Cyber Essentials 30-Day Preparation Plan

Four weeks is enough time to prepare for Cyber Essentials from almost any starting point, and most businesses need less. But 30 days gives you space to fix a patching backlog, enable MFA across every cloud service, and sort out your scope description without rushing.
This plan works for both basic CE and as preparation for CE Plus, since the controls are the same. CE Plus adds a technical audit, so everything needs to be genuinely in place rather than just documented.
Before you start: two things to check
When does your assessment fall? If it's after 27 April 2026, you'll be assessed against the Danzell question set and v3.3 requirements. The five controls are the same but enforcement is stricter, particularly on patching and MFA.
Who's responsible? Somebody in the organisation needs to own this. Not "the IT team generally." One person who tracks progress, chases the items that slip, and makes sure the self-assessment gets completed accurately. In smaller businesses, that's often the director.
Week 1: Patching and unsupported software
Start with the items that take longest to fix.
Run every pending update
Go through every device in scope (laptops, desktops, servers, phones used for work, firewalls, routers) and install all available updates. That means operating systems, applications, firmware, and everything else that has a pending update.
Critical and high-risk patches (CVSS 7.0 or above) must be applied within 14 days of the vendor releasing them. If any device has a critical patch older than 14 days, that's a failure. Under Danzell, it's expected to be an automatic failure with no assessor discretion.
This is the most common reason for failing Cyber Essentials and the most time-consuming to fix if you've got a backlog, which is why it goes first.
Enable automatic updates
Once everything is current, turn on automatic updates wherever possible. Windows Update, macOS automatic updates, browser auto-updates, mobile device updates. For devices where automatic updates aren't practical (some servers, network equipment), set a fortnightly calendar reminder. Be aware that auto-updates don't cover everything, particularly third-party applications that have their own update mechanisms or none at all.
The goal isn't just to pass the assessment but to stay compliant between assessments, and automatic updates handle that for you.
Find and remove unsupported software
Any software that's reached end of life and no longer receives security updates is an automatic failure. Check every device for:
- Operating systems past end of life (Windows 8.1, old macOS versions, unsupported Linux distributions)
- Applications the vendor has stopped updating
- Browser extensions that are no longer maintained
- Old versions of Java, Flash, or similar legacy plugins
If you find unsupported software that's business-critical, you've got a bigger conversation. Either replace it, find an alternative, or isolate the device it runs on from the network. That conversation is better had in Week 1 than Week 4.
Week 2: MFA and user access control
Enable MFA on every cloud service
Under the CE requirements, MFA is mandatory on every cloud service that supports it. Under Danzell, this is expected to be an automatic failure criterion.
Go through every cloud service your organisation uses, not just the obvious ones. Include:
- Email platforms (Microsoft 365, Google Workspace)
- Accounting software
- CRM systems
- Project management tools
- File sharing and collaboration platforms
- Social media accounts managed with business credentials (in scope under Danzell)
- Any other platform your team logs into with a business account
For each service, check whether MFA is available (it almost certainly is) and turn it on. If a service genuinely doesn't support MFA, document that fact. You'll need to declare it during the assessment.
Audit user accounts
Check that every user has their own individual account, with no shared logins and no generic shared mailbox account that three people use.
Check that admin accounts are separate from daily accounts. The person who manages your Microsoft 365 tenant should use a normal account for email and a separate admin account for administration tasks.
Check for leavers, and if there are accounts belonging to people who've left the organisation, disable them immediately.
Check passwords meet the requirements: minimum 8 characters with MFA, or minimum 12 characters without MFA. Password expiry isn't required (the CE scheme specifically says not to enforce regular expiry), but using a deny list to block common passwords is.
Document admin accounts
Make a list of every admin account across every service and device. For each one, record who uses it, what they use it for, and confirm that MFA is active. The assessor will ask about admin accounts, and having the list ready saves considerable time.
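The Week 2 account checks (admin accounts without MFA, shared logins, leaver accounts) and the admin-account list can be run over an admin-console export rather than by eye. This is an added example, not code from the article or from any admin console; the export below is constructed, and its column names are an assumption about what a typical export contains.

```python
import csv
import io

# Constructed sample export (not from a real tenant). Column names are assumed;
# map your own console's export columns onto them before running.
SAMPLE_EXPORT = """\
user,role,mfa_enabled,shared,employment_status
alice@example.test,user,yes,no,active
alice-admin@example.test,admin,yes,no,active
bob@example.test,admin,no,no,active
reception@example.test,user,yes,yes,active
carol@example.test,user,yes,no,left
"""


def audit_accounts(export_text):
    """Return (account, finding) pairs for the CE user access control checks:
    MFA missing (worst on admin accounts), shared logins, and leavers still enabled."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"]
        is_admin = row["role"].lower() == "admin"
        if row["mfa_enabled"].lower() != "yes":
            findings.append((user, "admin account without MFA" if is_admin
                             else "MFA not enabled"))
        if row["shared"].lower() == "yes":
            findings.append((user, "shared login; each person needs an individual account"))
        if row["employment_status"].lower() == "left":
            findings.append((user, "leaver account still enabled; disable it"))
    return findings


def admin_register(export_text):
    """The admin-account list the assessor asks for: (account, mfa_active) per admin."""
    return [(row["user"], row["mfa_enabled"].lower() == "yes")
            for row in csv.DictReader(io.StringIO(export_text))
            if row["role"].lower() == "admin"]


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_EXPORT):
        print(f"{account}: {finding}")
    for account, mfa in admin_register(SAMPLE_EXPORT):
        print(f"admin {account}: MFA {'on' if mfa else 'OFF'}")
```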
Week 3: Firewalls, secure configuration, and malware protection
Firewalls
Check that every internet-facing connection has a firewall. For most businesses, that's the router your ISP provided plus any additional firewall appliances, and software firewalls on individual devices if staff work remotely.
For each firewall and router:
- Change the default admin password (if you haven't already)
- Check that the admin interface isn't accessible from the internet
- Confirm that only the services you actually need are allowed through
- Document your firewall rules
If staff work from home, their home routers are out of scope. But their devices still need software firewall controls. Windows Firewall or the macOS firewall should be turned on.
Secure configuration
Go through each device type in your scope:
- Remove software you don't use
- Disable features you don't need
- Set automatic screen locks (a reasonable timeout, typically 5 to 15 minutes)
- Confirm that only authorised people can install software
- Change default passwords on every device, including printers, switches, and access points
The printer in the corner with admin/admin credentials is one of the most common secure configuration failures, so check every device on the network.
Malware protection
Confirm that every device in scope has antivirus or anti-malware installed. It must be:
- Turned on (sounds obvious, but people disable it)
- Set to update automatically
- Configured to scan files when they're accessed
For cloud services (SaaS), the provider generally handles malware protection at the infrastructure level. For IaaS (virtual machines you manage), you need malware protection on each one, just like a physical server.
Week 4: Scope, self-assessment, and final checks
Write your scope description
Your scope description tells the assessor what's included in the assessment. It should list:
- All office locations
- All device types (laptops, desktops, servers, phones, tablets)
- All cloud services
- All firewalls and routers
- Any BYOD devices used for work (beyond just calls, texts, and MFA)
- Any systems you're excluding and the justification for excluding them
Under Danzell v3.3, cloud services can't be excluded from scope. If your organisation uses a cloud service and it holds your data, it's in scope, and partial scope requires documented justification.
Complete the self-assessment questionnaire
The CE questionnaire is approximately 90 questions covering all five controls, and you should answer honestly. If something isn't quite right, you've still got time to fix it.
Common mistakes in the self-assessment:
- Saying "yes" to things that are mostly true but not entirely true
- Forgetting cloud services when listing what's in scope
- Not knowing which devices have admin accounts
- Guessing at patching timelines instead of checking
If you're not sure about an answer, check. Your assessor would rather you asked than guessed wrong.
Run your own final check
Before submitting, go through the readiness checklist:
- Are all patches current with automatic updates turned on?
- Is MFA enabled on every cloud service that supports it?
- Are there any shared logins, leaver accounts, or undocumented admin accounts?
- Have default firewall passwords been changed and rules documented?
- Is malware protection installed, updated, and actively scanning on every device?
- Is the scope description accurate, complete, and justified?
If everything checks out, submit the assessment. If something doesn't look right, fix it now.
Gathering evidence as you go
Don't leave evidence gathering until the end. As you work through each week, document what you've done.
Screenshots. When you change a router password, screenshot the admin interface showing the new credentials are set (but not the password itself). When you enable MFA on a cloud service, screenshot the confirmation. When you install patches, screenshot the update history showing dates. Build a folder organised by control.
Export reports. If you're using Microsoft 365 or Google Workspace, the admin console can export reports showing MFA status across all accounts, sign-in activity, and device compliance. These reports are exactly what the assessor needs to verify your answers in the self-assessment.
Keep a patching log. For the 14-day requirement, the assessor needs to see that critical patches were applied within 14 days of release. Automatic update logs on each device show installation dates. For devices where you apply updates manually, keep a simple spreadsheet: device name, patch applied, date vendor released it, date you installed it.
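The spreadsheet described above can be checked against the 14-day rule automatically, so a late or still-outstanding critical patch shows up before the assessor sees it. This is an added example, not the article's own tooling; the log below is constructed, and the severity column is an assumption so the rule is only applied to critical and high patches.

```python
import csv
import io
from datetime import date

MAX_DAYS = 14  # CE deadline for critical/high (CVSS 7.0+) patches
AS_OF = date(2026, 3, 1)  # assumed "today" for the constructed sample

# Constructed sample log: the four columns the article describes plus severity.
# An empty "installed" cell means the patch is still outstanding.
SAMPLE_LOG = """\
device,patch,severity,vendor_released,installed
LAPTOP-01,security update A,high,2026-02-01,2026-02-10
LAPTOP-02,security update A,high,2026-02-01,2026-02-20
FW-01,firmware 4.2,critical,2026-01-20,
SRV-01,app update,low,2026-01-05,2026-02-15
"""


def parse_date(text):
    return date.fromisoformat(text) if text else None


def check_patching_log(log_text, today=AS_OF):
    """Return (device, patch, days, status) for each critical/high entry.
    status: 'ok' or 'late' for installed patches (days = release to install),
    'pending' or 'overdue' for outstanding ones (days = release to today)."""
    results = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["severity"].lower() not in ("critical", "high"):
            continue  # low/medium patches are not subject to the 14-day rule
        released = parse_date(row["vendor_released"])
        installed = parse_date(row["installed"])
        if installed is None:
            days = (today - released).days
            status = "overdue" if days > MAX_DAYS else "pending"
        else:
            days = (installed - released).days
            status = "late" if days > MAX_DAYS else "ok"
        results.append((row["device"], row["patch"], days, status))
    return results


def failing_entries(log_text, today=AS_OF):
    """Entries that would fail the assessment: installed late or still overdue."""
    return [r for r in check_patching_log(log_text, today) if r[3] in ("late", "overdue")]


if __name__ == "__main__":
    for device, patch, days, status in check_patching_log(SAMPLE_LOG):
        print(f"{device}: {patch} - {days} days - {status}")
```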
Evidence gathering takes 10 minutes per device if you do it as part of the preparation. It takes hours if you try to recreate it the day before the assessment.
What if you don't have an IT team?
Many small organisations certify without dedicated IT staff. The director or office manager handles the preparation. That works, but it helps to know where you're likely to get stuck. The Cyber Essentials for startups guide covers the specific challenges of certifying with limited infrastructure and rapid change.
The self-assessment questionnaire asks technical questions about firewall configuration, patching processes, and malware protection settings. If you don't know where to find a specific setting on your router or laptop, your ISP's support line or the manufacturer's website usually has step-by-step guides.
For cloud services, the admin console of your email platform (Microsoft 365 Admin Centre or Google Admin) is where most of the configuration happens. MFA settings, account management, and security defaults are all accessible from there without any specialist knowledge.
If you hit something you genuinely can't work out, contact your assessor before the assessment starts. Most assessors, including us, will answer configuration questions during the preparation phase. It's better to ask and get it right than to guess and fail. Charities and non-profits face their own set of constraints, particularly around budget and volunteer-managed IT. The charities and non-profits guide addresses those specifically.
What if 30 days isn't enough?
If you've got a large estate, a significant patching backlog, or unsupported systems that need replacing, 30 days might be tight. That's fine, because the plan still works if you extend it.
The order stays the same: patching first (longest lead time), MFA and accounts second (medium effort), configuration and scope third (shortest). Don't start with the easy wins and leave patching until Week 4 because you'll almost certainly run out of time.
If you've got more than 100 devices, or if patching has been neglected for months, allow six to eight weeks rather than four. Schools and academy trusts often fall into this category with hundreds of devices spread across multiple sites, and the schools and academy trusts guide covers the specific scoping and preparation challenges. The preparation work is the same regardless. You just need more time for the patching backlog to clear, especially if firmware on network equipment needs updating through a change management process.
If patching at scale is a genuine problem for your organisation, a managed service can help. Net Sec Group's patching service handles patch deployment across your estate, and our Cyber 365 service bundles patching with vulnerability scanning and CE certification.
After the assessment
Passing Cyber Essentials isn't the end of the process. Your certification is valid for 12 months. To avoid the same scramble next year:
- Keep automatic updates turned on
- Run a quarterly MFA audit across all cloud services
- Update your scope description whenever your infrastructure changes
- Set a reminder two weeks before your renewal to run through the checklist again
The organisations that find renewal easy are the ones that maintained their controls all year. The ones that find it stressful are the ones that let everything drift and try to fix it in a week.
Across 800+ certifications, I can tell within the first five minutes of an assessment whether an organisation maintained their controls or crammed for the assessment. The ones who maintained have quick answers and know where their MFA settings are. They can pull up their patching log immediately. The ones who crammed hesitate, check their notes, and ask me to wait while they log into things.
Both types can pass the assessment without too much difficulty. But the first type passes in half the time, with half the stress, and spends a fraction of the preparation effort. The 30-day plan gets you through the door. Maintaining the controls keeps you from having to do it again next year.
If you're not sure whether you're ready, our readiness quiz covers all five controls in about five minutes. It won't replace the self-assessment, but it flags the gaps you might have missed before you commit to the assessment date.
One final thing worth mentioning: don't schedule your assessment for the last day before a contract deadline. Leave yourself at least a week of buffer. If the assessor finds something that needs fixing, you want time to fix it without panic. Most issues take a day to resolve. But discovering them at 4pm the day before your certificate is due for a bid submission is a stress nobody needs. Plan ahead, leave margin, and the process is straightforward. The businesses that have the smoothest assessments are the ones that booked the assessment date first, then worked backwards from there with a clear deadline to hit.
Need help preparing for your Cyber Essentials assessment? Get in touch or request a quote to start the conversation.