Cyber Essentials Certification
We are a licensed Certification Body. We assess and certify directly. No broker, no middleman, no platform that hands your application to someone else.
v3.3 Danzell is now in force
Any Cyber Essentials assessment started on or after 27 April 2026 uses the new standard. The five controls haven't changed. The enforcement has. Most significantly: multi-factor authentication failures are now automatic failures. If any in-scope cloud service supports multi-factor authentication and you haven't enabled it, the assessment fails with no exceptions.
Other changes that catch renewals off guard: scope is broader (personal devices accessing work systems are in scope), application development has new requirements for custom software, and boundary enforcement is tighter for remote worker home routers. If your last assessment was before 2026, your renewal will look different.
CE vs CE Plus
Two levels. Different scopes. We'll tell you which one your contract or supply chain actually requires.
Verified self-assessment
You answer a detailed questionnaire covering the five control areas. We review, verify, and certify. Sufficient for most government contract requirements and most insurance purposes.
- Government contracts
- Cyber insurance requirements
- Supply chain compliance
- Customer trust signal
Technical verification included
Everything in CE, plus independent technical testing. An assessor verifies your controls actually work: vulnerability scans, device configuration sampling, boundary protection testing.
- MOD supply chains
- NHS and public sector contracts
- Higher-tier government frameworks
- Where CE+ is explicitly required
The five technical controls
Every device, user account, and cloud service in scope must meet the requirements across all five.
Firewalls
Boundary devices and host-based firewalls must be configured to block by default. Inbound rules must be documented and justified. Routers and firewalls with factory default credentials are an automatic failure.
Secure configuration
Default accounts removed, unnecessary services disabled, minimum 12-character passwords (8 where multi-factor authentication is enforced). Multi-factor authentication must be enabled on all admin accounts. Under v3.3, missing multi-factor authentication on any cloud service that supports it is an automatic failure.
User access control
Least privilege enforced throughout. Joiner-mover-leaver process documented. Admin accounts kept separate from day-to-day accounts and only used for administration. Annual privilege review required.
Malware protection
Active endpoint protection on every in-scope device. Signatures current. Mobile apps from official stores only. On-access scanning enabled. One approved mechanism must be in place on every device in scope.
Security update management
High and critical patches applied within 14 days of release. Only vendor-supported software in use. End-of-life systems must be removed or mitigated. Windows 10 reached end of support October 2025.
The five things that break a first attempt
The questions look simple. These are the failure modes we see again and again as a Certification Body.
Scope underestimated
Cloud services used for work (Slack, Notion, GitHub, Figma, your Microsoft 365 tenant) are in scope. Personal devices accessing work systems are in scope. Most first attempts exclude things that should be included.
Multi-factor authentication gaps on cloud services
Under v3.3, an automatic failure. If any in-scope service supports multi-factor authentication and it isn't enabled, the assessment fails. Check every cloud service, not just email.
Admin account misuse
Using the same account for admin tasks and day-to-day work is a failure. Admin accounts must be dedicated, protected by multi-factor authentication, and used only for administration.
Unsupported software in use
Any software past its vendor support date is a failure. Windows 10 reached end of support in October 2025. Businesses still running it cannot pass CE.
Default credentials on devices
If the admin password on any boundary firewall or router is still the factory default, that is an automatic failure. Check every boundary device in scope.
From scoping call to certificate.
Scoping call
Free 15 minutes. Understand your environment, confirm CE or CE Plus, flag any obvious issues.
Fixed-price quote
Clear price based on your organisation size. No per-question fees, no scope-creep billing.
Assessment
Structured questionnaire (CE) or questionnaire plus technical audit (CE Plus).
Certification
Certificate issued typically within 2 working days of a passed assessment.
Annual renewal
We remind you well in advance and recertify efficiently each year.
After certification
CE gets you certified. It doesn't tell you what to fix next or how to build a security programme around the controls. If you want strategic advice on what comes after the certificate, our Security Consulting service covers risk prioritisation, remediation planning, and building on CE towards a stronger overall posture.
Security Consulting →Book your free scoping call
15 minutes. We'll confirm the right level, flag anything that needs fixing first, and give you a fixed price.
Get in touchRelated capabilities
Penetration Testing
A penetration test answers one question: could a determined attacker do real harm to this business? Everything else (checklists, …
Read moreVulnerability Management
Penetration testing tells you what an attacker could do today. Vulnerability management tells you what’s changing, every …
Read moreFractional CISO & Information Security Manager
In most growing businesses, the person who answers for security is whoever is nearest. The managing director signs the Cyber …
Read more