July 11, 2026
Updated: July 11, 2026
A practical UK guide to Cyber Essentials requirements, the five controls, scope, Cyber Essentials Plus testing, certification costs and when independent penetration testing adds assurance.
Mohammed Khalil

Cyber Essentials requires an organisation to define its assessment scope and meet five technical control themes: firewalls, secure configuration, security update management, user access control and malware protection. The basic certification is a verified self-assessment. A senior representative approves the answers, and a qualified assessor reviews them.
A conventional penetration test is not part of basic Cyber Essentials. Cyber Essentials Plus uses the same underlying requirements but adds independent, scheme-specific technical testing of in-scope systems. That audit includes vulnerability and configuration-related checks, representative sampling and tests of control operation. It should not be described as a full penetration test.
A separately scoped penetration test can go deeper into exploitable weaknesses, business logic, authorisation flaws and attack paths. It may provide useful additional assurance, but it neither issues nor replaces Cyber Essentials or Cyber Essentials Plus certification.

Figure 1. Cyber Essentials is built around five technical control themes.
Cyber Essentials is the minimum cyber security standard recommended by the UK Government for organisations of all sizes. The NCSC owns and develops the scheme; IASME is its official delivery partner and manages the network of Certification Bodies and assessors. The scheme is designed to reduce exposure to common internet-based attacks through a defined set of technical controls, rather than to evaluate every aspect of governance, resilience or product security. The NCSC’s overview explains the scheme’s baseline purpose and five-control model.
Businesses, charities, public bodies, SaaS providers and organisations outside the UK can pursue certification. Customers may request it as a supply-chain baseline, and certain public contracts may require Cyber Essentials, Cyber Essentials Plus or equivalent controls. It is not a universal legal requirement for every UK organisation.
Certificates expire after 12 months. Renewal therefore provides a recurring checkpoint, but organisations should maintain the controls throughout the certification period rather than treating certification as a once-a-year exercise.
| Requirement Area | What the Organisation Must Address | Typical Evidence | Common Readiness Gap |
|---|---|---|---|
| Scope | In-scope legal entities, business units, networks, locations, devices, software, accounts and cloud services | Asset and cloud inventory; scope statement; network boundary | Omitted cloud services, remote devices or unsupported systems |
| Firewalls | Correctly configured protection for every in-scope device and controlled inbound access | Firewall inventory; rule approvals; admin-access settings | Unnecessary inbound rules or exposed administration |
| Secure configuration | Remove insecure defaults, unnecessary accounts, software and services | Build standard; configuration records; account list | Default credentials and unused services remain enabled |
| Security update management | Licensed, supported software and timely vulnerability fixes | Software inventory; support dates; update reports | Unsupported software or inconsistent deployment |
| User access control | Approved accounts, unique authentication, least privilege, separate admin use and MFA | Joiner/mover/leaver records; role list; MFA evidence | Excess privilege, dormant accounts or MFA gaps |
| Malware protection | Active, supported anti-malware or application allow listing as applicable | Endpoint status; policy; update logs; allow list | Incomplete device coverage or disabled protection |
| Senior confirmation | A board-level representative, owner or equivalent approves the answers | Signed electronic declaration | Technical answers are not reconciled with actual practice |
| Current documents | Answers match the applicable requirements and question-set version | Requirements v3.3 and Danzell working copy | Reusing last year’s answers without reviewing changes |
The current technical standard is the Cyber Essentials Requirements for IT Infrastructure v3.3, dated April 2026.
For assessment accounts created from 27 April 2026, organisations should use v3.3 with the Danzell question set, version 16.3 (May 2026). IASME’s 2026 scheme update confirms the transition and marking changes; this source was verified on 11 July 2026.
For operational detail on the update-control theme, DeepStrike’s guide to patch management is a useful companion, but the official scheme wording takes priority.
Purpose: limit which network services can be reached from the internet. Every in-scope device needs a correctly configured firewall or equivalent functionality. Default administrative passwords must change, unauthenticated inbound connections should be blocked by default, rules need approval and documentation, and internet-facing administration needs stronger protection.
