The 6 Things Cyber Essentials Doesn't Cover

If CE covered everything a business needed, I would tell you that and move on, but it covers one function out of six. That's a statement of scope, not a criticism of the scheme, because CE was never designed to be a complete security programme. The problem is when businesses treat it as one.
CE handles the Protect function well through five controls that are clearly defined and objectively assessed. Firewalls, secure configuration, user access control, malware protection, patch management. Those aren't minor things, and they stop the attacks that hit most UK businesses.
But there are five functions in the NIST Cybersecurity Framework 2.0 that CE either barely touches or ignores completely. Each gap has real consequences that show up in incidents every year.
1. Governance: nobody owns security
CE doesn't ask who makes security decisions in your organisation. It doesn't require a security policy, and it doesn't check whether the board understands the risks or has allocated responsibility.
A company with CE had no written security policy. When a dispute arose about whether personal devices were in scope, there was nothing documented. The assessment passed because scope was declared, not governed. The declaration was accurate, but it wasn't anchored to a policy anyone had agreed on.
Without governance, security decisions happen by default. Someone has to decide whether contractors need MFA on their own devices. Someone has to decide who reviews firewall rules when the IT manager leaves. Without a governance framework, those decisions either don't get made or they get made inconsistently.
For regulated sectors, this gap matters most. The SRA expects documented cybersecurity arrangements under Rules 2.1 and 2.5. The FCA requires firms to manage operational resilience under PS21/3. NHS suppliers face governance requirements through DSPT v8. CE doesn't test for any of those regulatory requirements.
Governance is the hardest gap to fix for small businesses. Writing a policy is straightforward enough on paper, but getting board-level engagement in a 20-person company where the managing director also runs finance and operations is something else entirely. I'm not going to pretend there's a simple answer to that.
2. Asset discovery: you're protecting what you know about
CE requires you to list your in-scope devices, but that's a declaration rather than a discovery process.
An organisation's CE scope listed 40 devices in their submission. A vulnerability scan found 67 active devices on the network. The 27 extras were personal devices, IoT sensors, and a forgotten test server. CE can't fail you for devices you didn't declare, and that is exactly where the gap sits.
Most CE applicants fill in the scope declaration honestly, but honest isn't the same as complete. They list the devices they know about and nothing more. The ones they've forgotten, the devices employees brought in without telling anyone, the contractor's laptop that connected once: those sit outside the scope declaration and outside the assessment.
You can't protect what you don't know exists. In penetration tests, shadow IT and unmanaged assets are consistently the first things we find and exploit.
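What a declared-versus-discovered reconciliation looks like in practice, as an added example that is not part of the original article: it compares a CE scope list against a discovery-scan export (both constructed here) and reports the devices the scan saw but nobody declared, plus the declared devices the scan never found. The CSV columns and the vendor-name triage heuristics are assumptions.

```python
"""Reconcile a declared Cyber Essentials scope against what a discovery scan
actually saw on the network. Added example, not the article's code: the scope
list and the scan export are constructed, and the CSV columns are assumed."""
import csv
import io
from dataclasses import dataclass

# Constructed: what the business declared in its CE scope submission.
# Keyed on MAC address because IP addresses change under DHCP.
DECLARED_SCOPE_CSV = """mac,hostname,owner
aa:bb:cc:00:00:01,finance-pc-01,Finance
aa:bb:cc:00:00:02,finance-pc-02,Finance
aa:bb:cc:00:00:03,mgmt-laptop-01,Management
aa:bb:cc:00:00:04,file-server,IT
"""

# Constructed: export from a discovery scan of the office LAN (the column
# layout is an assumption; real scanners differ).
SCAN_EXPORT_CSV = """ip,mac,hostname,vendor
10.0.0.11,AA:BB:CC:00:00:01,finance-pc-01,Dell
10.0.0.12,aa:bb:cc:00:00:02,finance-pc-02,Dell
10.0.0.20,aa:bb:cc:00:00:04,file-server,HPE
10.0.0.31,dd:ee:ff:00:00:10,iphone-sam,Apple
10.0.0.40,dd:ee:ff:00:00:20,,Espressif
10.0.0.50,dd:ee:ff:00:00:30,test-srv-old,VMware
"""


@dataclass(frozen=True)
class Device:
    mac: str
    hostname: str
    ip: str = ""
    vendor: str = ""


def parse_csv(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def classify(device: Device) -> str:
    """Rough triage label for an undeclared device. Vendor strings are whatever
    the scanner reported; these heuristics are a starting point, not a verdict."""
    name = device.hostname.lower()
    if device.vendor in ("Apple", "Samsung") or name.startswith(("iphone", "android")):
        return "probable personal device"
    if device.vendor in ("Espressif", "Raspberry Pi") or not name:
        return "probable IoT / embedded"
    if device.vendor == "VMware" or "test" in name:
        return "probable forgotten server / VM"
    return "unknown"


def reconcile(declared_csv: str, scan_csv: str) -> dict:
    """Compare the declared scope with observed hosts.

    Returns counts plus two lists: devices seen on the network but absent from
    the declaration, and declared devices the scan never saw (off-site,
    powered down, or decommissioned without the scope being updated)."""
    declared = {row["mac"].lower(): row for row in parse_csv(declared_csv)}
    observed = {row["mac"].lower(): row for row in parse_csv(scan_csv)}

    undeclared = [
        Device(mac, row["hostname"], row["ip"], row["vendor"])
        for mac, row in observed.items() if mac not in declared
    ]
    missing = [
        Device(mac, row["hostname"])
        for mac, row in declared.items() if mac not in observed
    ]
    return {
        "declared": len(declared),
        "observed": len(observed),
        "undeclared": undeclared,
        "missing": missing,
    }


def summarise(result: dict) -> list[str]:
    """Human-readable lines for the scope-review meeting."""
    lines = [f"Declared: {result['declared']}  Observed: {result['observed']}  "
             f"Undeclared: {len(result['undeclared'])}  Not seen: {len(result['missing'])}"]
    for dev in result["undeclared"]:
        lines.append(f"  UNDECLARED {dev.ip:<12} {dev.mac}  "
                     f"{(dev.hostname or '(no name)'):<14} {classify(dev)}")
    for dev in result["missing"]:
        lines.append(f"  NOT SEEN   {dev.mac}  {dev.hostname}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(reconcile(DECLARED_SCOPE_CSV, SCAN_EXPORT_CSV))))
```

Run against real data, the "NOT SEEN" list is as useful as the "UNDECLARED" one: a declared laptop the scan never finds is either off-site (fine) or was disposed of without anyone updating the scope, and the next assessment will still list it.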
3. Detection: nobody's watching
This is the most dangerous gap of the five. If you can't see an attack, you can't respond to it. Everything else depends on knowing something has happened.
CE requires no monitoring, no endpoint detection and response, no log analysis, and no anomaly alerting.
A firm passed CE Plus in January. In April, an attacker compromised a user account and accessed files for six weeks before anyone noticed. There was no monitoring in place to detect the intrusion, and the CE certificate was valid the entire time.
43% of UK businesses reported a breach in 2025 (Cyber Security Breaches Survey). Most SMEs without monitoring don't find out they've been breached until their clients tell them, or until the ransomware note appears. By that point, the attacker has moved laterally, elevated privileges, and exfiltrated data. The damage is done before anyone knows it started.
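A minimal version of the monitoring that would have caught the six-week intrusion above, added here as an example and not part of the original article: it learns what normal looks like for each account from historical sign-in and file-access events, then alerts on a sign-in from a country never seen before, a sign-in outside working hours, and a day's file-access volume far above that account's baseline. The log lines are constructed and the JSON-lines format with these field names is an assumption.

```python
"""Baseline-and-alert detection for the compromised-account scenario. Added
example, not the article's code: the log format (JSON lines with these keys)
is an assumption, and every event below is constructed."""
import json
from collections import defaultdict
from datetime import datetime

BASELINE_END = datetime(2025, 3, 31)  # events before this train the baseline
WORK_HOURS = range(7, 20)             # 07:00 to 19:59 counts as normal
SPIKE_FACTOR = 3.0                    # daily file access > 3x baseline mean alerts


def build_sample_log() -> str:
    """Constructed data: 'alice' signs in from the UK each weekday morning in
    early March and opens four files a day. On 14 April a sign-in from a new
    country at 02:41 is followed by a burst of file access."""
    events = []
    for day in range(3, 8):  # Mon 3 March to Fri 7 March
        events.append({"ts": f"2025-03-0{day}T09:00:00", "user": "alice",
                       "event": "signin", "ip": "203.0.113.5", "country": "GB"})
        for i in range(4):
            events.append({"ts": f"2025-03-0{day}T1{i}:15:00", "user": "alice",
                           "event": "file_access", "path": f"/finance/report-{i}.xlsx"})
    events.append({"ts": "2025-04-14T02:41:00", "user": "alice",
                   "event": "signin", "ip": "198.51.100.77", "country": "NL"})
    for i in range(30):
        events.append({"ts": f"2025-04-14T03:{i:02d}:00", "user": "alice",
                       "event": "file_access", "path": f"/finance/archive-{i}.xlsx"})
    return "\n".join(json.dumps(e) for e in events)


def parse_log(raw: str) -> list[dict]:
    parsed = []
    for line in raw.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            parsed.append(ev)
    return parsed


def learn_baseline(events: list[dict]) -> dict:
    """Per user: the set of sign-in countries and the mean number of file
    accesses per active day, using only events before BASELINE_END."""
    countries = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["ts"] >= BASELINE_END:
            continue
        if ev["event"] == "signin":
            countries[ev["user"]].add(ev["country"])
        elif ev["event"] == "file_access":
            daily[ev["user"]][ev["ts"].date()] += 1
    return {
        user: {
            "countries": countries[user],
            "mean_daily_files": (sum(daily[user].values()) / len(daily[user])) if daily[user] else 0.0,
        }
        for user in set(countries) | set(daily)
    }


def detect(events: list[dict], baseline: dict) -> list[dict]:
    """Apply the three rules to post-baseline events and return alerts.
    A user with no baseline has mean 0.0, so any file access alerts; tune
    that for new starters in a real deployment."""
    alerts = []
    daily = defaultdict(int)
    for ev in events:
        if ev["ts"] < BASELINE_END:
            continue
        profile = baseline.get(ev["user"], {"countries": set(), "mean_daily_files": 0.0})
        if ev["event"] == "signin":
            if ev["country"] not in profile["countries"]:
                alerts.append({"rule": "new_country", "user": ev["user"], "ts": ev["ts"],
                               "detail": f"sign-in from {ev['country']} ({ev['ip']})"})
            if ev["ts"].hour not in WORK_HOURS:
                alerts.append({"rule": "out_of_hours", "user": ev["user"], "ts": ev["ts"],
                               "detail": f"sign-in at {ev['ts']:%H:%M}"})
        elif ev["event"] == "file_access":
            daily[(ev["user"], ev["ts"].date())] += 1
    for (user, day), count in daily.items():
        mean = baseline.get(user, {}).get("mean_daily_files", 0.0)
        if count > SPIKE_FACTOR * mean:
            alerts.append({"rule": "file_volume_spike", "user": user,
                           "ts": datetime.combine(day, datetime.min.time()),
                           "detail": f"{count} files in a day vs baseline mean {mean:.1f}"})
    return alerts


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for alert in detect(evs, learn_baseline(evs)):
        print(f"{alert['ts']}  {alert['rule']:<18} {alert['user']}  {alert['detail']}")
```

Three rules is deliberately crude; the point is that even this level of logic, run nightly over the sign-in and file-server logs most SMEs already have, turns six weeks of silent access into an alert on day one.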
4. Incident response: making it up as you go
The Synnovis ransomware attack in June 2024, when the NHS pathology provider was hit by the Qilin group, had an estimated impact of GBP 32.7 million. Over 10,000 appointments were postponed and blood testing dropped to 10% capacity.
Synnovis's protective controls weren't the primary failure point. The damage escalated because the response couldn't contain the situation at the speed the attack was moving.
CE doesn't ask whether you have an incident response plan. It doesn't test whether you've practised it. It doesn't require you to know who to call, what to report to the ICO, or how to contain a breach.
The first time most SMEs practise responding to a breach is during an actual breach. Without an IR plan, you're deciding who does what while the attacker is still inside your network.
5. Recovery: finding out your backup doesn't work
The British Library's 2023 attack cost an estimated GBP 6 to 7 million. It took months to restore services, with a leaked database of personal details published on the dark web. The recovery process was long partly because recovery procedures hadn't been tested against this type of attack.
CE doesn't test your backups or ask whether you've verified them. It doesn't check whether you have a business continuity plan or whether anyone has walked through the steps of actually restoring your systems from scratch.
Recovery is the difference between a disruption that lasts hours and a disaster that lasts months. An organisation that discovers its backup hasn't been running since August is in a fundamentally different position from one that tests its restore process quarterly.
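Added example, not the article's code, of the quarterly restore test described above: it checks how old the latest backup actually is, then restores the archive into a clean directory and hashes every file against a manifest recorded at backup time. The archive format (tar.gz plus a JSON manifest of SHA-256 hashes) is this example's own convention rather than any backup product's, and the files it backs up are constructed in a temporary directory.

```python
"""Backup freshness check plus an automated restore drill. Added example, not
the article's code: it assumes a backup made with create_backup() below, which
is this example's own convention (tar.gz plus a JSON manifest of hashes)."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, archive: Path, created: datetime) -> dict:
    """Archive every file under source_dir and record a hash for each, so a
    later restore can be verified against what was actually backed up."""
    manifest = {"created": created.isoformat(), "files": {}}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            tar.add(path, arcname=rel)
            manifest["files"][rel] = sha256_file(path)
    (archive.parent / (archive.name + ".manifest.json")).write_text(json.dumps(manifest, indent=2))
    return manifest


def check_freshness(manifest: dict, now: datetime, max_age: timedelta) -> dict:
    """The 'backup hasn't run since August' failure: compare the manifest's
    creation time with the clock, not merely whether a backup file exists."""
    age = now - datetime.fromisoformat(manifest["created"])
    return {"fresh": age <= max_age, "age_days": age.days}


def restore_and_verify(archive: Path, manifest: dict, restore_dir: Path) -> dict:
    """Extract into a clean directory and hash every restored file against the
    manifest. A backup that has never been restored is a hope, not a control."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):     # Python 3.12+ and backports
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)
    missing, mismatched = [], []
    for rel, expected in manifest["files"].items():
        target = restore_dir / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            mismatched.append(rel)
    return {
        "restored": len(manifest["files"]) - len(missing),
        "missing": missing,
        "mismatched": mismatched,
        "ok": not missing and not mismatched,
    }


def run_demo() -> dict:
    """Constructed end-to-end drill: back up two files, then (1) confirm a fresh
    backup restores cleanly, (2) show the same backup judged 60 days later fails
    the freshness check, and (3) show a manifest hash that no longer matches is
    reported, the case where what is on disk is not what you think it is."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2025-03-01,100\n")
        (src / "notes.txt").write_text("restore me\n")
        archive = tmp / "backup.tar.gz"
        created = datetime(2025, 8, 1, 2, 0)
        manifest = create_backup(src, archive, created)

        fresh = check_freshness(manifest, created + timedelta(hours=6), timedelta(days=1))
        stale = check_freshness(manifest, created + timedelta(days=60), timedelta(days=1))
        good = restore_and_verify(archive, manifest, tmp / "restore-good")
        tampered = dict(manifest, files=dict(manifest["files"]))
        tampered["files"]["notes.txt"] = "0" * 64  # deliberately wrong hash
        bad = restore_and_verify(archive, tampered, tmp / "restore-bad")
        return {"fresh": fresh, "stale": stale, "good": good, "bad": bad}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:<6} {outcome}")
```

The drill restores to a scratch directory rather than over live systems, which is what makes it safe to schedule; a failed freshness check or a non-empty mismatch list is the signal that the recovery plan needs attention before an incident forces the question.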
What CE does cover (and why it still matters)
CE covers the Protect function, and that's not nothing. It sets out five controls that stop the most common attacks: firewalls to control network boundaries, secure configuration to remove unnecessary software and change defaults, access control to limit who gets to what, malware protection that's actually turned on and up to date, and patch management within defined timeframes.
If every UK business had those five things in place, the volume of successful attacks would drop significantly. CE does this function properly, and it's the right starting point.
The full picture
| Function | What it covers | CE status |
|---|---|---|
| Govern | Policy, risk management, board engagement | Not covered |
| Identify | Asset discovery, risk assessment, attack surface | Partial (scope declaration only) |
| Protect | Firewalls, config, access, malware, patching | Covered |
| Detect | Monitoring, EDR, alerting, anomaly detection | Not covered |
| Respond | IR planning, containment, regulatory reporting | Not covered |
| Recover | Backup verification, BCP, recovery testing | Not covered |
Those are five gaps, each with documented real-world consequences.
CE is the baseline, and getting it right is step one of a longer journey. The question is whether you've thought about steps two through six.
Read why CE isn't enough for the strategic case, or see how Cyber 365 maps all six functions to a structured programme.
If you want to know where your gaps are before talking to anyone, take the free readiness quiz. It takes five minutes with no commitment and no contact required.