logo svg
logo

July 11, 2026

Updated: July 11, 2026

Cyber Essentials (UK): Requirements & Penetration Testing

A practical UK guide to Cyber Essentials requirements, the five controls, scope, Cyber Essentials Plus testing, certification costs and when independent penetration testing adds assurance.

Mohammed Khalil

Mohammed Khalil

Featured Image

Executive Summary / TL;DR

Quick Answer: What Are the Cyber Essentials Requirements, and Is Penetration Testing Required?

Cyber Essentials requires an organisation to define its assessment scope and meet five technical control themes: firewalls, secure configuration, security update management, user access control and malware protection. The basic certification is a verified self-assessment. A senior representative approves the answers, and a qualified assessor reviews them.

A conventional penetration test is not part of basic Cyber Essentials. Cyber Essentials Plus uses the same underlying requirements but adds independent, scheme-specific technical testing of in-scope systems. That audit includes vulnerability and configuration-related checks, representative sampling and tests of control operation. It should not be described as a full penetration test.

A separately scoped penetration test can go deeper into exploitable weaknesses, business logic, authorisation flaws and attack paths. It may provide useful additional assurance, but it neither issues nor replaces Cyber Essentials or Cyber Essentials Plus certification.

Figure 1. Cyber Essentials is built around five technical control themes.

Figure 1. Cyber Essentials is built around five technical control themes.

What Is Cyber Essentials?

Cyber Essentials is the minimum cyber security standard recommended by the UK Government for organisations of all sizes. The NCSC owns and develops the scheme; IASME is its official delivery partner and manages the network of Certification Bodies and assessors. The scheme is designed to reduce exposure to common internet-based attacks through a defined set of technical controls, rather than to evaluate every aspect of governance, resilience or product security. The NCSC’s overview explains the scheme’s baseline purpose and five-control model.

Businesses, charities, public bodies, SaaS providers and organisations outside the UK can pursue certification. Customers may request it as a supply-chain baseline, and certain public contracts may require Cyber Essentials, Cyber Essentials Plus or equivalent controls. It is not a universal legal requirement for every UK organisation.

Certificates expire after 12 months. Renewal therefore provides a recurring checkpoint, but organisations should maintain the controls throughout the certification period rather than treating certification as a once-a-year exercise.

Cyber Essentials Requirements at a Glance

Requirement AreaWhat the Organisation Must AddressTypical EvidenceCommon Readiness Gap
ScopeIn-scope legal entities, business units, networks, locations, devices, software, accounts and cloud servicesAsset and cloud inventory; scope statement; network boundaryOmitted cloud services, remote devices or unsupported systems
FirewallsCorrectly configured protection for every in-scope device and controlled inbound accessFirewall inventory; rule approvals; admin-access settingsUnnecessary inbound rules or exposed administration
Secure configurationRemove insecure defaults, unnecessary accounts, software and servicesBuild standard; configuration records; account listDefault credentials and unused services remain enabled
Security update managementLicensed, supported software and timely vulnerability fixesSoftware inventory; support dates; update reportsUnsupported software or inconsistent deployment
User access controlApproved accounts, unique authentication, least privilege, separate admin use and MFAJoiner/mover/leaver records; role list; MFA evidenceExcess privilege, dormant accounts or MFA gaps
Malware protectionActive, supported anti-malware or application allow listing as applicableEndpoint status; policy; update logs; allow listIncomplete device coverage or disabled protection
Senior confirmationA board-level representative, owner or equivalent approves the answersSigned electronic declarationTechnical answers are not reconciled with actual practice
Current documentsAnswers match the applicable requirements and question-set versionRequirements v3.3 and Danzell working copyReusing last year’s answers without reviewing changes

The current technical standard is the Cyber Essentials Requirements for IT Infrastructure v3.3, dated April 2026.

For assessment accounts created from 27 April 2026, organisations should use v3.3 with the Danzell question set, version 16.3 (May 2026). IASME’s 2026 scheme update confirms the transition and marking changes; this source was verified on 11 July 2026.

For operational detail on the update-control theme, DeepStrike’s guide to patch management is a useful companion, but the official scheme wording takes priority.

The Five Cyber Essentials Technical Controls

Firewalls

Purpose: limit which network services can be reached from the internet. Every in-scope device needs a correctly configured firewall or equivalent functionality. Default administrative passwords must change, unauthenticated inbound connections should be blocked by default, rules need approval and documentation, and internet-facing administration needs stronger protection.