Purpose: reduce avoidable weaknesses and expose only necessary functionality. Organisations should remove unnecessary accounts, software and services; replace insecure defaults; prevent unauthorised automatic execution; require authentication; and apply appropriate device-locking controls across endpoints, servers and relevant cloud services.
Purpose: prevent known, fixable vulnerabilities from remaining exposed. In-scope software must be licensed and supported. Relevant high-risk or critical fixes must be installed within 14 days, and v3.3 applies stricter auto-fail marking to the related operating-system, network-device and application questions.
Purpose: ensure only authorised people receive the access their roles require. Organisations should approve accounts, use unique credentials, remove dormant access, enforce least privilege, separate administration, and implement MFA where the current scheme requires it, including cloud services where MFA is available.
Purpose: restrict known malware and untrusted software from running or accessing data. Applicable devices need an active protection method, such as supported anti-malware or application allow listing, with evidence showing deployment, update status and approved coverage.
Scope is where many otherwise capable organisations lose accuracy. The default expectation is the whole IT infrastructure used to conduct the organisation’s business. A well-defined, separately managed subset may be used when necessary, but the business unit, network boundary and physical location must be clear, exclusions must be justified, and the scope must be agreed with the Certification Body.
A scope without end-user devices is not acceptable. Cloud services hosting organisational data or services cannot simply be excluded. The assessment also covers relevant accounts, including organisation-owned accounts used by MSPs or contractors.
| Asset or Service | Usually Relevant to Scope? | Key Question | Evidence to Prepare |
|---|---|---|---|
| Corporate laptops/desktops | Yes | Do they access organisational data or services and the internet? | Make, OS and version summary; management records |
| Mobile devices and BYOD | Often | Does the device access organisational data or services beyond voice, native text or MFA-only use? | Device/OS summary; access or container controls |
| Home-working routers | Sometimes | Was the router supplied by the organisation? | Router inventory or endpoint-firewall evidence |
| Office routers/firewalls | Yes where they control internet traffic | Which devices form the internet boundary? | Make, model, quantity and configuration ownership |
| Internet-facing servers | Yes | Which services accept connections from the internet? | Server inventory; public IP/DNS mapping |
| SaaS | Yes where it stores or processes organisational data | Which identities, settings and controls remain the organisation’s responsibility? | Service inventory; MFA and security settings |
| IaaS/PaaS | Yes | Which layers does the organisation configure and update? | Account/subscription list; shared-responsibility map |
| Third-party-managed infrastructure | Often | Can the organisation demonstrate that required controls are met? | Contract, trust/security statements and provider evidence |
| Unsupported systems | Not acceptable while internet-connected in scope | Can they be removed, upgraded or isolated through a compliant subset? | Support dates; migration or segregation evidence |
| Bespoke application components | Outside the scheme’s application-development coverage | Does the custom application need separate security assurance? | SDLC evidence; independent application test scope |
Source note: Scope positions reflect Requirements for IT Infrastructure v3.3, reviewed 11 July 2026. Organisations should agree their exact boundary and any subset with their Certification Body.
| Area | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Requirements | The five technical control themes | The same five technical control themes |
| Assessment method | Verified self-assessment reviewed by an assessor | Verified self-assessment plus independent technical audit |
| Prerequisite | None beyond meeting the current scheme requirements | Cyber Essentials; CE+ must normally be completed within three months of the basic certificate |
| Evidence | Questionnaire answers, clarifications and senior confirmation | Questionnaire evidence plus technical test results |
| Technical testing | No vulnerability scan or penetration test included | Scheme-defined external, internal, configuration and control checks |
| Sampling | Not applicable as a technical device test | Representative technical sampling; all relevant gateways and internet-exposed services receive defined coverage |
| Assurance | Baseline assurance from independently reviewed answers | Higher assurance that the same controls are implemented |
| Price | Fixed tier by employee count | Individually quoted for size and complexity |
| Validity | 12 months | 12 months |
| Result | Cyber Essentials certificate if successful | Cyber Essentials Plus certificate if successful |
IASME confirms that the controls are the same and the assurance method differs. Its current Cyber Essentials FAQ explains the verified self-assessment, Plus audit, fees, timing and annual renewal.

