Compliance

Cyber Essentials Plus without the panic

A practical 60-day plan to take a typical UK SME through Cyber Essentials Plus without halting the business. The framework is achievable — most failures come from leaving evidence and patching to the last fortnight.


Why firms fail at the last hurdle

Cyber Essentials Plus is not a difficult framework. The five technical controls (firewalls, secure configuration, user access control, malware protection and security update management) are reasonable hygiene. Yet most failures we see are entirely avoidable: an unpatched browser plug-in on one director's laptop, a local admin account no-one remembered, or a macro-blocking setting that was reverted by a GPO refresh the day before the audit.

The fix is not more tooling. It is a calm, sequenced 60-day plan with the right evidence captured along the way.

Days 1–14: scope, baseline, quick wins

Define scope precisely: which users, devices, networks and cloud services are in, and which are explicitly out. A vague scope is where most late failures begin, because devices nobody listed still get sampled. Then run a baseline vulnerability scan and an MDM/Intune compliance report against the five controls so you know the starting position before any remediation.

  • Document the in-scope boundary with an asset list and network diagram.
  • Enable automatic updates on Windows, macOS, browsers and Office.
  • Enforce MFA on every cloud service in scope — no exceptions for admins.
  • Remove local admin from standard user accounts.
  • Confirm a supported, licensed AV / EDR is deployed and reporting.

Days 15–35: remediate and harden

This is the phase where most of the technical work happens. Apply every security update that fixes a high or critical vulnerability (CVSS v3 base score of 7.0 or above) on in-scope systems; the scheme requires these within 14 days of release, and the assessor's scan will flag anything older than that. Remove unsupported software and disable unused services. Apply secure baselines to firewalls, routers and the cloud tenant.

  • Patch third-party apps too: Java, Adobe, Zoom, browsers. The authenticated scan inspects installed software on each sampled device, not just the operating system.
  • Block Office macros from files that came from the internet via Intune or GPO, and confirm the policy still applies after a refresh.
  • Remove any 'temporary' admin exceptions before the assessment; assessors will find them.

Days 36–50: evidence and dry run

Cyber Essentials Plus is an evidence-based assessment. Capture screenshots, exported configuration files and policy documents as you go — not the night before. Run an internal mock audit using the IASME test specification. Anything that fails the dry run will fail the real thing.
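The Day 1–14 checklist, the macro and third-party patching items in Days 15–35 and the advice above to capture evidence as you go all amount to asking each in-scope endpoint the same questions. The PowerShell script below is an added example, not part of the original article or of any CE+ tooling: run from an elevated prompt on a Windows 10/11 device, it writes a timestamped JSON snapshot of local administrators, the Office internet-macro policy, Defender status, Windows Update policy and installed third-party software, and warns on the two findings that most often sink an assessment. The output folder, the product watch list, the three-day signature-age threshold and the admin-name allow list are assumptions for illustration, not scheme requirements.

```powershell
# Added example, not from the article: read-only evidence snapshot for one
# in-scope Windows endpoint. Values marked "assumed" are illustrative choices.
param(
    [string]$OutDir = 'C:\CEPlus-Evidence'   # assumed evidence folder
)

$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. User access control: every member of the local Administrators group.
#    Anything outside the allow list below is a finding to explain or remove.
$allowedAdmins = 'Administrator$', 'Domain Admins$'   # assumed allow list (regex)
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. Secure configuration: is "block macros from the internet" set by policy?
#    The Office 2016+ policy value is a DWORD under the user's Policies hive;
#    1 = blocked. Word, Excel and PowerPoint each carry their own key.
$macroPolicy = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $path  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $value = (Get-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' `
              -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    [pscustomobject]@{ App = $app; BlockInternetMacros = $value; Compliant = ($value -eq 1) }
}

# 3. Malware protection: Defender real-time protection on and signatures
#    current. Third-party EDR users should substitute their vendor's status call.
$mp = Get-MpComputerStatus
$defender = [pscustomobject]@{
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignatureAgeDays   = $mp.AntivirusSignatureAge
    Compliant          = ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 3)  # 3 days assumed
}

# 4. Security update management: automatic updates not disabled by policy, and
#    the date of the most recent installed hotfix as a quick staleness check.
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
      -ErrorAction SilentlyContinue
$autoUpdatesDisabled = ($au.NoAutoUpdate -eq 1)
$lastHotfix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1 HotFixID, InstalledOn

# 5. Third-party software versions, read from both 64-bit and 32-bit uninstall
#    hives, so the Java/Adobe/Zoom/browser check is not left to memory.
$watchList = 'Java', 'Adobe', 'Zoom', 'Chrome', 'Firefox', 'Edge', '7-Zip', 'TeamViewer'  # assumed
$pattern   = ($watchList | ForEach-Object { [regex]::Escape($_) }) -join '|'
$thirdParty = Get-ItemProperty -Path @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    ) -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique

# 6. OS build (supported-version check) and firewall profile state.
$os = Get-CimInstance Win32_OperatingSystem
$firewall = Get-NetFirewallProfile | Select-Object Name, Enabled

$report = [pscustomobject]@{
    Host                        = $env:COMPUTERNAME
    CapturedAt                  = (Get-Date).ToString('o')
    OS                          = "$($os.Caption) $($os.Version)"
    Firewall                    = $firewall
    LocalAdmins                 = $localAdmins
    MacroPolicy                 = $macroPolicy
    Defender                    = $defender
    AutoUpdatesDisabledByPolicy = $autoUpdatesDisabled
    LastHotfix                  = $lastHotfix
    ThirdPartyApps              = $thirdParty
}

$file = Join-Path $OutDir "$($env:COMPUTERNAME)-$stamp.json"
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8
Write-Host "Evidence written to $file"

# Surface the findings that most often appear on assessment day.
$allowedPattern = $allowedAdmins -join '|'
$localAdmins | Where-Object { $_.Name -notmatch $allowedPattern } |
    ForEach-Object { Write-Warning "Unexpected local admin: $($_.Name)" }
$macroPolicy | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "Internet macro block not set by policy for $($_.App)" }
if ($autoUpdatesDisabled) { Write-Warning 'Automatic updates are disabled by policy' }
```

Two caveats when using a script like this. The macro policy value lives in the logged-on user's registry hive, so run it in the session of the person whose laptop it is (elevated), or you will be reading the administrator's policy rather than theirs, which is exactly the gap a GPO refresh exposed in the failure described at the top of this article. And treat the JSON as one input to the evidence pack, not a substitute for the MDM compliance report: the assessor samples devices, so a snapshot from every in-scope machine, dated and kept, is what lets you show the state on the day rather than reconstruct it.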

Days 51–60: assessment and certification

The assessor will run an external vulnerability scan against the internet-facing boundary, an authenticated vulnerability scan on a sample of in-scope devices, a malware protection test that delivers test files by email attachment and browser download, and a check that MFA is enforced on the in-scope cloud services. If the earlier phases were done properly, this stage is largely a formality.

Once certified, the work is to keep the controls in place — not to repeat the panic in 12 months. Continuous vulnerability management and a monthly patch cycle make recertification a non-event.

Key takeaways
  • Scope precisely on day one — vague scope is the root cause of late failure.
  • Patch third-party software, not just Windows.
  • Capture evidence as you remediate, not at the end.
  • Run an internal mock audit before the assessor arrives.
  • Maintain the controls continuously to make recertification routine.