We have Cyber Essentials. We’re secure…right?

Syed Ahmed, Security Consultant
Cyber Essentials (CE) is often described as the UK Government’s baseline for cyber security. Achieving certification shows that an organisation has implemented a set of fundamental technical controls designed to protect against the most common types of commodity cyber-attack.

But holding a CE certificate doesn’t automatically mean you’re protected - it means you’ve met a minimum standard at a specific point in time. And how you get there matters far more than many people expect.

As someone who reviews CE submissions every day, I see first-hand where organisations add real value to their security posture… and where things often go wrong.

What Cyber Essentials actually gives you

Cyber Essentials is a verified self-assessment. An organisation confirms it has implemented the required controls (patching, access control and secure configuration, among others), and those responses are reviewed by an accredited IASME assessor against requirements set by the National Cyber Security Centre (NCSC).

When done properly, completing CE provides confidence internally and externally that:

  • Foundational technical controls are in place.
  • These controls are applied consistently across all in-scope systems.
  • The organisation is actively reducing the likelihood of common attacks such as phishing, malware and credential abuse.

Because CE sets a foundation of protection, many government departments and large organisations either require or strongly prefer that suppliers hold it as part of procurement. Some insurers also offer more favourable cyber insurance terms to organisations that hold certification.

So yes, CE is valuable. But only if it reflects reality. 

Where organisations go wrong most often with Cyber Essentials

The most common CE failures aren’t caused by sophisticated attackers or complex environments. They’re caused by assumptions, shortcuts and misunderstandings.

Here are some of the issues I see repeatedly: 

Patching gaps 

Software isn’t kept up to date within the required 14-day window, leaving well-known vulnerabilities open. Minor versions and builds are often missed.

Unsupported software 

Organisations continue using applications that are no longer patched by the vendor — an automatic red flag.

Weak authentication 

Passwords don’t align with NCSC guidance, or Multifactor Authentication (MFA) is missing, especially for cloud services.

Scope blind spots 

Laptops, mobiles, tablets, remote workers, BYOD devices, and cloud platforms are frequently forgotten — even though they access company data and should usually be in scope.

Inconsistent answers 

CE questions are interlinked. Contradictions across answers are one of the fastest ways to fail. 

You’ll notice that none of these are malicious mistakes. They happen because organisations rush, guess or don’t fully understand what’s being asked. 

If I were submitting Cyber Essentials myself… 

Knowing what I know, it’s easy to say “here’s what I would do”, but it is worth sharing how I would approach a submission. I would:

  • Build a complete asset list before starting, including systems, endpoints, applications, cloud services, networks.
  • Clearly define what’s in scope and what’s out, document it properly and validate network segregation.
  • Confirm exact software versions, not just major releases.
  • Gather and organise all evidence upfront, rather than scrambling as questions come up.
  • Do a dry run, reviewing the answers as if I were the assessor looking for gaps. 
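The dry run above, and the failure list earlier in the post, lend themselves to a simple pre-submission check over the asset list. The following is an added example, not code from the original post or from the CE scheme: it walks a constructed inventory and flags the gaps the post names (updates not applied within the 14-day window, vendor-unsupported software, cloud services without MFA, devices that access company data but were left out of scope, versions recorded only as a major release) and then compares the draft answers against what the inventory actually shows. The record format, field names, category labels and sample rows are all assumptions made for this example; they are not the official Cyber Essentials question set.

```python
"""Pre-submission dry run over a constructed asset inventory.

The record format, field names and sample rows below are assumptions made for
this example; they are not the official Cyber Essentials question set.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # update deadline stated in the post


@dataclass
class Software:
    name: str
    version: str                        # exact build, e.g. "124.0.6367.91", not just "124"
    vendor_supported: bool              # False once the vendor stops shipping fixes
    fix_released: date | None = None    # release date of the latest security update
    fix_applied: date | None = None     # date it was actually installed on this asset


@dataclass
class Asset:
    name: str
    kind: str                           # "laptop", "mobile", "server", "cloud-service", ...
    accesses_company_data: bool
    in_scope: bool
    mfa_enabled: bool | None = None     # only meaningful for cloud services
    software: list[Software] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    asset: str
    category: str                       # "scope", "mfa", "supported", "version", "patching"
    message: str


def check_asset(asset: Asset, today: date) -> list[Finding]:
    """Return every CE-relevant gap found on one asset as of `today`."""
    out: list[Finding] = []
    if asset.accesses_company_data and not asset.in_scope:
        out.append(Finding(asset.name, "scope",
                           "accesses company data but is marked out of scope"))
    if asset.kind == "cloud-service" and asset.mfa_enabled is not True:
        out.append(Finding(asset.name, "mfa", "MFA is not enabled"))
    for sw in asset.software:
        if not sw.vendor_supported:
            out.append(Finding(asset.name, "supported",
                               f"{sw.name} {sw.version} is no longer supported by the vendor"))
        if "." not in sw.version:  # crude heuristic: a bare number is a major release only
            out.append(Finding(asset.name, "version",
                               f"{sw.name} version '{sw.version}' is a major release only; record the exact build"))
        if sw.fix_released is not None:
            deadline = sw.fix_released + PATCH_WINDOW
            if sw.fix_applied is None and today > deadline:
                out.append(Finding(asset.name, "patching",
                                   f"{sw.name} update released {sw.fix_released} is still not applied"))
            elif sw.fix_applied is not None and sw.fix_applied > deadline:
                days = (sw.fix_applied - sw.fix_released).days
                out.append(Finding(asset.name, "patching",
                                   f"{sw.name} update applied {days} days after release"))
    return out


def dry_run(assets: list[Asset], today: date) -> list[Finding]:
    """Run every check across the whole inventory."""
    return [f for a in assets for f in check_asset(a, today)]


def contradictions(declared: dict[str, bool], findings: list[Finding]) -> list[str]:
    """Categories where the draft submission claims the control is fully in
    place (True) but the inventory shows at least one gap."""
    failing = {f.category for f in findings}
    return sorted(c for c, claimed in declared.items() if claimed and c in failing)


# Constructed sample inventory and draft answers; none of these are real systems.
SAMPLE_ASSETS = [
    Asset("LAPTOP-01", "laptop", True, True, software=[
        Software("Browser", "124.0.6367.91", True, date(2024, 5, 10), date(2024, 5, 14)),
        Software("Office suite", "16", True, date(2024, 5, 1), None),
    ]),
    Asset("MOBILE-07", "mobile", True, False),              # BYOD phone left out of scope
    Asset("Mail (cloud)", "cloud-service", True, True, mfa_enabled=False),
    Asset("FILE-SRV", "server", True, True, software=[
        Software("Legacy database", "9.6.24", False),
    ]),
]
# True means the draft submission claims the control is fully in place.
SAMPLE_DECLARED = {"patching": True, "supported": False, "mfa": True, "scope": True}
SAMPLE_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    findings = dry_run(SAMPLE_ASSETS, SAMPLE_DATE)
    for f in findings:
        print(f"[{f.category}] {f.asset}: {f.message}")
    print("contradictory answers:", contradictions(SAMPLE_DECLARED, findings))
```

The point of `contradictions` is the "inconsistent answers" failure mode: an organisation that honestly declares its unsupported database (`"supported": False`) is not flagged for it, while the "yes" answers on patching, MFA and scope are flagged because the inventory disagrees with them. Feeding the checker your real asset list before submission is the "dry run as the assessor" step in practice.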

And if a question wasn’t clear? I’d stop and clarify it. I wouldn’t guess because CE rewards preparation, not speed. 

Two things every organisation should know 

If there’s one message I could give every organisation completing a CE submission, it would be this: Be honest and base your answers on evidence, not what you think ‘should’ be in place.

The CE submission is about accuracy and consistency. Inaccurate answers can undermine the entire purpose of the certification and lead to failure.

Secondly: Scope really does matter more than people realise. Missing a system, endpoint or cloud service is one of the easiest ways to fail an assessment, even if everything else is strong. 

What a good Cyber Essentials submission looks like 

The strongest submissions I see have a few things in common:

  • Answers are clear, concise and directly address the question.
  • Information is consistent across the entire assessment.
  • The environment described matches reality — not policy documents.
  • Responses are genuine, not copied, generic or auto‑generated.
  • The organisation understands why each control exists, not just that it does.

In short, good submissions reflect real security practices, not paperwork. 

Cyber Essentials is the first step, not the finish line 

Cyber Essentials plays a vital role in improving the UK’s cyber resilience. It raises the baseline and helps protect against the most common, damaging attacks.

But it wasn't designed to be a comprehensive security standard, and it can catch out organisations that treat it as one. It doesn’t cover governance, monitor for emerging threats, or identify deeper technical weaknesses.

For organisations that want stronger assurance, CE Plus—with hands-on independent technical testing—is the natural next step.

The common mistake is when organisations obtain their CE certificate and think "job done" - it's a solid foundation, but it's just the very surface. Having confidence your controls work in practice is another level entirely.

If you aren't sure where your organisation sits, or whether CE or CE Plus is the right move, get in touch with us and we can help you get started on your security journey.