Figure 2. Cyber Essentials, Cyber Essentials Plus, and independent penetration testing provide different assurance outcomes.
No conventional penetration test is required as part of basic Cyber Essentials. The basic route is a verified self-assessment. It does not include a vulnerability scan or technical test.
Cyber Essentials Plus adds an official technical audit, but “technical audit” and “penetration test” are not synonyms. CE+ tests the implementation of the scheme’s five controls against defined procedures and a representative sample. A conventional pentest instead starts from an agreed security objective and target set, then investigates exploitable weaknesses and attack paths in greater depth.
The two scopes can differ materially. A Cyber Essentials certificate may cover a whole organisation or agreed subset, while a pentest might cover one customer portal, API, cloud account or external network range. Conversely, a successful application pentest does not show that every in-scope device is supported, every cloud service uses MFA or every user account follows scheme rules.
Buyers may therefore ask for both forms of assurance. Certification provides standardised baseline evidence; a separate pentest can address the specific systems or risks that matter to the buyer. Any test must have written authorisation, confirmed asset ownership, defined boundaries and rules of engagement. DeepStrike’s penetration testing scope guide explains how to document those boundaries.
| Area | Cyber Essentials Plus Audit | Independent Penetration Test |
|---|---|---|
| Primary objective | Verify implementation of the five scheme controls | Find and validate exploitable weaknesses and attack paths |
| Assessment criteria | Scheme requirements and prescribed test procedures | Agreed methodology, target architecture and risk objectives |
| Scope | Must align with the Cyber Essentials certificate | Defined separately by assets, roles and business objective |
| Sampling | Representative sampling under scheme rules | Coverage based on agreed assets and depth, not scheme sampling |
| Control validation | Central purpose | Included only where relevant to the agreed scope |
| Exploit validation | Limited to scheme-safe test purposes | Controlled validation may be used to prove impact |
| Business-logic testing | Not the scheme’s primary purpose | Common in web, API and workflow-focused tests |
| Reporting | Scheme assessment result and audit evidence | Executive and technical findings, evidence and risk-ranked remediation |
| Remediation | Follows IASME/Certification Body process | Managed under the engagement’s agreed remediation plan |
| Retesting | Scheme-specific reassessment | Verifies agreed findings; does not renew certification |
| Certification outcome | Can result in CE+ certification through an authorised provider | No Cyber Essentials certificate unless separately delivered by an authorised scheme provider |
| Provider authority | Qualified assessor working through a licensed Certification Body | Asset owner appoints a competent, authorised testing provider |
| Limitation | Baseline threat model and scheme-defined procedures | Point-in-time, scope-bound assurance; not an organisation-wide certification |
The public Cyber Essentials Plus Test Specification describes scope verification, remote vulnerability assessment, authenticated patch checks, malware protection, cloud MFA and account-separation tests.
The NCSC separately defines a penetration test as attempting to breach system security using adversary-like techniques and stresses that it is a scoped, point-in-time assurance activity. That distinction is set out in the NCSC’s penetration-testing guidance.
| Assessment | Main Purpose | Typical Depth | Scheme Certification Result | Evidence Produced | What It Does Not Replace |
|---|---|---|---|---|---|
| Automated vulnerability scan | Detect known issues at scale | Broad, tool-led | None | Scanner findings and asset observations | Manual validation or certification |
| Vulnerability assessment | Validate, classify and prioritise weaknesses | Broad with analyst review | None | Prioritised findings and remediation advice | Exploit-focused pentest or certification |
| Configuration review | Compare settings with a standard or secure baseline | Detailed for selected controls | None unless part of an official scheme | Setting-level evidence and gaps | Application/business-logic testing |
| Independent penetration test | Demonstrate exploitable risk and attack paths | Deep, manual and scope-bound | None | Validated findings, impact and remediation | Cyber Essentials or CE+ certification |
| Cyber Essentials Plus audit | Verify the five scheme controls technically | Scheme-defined with sampling | CE+ if delivered successfully by an authorised provider | Audit results and certification evidence | A full application, API, cloud or red-team assessment |
| Red team | Test detection and response against an objective | Broad, adversary-emulation focused | None | Attack narrative and defensive lessons | Baseline certification or routine vulnerability management |
For a more detailed distinction between breadth and depth, see vulnerability assessment vs penetration testing.
