Cyber Essentials vs Cyber Assessment Framework: What’s the difference and which one do I need? 

Taking cyber security seriously is no longer optional for UK businesses. Clients, regulators, and even insurers increasingly expect organisations to prove they’re stepping up protection measures. 

A term that often comes up when discussing cyber security is Cyber Essentials (CE), but there’s something new coming to complement it. Enter the NCSC Cyber Assessment Framework.
 
Let’s take a look at the differences and what you need to consider. 

What is Cyber Essentials? 

Cyber Essentials is a government-backed certification scheme created by the UK Government and overseen by the National Cyber Security Centre. It helps businesses put in place five key technical controls that protect against the most common cyber-attacks. 

There are two levels:

Cyber Essentials: A self-assessment questionnaire reviewed by a certification body.

Cyber Essentials Plus: Includes an independent technical audit of your systems. 

Why SMEs choose it:

  • Affordable and straightforward.
  • Builds trust with customers and supply chain partners.
  • Sometimes a requirement for government or public sector contracts, if handling personal data.
  • Reduces the risk of common attacks like phishing, ransomware, and malware. 
  • For most SMEs, Cyber Essentials is the first step towards a stronger cyber posture. 

What is the Cyber Assessment Framework (CAF)? 

The Cyber Assessment Framework (CAF) was also developed by the NCSC, but it’s a completely different tool. Instead of a certification, it’s a structured framework used to assess cyber resilience across four objectives and 14 principles. 

It was designed for operators of essential services – organisations in energy, water, transport, healthcare, and other parts of the UK’s Critical National Infrastructure (CNI).

The CAF is closely tied to the Network and Information Systems (NIS) Regulations 2018, which legally require those operators to meet a certain level of cyber resilience. 

Key features of CAF:

  • Focuses on governance, risk management, resilience, and response.
  • Provides a detailed view of how robust an organisation’s cyber defences really are.
  • Resource-heavy: it’s not a quick tick-box exercise but an ongoing, in-depth assessment.

For some SMEs, the CAF may not be necessary unless you’re formally designated as an operator of essential services.

Cyber Essentials vs Cyber Assessment Framework: Key Differences 

While both Cyber Essentials (CE) and the Cyber Assessment Framework (CAF) aim to improve security, they are very different in practice: 

  • Purpose: Cyber Essentials is a certification scheme focused on basic technical controls. The CAF is an in-depth framework for assessing resilience across governance, risk, and response. 
  • Audience: Cyber Essentials is designed for businesses of all sizes. The CAF is aimed at operators of essential services and organisations in Critical National Infrastructure. 
  • Complexity: Cyber Essentials is straightforward and checklist-style. The CAF is resource-heavy and requires ongoing, detailed assessment. 
  • Cost: Cyber Essentials is low cost and accessible. The CAF usually requires significant investment. 
  • Outcome: Cyber Essentials provides a certification badge (CE or CE Plus). The CAF produces a detailed assurance report but no “badge”. 
  • Mandatory?: Cyber Essentials is sometimes required for contracts, but not for all. The CAF is mandatory for certain regulated sectors under the NIS Regulations. 

Which One Do You Need? 

For almost all UK SMEs, the answer is simple: Cyber Essentials.

It’s affordable, practical, and delivers immediate benefits: 

  • Protects you against some of the most common cyber threats. 
  • Shows customers and partners you take security seriously. 
  • Helps you qualify for contracts where certification is required. 

The CAF only applies if: 

  • You’re an operator of essential services (energy, water, transport, healthcare, etc.). 
  • You fall under the NIS Regulations and are required by your regulator to use it. 

If that doesn’t sound like your business, Cyber Essentials is the right fit. 

FAQs 

Is Cyber Essentials mandatory in the UK? 
Not for all organisations, but it’s often required for public sector contracts and increasingly expected by private clients. 

Who needs the CAF? 
Mainly large operators of essential services in Critical National Infrastructure. 

Can SMEs use the CAF? 
They can, but it’s not designed for them. It’s too resource-heavy for most small and medium-sized businesses. 

Cyber Essentials or CAF: which should I choose? 
Unless you’re regulated under NIS, Cyber Essentials (or Cyber Essentials Plus) is the right choice. 

Final Thoughts 

Cyber Essentials is like your business’s baseline defence. It’s a practical shield against everyday threats that also demonstrates your commitment to security. 

The Cyber Assessment Framework is more like a comprehensive playbook for large, critical organisations with high regulatory obligations. 

For most SMEs in the UK, the path forward is clear: start with Cyber Essentials. It’s cost-effective, contract-ready, and strengthens trust with your customers. 

Need help with Cyber Essentials? Get in touch today to see how we can help.