Secure Configuration

Purpose: reduce avoidable weaknesses and expose only necessary functionality. Organisations should remove unnecessary accounts, software and services; replace insecure defaults; prevent unauthorised automatic execution; require authentication; and apply appropriate device-locking controls across endpoints, servers and relevant cloud services.

Security Update Management

Purpose: prevent known, fixable vulnerabilities from remaining exposed. In-scope software must be licensed and supported. Relevant high-risk or critical fixes must be installed within 14 days, and v3.3 applies stricter auto-fail marking to the related operating-system, network-device and application questions.

User Access Control

Purpose: ensure only authorised people receive the access their roles require. Organisations should approve accounts, use unique credentials, remove dormant access, enforce least privilege, separate administration, and implement MFA where the current scheme requires it, including cloud services where MFA is available.

Malware Protection

Purpose: restrict known malware and untrusted software from running or accessing data. Applicable devices need an active protection method, such as supported anti-malware or application allow listing, with evidence showing deployment, update status and approved coverage.

Cyber Essentials Scope Requirements

Scope is where many otherwise capable organisations lose accuracy. The default expectation is the whole IT infrastructure used to conduct the organisation’s business. A well-defined, separately managed subset may be used when necessary, but the business unit, network boundary and physical location must be clear, exclusions must be justified, and the scope must be agreed with the Certification Body.

A scope without end-user devices is not acceptable. Cloud services hosting organisational data or services cannot simply be excluded. The assessment also covers relevant accounts, including organisation-owned accounts used by MSPs or contractors.

Asset or ServiceUsually Relevant to Scope?Key QuestionEvidence to Prepare
Corporate laptops/desktopsYesDo they access organisational data or services and the internet?Make, OS and version summary; management records
Mobile devices and BYODOftenDoes the device access organisational data or services beyond voice, native text or MFA-only use?Device/OS summary; access or container controls
Home-working routersSometimesWas the router supplied by the organisation?Router inventory or endpoint-firewall evidence
Office routers/firewallsYes where they control internet trafficWhich devices form the internet boundary?Make, model, quantity and configuration ownership
Internet-facing serversYesWhich services accept connections from the internet?Server inventory; public IP/DNS mapping
SaaSYes where it stores or processes organisational dataWhich identities, settings and controls remain the organisation’s responsibility?Service inventory; MFA and security settings
IaaS/PaaSYesWhich layers does the organisation configure and update?Account/subscription list; shared-responsibility map
Third-party-managed infrastructureOftenCan the organisation demonstrate that required controls are met?Contract, trust/security statements and provider evidence
Unsupported systemsNot acceptable while internet-connected in scopeCan they be removed, upgraded or isolated through a compliant subset?Support dates; migration or segregation evidence
Bespoke application componentsOutside the scheme’s application-development coverageDoes the custom application need separate security assurance?SDLC evidence; independent application test scope

Source note: Scope positions reflect Requirements for IT Infrastructure v3.3, reviewed 11 July 2026. Organisations should agree their exact boundary and any subset with their Certification Body.

Cyber Essentials vs Cyber Essentials Plus

AreaCyber EssentialsCyber Essentials Plus
RequirementsThe five technical control themesThe same five technical control themes
Assessment methodVerified self-assessment reviewed by an assessorVerified self-assessment plus independent technical audit
PrerequisiteNone beyond meeting the current scheme requirementsCyber Essentials; CE+ must normally be completed within three months of the basic certificate
EvidenceQuestionnaire answers, clarifications and senior confirmationQuestionnaire evidence plus technical test results
Technical testingNo vulnerability scan or penetration test includedScheme-defined external, internal, configuration and control checks
SamplingNot applicable as a technical device testRepresentative technical sampling; all relevant gateways and internet-exposed services receive defined coverage
AssuranceBaseline assurance from independently reviewed answersHigher assurance that the same controls are implemented
PriceFixed tier by employee countIndividually quoted for size and complexity
Validity12 months12 months
ResultCyber Essentials certificate if successfulCyber Essentials Plus certificate if successful

IASME confirms that the controls are the same and the assurance method differs. Its current Cyber Essentials FAQ explains the verified self-assessment, Plus audit, fees, timing and annual renewal.

Figure 2. Cyber Essentials, Cyber Essentials Plus, and independent penetration testing provide different assurance outcomes.