| Cyber Essentials Control | Certification Evidence | What Technical Testing May Validate | What a Pentest Cannot Certify |
|---|---|---|---|
| Firewalls | Device list, rules, approvals and administration settings | Exposed services, reachable management and rule effects | Complete rule governance across the certificate scope |
| Secure configuration | Build standard, account/service inventory and device settings | Default access, unnecessary services and unsafe combinations | Consistent configuration of every device over time |
| Security update management | Support dates, update policy and deployment records | Missing fixes and controlled exploitability | Continuous patch compliance across all assets |
| User access control | Account approvals, MFA, privilege and lifecycle records | Authorisation bypasses, privilege paths and weak recovery | Every identity lifecycle and senior attestation requirement |
| Malware protection | Endpoint coverage, update state and allow-list records | Whether sampled controls block approved test artefacts | Organisation-wide, continuous malware-control operation |
This mapping is a DeepStrike decision aid, not an official IASME control-mapping document.

Figure 3. Certification, deeper validation, and renewal should be managed as connected but distinct workstreams.
Certification answers whether a defined baseline is met. A pentest is most useful when the risk question concerns a particular system, trust boundary or attack path.
| Situation | Cyber Essentials Alone | Cyber Essentials Plus | Separate Pentest Consideration |
|---|---|---|---|
| Standard office IT and common cloud services | Useful baseline | Higher implementation assurance | Consider if risk or customer terms justify it |
| Internet-facing web application | Baseline controls around hosting and access | Scheme checks do not constitute full app testing | Often useful for authentication, input and business logic |
| API or multi-tenant SaaS | Baseline identity and platform controls | Higher assurance of scheme controls | Consider role, tenant and object-level authorisation testing |
| Complex cloud environment | Shared-responsibility baseline | Samples scheme-relevant settings and controls | Consider IAM, storage, secrets and attack-path validation |
| Mobile application | Endpoint and supporting-service baseline | Scheme-defined control verification | Consider client and backend API testing |
| Major migration, acquisition or architecture change | Re-establish scope and controls | Useful after implementation stabilises | Consider testing new trust boundaries and inherited risks |
| Repeated vulnerabilities or high-value system | Necessary baseline discipline | Stronger baseline evidence | Deeper testing may identify systemic or chained weaknesses |
| Customer or regulatory demand outside CE | May satisfy only part of the request | May provide stronger scheme evidence | Match testing to the actual contract or risk requirement |
For custom internet-facing systems, a separately authorised web application penetration test may examine issues the scheme is not designed to cover.
APIs should be scoped explicitly. DeepStrike’s API penetration testing guide explains the role and tenant information needed for meaningful coverage.
Complex IaaS and PaaS environments may also warrant a dedicated cloud penetration test.
Cyber Essentials is intentionally a baseline. It does not provide complete assurance over:
This does not diminish the scheme. A well-defined baseline and deeper risk-led assurance answer different questions and are strongest when used deliberately.
SaaS, PaaS and IaaS that host organisational data or services must be included. The applicant remains accountable for ensuring that the controls are implemented, even where the provider performs some of them. The evidence should show the division of responsibility through contracts, referenced security terms, trust-centre statements or the provider’s shared-responsibility documentation.
SaaS does not mean “the vendor handles everything”. The organisation still controls users, privileges, MFA and service configuration. In IaaS, it usually controls substantially more, including guest operating systems, network policies and application updates.
Corporate and relevant BYOD devices used for business are normally in scope. A home router supplied by the organisation is in scope. An ordinary employee-owned or ISP home router is normally outside scope, so the endpoint still needs appropriate firewall protection. A corporate VPN may move the effective internet boundary to an organisation-controlled firewall.
