> cat /compliance/cyber-essentials-plus.cert && echo 'certified — but is that enough?'_
Cyber Essentials Plus is the UK Government-backed certification scheme that verifies an organisation has implemented five fundamental technical controls: firewalls, secure configuration, user access control, malware protection, and security update management (patch management). It's assessed by a certification body through a combination of external vulnerability scanning and technical verification of a sample of in-scope devices. Pass the assessment, and the organisation receives a certificate valid for twelve months.
A penetration test goes further. It doesn't check whether controls exist — it tests whether they work against a skilled adversary. The firewall is configured, but can the tester bypass it through an allowed protocol? Patch management is in place, but did it miss the service running on a non-standard port? User access control is implemented, but can the tester escalate from a standard user to Domain Admin through a chain of misconfigurations that individually pass the CE+ checklist?
CE+ answers the question: "Are the baseline controls present?" A pen test answers the question: "Do those controls actually stop an attacker?" Organisations that pursue both get verified baseline compliance and evidence of real-world resilience. Organisations that pursue only one get half the picture.
| Control | What CE+ Assesses | How It's Verified |
|---|---|---|
| Firewalls and internet gateways | Boundary devices are configured to restrict inbound and outbound traffic. Default admin credentials changed. Unnecessary services disabled. Firewall rules reviewed for appropriateness. | External vulnerability scan of internet-facing IP addresses. Assessor reviews firewall configuration. Default credentials tested on boundary devices. |
| Secure configuration | Systems configured to reduce attack surface. Unnecessary software removed. Default accounts disabled or passwords changed. Auto-run disabled. Screen lock configured. | Assessor checks a sample of devices (workstations, servers, mobile devices) for configuration against the CE requirements. Spot checks, not comprehensive coverage. |
| User access control | User accounts managed appropriately. Admin accounts used only for administration. Unique user accounts. MFA where available for cloud services and admin access. | Assessor reviews account management processes. Checks for shared accounts, default accounts, and admin accounts used for daily work. Verifies MFA on cloud and admin portals. |
| Malware protection | Anti-malware software installed, active, and up to date. Configured to scan automatically. Application allow-listing accepted as an alternative. | Assessor verifies that malware protection is installed, running, and receiving updates on sampled devices. May test with an EICAR test file delivered by email and by browser download. |
| Patch management | Operating systems and applications updated within 14 days of the vendor releasing a fix for a vulnerability rated critical or high (CVSS v3 base score 7.0 or above). Unsupported software removed from scope or isolated. | External vulnerability scan identifies missing patches on internet-facing systems. Assessor checks patch status on sampled internal devices. |
CE+ is a good baseline — but it's explicitly a baseline. The assessment is scoped to the five controls, verified through sampling, and focused on whether controls are present and configured. It doesn't test whether those controls withstand a determined attack, whether they interact correctly, or whether gaps between them create exploitable chains.
CE+ is designed to protect against commodity threats — automated scanning, opportunistic exploitation, and untargeted malware. It's not designed to protect against a skilled, motivated adversary who targets the organisation specifically. The following risk areas are outside the CE+ scope — and each is tested by a penetration test.
Organisations that commission a pen test before their CE+ assessment benefit from identifying and remediating issues that would cause a certification failure before the assessor arrives. Where the two overlap, the pen test is the more thorough of the two, so anything the assessor would catch has almost certainly already surfaced in the pen test report and been fixed.
| CE+ Control | What the Pen Test Reveals | Pre-Certification Benefit |
|---|---|---|
| Firewalls | The pen test identifies misconfigured rules, overly permissive exceptions, default credentials on management interfaces, and services exposed on non-standard ports that the external vulnerability scan may miss. | Fix firewall issues before the CE+ external scan. Ensure no services are unnecessarily exposed. Verify that management interfaces aren't internet-accessible. |
| Secure configuration | The pen test identifies misconfigurations across the in-scope estate, not just the handful of devices the assessor samples. Legacy broadcast name-resolution protocols (LLMNR, NBT-NS), unnecessary services, default configurations, and security-relevant GPO settings are all assessed. | Remediate configuration issues estate-wide, not just on the devices the assessor will sample. Address the systemic configuration gaps that CE+ sampling might miss. |
| User access control | The pen test identifies excessive privileges, shared accounts, Kerberoastable service accounts, cached credentials, and admin accounts used for daily operations — testing not just whether controls exist but whether they've been implemented consistently. | Clean up privilege creep, rotate service account passwords, remove unnecessary admin rights, and enforce MFA before the assessor checks. Evidence of a recent pen test demonstrating access control improvements strengthens the certification application. |
| Malware protection | The pen test tests whether endpoint protection actually catches custom payloads, encoded binaries, and living-off-the-land techniques — not just whether the software is installed and running. | If the pen test bypasses endpoint protection, the organisation knows the limitation before the assessor arrives — and can address configuration gaps, enable additional detection modules, or upgrade the product. |
| Patch management | The pen test identifies missing patches across the full estate, including services on non-standard ports, third-party software that the vulnerability scanner misses, and legacy systems that have fallen out of the patching cycle. | Complete patching remediation before the CE+ external scan identifies missing patches as a failure condition. |
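As an added example (not part of the original page, and not any certification body's or scanner vendor's tooling), the following Python script applies the 14-day security-update rule from the patch management rows above to a constructed vulnerability-scan export, so the organisation can see its CE+ failure conditions before the assessor's external scan does. The export layout, the addresses, the dates and the `EXPECTED_PORTS` list are assumptions; the CVSS 7.0 threshold and the 14-day window are the CE requirement as stated on this page. It goes slightly beyond the text by also flagging services on ports outside the organisation's own expected list, which is the non-standard-port case the firewall row mentions.

```python
"""Triage a vulnerability-scan export against the Cyber Essentials Plus
security-update rule: fix within 14 days of the vendor releasing a fix for
anything rated critical/high (CVSS v3 base score 7.0 or above).

Added example, not the page's own code. The export layout, addresses, dates
and EXPECTED_PORTS are constructed assumptions, not a real scanner's schema.
"""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # CE: fix within 14 days of the vendor's fix being released
CVSS_THRESHOLD = 7.0               # CE: CVSS v3 base score 7.0 or above is in scope

# Assumption: the ports this organisation intends to expose to the internet.
# Anything else found open deserves a second look before the assessor's scan.
EXPECTED_PORTS = {22, 80, 443}

# Constructed sample export. `published` is the date the vendor released the fix.
SAMPLE_FINDINGS = [
    {"host": "203.0.113.10", "port": 443,   "title": "TLS library update", "cvss": 9.8, "published": date(2025, 3, 1)},
    {"host": "203.0.113.10", "port": 8443,  "title": "Admin UI update",    "cvss": 7.5, "published": date(2025, 3, 20)},
    {"host": "203.0.113.11", "port": 22,    "title": "SSH banner info",    "cvss": 0.0, "published": date(2024, 1, 1)},
    {"host": "203.0.113.12", "port": 40022, "title": "Legacy service fix", "cvss": 8.1, "published": date(2025, 1, 15)},
    {"host": "203.0.113.13", "port": 80,    "title": "Medium web issue",   "cvss": 5.3, "published": date(2024, 12, 1)},
]

# Constructed "as of" date used by the stand-alone run below.
AS_OF = date(2025, 3, 25)


def ce_in_scope(finding):
    """True if the finding is severe enough for the 14-day rule to apply."""
    return finding["cvss"] >= CVSS_THRESHOLD


def deadline(finding):
    """Last day on which the fix can be applied and still meet the rule.
    The clock starts at vendor release, not at the date the org noticed."""
    return finding["published"] + PATCH_WINDOW


def unexpected_port(finding, expected=EXPECTED_PORTS):
    """True if the service sits on a port the organisation did not intend to expose."""
    return finding["port"] not in expected


def triage(findings, today):
    """Split findings into CE+ failures, items still inside the window, and
    findings below the severity threshold. Assumption: day 14 itself is on time."""
    failures, in_window, below_threshold = [], [], []
    for f in findings:
        if not ce_in_scope(f):
            below_threshold.append(f)
            continue
        due = deadline(f)
        if today > due:
            failures.append({**f, "days_overdue": (today - due).days,
                             "unexpected_port": unexpected_port(f)})
        else:
            in_window.append({**f, "days_left": (due - today).days,
                              "unexpected_port": unexpected_port(f)})
    return failures, in_window, below_threshold


def report(findings, today):
    """Human-readable summary, returned as a string so it can be logged or printed."""
    failures, in_window, below = triage(findings, today)
    lines = [f"CE+ patch triage as of {today.isoformat()}"]
    for f in failures:
        flag = " [unexpected port]" if f["unexpected_port"] else ""
        lines.append(f"FAIL  {f['host']}:{f['port']} {f['title']} "
                     f"(CVSS {f['cvss']}, {f['days_overdue']} days overdue){flag}")
    for f in in_window:
        flag = " [unexpected port]" if f["unexpected_port"] else ""
        lines.append(f"DUE   {f['host']}:{f['port']} {f['title']} "
                     f"({f['days_left']} days left){flag}")
    lines.append(f"{len(below)} finding(s) below the CVSS {CVSS_THRESHOLD} threshold; "
                 "still worth fixing, but not a CE+ failure condition.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS, AS_OF))
```

Two design points matter in practice. The deadline is computed from the vendor's release date, because that is when the CE clock starts; measuring from the date the scanner first reported the issue understates how late a patch is. And findings below the threshold are reported separately rather than dropped: they are not a certification failure, but a pen tester will happily chain two medium-rated issues into something the assessor's scan would never flag.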
CE+ certification tells clients, partners, and insurers that the organisation meets a recognised security baseline. A pen test tells the organisation itself whether that baseline is sufficient for its actual risk profile — and where it needs to go next.
| CE+ Alone | CE+ Combined with Pen Testing |
|---|---|
| The organisation knows it meets the five baseline controls as verified by sampling. | The organisation knows it meets the baseline and has evidence of how its controls perform against simulated attack techniques across the full estate. |
| The certificate is valid for 12 months. The organisation recertifies annually. | The certificate is supported by a pen test report that provides specific, actionable findings for continuous improvement between certification cycles. |
| The organisation can respond to client security questionnaires with "CE+ certified." | The organisation can respond with "CE+ certified, supported by annual penetration testing with remediation validation" — a significantly stronger position. |
| Insurance underwriters see baseline certification. | Underwriters see baseline certification plus evidence of proactive testing and remediation — supporting favourable risk assessment and potentially reduced premiums. |
| In the event of a breach, the certificate demonstrates baseline controls were in place. | The certificate plus the pen test report demonstrate both baseline controls and proactive, evidenced security testing — a stronger due diligence position for regulatory and legal purposes. |
The timing of the pen test relative to the CE+ assessment matters. Commissioning them in the right order maximises the value of both.
| Timing | Approach | Benefit |
|---|---|---|
| Pen test 8–12 weeks before CE+ | Commission the pen test first. Remediate findings. Then undergo the CE+ assessment with confidence that the identified issues have been addressed. | The pen test acts as a pre-assessment. Issues are found and fixed before the assessor arrives. The organisation enters the CE+ assessment knowing its current state. Risk of certification failure is significantly reduced. |
| Pen test 4–8 weeks after CE+ | Achieve certification first. Then commission the pen test to assess the controls beyond the CE+ baseline — testing the real-world resilience that CE+ doesn't measure. | The CE+ certificate is secured. The pen test then reveals the risks that exist beyond the baseline — attack chains, AD security, detection gaps, internal network risks — informing the improvement programme for the next 12 months. |
| Combined assessment | Some providers can deliver CE+ assessment and penetration testing as an integrated engagement — assessing CE+ controls and testing beyond them in a single exercise. | Efficient and cost-effective. The assessor/tester has full context. CE+ compliance and real-world resilience are assessed simultaneously. Single report covering both certification and deeper security assessment. |
Cyber Essentials Plus is a valuable certification — it establishes that an organisation meets a recognised baseline of technical controls, satisfies supply chain requirements, supports insurance applications, and demonstrates a commitment to security fundamentals. But it is explicitly a baseline. It assesses whether five controls are present and configured. It doesn't test whether those controls withstand a skilled adversary, whether gaps between them create exploitable chains, or whether the organisation can detect and respond to an attack that bypasses the baseline.
Penetration testing addresses the gaps that CE+ leaves. It tests controls against real attack techniques, reveals chain risks between individually passing controls, assesses the internal network and Active Directory security that CE+ covers only superficially, and provides specific, actionable findings that drive improvement beyond the certification baseline.
Together, CE+ and pen testing provide something neither achieves alone: verified baseline compliance with evidence of real-world resilience. The certificate tells your clients you meet the standard. The pen test tells you whether that standard is sufficient — and what to do about the risks it doesn't cover.
We deliver CE+ certification and penetration testing as complementary services — certifying the baseline and testing the reality, so your security programme is built on verified controls and demonstrated resilience.