Cyber Essentials Plus: What Penetration Testing Is Required?

Cyber Essentials Plus is the UK government’s premier baseline cybersecurity certification — and one of the most common compliance frameworks UK businesses pursue. But where does penetration testing fit into the requirements? The honest answer is that the relationship is more nuanced than most articles suggest, and getting it wrong can cost you both time and money.

This guide answers the questions clients ask us most often: does Cyber Essentials Plus require a penetration test, what’s the difference between the CE Plus assessment and a penetration test, and what testing should you commission to genuinely improve security beyond the baseline.

Does Cyber Essentials Plus Require Penetration Testing?

The short answer: No, Cyber Essentials Plus does not require a full penetration test. What it does require is a hands-on technical verification of the five Cyber Essentials controls, conducted by a certification body. This includes vulnerability scanning of internet-facing systems and a sample of internal devices — but it is not the same as a penetration test.

This distinction matters because some businesses commission expensive penetration tests believing they’re required for Cyber Essentials Plus, when in fact the certification body conducts the technical assessment as part of the audit. Conversely, some businesses pass Cyber Essentials Plus and assume their security is comprehensively tested — which it is not.

What Cyber Essentials Plus Actually Tests

Cyber Essentials Plus verifies five technical controls through a combination of evidence review and hands-on testing:

  1. Firewalls — Boundary firewalls and internet gateways are configured to deny inbound traffic by default, and administrative access to them is appropriately restricted
  2. Secure configuration — Devices and software are securely configured, with default accounts and unnecessary services removed or disabled
  3. User access control — User accounts are appropriately managed, administrative privileges are restricted, and multi-factor authentication is in place where required
  4. Malware protection — Anti-malware controls are deployed and operational on relevant devices
  5. Security update management (patching) — Devices and software are receiving security updates within the required timeframes

The hands-on testing element typically includes: external vulnerability scanning of internet-facing IPs, a sample of authenticated internal vulnerability scans across user devices and servers, verification that anti-malware is operational and up-to-date, and verification of patch management policies through configuration evidence.

Penetration Testing vs Cyber Essentials Plus: The Differences

Aspect      | Cyber Essentials Plus                                            | Penetration Testing
------------|------------------------------------------------------------------|-----------------------------------------------------------
Goal        | Verify five baseline controls are operational                    | Identify exploitable vulnerabilities in specific systems
Approach    | Vulnerability scanning + control verification                    | Manual exploitation + business logic testing
Scope       | Defined boundary: workstations, servers, firewalls               | Targeted: specific applications, networks, or environments
Depth       | Configuration-level checks                                       | Deep exploitation, lateral movement, privilege escalation
Output      | Pass/fail certification                                          | Detailed report with reproduction steps and remediation
Frequency   | Annual                                                           | Annual minimum; quarterly for critical systems
Required by | UK government supply chain, MoD contractors, many enterprises    | FCA, PCI DSS, ISO 27001, SOC 2, cyber insurance

When You Need Both Cyber Essentials Plus AND Penetration Testing

For many UK businesses, both are necessary — but for different reasons:

UK Government Supply Chain

If you’re bidding for UK government contracts, Cyber Essentials Plus is often a procurement requirement. For some contracts (handling OFFICIAL-SENSITIVE or above), penetration testing is also required as part of the security accreditation. Cyber Essentials Plus alone is unlikely to satisfy these contracts.

Financial Services

FCA-regulated firms typically need both: Cyber Essentials Plus for procurement and supply chain visibility, plus full CREST penetration testing for SYSC compliance. CBEST and TIBER-UK frameworks specifically reference penetration testing, not Cyber Essentials.

SaaS and Technology Businesses

SaaS businesses pursuing SOC 2 Type II or ISO 27001 will need penetration testing as a control evidence requirement. Cyber Essentials Plus complements this for UK-specific procurement scenarios but is not a substitute. The penetration test should focus on the customer-facing application, while Cyber Essentials Plus covers the corporate IT environment.

Cyber Insurance

Some cyber insurance policies require Cyber Essentials Plus as a baseline; many also require penetration testing for premium tiers or as a precondition for ransomware coverage. Check your policy or proposal documents — both certifications can affect your premium and your claims position.

EJN Labs as a Cyber Essentials Certification Body

In early 2026, EJN Labs joined IASME as an official Cyber Essentials certification body. This means we can certify your business directly against both Cyber Essentials and Cyber Essentials Plus, and we have a unique perspective on where the certification ends and additional security testing begins.

Because we deliver both Cyber Essentials Plus assessments and CREST-certified penetration testing, we can advise honestly on what your business actually needs — rather than recommending the most expensive option. For some clients, Cyber Essentials Plus alone is genuinely sufficient. For others, it’s a starting point that needs to be supplemented by targeted penetration testing on specific applications or environments.

When Cyber Essentials Plus Is Not Enough

Cyber Essentials Plus is a baseline certification. It will not surface:

  • Application-layer vulnerabilities — SQL injection, broken authentication, business logic flaws, and IDOR vulnerabilities in your custom web applications or APIs
  • Cloud configuration issues — Misconfigured S3 buckets, over-privileged IAM roles, exposed Kubernetes APIs, or insecure cloud storage permissions
  • Active Directory misconfigurations — Kerberoasting paths, AD CS attack potential, ACL misconfigurations, password reuse across local administrators
  • Lateral movement potential — Whether an attacker who compromised one workstation could move laterally to higher-value systems
  • Phishing susceptibility — How likely your staff are to click links, enter credentials, or run malicious attachments
  • Sophisticated threat scenarios — APT-style attacks involving custom malware, evasion techniques, or multi-stage compromise paths

If any of these are real concerns for your business — and for any business handling sensitive data, they should be — penetration testing is a necessary complement to Cyber Essentials Plus, not an alternative.

Recommended Approach for UK Businesses

  1. Start with Cyber Essentials (self-assessment) to ensure baseline controls are in place. Cost: typically £300–£500.
  2. Move to Cyber Essentials Plus for the verified hands-on assessment. Cost: typically £1,500–£3,000 depending on environment size.
  3. Identify your highest-risk assets — customer-facing applications, payment systems, sensitive data stores.
  4. Commission targeted penetration testing on those assets. Cost varies — see our UK penetration testing cost guide.
  5. Implement attack surface monitoring for ongoing visibility between annual tests.

Frequently Asked Questions

Do I need a penetration test for Cyber Essentials Plus?
No — Cyber Essentials Plus does not require a separate penetration test. The certification includes hands-on technical verification by the certifying body, which involves vulnerability scanning but not full penetration testing.

Is Cyber Essentials Plus enough for SOC 2 or ISO 27001?
No. SOC 2 and ISO 27001 typically require a full penetration test as evidence for technical security controls. Cyber Essentials Plus is complementary but not a substitute.

Does Cyber Essentials Plus cover cloud environments?
It includes cloud-hosted devices and services within scope, but it doesn’t deeply test cloud-native security configurations like IAM policies, S3 bucket permissions, or VPC architectures. For cloud security assurance, see our AWS, Azure, and GCP security reviews.

How often does Cyber Essentials Plus need renewing?
Annually. Many organisations align their Cyber Essentials Plus renewal with their penetration testing cycle to make security assurance budgeting more predictable.

Get Both Done in One Engagement

EJN Labs can deliver Cyber Essentials Plus certification and CREST-certified penetration testing as a coordinated package. We’ll scope both at the same time and deliver them with a single project manager — saving you procurement time and ensuring the results align.
