> series: cyber_essentials_demystified —— part: 10/10 —— status: action_plan_loaded —— next_step: get_certified_
Over the previous nine articles, we have covered every aspect of Cyber Essentials — from what the scheme is and why it matters, through each of the five technical controls in depth, to the Danzell changes taking effect on 27 April 2026 and the differences between CE and CE Plus. This final article brings it all together into a practical, step-by-step action plan that takes you from where you are today to certified — under the new Danzell v3.3 requirements.
Before you open an assessment account, prepare your environment to meet the requirements. Discovering failures during the assessment wastes time and money. Discovering them during preparation costs nothing.
| Task | Detail | Auto-Fail Risk? |
|---|---|---|
| Audit all cloud services | List every cloud service your organisation uses. Include email, file storage, CRM, accounting, HR, project management, social media, and any SaaS platform accessed via a browser. | Yes — cloud services in scope under Danzell |
| Enable MFA everywhere | For every cloud service on your list, check whether MFA is available and enable it for all users. If MFA requires a paid licence upgrade, purchase it. | Yes — auto-fail if MFA available but not enabled |
| Verify patching compliance | Check that all operating systems, applications, firmware, and browser extensions are updated. Identify anything more than 14 days out of date and update it immediately. | Yes — auto-fail on A6.4 and A6.5 |
| Remove end-of-life software | Identify and remove any software that is no longer supported by its vendor. Windows 10 (without ESU), Office 2016, and legacy applications on unsupported frameworks must go. | Indirect — unsupported software cannot meet patching requirements |
| Change default passwords | Audit all in-scope devices — routers, firewalls, printers, IoT devices, cloud admin accounts — and change any remaining default or manufacturer-set passwords. | No — but a common CE+ failure |
| Review user accounts | Remove ghost accounts (former employees, expired service accounts). Ensure no shared accounts exist. Verify that admin privileges are restricted to those who need them. | No — but a common finding |
| Verify firewall configuration | Review all firewall rules. Remove unnecessary inbound allow rules. Confirm default-deny inbound. Ensure management interfaces are not exposed to the internet. | No — but a fundamental control requirement |
| Confirm anti-malware is active | Verify that anti-malware software is installed, enabled, and updating on all in-scope devices. Check that it has not been disabled by users or misconfigured Group Policy. | No — but a common CE+ failure |
| Configure auto-lock | Ensure all devices lock automatically after a period of inactivity — typically 15 minutes for desktops and 5 minutes for mobile devices. | No — but a common finding |
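As an added example (not the article's checklist or any assessor's tool), the script below walks a constructed inventory of cloud services and devices and reports which items from the table above would be auto-fails and which are ordinary findings. The inventory fields, the sample records, and the 15-minute desktop / 5-minute mobile auto-lock limits are assumptions taken from the checklist wording; the 14-day patch window is the figure the article states. The rules approximate the question set and are not the official v3.3 criteria.

```python
"""Cyber Essentials readiness gap check over a constructed inventory.

Added example for this article, not the author's or any vendor's tool.
Field names, sample records and auto-lock limits are assumptions drawn
from the checklist; only the 14-day patch window comes from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PATCH_WINDOW_DAYS = 14                              # article: more than 14 days out of date is an auto-fail
LOCK_LIMIT_MINUTES = {"desktop": 15, "mobile": 5}   # assumed from the checklist wording


@dataclass
class CloudService:
    name: str
    mfa_available: bool
    mfa_enabled: bool


@dataclass
class Device:
    name: str
    kind: str                         # "desktop" or "mobile"
    vendor_supported: bool            # False for end-of-life OS or software
    last_patch: date                  # date pending updates were last applied
    default_password: bool            # True if a manufacturer-set password remains
    auto_lock_minutes: Optional[int]  # None means no automatic lock configured


@dataclass
class Finding:
    subject: str
    issue: str
    auto_fail: bool                   # mirrors the table's "Auto-Fail Risk?" column


def check_cloud(services: List[CloudService]) -> List[Finding]:
    """MFA available but not enabled is an auto-fail; no MFA at all needs review."""
    findings = []
    for s in services:
        if s.mfa_available and not s.mfa_enabled:
            findings.append(Finding(s.name, "MFA available but not enabled", True))
        elif not s.mfa_available:
            # Assumption: record for review (licence upgrade or replace the service)
            findings.append(Finding(s.name, "service offers no MFA", False))
    return findings


def check_devices(devices: List[Device], as_of: date) -> List[Finding]:
    """Apply the device-level rows of the checklist to each in-scope device."""
    findings = []
    for d in devices:
        if not d.vendor_supported:
            findings.append(Finding(d.name, "unsupported (end-of-life) software", False))
        # Strictly more than 14 days: a device patched exactly 14 days ago passes
        if (as_of - d.last_patch).days > PATCH_WINDOW_DAYS:
            findings.append(Finding(d.name, f"patches older than {PATCH_WINDOW_DAYS} days", True))
        if d.default_password:
            findings.append(Finding(d.name, "default password still set", False))
        limit = LOCK_LIMIT_MINUTES[d.kind]
        if d.auto_lock_minutes is None or d.auto_lock_minutes > limit:
            findings.append(Finding(d.name, f"auto-lock missing or over {limit} minutes", False))
    return findings


def readiness_report(services, devices, as_of):
    """Combine all findings; 'ready' means no auto-fail items are outstanding."""
    findings = check_cloud(services) + check_devices(devices, as_of)
    auto_fails = [f for f in findings if f.auto_fail]
    return {"findings": findings, "auto_fail_count": len(auto_fails), "ready": not auto_fails}


# Constructed sample inventory (hypothetical systems, not real ones)
SAMPLE_SERVICES = [
    CloudService("Microsoft 365", mfa_available=True, mfa_enabled=True),
    CloudService("Accounting SaaS", mfa_available=True, mfa_enabled=False),
]
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "desktop", True, date(2026, 2, 28), False, 15),   # 15 days unpatched
    Device("LAPTOP-02", "desktop", False, date(2026, 3, 10), False, 15),  # e.g. Windows 10 without ESU
    Device("PHONE-01", "mobile", True, date(2026, 3, 12), False, 10),     # lock too slow for mobile
    Device("PRINTER-01", "desktop", True, date(2026, 3, 1), True, 15),    # exactly 14 days, default password
]
SAMPLE_AS_OF = date(2026, 3, 15)  # constructed reference date

if __name__ == "__main__":
    report = readiness_report(SAMPLE_SERVICES, SAMPLE_DEVICES, SAMPLE_AS_OF)
    for f in report["findings"]:
        print(f"{'AUTO-FAIL' if f.auto_fail else 'finding  '} {f.subject}: {f.issue}")
    print("auto-fail items:", report["auto_fail_count"], "| ready:", report["ready"])
```

Feeding the script an export from your asset register and cloud tenant list turns the table into a repeatable pre-assessment check; the distinction it preserves between auto-fail rows (MFA, patch age) and ordinary findings is what decides whether to open the assessment account yet.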
With your environment prepared, open an assessment account and complete the Danzell question set. If you have done the preparation work thoroughly, the self-assessment should be a documentation exercise — recording what you have already implemented, not discovering what you have missed.
If you are pursuing CE Plus, the technical audit follows the completed self-assessment. The assessor independently tests your systems against the five controls. Under the revised Danzell process, the VSA must be locked before the audit begins, the double-sampling rule applies to patching failures, and a second failure revokes the CE certificate.
The best preparation for the CE Plus audit is to run your own vulnerability scan before the assessor does. Our vulnerability scanning service provides the same type of scanning the assessor will conduct — identifying missing patches, configuration weaknesses, and compliance gaps before the official audit begins.
Certification is valid for 12 months. But the controls are expected to be maintained continuously — and under Danzell, the director declaration makes this an explicit commitment. An organisation that certifies in April and stops patching in May is not compliant, regardless of what the certificate says.
Building continuous compliance requires ongoing processes: regular patching (within 14 days for critical updates), continuous MFA enforcement, periodic account reviews, firewall rule audits, and ongoing anti-malware verification. For organisations that want these processes monitored and managed rather than relying on manual checks, SOC in a Box provides 24/7 security monitoring with a real-time Confidence Score that quantifies your compliance posture continuously — not just once a year.
Over ten articles, we have covered the complete Cyber Essentials landscape from a business owner's perspective — from what the scheme is and why it matters, through each of the five controls in depth, to the critical Danzell changes and the practical differences between CE and CE Plus. You now have the knowledge to make informed decisions about certification, the checklists to prepare your environment, and the context to understand what the changes mean for your organisation.
The single most important takeaway is this: Cyber Essentials is not a checkbox exercise. The organisations that treat it as one are the organisations that fail assessments, lose contracts, and — ultimately — get breached. The organisations that treat it as a genuine security baseline, maintain their controls continuously, and layer additional protections above the certificate are the ones that sleep soundly. That is what we help our clients achieve — and it is why our sister company SOC in a Box exists: to provide the continuous, 24/7 protection that a point-in-time certificate cannot.
Whether you need <a href="/cyber-essentials">Cyber Essentials certification</a>, <a href="/cyber-essentials/concierge">Concierge-managed certification</a>, or the combination of certification and continuous <a href="https://www.socinabox.co.uk">24/7 SOC monitoring</a> that provides genuine security — we have you covered. And when you are ready to go beyond the baseline, our <a href="/penetration-testing">penetration testing services</a> demonstrate what your security posture looks like under real attack conditions.