User-owned devices that access organisational data or services are generally in scope. Devices used only for native voice, native text or an MFA application are excluded under v3.3. Organisations should map actual access paths rather than assuming that every personal phone is either always included or always excluded.
Third-party support adds a second distinction: organisation-owned accounts used by MSPs remain in scope, while ownership and role affect whether third-party devices are within the formal device scope. The organisation still needs confidence that external access is secure.
Preparation time depends on the gaps. The short portal-completion and assessor-review estimates assume that the technical work has already been done.
| Item | Current Official Position | Variables | Source Date |
|---|---|---|---|
| Micro, 0–9 employees | £320 + VAT | Basic verified self-assessment | Retrieved 11 July 2026 |
| Small, 10–49 employees | £440 + VAT | Basic verified self-assessment | Retrieved 11 July 2026 |
| Medium, 50–249 employees | £500 + VAT | Basic verified self-assessment | Retrieved 11 July 2026 |
| Large, 250+ employees | £600 + VAT | Basic verified self-assessment | Retrieved 11 July 2026 |
| Supported preparation | Not included as one universal scheme fee | Provider, scope and remediation effort | Verify quote |
| Cyber Essentials Plus | Individually quoted | Network size, variety, locations and complexity | Retrieved 11 July 2026 |
| Basic assessment account | Six months to complete and submit | Account may close after the window | Retrieved 11 July 2026 |
| Assessor review aim | Most assessors aim to return submitted results within three days | Clarifications add time | Retrieved 11 July 2026 |
| Basic correction opportunity | Two working days after unsuccessful marking for simple changes and resubmission | Not a substitute for readiness; reapplication may be required if still unsuccessful | Retrieved 11 July 2026 |
| CE+ prerequisite timing | Complete CE+ within three months of the basic certification, or complete them together | Coordinate with the Certification Body | Retrieved 11 July 2026 |
| Certificate validity | 12 months | Renewal requires a new current assessment | Retrieved 11 July 2026 |
Source note: Prices and timings are from the IASME Cyber Essentials FAQ and current preparation page. Recheck them immediately before publication or purchase.
Cyber Essentials may be required for certain public contracts, but it is incorrect to say that every UK government contract requires it. Cabinet Office PPN 014 applies to defined in-scope bodies and describes higher-risk contract characteristics, including specified handling of personal information and ICT systems or services processing government information. It also requires security measures to be relevant, proportionate and necessary.
The tender and contract wording controls the supplier’s actual obligation. Buyers may accept equivalent controls in circumstances covered by procurement rules, require Cyber Essentials Plus for higher assurance, or specify additional measures when product, service or threat risks exceed the scheme. PPN 014 expressly rejects a blanket approach and says the scheme does not assure specific products or advanced targeted threats.
Suppliers should therefore review the current procurement documents, certificate scope, timing and any flow-down requirement. This article is not tendering or legal advice.
| Common Gap | Why It Matters | Preparation Action |
|---|---|---|
| Incomplete asset inventory | Devices and software cannot be scoped or updated reliably | Reconcile endpoint, server, network and software records |
| Incorrect or vague scope | Certification may omit relevant assets or misstate coverage | Document boundaries, exclusions, legal entities and segregation |
| Unsupported software | It cannot receive normal vendor vulnerability fixes | Upgrade, remove or use a scheme-compliant isolation approach |
| Updates outside the 14-day rule | Known high-risk weaknesses remain exposed | Track release date, severity and deployment completion |
| Cloud services omitted | v3.3 says qualifying cloud services cannot be excluded | Inventory SaaS, PaaS, IaaS, social accounts and identity providers |
| Remote/BYOD assets overlooked | Business access occurs outside the office boundary | Map users, devices, routers, VPNs and access methods |
| MFA gaps | Cloud authentication does not meet the current requirement | Test every cloud service and relevant user/admin account |
| Excessive privileges | Compromise has greater impact | Separate admin use and remove unnecessary rights |
| Default or stale accounts | They create avoidable access paths | Disable defaults, leavers and inactive accounts |
| Insecure firewall rules | Unnecessary services become internet reachable | Require business justification, approval and periodic removal |
| Incomplete malware coverage | Some device classes remain unprotected | Verify active status and vendor updates by device type |
| Unsupported answers | The assessor cannot verify the declared approach | Tie each answer to accurate technical and process evidence |
| Unclear third-party responsibility | Outsourcing is mistaken for transferred accountability | Obtain contracts, service evidence and named control ownership |
Certification is a point-in-time decision at the certificate issue date, but the 2026 senior declaration reinforces the organisation’s responsibility to maintain the controls. Assets, accounts, cloud services and software support dates change continuously.