Figure 2. Cyber Essentials, Cyber Essentials Plus, and independent penetration testing provide different assurance outcomes.

Does Cyber Essentials Require Penetration Testing?

No conventional penetration test is required as part of basic Cyber Essentials. The basic route is a verified self-assessment. It does not include a vulnerability scan or technical test.

Cyber Essentials Plus adds an official technical audit, but “technical audit” and “penetration test” are not synonyms. CE+ tests the implementation of the scheme’s five controls against defined procedures and a representative sample. A conventional pentest instead starts from an agreed security objective and target set, then investigates exploitable weaknesses and attack paths in greater depth.

The two scopes can differ materially. A Cyber Essentials certificate may cover a whole organisation or agreed subset, while a pentest might cover one customer portal, API, cloud account or external network range. Conversely, a successful application pentest does not show that every in-scope device is supported, every cloud service uses MFA or every user account follows scheme rules.

Buyers may therefore ask for both forms of assurance. Certification provides standardised baseline evidence; a separate pentest can address the specific systems or risks that matter to the buyer. Any test must have written authorisation, confirmed asset ownership, defined boundaries and rules of engagement. DeepStrike’s penetration testing scope guide explains how to document those boundaries.

Cyber Essentials Plus Audit vs Independent Penetration Test

AreaCyber Essentials Plus AuditIndependent Penetration Test
Primary objectiveVerify implementation of the five scheme controlsFind and validate exploitable weaknesses and attack paths
Assessment criteriaScheme requirements and prescribed test proceduresAgreed methodology, target architecture and risk objectives
ScopeMust align with the Cyber Essentials certificateDefined separately by assets, roles and business objective
SamplingRepresentative sampling under scheme rulesCoverage based on agreed assets and depth, not scheme sampling
Control validationCentral purposeIncluded only where relevant to the agreed scope
Exploit validationLimited to scheme-safe test purposesControlled validation may be used to prove impact
Business-logic testingNot the scheme’s primary purposeCommon in web, API and workflow-focused tests
ReportingScheme assessment result and audit evidenceExecutive and technical findings, evidence and risk-ranked remediation
RemediationFollows IASME/Certification Body processManaged under the engagement’s agreed remediation plan
RetestingScheme-specific reassessmentVerifies agreed findings; does not renew certification
Certification outcomeCan result in CE+ certification through an authorised providerNo Cyber Essentials certificate unless separately delivered by an authorised scheme provider
Provider authorityQualified assessor working through a licensed Certification BodyAsset owner appoints a competent, authorised testing provider
LimitationBaseline threat model and scheme-defined proceduresPoint-in-time, scope-bound assurance; not an organisation-wide certification

The public Cyber Essentials Plus Test Specification describes scope verification, remote vulnerability assessment, authenticated patch checks, malware protection, cloud MFA and account-separation tests.

The NCSC separately defines a penetration test as attempting to breach system security using adversary-like techniques and stresses that it is a scoped, point-in-time assurance activity. That distinction is set out in the NCSC’s penetration-testing guidance.

Vulnerability Scanning vs Assessment vs Pentesting

AssessmentMain PurposeTypical DepthScheme Certification ResultEvidence ProducedWhat It Does Not Replace
Automated vulnerability scanDetect known issues at scaleBroad, tool-ledNoneScanner findings and asset observationsManual validation or certification
Vulnerability assessmentValidate, classify and prioritise weaknessesBroad with analyst reviewNonePrioritised findings and remediation adviceExploit-focused pentest or certification
Configuration reviewCompare settings with a standard or secure baselineDetailed for selected controlsNone unless part of an official schemeSetting-level evidence and gapsApplication/business-logic testing
Independent penetration testDemonstrate exploitable risk and attack pathsDeep, manual and scope-boundNoneValidated findings, impact and remediationCyber Essentials or CE+ certification
Cyber Essentials Plus auditVerify the five scheme controls technicallyScheme-defined with samplingCE+ if delivered successfully by an authorised providerAudit results and certification evidenceA full application, API, cloud or red-team assessment
Red teamTest detection and response against an objectiveBroad, adversary-emulation focusedNoneAttack narrative and defensive lessonsBaseline certification or routine vulnerability management

For a more detailed distinction between breadth and depth, see vulnerability assessment vs penetration testing.

