Cyber Essentials Plus — Advanced Certification Guide

Guide to Cyber Essentials Plus certification. Understand the additional requirements beyond Cyber Essentials and how to prepare.

Cyber Essentials Plus is the enhanced version of the standard Cyber Essentials scheme. It includes everything in standard Cyber Essentials — the five fundamental controls — plus independent external testing to verify those controls actually work in practice.

While standard Cyber Essentials is self-assessed, Cyber Essentials Plus involves a qualified external assessor who performs vulnerability scanning and limited penetration testing to confirm your security controls are effective against real-world attack scenarios.

The 5 Controls + Testing

Secure configuration

Verified through external testing

Access control

Tested for implementation gaps

Malware protection

Validated across systems

Patch management

Confirmed current

Backup and recovery

Tested for effectiveness

Who Needs It?

  • Critical infrastructure operators
  • Large government contracts
  • Financial services sector
  • Insurance policy requirements
  • High-risk data handlers

Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials vs Cyber Essentials Plus
AspectStandard CECE Plus
Assessment TypeSelf-assessment onlySelf + external testing
External TestingNoneVulnerability scan + pen test
Cost (Ireland)€800–€2,000€3,000–€8,000
Timeline4–8 weeks8–12 weeks
Validity3 years3 years
Assurance LevelMedium (self-reported)High (independently verified)

Frequently Asked Questions

What's the difference between vulnerability scanning and penetration testing?

Vulnerability scanning is automated and identifies known weaknesses. Penetration testing is manual and attempts to exploit those vulnerabilities to assess real-world risk. Cyber Essentials Plus includes both.

Will the external testing disrupt my business?

No. External testing is non-destructive and scheduled during agreed windows. We coordinate with your team to minimise any impact.

What happens if vulnerabilities are found?

Vulnerabilities are documented in a detailed report. You then have time to remediate them, and the external assessor re-tests to confirm fixes. This is a normal part of the process.

Is Cyber Essentials Plus required for Irish businesses?

Not mandated, but increasingly required by government contracts, large enterprises, and cyber insurance providers. If you're bidding for significant contracts or in a regulated sector, it's worth considering.

Can I upgrade from standard Cyber Essentials to Plus?

Yes. If you're already certified, you can add the external testing component to upgrade to Cyber Essentials Plus.

How much does Cyber Essentials Plus cost?

Typical costs range from €3,000–€8,000 depending on your organisation size and complexity. Contact us for a personalised quote.