NCSC (UK) · uk
Cyber Essentials Plus: pen test requirements 2026
More limited in scope than a full pen test — verified external vulnerability scan + sample-based hands-on testing of the five Cyber Essentials controls. Required for UK government supplier work.
Required
Required for UK government supplier contracts handling sensitive data
Region
UK
Publisher
NCSC
Applies to
- External infrastructure pen test (verified vuln scan + sample-test methodology)
- Patch management verification
- Boundary firewall + secure configuration audit
Budget impact
Day count impact
Typically 1-3 days for small organisations, 3-5 for medium, depending on infra footprint
Rate impact
Often delivered as a fixed-price assessment (£1,500-£4,000 for small orgs) rather than day-rated
Source
↗ https://www.ncsc.gov.uk/cyberessentials/overviewVerified 2026-06-02.
Other standards