable of providing appropriate guidance on implementing Cyber Essentials, a Government backed scheme that helps protect organisations against the most common cyber attacks.

We are the only Assessment Provider of the Cyber Advisor scheme, and deliver assessments nationwide. Learn more here.

CSTM for Cyber Essentials Plus

In order to deliver Cyber Essentials Plus assessments, every Certification Body will need at least one ‘Lead Assessor’.  A Lead Assessor may hold a CSTM exam from The Cyber Scheme (there are alternative options) to be considered to have met the standard required from NCSC and IASME to operate Cyber Essentials Plus Certification Services.

The CSTM Training Course from The Cyber Scheme will allow potential Lead Assessors to test their existing knowledge prior to taking the exam if required. Please click here for more information.

VA+ (Vulnerability Assessment Plus)

The VA+ (Vulnerability Assessment Plus) exam developed by The Cyber Scheme, NCSC and IASME is a useful and well respected standard, and is also a requirement for all Cyber Essentials Plus (CE+) assessors that do not have a Lead Assessor qualification. Book your exam directly with us.

To book an exam, please click here.

For detailed self-study notes please click here.

FAQs

Both Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months.

The Cyber Advisor certificate is valid for three years.

Cyber Essentials is a self-assessment, while Cyber Essentials Plus includes an independent technical audit for added assurance.

Any experienced cybersecurity professional who passes the NCSC-approved Cyber Advisor assessment delivered by The Cyber Scheme.

Review the Cyber Advisor standard thoroughly, and familiarise yourself with the entirety of this applicant guidance document as well as the example scenario on this page: Cyber Advisor Supporting Notes – The Cyber Scheme

Not for all, but it is required for many UK Government contracts and strongly recommended for supply chain security.

Directly through The Cyber Scheme’s booking page.

Please note these costs are for guidance only and subject to change.

Cyber Essentials (Self-Assessment)

Based on organisation size (pricing from IASME):

  • Micro (0–9 employees): £320 + VAT
  • Small (10–49 employees): £440 + VAT
  • Medium (50–249 employees): £500 + VAT
  • Large (250+ employees): £600 + VAT
 
Cyber Essentials Plus (Hands‑On Audit)
  • Audit costs typically range from £1,200 to £2,000+, depending on network complexity, number of devices, and chosen Certification Body.
  • Note: The base Cyber Essentials certification fee still applies.
 
VA+ (Vulnerability Assessment Plus) Exam
  • Required for assessors without Lead Assessor qualification.
  • Fee: £550 + VAT for the remote examination, including scoping session and practical testing.
 
Cyber Advisor Exam 
  • Fee: £600 + VAT per candidate.
  • Exam duration: approx. 3.5 hours (morning or afternoon session).

For any other questions, please contact us.