Cyber Essentials Plus is the enhanced version of the standard Cyber Essentials scheme. It includes everything in standard Cyber Essentials — the five fundamental controls — plus independent external testing to verify those controls actually work in practice.
While standard Cyber Essentials is self-assessed, Cyber Essentials Plus involves a qualified external assessor who performs vulnerability scanning and limited penetration testing to confirm your security controls are effective against real-world attack scenarios.
The 5 Controls + Testing
Secure configuration
Verified through external testing
Access control
Tested for implementation gaps
Malware protection
Validated across systems
Patch management
Confirmed current
Backup and recovery
Tested for effectiveness
Who Needs It?
- Critical infrastructure operators
- Large government contracts
- Financial services sector
- Insurance policy requirements
- High-risk data handlers
Cyber Essentials vs Cyber Essentials Plus
| Aspect | Standard CE | CE Plus |
|---|---|---|
| Assessment Type | Self-assessment only | Self + external testing |
| External Testing | None | Vulnerability scan + pen test |
| Cost (Ireland) | €800–€2,000 | €3,000–€8,000 |
| Timeline | 4–8 weeks | 8–12 weeks |
| Validity | 3 years | 3 years |
| Assurance Level | Medium (self-reported) | High (independently verified) |
Frequently Asked Questions
What's the difference between vulnerability scanning and penetration testing?
Vulnerability scanning is automated and identifies known weaknesses. Penetration testing is manual and attempts to exploit those vulnerabilities to assess real-world risk. Cyber Essentials Plus includes both.
Will the external testing disrupt my business?
No. External testing is non-destructive and scheduled during agreed windows. We coordinate with your team to minimise any impact.
What happens if vulnerabilities are found?
Vulnerabilities are documented in a detailed report. You then have time to remediate them, and the external assessor re-tests to confirm fixes. This is a normal part of the process.
Is Cyber Essentials Plus required for Irish businesses?
Not mandated, but increasingly required by government contracts, large enterprises, and cyber insurance providers. If you're bidding for significant contracts or in a regulated sector, it's worth considering.
Can I upgrade from standard Cyber Essentials to Plus?
Yes. If you're already certified, you can add the external testing component to upgrade to Cyber Essentials Plus.
How much does Cyber Essentials Plus cost?
Typical costs range from €3,000–€8,000 depending on your organisation size and complexity. Contact us for a personalised quote.