Use routine inventories, access reviews, update reporting, firewall reviews and endpoint-health checks to keep answers true. Plan renewal as a new assessment against the then-current documents, not as a copy-and-paste exercise.
CE+ remediation follows the official assessment process. Under the 2026 update-management change, an internal vulnerability retest can include both the original sample and a new random sample to prevent selective patching. A second failure can affect the underlying verified self-assessment certificate.
A pentest retest is different: it verifies whether agreed findings were fixed. It does not renew Cyber Essentials or CE+ and normally does not discover all new issues unless a broader reassessment is commissioned.
| Provider Type | Appropriate Role | What to Verify | What They Should Not Be Assumed to Provide |
|---|---|---|---|
| Internal IT/security team | Inventory, implementation, evidence and maintenance | Ownership, time and scheme knowledge | Independent certification |
| Managed IT provider | Operate agreed devices, cloud and controls | Contracted scope, evidence and responsibility split | Authority to certify |
| NCSC-assured Cyber Advisor | Practical Cyber Essentials implementation support, especially for SMEs | Listed Assured Service Provider and current advisor status | Certificate issuance unless separately a Certification Body |
| Cyber Essentials Assessor | Review answers and determine conformity | Works for a licensed Certification Body | Broad pentesting unless separately qualified and scoped |
| Certification Body | Deliver scheme assessment and issue certification | Current IASME licence and applicable certification level | Assurance outside the declared scheme scope |
| CE+ audit provider | Conduct the authorised technical assessment | Certification Body status and CE+ capability | A conventional full-scope pentest |
| Penetration testing provider | Test authorised systems for exploitable weaknesses | Relevant expertise, methodology, safety and reporting | Cyber Essentials certification unless separately authorised under the scheme |
Verify official scheme roles in the NCSC and IASME directories. Similar job titles or security certifications are not substitutes for an active scheme listing.
When separate testing is justified, ask whether the provider:
A written penetration testing statement of work should align the business objective, scope, deliverables and retest expectations.
Methodology should then explain how that scope will be examined. DeepStrike’s penetration testing methodology explains the distinction.
| Framework or Assessment | Primary Purpose | Relationship to Cyber Essentials | Does It Replace Cyber Essentials? |
|---|---|---|---|
| Cyber Essentials | Five-control technical baseline | The baseline certification itself | Not applicable |
| Cyber Essentials Plus | Technical verification of the same controls | Higher-assurance scheme level | It is a separate CE certification level |
| ISO/IEC 27001 | Information security management system | Can govern broader risk and controls | No; scope and evidence differ |
| NCSC Cyber Assessment Framework | Outcome-based assessment for cyber resilience | Broader objectives and indicators | No |
| IASME Cyber Assurance | Wider governance and resilience assurance | Can complement and build on CE | No |
| Independent penetration test | Validate exploitable risk in an agreed target | Adds depth for selected systems | No |
| Vulnerability assessment | Identify and prioritise weaknesses | Supports vulnerability management and readiness | No |
Organisations with an ISMS should still compare certificate scopes and technical evidence directly. DeepStrike’s guide to ISO 27001 penetration testing explains why a targeted test can support an ISMS without replacing either ISO certification or Cyber Essentials.
The most common mistake is treating different assurance activities as interchangeable. Cyber Essentials is a verified self-assessment; Cyber Essentials Plus is a scheme-specific technical audit; and an independent penetration test investigates exploitable risk in an agreed target. Passing one does not automatically satisfy the others. Certification applies only to its declared scope, does not guarantee immunity from compromise, and does not remove the applicant’s cloud or ongoing-maintenance responsibilities.