Cyber Essentials Readiness Checklist

Mapping the Five Controls to Security Validation

Cyber Essentials ControlCertification EvidenceWhat Technical Testing May ValidateWhat a Pentest Cannot Certify
FirewallsDevice list, rules, approvals and administration settingsExposed services, reachable management and rule effectsComplete rule governance across the certificate scope
Secure configurationBuild standard, account/service inventory and device settingsDefault access, unnecessary services and unsafe combinationsConsistent configuration of every device over time
Security update managementSupport dates, update policy and deployment recordsMissing fixes and controlled exploitabilityContinuous patch compliance across all assets
User access controlAccount approvals, MFA, privilege and lifecycle recordsAuthorisation bypasses, privilege paths and weak recoveryEvery identity lifecycle and senior attestation requirement
Malware protectionEndpoint coverage, update state and allow-list recordsWhether sampled controls block approved test artefactsOrganisation-wide, continuous malware-control operation

This mapping is a DeepStrike decision aid, not an official IASME control-mapping document.

Figure 3. Certification, deeper validation, and renewal should be managed as connected but distinct workstreams.

Figure 3. Certification, deeper validation, and renewal should be managed as connected but distinct workstreams.

When a Separate Penetration Test Adds Value

Certification answers whether a defined baseline is met. A pentest is most useful when the risk question concerns a particular system, trust boundary or attack path.

SituationCyber Essentials AloneCyber Essentials PlusSeparate Pentest Consideration
Standard office IT and common cloud servicesUseful baselineHigher implementation assuranceConsider if risk or customer terms justify it
Internet-facing web applicationBaseline controls around hosting and accessScheme checks do not constitute full app testingOften useful for authentication, input and business logic
API or multi-tenant SaaSBaseline identity and platform controlsHigher assurance of scheme controlsConsider role, tenant and object-level authorisation testing
Complex cloud environmentShared-responsibility baselineSamples scheme-relevant settings and controlsConsider IAM, storage, secrets and attack-path validation
Mobile applicationEndpoint and supporting-service baselineScheme-defined control verificationConsider client and backend API testing
Major migration, acquisition or architecture changeRe-establish scope and controlsUseful after implementation stabilisesConsider testing new trust boundaries and inherited risks
Repeated vulnerabilities or high-value systemNecessary baseline disciplineStronger baseline evidenceDeeper testing may identify systemic or chained weaknesses
Customer or regulatory demand outside CEMay satisfy only part of the requestMay provide stronger scheme evidenceMatch testing to the actual contract or risk requirement

For custom internet-facing systems, a separately authorised web application penetration test may examine issues the scheme is not designed to cover.

APIs should be scoped explicitly. DeepStrike’s API penetration testing guide explains the role and tenant information needed for meaningful coverage.

Complex IaaS and PaaS environments may also warrant a dedicated cloud penetration test.

What Cyber Essentials Does Not Cover Completely

Cyber Essentials is intentionally a baseline. It does not provide complete assurance over:

This does not diminish the scheme. A well-defined baseline and deeper risk-led assurance answer different questions and are strongest when used deliberately.

Cyber Essentials for Cloud Services, Remote Work and BYOD

Cloud services

SaaS, PaaS and IaaS that host organisational data or services must be included. The applicant remains accountable for ensuring that the controls are implemented, even where the provider performs some of them. The evidence should show the division of responsibility through contracts, referenced security terms, trust-centre statements or the provider’s shared-responsibility documentation.

SaaS does not mean “the vendor handles everything”. The organisation still controls users, privileges, MFA and service configuration. In IaaS, it usually controls substantially more, including guest operating systems, network policies and application updates.

Remote and home working

Corporate and relevant BYOD devices used for business are normally in scope. A home router supplied by the organisation is in scope. An ordinary employee-owned or ISP home router is normally outside scope, so the endpoint still needs appropriate firewall protection. A corporate VPN may move the effective internet boundary to an organisation-controlled firewall.

BYOD

User-owned devices that access organisational data or services are generally in scope. Devices used only for native voice, native text or an MFA application are excluded under v3.3. Organisations should map actual access paths rather than assuming that every personal phone is either always included or always excluded.

Third-party support adds a second distinction: organisation-owned accounts used by MSPs remain in scope, while ownership and role affect whether third-party devices are within the formal device scope. The organisation still needs confidence that external access is secure.

