Compliance · Service 03

Cyber Essentials Certification

We are a licensed Certification Body. We assess and certify directly. No broker, no middleman, no platform that hands your application to someone else.

CE Certified
CE Plus Certified
What changed in April 2026

v3.3 Danzell is now in force

Any Cyber Essentials assessment started on or after 27 April 2026 uses the new standard. The five controls haven't changed. The enforcement has. Most significantly: multi-factor authentication failures are now automatic failures. If any in-scope cloud service supports multi-factor authentication and you haven't enabled it, the assessment fails with no exceptions.

Other changes that catch renewals off guard: scope is broader (personal devices accessing work systems are in scope), application development has new requirements for custom software, and boundary enforcement is tighter for remote worker home routers. If your last assessment was before 2026, your renewal will look different.

Which level?

CE vs CE Plus

Two levels. Different scopes. We'll tell you which one your contract or supply chain actually requires.

Cyber Essentials

Verified self-assessment

You answer a detailed questionnaire covering the five control areas. We review, verify, and certify. Sufficient for most government contract requirements and most insurance purposes.

  • Government contracts
  • Cyber insurance requirements
  • Supply chain compliance
  • Customer trust signal
Higher assurance
Cyber Essentials Plus

Technical verification included

Everything in CE, plus independent technical testing. An assessor verifies your controls actually work: vulnerability scans, device configuration sampling, boundary protection testing.

  • MOD supply chains
  • NHS and public sector contracts
  • Higher-tier government frameworks
  • Where CE+ is explicitly required
The framework

The five technical controls

Every device, user account, and cloud service in scope must meet the requirements across all five.

01

Firewalls

Boundary devices and host-based firewalls must be configured to block by default. Inbound rules must be documented and justified. Routers and firewalls with factory default credentials are an automatic failure.

Boundary firewall configured Host-based firewall on all devices Inbound rules documented
02

Secure configuration

Default accounts removed, unnecessary services disabled, minimum 12-character passwords (8 where multi-factor authentication is enforced). Multi-factor authentication must be enabled on all admin accounts. Under v3.3, missing multi-factor authentication on any cloud service that supports it is an automatic failure.

Default credentials removed Multi-factor authentication on all admin accounts Unnecessary services disabled
03

User access control

Least privilege enforced throughout. Joiner-mover-leaver process documented. Admin accounts kept separate from day-to-day accounts and only used for administration. Annual privilege review required.

Least privilege enforced Admin accounts separate JML process documented
04

Malware protection

Active endpoint protection on every in-scope device. Signatures current. Mobile apps from official stores only. On-access scanning enabled. One approved mechanism must be in place on every device in scope.

Active on every in-scope device Signatures kept current Mobile apps: official stores only
05

Security update management

High and critical patches applied within 14 days of release. Only vendor-supported software in use. End-of-life systems must be removed or mitigated. Windows 10 reached end of support October 2025.

Critical patches within 14 days Vendor-supported software only EOL systems removed
Where assessments fail

The five things that break a first attempt

The questions look simple. These are the failure modes we see again and again as a Certification Body.

01

Scope underestimated

Cloud services used for work (Slack, Notion, GitHub, Figma, your Microsoft 365 tenant) are in scope. Personal devices accessing work systems are in scope. Most first attempts exclude things that should be included.

02

Multi-factor authentication gaps on cloud services

Under v3.3, an automatic failure. If any in-scope service supports multi-factor authentication and it isn't enabled, the assessment fails. Check every cloud service, not just email.

03

Admin account misuse

Using the same account for admin tasks and day-to-day work is a failure. Admin accounts must be dedicated, protected by multi-factor authentication, and used only for administration.

04

Unsupported software in use

Any software past its vendor support date is a failure. Windows 10 reached end of support in October 2025. Businesses still running it cannot pass CE.

05

Default credentials on devices

If the admin password on any boundary firewall or router is still the factory default, that is an automatic failure. Check every boundary device in scope.

How we work

From scoping call to certificate.

i

Scoping call

Free 15 minutes. Understand your environment, confirm CE or CE Plus, flag any obvious issues.

ii

Fixed-price quote

Clear price based on your organisation size. No per-question fees, no scope-creep billing.

iii

Assessment

Structured questionnaire (CE) or questionnaire plus technical audit (CE Plus).

iv

Certification

Certificate issued typically within 2 working days of a passed assessment.

v

Annual renewal

We remind you well in advance and recertify efficiently each year.

What comes next

After certification

CE gets you certified. It doesn't tell you what to fix next or how to build a security programme around the controls. If you want strategic advice on what comes after the certificate, our Security Consulting service covers risk prioritisation, remediation planning, and building on CE towards a stronger overall posture.

Security Consulting →
Ready to start?

Book your free scoping call

15 minutes. We'll confirm the right level, flag anything that needs fixing first, and give you a fixed price.

Get in touch