Cyber Essentials Plus
Cyber Essentials Plus Penetration Testing
Manual, tester-led testing aligned to the IASME technical controls - sized for your scope, delivered through our portal, and designed to support your assessor's review.
UK-based testers · Cyber Essentials Plus certified ourselves · CyberSmart certification partner · Aligned to the IASME Illustrative Test Specification
Why this matters
Why Cyber Essentials Plus requires hands-on testing.
Cyber Essentials is a self-assessment. Cyber Essentials Plus is the audited version - and the audit is technical. An IASME-appointed assessor independently verifies that the five technical controls are actually implemented across a representative sample of your in-scope devices: firewalls and routers, secure configuration, user access control, malware protection, and security update management.
The assessor will run authenticated vulnerability scans against end-user devices and internet-facing services, attempt to execute test malware via email and web, and check that high or critical vulnerabilities older than 14 days aren't sitting on your estate. If they find issues, you fail - and re-tests cost time and money.
A pre-assessment pentest is how engineering teams stop that from happening. We run the same classes of checks the IASME assessor will, on the same scope, against the same controls - but earlier, with more depth, and with remediation guidance instead of a fail letter.
What gets tested - and which Pentiq service covers it.
The IASME Cyber Essentials Plus Illustrative Test Specification defines what gets tested. Here's how that maps to our services.
| Control area | What's assessed | Pentiq service |
|---|---|---|
| Firewalls & internet gateways | External vulnerability scan of all internet-facing IPs | External Infrastructure Test |
| Secure configuration | Authenticated scan of EUDs and servers; build review | Internal Infrastructure Test + Build Review |
| User access control | Account configuration, MFA, separation of admin | Covered within Internal Infrastructure Test |
| Malware protection | Test malware via email and web on EUDs | Internal Infrastructure Test (malware execution checks) |
| Security update management | Authenticated scan for missing patches >14 days | Internal Infrastructure Test (patch validation) |
| Bring-your-own-device | Sample of BYOD devices in scope | Add-on within Internal Infrastructure Test |
If your CE+ scope is the whole organisation, you'll typically need both an external and an internal test. If you've scoped a sub-organisation (a common cost optimisation), the test scope shrinks accordingly.
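As an added example (not Pentiq's tooling or the IASME test specification), this Python check applies the 14-day patching rule described above to constructed scan findings and reports pass/fail per device. The device names, finding IDs and the CVSS v3 >= 7.0 cut-off for "high or critical" are assumptions; the cut-off follows the published Cyber Essentials requirements rather than this page.

```python
"""Added example: apply the Cyber Essentials 14-day patching window to
authenticated-scan findings and report pass/fail per in-scope device.

Assumptions (not from the page): findings carry a device name, a CVSS v3
base score and the ISO date the vendor fix was released; CVSS v3 >= 7.0 is
treated as "high or critical" (the published CE threshold).
"""
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14   # CE: high/critical fixes applied within 14 days
HIGH_CVSS = 7.0          # assumed CE "high or critical" threshold (CVSS v3)

# Constructed sample findings, shaped like an authenticated scan export.
SAMPLE_FINDINGS = [
    {"device": "LAPTOP-01", "id": "FINDING-A", "cvss": 9.8, "fix_released": "2024-05-01"},
    {"device": "LAPTOP-01", "id": "FINDING-B", "cvss": 5.3, "fix_released": "2024-04-01"},
    {"device": "SRV-FILE",  "id": "FINDING-C", "cvss": 7.5, "fix_released": "2024-05-20"},
    {"device": "SRV-FILE",  "id": "FINDING-D", "cvss": 8.1, "fix_released": None},
]


def classify(finding, today):
    """Return 'fail', 'pass', 'review' or 'info' for one finding."""
    if finding["cvss"] < HIGH_CVSS:
        return "info"    # below the high/critical bar: not a CE+ failure
    if finding["fix_released"] is None:
        return "review"  # no vendor fix date: the 14-day rule cannot be applied automatically
    released = date.fromisoformat(finding["fix_released"])
    # Exactly 14 days is still inside the window; day 15 onwards fails.
    if today - released > timedelta(days=PATCH_WINDOW_DAYS):
        return "fail"
    return "pass"


def ce_plus_patch_report(findings, today):
    """Group finding IDs by device and outcome; a device fails if any finding fails."""
    report = {}
    for f in findings:
        dev = report.setdefault(f["device"], {"fail": [], "review": [], "pass": [], "info": []})
        dev[classify(f, today)].append(f["id"])
    return report


def failing_devices(findings, today):
    """Devices that would fail the CE+ patch check on the given date."""
    return sorted(d for d, r in ce_plus_patch_report(findings, today).items() if r["fail"])


if __name__ == "__main__":
    for device, outcome in ce_plus_patch_report(SAMPLE_FINDINGS, date(2024, 5, 25)).items():
        print(device, outcome)
```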
Scope my test
Get a tailored CE+ test scope.
Tell us what you're protecting and we'll come back with a scoped engagement - usually within one working day.
Engagement
What a Pentiq Cyber Essentials Plus engagement looks like.
Scoping
A short call with your technical contact to confirm scope, agree the test plan, and book delivery dates against your Cyber Essentials Plus timeline.
Testing
Testing runs against the agreed scope. Findings appear in your Pentiq portal in real time, so your team can start triaging without waiting for a final report.
Reporting & remediation
Final report delivered through the portal: executive summary, technical findings mapped to Cyber Essentials Plus control areas, and remediation guidance for each issue.
Optional re-test
We re-test fixed findings before your Cyber Essentials Plus assessment so you walk in clean.
Engagement length depends entirely on scope - we confirm a realistic timeline during the scoping call.
Common questions
Frequently asked questions.
Is a penetration test required for Cyber Essentials Plus?
Not in the strict sense - IASME doesn't require you to commission a third-party pentest before your assessment. But the CE+ assessment itself is a technical audit that uses pentest-style techniques (vulnerability scanning, malware execution tests, authenticated checks). Most organisations that fail CE+ on the first attempt do so because they walked in cold. A pre-assessment test is insurance.
What's the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment questionnaire. Cyber Essentials Plus adds an independent technical audit by an IASME-certified assessor. CE+ is what most enterprise customers, MoD suppliers, and public sector contracts now require.
How long is CE+ certification valid?
12 months. Most organisations re-test annually, and many use the annual cycle as a forcing function for a broader pentest at the same time.
What if we fail an IASME assessment?
You get a list of failures and a window to remediate. Significant failures may require a re-assessment, which adds cost and delay. Pre-testing is significantly cheaper than failing.
Do you do the CE+ assessment itself?
Yes. Pentiq partners with CyberSmart, an IASME-appointed Certification Body, to deliver the CE+ assessment itself alongside the pre-assessment pentest. One engagement, one point of contact, both halves done.
We're a small team - is this overkill?
No. CE+ is specifically designed to be achievable for SMEs. If you're a 15-person company applying for a contract that mandates CE+, the engagement is small, fast, and proportionate.
Can you test sub-orgs only?
Yes. CE+ scope can be a defined sub-organisation (e.g. a single business unit or a specific network segment), and the pentest scope follows. We'll help you define a defensible scope boundary during scoping.
Can we cover multiple compliance frameworks in one engagement?
Yes. CE+ shares technical controls with ISO 27001, SOC 2, PCI DSS, and most cyber insurance assessments - external infrastructure, secure configuration, user access, patching. One well-scoped pentest can produce findings mapped to each framework's control structure. We confirm the mapping during scoping so the same testing evidence lands cleanly in every audit.