Cyber Essentials Certification Process

  1. Read the current Requirements for IT Infrastructure and question set.
  2. Define the legal entities, business boundary, networks, locations, devices, accounts and cloud services in scope.
  3. Complete readiness work and collect evidence.
  4. Decide whether to prepare internally or use appropriate support.
  5. Purchase the assessment through the scheme route.
  6. Complete the verified self-assessment in the IASME platform.
  7. Have a board-level representative, business owner or equivalent approve the answers.
  8. Respond to assessor clarification requests accurately.
  9. Correct eligible basic-assessment issues within the current scheme window if required.
  10. Receive certification only when the assessor determines that the requirements are met.
  11. Maintain the controls and renew before the 12-month expiry.
  12. If CE+ is required, arrange it through a qualified Certification Body within the current prerequisite window.

Preparation time depends on the gaps. The short portal-completion and assessor-review estimates assume that the technical work has already been done.

Cyber Essentials Cost, Timing and Validity

ItemCurrent Official PositionVariablesSource Date
Micro, 0–9 employees£320 + VATBasic verified self-assessmentRetrieved 11 July 2026
Small, 10–49 employees£440 + VATBasic verified self-assessmentRetrieved 11 July 2026
Medium, 50–249 employees£500 + VATBasic verified self-assessmentRetrieved 11 July 2026
Large, 250+ employees£600 + VATBasic verified self-assessmentRetrieved 11 July 2026
Supported preparationNot included as one universal scheme feeProvider, scope and remediation effortVerify quote
Cyber Essentials PlusIndividually quotedNetwork size, variety, locations and complexityRetrieved 11 July 2026
Basic assessment accountSix months to complete and submitAccount may close after the windowRetrieved 11 July 2026
Assessor review aimMost assessors aim to return submitted results within three daysClarifications add timeRetrieved 11 July 2026
Basic correction opportunityTwo working days after unsuccessful marking for simple changes and resubmissionNot a substitute for readiness; reapplication may be required if still unsuccessfulRetrieved 11 July 2026
CE+ prerequisite timingComplete CE+ within three months of the basic certification, or complete them togetherCoordinate with the Certification BodyRetrieved 11 July 2026
Certificate validity12 monthsRenewal requires a new current assessmentRetrieved 11 July 2026

Source note: Prices and timings are from the IASME Cyber Essentials FAQ and current preparation page. Recheck them immediately before publication or purchase.

Cyber Essentials and UK Government Contracts

Cyber Essentials may be required for certain public contracts, but it is incorrect to say that every UK government contract requires it. Cabinet Office PPN 014 applies to defined in-scope bodies and describes higher-risk contract characteristics, including specified handling of personal information and ICT systems or services processing government information. It also requires security measures to be relevant, proportionate and necessary.

The tender and contract wording controls the supplier’s actual obligation. Buyers may accept equivalent controls in circumstances covered by procurement rules, require Cyber Essentials Plus for higher assurance, or specify additional measures when product, service or threat risks exceed the scheme. PPN 014 expressly rejects a blanket approach and says the scheme does not assure specific products or advanced targeted threats.

Suppliers should therefore review the current procurement documents, certificate scope, timing and any flow-down requirement. This article is not tendering or legal advice.

Common Cyber Essentials Readiness and Assessment Gaps

Common GapWhy It MattersPreparation Action
Incomplete asset inventoryDevices and software cannot be scoped or updated reliablyReconcile endpoint, server, network and software records
Incorrect or vague scopeCertification may omit relevant assets or misstate coverageDocument boundaries, exclusions, legal entities and segregation
Unsupported softwareIt cannot receive normal vendor vulnerability fixesUpgrade, remove or use a scheme-compliant isolation approach
Updates outside the 14-day ruleKnown high-risk weaknesses remain exposedTrack release date, severity and deployment completion
Cloud services omittedv3.3 says qualifying cloud services cannot be excludedInventory SaaS, PaaS, IaaS, social accounts and identity providers
Remote/BYOD assets overlookedBusiness access occurs outside the office boundaryMap users, devices, routers, VPNs and access methods
MFA gapsCloud authentication does not meet the current requirementTest every cloud service and relevant user/admin account
Excessive privilegesCompromise has greater impactSeparate admin use and remove unnecessary rights
Default or stale accountsThey create avoidable access pathsDisable defaults, leavers and inactive accounts
Insecure firewall rulesUnnecessary services become internet reachableRequire business justification, approval and periodic removal
Incomplete malware coverageSome device classes remain unprotectedVerify active status and vendor updates by device type
Unsupported answersThe assessor cannot verify the declared approachTie each answer to accurate technical and process evidence
Unclear third-party responsibilityOutsourcing is mistaken for transferred accountabilityObtain contracts, service evidence and named control ownership

Remediation, Retesting and Ongoing Maintenance

Certification is a point-in-time decision at the certificate issue date, but the 2026 senior declaration reinforces the organisation’s responsibility to maintain the controls. Assets, accounts, cloud services and software support dates change continuously.

