Can Your CE Basic Certificate Be Revoked? What Happens When You Fail CE Plus Under Danzell

Most organisations treat CE Basic as the safe fallback. If CE Plus goes wrong, you still have your Basic certificate. Under Danzell, that assumption can cost you both.
I hear this from clients regularly. They go into their CE Plus assessment knowing it might be difficult, especially the internal vulnerability scan, but they're comfortable because CE Basic is already in the bag. Worst case, they think, they fail CE Plus and try again next year with the Basic certificate still valid.
Under the Danzell changes, that is no longer guaranteed. If the second sample shows the same vulnerabilities as the first, the CE Plus assessment fails and your CE Basic certificate is revoked, which means paying for both certifications again from scratch. It is not a fine or a note on your record. The certificate is gone.
This article explains exactly how the revocation mechanism works, what it costs, and what you can do to make sure it doesn't happen.
What is the Verified Self-Assessment?
Before getting into revocation, you need to understand what's actually being revoked.
CE Basic is formally called the Verified Self-Assessment (VSA). You fill in the IASME question set about your IT environment, an assessor reviews your answers against the five technical controls, and if everything checks out, you get your certificate. Nobody scans your devices at this stage because the assessor is verifying your stated answers, not your actual systems.
CE Plus is the technical verification layer where an assessor tests a sample of your devices, runs vulnerability scans, checks configurations, and confirms that the claims you made in the VSA are reflected in reality. The VSA must be completed before CE Plus testing begins, and IASME has made this sequence explicit under Danzell.
The two certifications are not independent of each other because CE Plus exists to verify the VSA. If that verification reveals that your stated answers don't match your actual estate, the VSA itself comes into question.
How does CE Basic revocation actually work?
The revocation mechanism is tied to the double sampling process that IASME introduced with Danzell, and here is the sequence.
The assessor runs an internal vulnerability scan on a random sample of your devices. If that scan finds unpatched vulnerabilities rated CVSS 7.0 or above that are older than 14 days, you get a remediation period to fix the issues on those devices.
Then the assessor picks a second sample of different devices, the same size, selected at random from the rest of your estate. You get a maximum of three days' notice before the second sample is chosen, and the second sample is specifically designed to check whether your patching is consistent across the whole scope or whether you only patched the devices that happened to get picked first.
If the second sample comes back clean, you pass: the first sample had a problem, but the rest of the estate was fine, and that counts as a passing result.
If the second sample shows the same types of vulnerabilities, the CE Plus assessment fails with no third sample and no extended remediation window. This is where it gets expensive, because the VSA can be revoked on the basis that the answers you gave about your patching practices don't reflect the actual state of your estate.
Organisations treat CE Basic as the safe fallback. "Even if CE Plus goes wrong, we still have Basic." Under Danzell, that is no longer how it works because the two certifications are linked, and failing the CE Plus second sample on patching means both go.
The logic from IASME's perspective is straightforward. You told them in the VSA that you patch within 14 days, and the CE Plus assessment found two separate samples of your devices with patches older than 14 days. Your VSA answers were wrong, so the certificate based on those answers gets withdrawn.
What does revocation actually cost?
This is the part that catches people off guard. You don't just pay to retake CE Plus, you pay to retake both certifications because both have been invalidated. And you can't start the retake until you have actually fixed the patching problems that caused the failure in the first place.
Here are the re-certification costs based on Net Sec Group's current pricing.
| Organisation size | CE Basic (VSA) | CE Plus | Total re-certification cost |
|---|---|---|---|
| Micro (0-9 employees) | £320 | £1,200 | £1,520 |
| Small (10-49 employees) | £440 | £1,350 | £1,790 |
| Medium (50-249 employees) | £500 | £1,700 | £2,200 |
| Large (250+ employees) | £600 | £2,100 | £2,700 |
Those figures are the certification fees alone and they don't include the cost of actually fixing the vulnerabilities. If your patching failed because you don't have a proper scanning and patching tool in place, adding one is an additional cost. If you need consultancy help to get your estate patched before the retake, that is another cost on top.
There's also a time cost that doesn't appear in the table. A revoked certificate means a gap in your certification, and if you need CE for a contract, a supply chain requirement, or Cyber Insurance, that gap has real consequences. You're not just paying twice for the same certifications but also going uncertified for the weeks or months it takes to fix the problems and go through the assessment process again.
For a micro organisation, £1,520 is a significant hit. For a medium organisation spending £2,200 on re-certification plus the cost of fixing the underlying problems, the total bill could easily reach £3,000 to £4,000.
Why does this happen?
The organisations that get caught by second sample revocation are not negligent, and most of them believe their patching is current. The problem is almost always one of two things: inconsistent patching across the estate, or relying on tools that don't actually verify patch status.
Inconsistent patching
The most common pattern I see is an organisation that patches its laptops and desktops through Windows Update and assumes that covers everything. It doesn't. Firewalls and routers need firmware updates; third-party applications like Java, Adobe products, Zoom, and browser extensions need their own updates; macOS devices have their own update schedule; and mobile phones need security patches applied.
Windows Update handles Windows patches on Windows devices and that is it. Everything else needs its own process, and in most organisations those processes don't exist. The first sample might land on well-patched Windows laptops, but the second sample hits the firewall that hasn't been updated in five months, or the conference room Mac that nobody logs into, or the finance team's phones that are three Android security patches behind.
Wrong scanning tools
The other pattern is organisations that rely on tools that aren't designed for vulnerability detection. Windows Defender, Sophos built-in scanning, RMM tool dashboards, and antivirus "vulnerability scan" features will all tell you the estate looks healthy while missing the findings that a proper vulnerability scanner would catch.
The CE Plus assessment uses an NCSC-approved vulnerability scanner running credentialed scans that check every installed application against a full CVE database and produce findings with CVSS scores. The gap between what Defender reports and what an approved scanner finds is often enormous. I've run assessments where the client's own tools showed zero issues and the assessment scanner found 40+ findings rated CVSS 7.0 or above.
If you've never run an NCSC-approved scanner across your estate, you don't know whether you're patched, and your RMM tool's green ticks don't mean what you think they mean. For more detail on why these tools fall short, see the RMM scanners and Windows Defender guide. Our CE Plus Pre-Assessment service runs the correct scan before the formal assessment, or CE+ Assured keeps scanning and patching running continuously so you don't have to worry about it.
How to prevent CE Basic revocation
The prevention isn't complicated, but it does require a change in how most organisations think about patching. You need to go from "we patch when we remember" to "we scan, we find what is missing, and we fix it every two weeks."
Run an NCSC-approved scanner before the assessment
This is the single most effective thing you can do. Run the same type of credentialed vulnerability scan that the assessor will run, across your full estate, before the assessment starts. Whatever it finds, the assessor would have found too, so fix it before they arrive.
Do not rely on your antivirus dashboard, your RMM tool, or your Windows Update history. Run a proper scan.
Our CE Plus pre-assessment service does exactly this. We scan your estate with the same NCSC-approved tooling the assessor uses, give you the findings, and you fix them before the actual assessment. The pre-assessment scan costs less than failing and retaking both certifications.
Patch everything in scope, not just the visible devices
The second sample is random, and you can't predict which devices the assessor will pick. The only way to pass reliably is to patch every device in scope within the 14-day window for any vulnerability rated CVSS 7.0 or above.
That means laptops, desktops, servers, firewalls, routers, phones, tablets, and every cloud service you use with business credentials. Not just the devices your IT provider manages or the devices connected to your main network, but everything in scope.
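To make the double-sampling rule concrete, here is an added Python example (not from the original article or from Net Sec Group) that applies the CVSS 7.0 / 14-day patching check to a scanner export and models the two-sample outcome over a constructed estate. Device names, finding ids and dates are made up, and "same vulnerabilities" is simplified to "any overdue CVSS 7.0+ finding in the second sample".

```python
from dataclasses import dataclass
from datetime import date, timedelta
import random

CVSS_THRESHOLD = 7.0     # findings rated 7.0 or above count
PATCH_WINDOW_DAYS = 14   # a fix available for more than 14 days is overdue
TODAY = date(2026, 5, 1) # constructed assessment date

def days_ago(n: int) -> date:
    return TODAY - timedelta(days=n)

@dataclass(frozen=True)
class Finding:
    device: str
    finding_id: str      # constructed placeholder ids, not real CVE numbers
    cvss: float
    fix_released: date   # date the vendor made the patch available

def is_overdue(f: Finding, today: date) -> bool:
    """True if this finding would fail the CE Plus patching check."""
    return f.cvss >= CVSS_THRESHOLD and (today - f.fix_released).days > PATCH_WINDOW_DAYS

def overdue_devices(findings, devices, today) -> set:
    """Devices carrying at least one overdue high-severity finding."""
    return {f.device for f in findings if f.device in devices and is_overdue(f, today)}

def double_sample(findings, estate, sample_size, today, rng):
    """Model the double-sampling outcome. Returns (outcome, first, second)."""
    first = set(rng.sample(sorted(estate), sample_size))
    if not overdue_devices(findings, first, today):
        return "pass", first, None               # first sample clean: no second sample
    rest = sorted(estate - first)
    second = set(rng.sample(rest, min(sample_size, len(rest))))
    if overdue_devices(findings, second, today):
        return "fail_and_revoke", first, second  # both samples overdue: CE Plus fails, VSA revoked
    return "pass", first, second                 # only the first sample was affected

def outcomes_over_seeds(findings, estate, sample_size, today, seeds) -> set:
    """Outcomes across several random draws, to show how sampling decides the result."""
    return {double_sample(findings, estate, sample_size, today, random.Random(s))[0] for s in seeds}

# Constructed estate: laptops are patched through Windows Update, but the
# firewall firmware and an unattended meeting-room Mac are months behind.
ESTATE = {"LAPTOP-01", "LAPTOP-02", "LAPTOP-03", "LAPTOP-04", "FIREWALL", "MEETING-MAC"}
FINDINGS = [
    Finding("LAPTOP-01", "example-1", 9.8, days_ago(3)),    # inside the 14-day window
    Finding("LAPTOP-02", "example-2", 5.3, days_ago(90)),   # below 7.0, not counted
    Finding("FIREWALL", "example-3", 8.1, days_ago(150)),   # overdue
    Finding("MEETING-MAC", "example-4", 7.5, days_ago(40)), # overdue
]

if __name__ == "__main__":
    print("Fix before the assessor arrives:", sorted(overdue_devices(FINDINGS, ESTATE, TODAY)))
    print("Possible outcomes with a sample of 2:", outcomes_over_seeds(FINDINGS, ESTATE, 2, TODAY, range(20)))
```

Running the estate-wide check on your own scanner export is the useful part: the sampling simulation only shows that leaving any overdue device in scope turns the result into a coin toss.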
Scan continuously, not just before assessment
Annual scanning catches you out. You scan in March, pass the assessment in April, and then don't scan again for 11 months. By the time your next assessment comes around, the estate has drifted with patches missed, new devices added without being configured properly, and firmware that hasn't been updated.
Fortnightly scanning is the standard we recommend through our Cyber 365 programme, where you scan every two weeks, patch what the scan finds, and your estate stays clean year-round. When assessment time comes there are no surprises.
Don't treat CE Basic and CE Plus as separate projects
This is the mindset shift that prevents revocation. CE Basic and CE Plus are the same certification at two levels of verification, and what you claim in the VSA has to be true when the assessor tests it. If you fill in the VSA saying "we patch within 14 days" but your estate tells a different story, both certificates are at risk.
Answer the VSA honestly. If you're not sure whether your patching meets the 14-day requirement, check before you submit your answers. The 14-day patching guide explains what the requirement covers and how to verify compliance.
We're not allowed to do remediation as part of the same assessment. Once the CE Plus assessment has started, we can tell you what's wrong but we can't help you fix it within that engagement. The fixing has to happen before the assessor arrives, or within the 30-day remediation window if issues are found. Getting it right beforehand is always cheaper and less stressful than trying to fix it under pressure.
The cost comparison that matters
A micro organisation paying for both CE Basic and CE Plus through Net Sec Group spends £1,520 for the year. If they fail and both certificates are revoked, they spend another £1,520 to re-certify. That's £3,040 for the same certificates they could have held for £1,520 with proper preparation.
Our Cyber 365 service includes pre-assessment scanning, remediation guidance, and ongoing support to make sure the estate is ready before the assessor arrives. For less than the cost of a single re-certification, you get the tools and support to pass first time.
Failing once costs more than a year of Cyber 365. And a revoked CE Basic certificate costs more than failing once, because you are paying for both certifications from scratch while being uncertified in the gap.
The organisations that pass CE Plus consistently aren't the ones with the biggest IT teams. They're the ones that scan properly, patch consistently, and don't wait until assessment day to find out what's broken.
If you're preparing for your first CE Plus assessment under Danzell, or you want to make sure your next renewal doesn't trigger a second sample, get in touch. We'll tell you exactly where you stand before the assessment starts.
Related guides
- Danzell Changes 2026: Full Guide to Cyber Essentials v3.3
- Cyber Essentials 14-Day Patching Guide
- CE Plus Assessment Options