The controls are firewalls, secure configuration, security update management, user access control and malware protection. Together they create a defined baseline against common internet-based attacks. They are not a complete cyber security programme, so organisations may still need broader governance, resilience, monitoring and system-specific testing.
Basic Cyber Essentials does not include a penetration test or vulnerability scan. It is a verified self-assessment reviewed by a qualified assessor and approved by a senior representative. A customer, regulator or contract may separately request a pentest, but that is distinct from the scheme requirement.
No. Cyber Essentials Plus is an independent technical audit against the same five controls as Cyber Essentials. It includes prescribed vulnerability, patching, malware, MFA and account-separation checks using scheme-defined coverage and sampling. A conventional pentest is scoped around exploitable weaknesses and attack paths and does not issue CE+ certification.
They use the same technical requirements. Cyber Essentials relies on an independently reviewed self-assessment, while CE+ adds independent technical testing of the in-scope environment. CE+ therefore provides a higher level of implementation assurance, but it is not a broader control framework.
Cyber Essentials and Cyber Essentials Plus certificates expire after 12 months. Organisations must reassess against the current requirements to renew. Controls should be maintained throughout the year because software, accounts, devices and cloud configurations can change well before the expiry date.
As verified on 11 July 2026, the basic IASME assessment costs £320 + VAT for 0–9 employees, £440 for 10–49, £500 for 50–249 and £600 for 250 or more. Support and remediation are separate. CE+ is quoted individually according to network size and complexity.
Yes. Qualifying SaaS, PaaS and IaaS that store or process organisational data or provide organisational services must be included. The cloud provider may implement some controls, but the applicant must understand and evidence the shared-responsibility split and retain responsibility for its own identities, privileges and configurations.
Corporate and relevant user-owned devices used for organisational business are normally in scope. Under v3.3, devices used only for native voice, native text or an MFA application are excluded. Organisation-supplied home routers are in scope; ordinary employee/ISP routers normally are not, so endpoint firewall protection remains important.
It is required, or equivalent controls must be demonstrated, for certain contracts covered by current procurement policy and contract terms. It is not required for every government contract. Buyers must use relevant and proportionate controls, and suppliers should check the tender, data handling, service type and exact certificate-scope requirements.
It can identify missing patches, exposed services and some configuration weaknesses, so it may help readiness. It cannot confirm the full asset scope, senior attestation, user-access processes, shared cloud responsibilities or every control. Scan results need technical review and should be combined with the official question set and evidence gathering.
No. ISO/IEC 27001 certifies an information security management system within its own scope. Cyber Essentials tests a defined technical baseline through a different scheme and scope. An organisation may hold both, and a buyer may require one or both depending on the risk and contract.
Cyber Essentials assessors must work through an IASME-licensed Certification Body. CE+ requires a Certification Body with the appropriate audit capability. A managed IT provider, consultant or penetration testing company should not be assumed to issue certificates unless its current official scheme status is verified.
Cyber Essentials is a defined UK baseline built around five practical technical controls. The basic level uses a verified self-assessment; Cyber Essentials Plus applies independent scheme testing to the same requirements; an independent penetration test investigates a separately agreed set of exploitable risks.
None of these should be used as shorthand for the others. Accurate scope, current documentation and evidence are central to certification. Deeper testing may be appropriate where architecture, customer expectations, custom applications, cloud complexity or contractual risk demands more assurance. Before applying or renewing, check the latest NCSC and IASME documents rather than relying on last year’s answers.
If your organisation needs security validation beyond a baseline certification review, DeepStrike can scope an authorised penetration test of agreed web, API, cloud, mobile or network assets for exploitable weaknesses. That engagement should be managed separately from the Cyber Essentials certification process and should not be presented as a substitute for an official assessment.
Mohammed Khalil is a Cybersecurity Architect at DeepStrike specialising in penetration testing and offensive security. His approved DeepStrike profile lists CISSP, OSCP and OSWE credentials. His work focuses on application, API, cloud and network security validation.

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today
Contact Us