Use routine inventories, access reviews, update reporting, firewall reviews and endpoint-health checks to keep answers true. Plan renewal as a new assessment against the then-current documents, not as a copy-and-paste exercise.

CE+ remediation follows the official assessment process. Under the 2026 update-management change, an internal vulnerability retest can include both the original sample and a new random sample to prevent selective patching. A second failure can affect the underlying verified self-assessment certificate.

A pentest retest is different: it verifies whether agreed findings were fixed. It does not renew Cyber Essentials or CE+ and normally does not discover all new issues unless a broader reassessment is commissioned.

How to Choose Appropriate Support

Provider TypeAppropriate RoleWhat to VerifyWhat They Should Not Be Assumed to Provide
Internal IT/security teamInventory, implementation, evidence and maintenanceOwnership, time and scheme knowledgeIndependent certification
Managed IT providerOperate agreed devices, cloud and controlsContracted scope, evidence and responsibility splitAuthority to certify
NCSC-assured Cyber AdvisorPractical Cyber Essentials implementation support, especially for SMEsListed Assured Service Provider and current advisor statusCertificate issuance unless separately a Certification Body
Cyber Essentials AssessorReview answers and determine conformityWorks for a licensed Certification BodyBroad pentesting unless separately qualified and scoped
Certification BodyDeliver scheme assessment and issue certificationCurrent IASME licence and applicable certification levelAssurance outside the declared scheme scope
CE+ audit providerConduct the authorised technical assessmentCertification Body status and CE+ capabilityA conventional full-scope pentest
Penetration testing providerTest authorised systems for exploitable weaknessesRelevant expertise, methodology, safety and reportingCyber Essentials certification unless separately authorised under the scheme

Verify official scheme roles in the NCSC and IASME directories. Similar job titles or security certifications are not substitutes for an active scheme listing.

Buyer Checklist for a Penetration Testing Provider

When separate testing is justified, ask whether the provider:

A written penetration testing statement of work should align the business objective, scope, deliverables and retest expectations.

Methodology should then explain how that scope will be examined. DeepStrike’s penetration testing methodology explains the distinction.

Cyber Essentials vs Other Security Frameworks

Framework or AssessmentPrimary PurposeRelationship to Cyber EssentialsDoes It Replace Cyber Essentials?
Cyber EssentialsFive-control technical baselineThe baseline certification itselfNot applicable
Cyber Essentials PlusTechnical verification of the same controlsHigher-assurance scheme levelIt is a separate CE certification level
ISO/IEC 27001Information security management systemCan govern broader risk and controlsNo; scope and evidence differ
NCSC Cyber Assessment FrameworkOutcome-based assessment for cyber resilienceBroader objectives and indicatorsNo
IASME Cyber AssuranceWider governance and resilience assuranceCan complement and build on CENo
Independent penetration testValidate exploitable risk in an agreed targetAdds depth for selected systemsNo
Vulnerability assessmentIdentify and prioritise weaknessesSupports vulnerability management and readinessNo

Organisations with an ISMS should still compare certificate scopes and technical evidence directly. DeepStrike’s guide to ISO 27001 penetration testing explains why a targeted test can support an ISMS without replacing either ISO certification or Cyber Essentials.

Common Misunderstandings

The most common mistake is treating different assurance activities as interchangeable. Cyber Essentials is a verified self-assessment; Cyber Essentials Plus is a scheme-specific technical audit; and an independent penetration test investigates exploitable risk in an agreed target. Passing one does not automatically satisfy the others. Certification applies only to its declared scope, does not guarantee immunity from compromise, and does not remove the applicant’s cloud or ongoing-maintenance responsibilities.

FAQs

1. What are the five Cyber Essentials controls?

The controls are firewalls, secure configuration, security update management, user access control and malware protection. Together they create a defined baseline against common internet-based attacks. They are not a complete cyber security programme, so organisations may still need broader governance, resilience, monitoring and system-specific testing.

