Cyber Essentials and Penetration Testing: What Your Business Actually Needs

by Rebecca Sutton

When businesses start researching cyber essentials penetration testing requirements, they quickly find the two terms tangled together in ways that make it hard to know what they actually need. The short answer: Cyber Essentials does not require a penetration test, and the Plus tier is not a penetration test either. But they are related, and many UK businesses end up needing both for different reasons.

The Two Levels of Cyber Essentials

The Cyber Essentials scheme has two tiers, both developed by the NCSC and delivered through IASME-accredited certification bodies.

Cyber Essentials is the baseline. You complete a self-assessment questionnaire confirming that five technical controls are in place: firewalls on all internet-facing devices, secure configuration removing unnecessary software, individual user accounts with restricted admin privileges, malware protection with automatic updates, and security patches applied within 14 days of release. An accredited assessor reviews your answers and issues the certificate if they are satisfied. The certificate is valid for one year. Pricing starts from £320 plus VAT.

For UK organisations bidding on central government contracts that involve handling sensitive or personal data, holding a current Cyber Essentials certificate is a mandatory requirement. Many commercial clients now ask for it too as part of their supplier due diligence.

Cyber Essentials Plus is the higher tier. You must first hold a current CE certificate. A licensed assessor then conducts a technical review of your actual systems. The assessment includes an external vulnerability scan of your internet-facing infrastructure, an internal credentialed scan of a sample of your devices, and direct configuration checks covering firewall rules, account separation, MFA on cloud services and malware protection settings. CE+ costs range from around £2,000 for smaller organisations to £15,000 or more for complex environments. About 70 to 75 per cent of organisations pass on their first attempt.

What CE+ Does Not Cover

CE+ checks whether your five controls are configured correctly. It does not try to bypass them. Specifically, CE+ does not:

  • Attempt to exploit the vulnerabilities it identifies
  • Chain individual weaknesses together to trace a realistic attack path
  • Test business logic in custom applications or APIs
  • Simulate credential attacks, phishing or social engineering
  • Apply an adversarial mindset to your specific environment

This is by design. The scheme aims to verify baseline controls against a defined checklist, not to simulate a sophisticated attacker. A penetration test does that second thing. So when someone asks about cyber essentials penetration testing requirements, the honest answer is that CE+ verifies controls exist, while a pen test tries to breach them.

Cyber Essentials Penetration Testing: A Side-by-Side Comparison

| Feature | Cyber Essentials | Cyber Essentials Plus | Penetration Test |
| --- | --- | --- | --- |
| Assessment method | Self-assessment questionnaire | Assessor-led technical audit | Manual adversarial testing |
| Vulnerability scanning | No | Yes (external and internal) | Yes (as part of reconnaissance) |
| Configuration checks | Self-declared | Verified by assessor | Tested under attack conditions |
| Exploitation attempts | No | No | Yes |
| Business logic testing | No | No | Yes (web and API tests) |
| Social engineering | No | No | Optional |
| UK government contracts | Required | Not required (voluntary) | Not required |
| Typical UK cost | £320+ | £2,000 to £15,000+ | £2,500 to £25,000+ |
| Validity | 12 months | 12 months | Point in time |

What a Penetration Test Adds

A penetration test brings a different kind of scrutiny. Where CE+ confirms that your patch management is working and your firewall rules look correct, a pen tester tries to use those same systems to reach an objective an attacker would care about.

The NCSC’s penetration testing guidance describes the activity as “attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.” In practice, that means chaining together weaknesses that individually look minor. It also means testing whether your application’s authorisation logic can be circumvented, and checking whether misconfigured services provide a foothold into internal systems.

For organisations running custom web applications or APIs, external scanning simply cannot reach the application layer. A web application test is the right tool for that exposure. CE+ does not substitute for it. See our guide to penetration testing vs vulnerability scanning for a fuller explanation of where the boundary sits.

When Should You Get a Penetration Test?

CE and CE+ are worth holding regardless. But a separate penetration test makes sense when:

  • You have a custom web application or API accessed by customers or partners
  • Your cyber liability insurer asks for evidence of adversarial testing, which is now common in most policy renewals
  • You are working toward ISO 27001 or a similar framework that requires technical risk assessment beyond compliance scanning
  • You handle sensitive data including financial records, health information or high-value intellectual property
  • Your clients or contracts require it as part of supplier due diligence

Many UK businesses treat CE+ as the security baseline and commission a penetration test separately on an annual cycle. The certification covers the compliance requirement. The pen test covers the real-world risk question. Understanding this split is what makes cyber essentials penetration testing planning straightforward: you need both, but for different reasons.

Aardwolf Security works with businesses that hold Cyber Essentials and want to know what an attacker could actually reach. If you are ready to move beyond the compliance checklist, get in touch and we can scope the right test for your environment.

Does Running a Penetration Test Help You Pass CE+?

Not directly. CE+ assesses specific controls against a defined checklist. The most targeted preparation is a gap analysis against the CE requirements, followed by patching and configuration hardening before the assessment date. If you fail CE+ because of unpatched software or misconfigured firewall rules, the right response is to fix those specific findings, not to commission a pen test.

A vulnerability assessment is a more appropriate CE+ preparation tool. It identifies the known weaknesses that CE+ scanning will flag, giving you a remediation list before the formal assessment.

Frequently Asked Questions

What does cyber essentials penetration testing actually mean?

The phrase is sometimes used to mean the technical assessment included in Cyber Essentials Plus, but that assessment is vulnerability scanning and configuration checking, not adversarial pen testing. True penetration testing involves manual exploitation attempts and is a separate activity that goes beyond what CE+ covers.

Does CE+ satisfy penetration testing requirements for cyber insurance?

Usually not. Cyber liability insurers who specify penetration testing typically mean an independent adversarial test including exploitation attempts. CE+ uses automated scanning and configuration checks, which most insurers treat as a separate and lower standard. Read your policy wording carefully, or ask your broker.

Can a penetration test replace Cyber Essentials certification?

No. A penetration test report and a CE certificate serve different purposes and are not interchangeable. Government contracts require the certificate. A pen test report does not substitute for it.

What is the NCSC CHECK scheme?

CHECK is the NCSC’s quality assurance scheme for penetration testing providers working with UK public sector organisations. Providers applying for CHECK status must hold a current CE+ certificate for their own systems. This is a requirement for the testing firm, not for organisations commissioning a pen test.

Should I get CE or CE+ first?

Start with standard Cyber Essentials. CE+ requires a current CE certificate as a prerequisite. The practical approach is to get CE first, then upgrade to CE+ either immediately or when you need the stronger assurance it provides for clients or insurers.