2. Does Cyber Essentials require penetration testing?

Basic Cyber Essentials does not include a penetration test or vulnerability scan. It is a verified self-assessment reviewed by a qualified assessor and approved by a senior representative. A customer, regulator or contract may separately request a pentest, but that is distinct from the scheme requirement.

3. Is Cyber Essentials Plus a penetration test?

No. Cyber Essentials Plus is an independent technical audit against the same five controls as Cyber Essentials. It includes prescribed vulnerability, patching, malware, MFA and account-separation checks using scheme-defined coverage and sampling. A conventional pentest is scoped around exploitable weaknesses and attack paths and does not issue CE+ certification.

4. What is the difference between Cyber Essentials and Cyber Essentials Plus?

They use the same technical requirements. Cyber Essentials relies on an independently reviewed self-assessment, while CE+ adds independent technical testing of the in-scope environment. CE+ therefore provides a higher level of implementation assurance, but it is not a broader control framework.

5. How long is Cyber Essentials certification valid?

Cyber Essentials and Cyber Essentials Plus certificates expire after 12 months. Organisations must reassess against the current requirements to renew. Controls should be maintained throughout the year because software, accounts, devices and cloud configurations can change well before the expiry date.

6. How much does Cyber Essentials cost?

As verified on 11 July 2026, the basic IASME assessment costs £320 + VAT for 0–9 employees, £440 for 10–49, £500 for 50–249 and £600 for 250 or more. Support and remediation are separate. CE+ is quoted individually according to network size and complexity.

7. Does Cyber Essentials cover cloud services?

Yes. Qualifying SaaS, PaaS and IaaS that store or process organisational data or provide organisational services must be included. The cloud provider may implement some controls, but the applicant must understand and evidence the shared-responsibility split and retain responsibility for its own identities, privileges and configurations.

8. Are home-working and BYOD devices in scope?

Corporate and relevant user-owned devices used for organisational business are normally in scope. Under v3.3, devices used only for native voice, native text or an MFA application are excluded. Organisation-supplied home routers are in scope; ordinary employee/ISP routers normally are not, so endpoint firewall protection remains important.

9. Is Cyber Essentials required for UK government contracts?

It is required, or equivalent controls must be demonstrated, for certain contracts covered by current procurement policy and contract terms. It is not required for every government contract. Buyers must use relevant and proportionate controls, and suppliers should check the tender, data handling, service type and exact certificate-scope requirements.

10. Can a vulnerability scan prepare an organisation for Cyber Essentials?

It can identify missing patches, exposed services and some configuration weaknesses, so it may help readiness. It cannot confirm the full asset scope, senior attestation, user-access processes, shared cloud responsibilities or every control. Scan results need technical review and should be combined with the official question set and evidence gathering.

11. Does ISO 27001 replace Cyber Essentials?

No. ISO/IEC 27001 certifies an information security management system within its own scope. Cyber Essentials tests a defined technical baseline through a different scheme and scope. An organisation may hold both, and a buyer may require one or both depending on the risk and contract.

12. Who can issue Cyber Essentials certification?

Cyber Essentials assessors must work through an IASME-licensed Certification Body. CE+ requires a Certification Body with the appropriate audit capability. A managed IT provider, consultant or penetration testing company should not be assumed to issue certificates unless its current official scheme status is verified.

Conclusion

Cyber Essentials is a defined UK baseline built around five practical technical controls. The basic level uses a verified self-assessment; Cyber Essentials Plus applies independent scheme testing to the same requirements; an independent penetration test investigates a separately agreed set of exploitable risks.

None of these should be used as shorthand for the others. Accurate scope, current documentation and evidence are central to certification. Deeper testing may be appropriate where architecture, customer expectations, custom applications, cloud complexity or contractual risk demands more assurance. Before applying or renewing, check the latest NCSC and IASME documents rather than relying on last year’s answers.

How DeepStrike Can Help

If your organisation needs security validation beyond a baseline certification review, DeepStrike can scope an authorised penetration test of agreed web, API, cloud, mobile or network assets for exploitable weaknesses. That engagement should be managed separately from the Cyber Essentials certification process and should not be presented as a substitute for an official assessment.

About the Author

Mohammed Khalil is a Cybersecurity Architect at DeepStrike specialising in penetration testing and offensive security. His approved DeepStrike profile lists CISSP, OSCP and OSWE credentials. His work focuses on application, API, cloud and network security validation.

background
Let's hack you before real hackers do

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today

Contact Us