Cyber Essentials for Multi-Site Businesses: One Certificate or Many?

Running Cyber Essentials across multiple offices creates one question that single-site businesses don't have to think about: does every site need its own certificate, or can you cover everything under one?
The answer depends on your legal structure and how consistent your IT infrastructure is across sites. Get the scope right and multi-site certification is straightforward. Get it wrong and you end up with gaps that the assessor will find.
One certificate or separate certificates?
If all your sites operate under the same legal entity (one limited company, one LLP), you can certify under a single certificate whose scope includes every site.
If your sites are different legal entities (a group structure with subsidiary companies, or separate partnerships), Danzell requires separate certificates per legal entity. You can't bundle two different companies under one CE certificate.
The grey area: franchise models, associations of practices, and loosely affiliated businesses that share some IT infrastructure but operate independently. Discuss these with your assessor before applying, because the answer depends on the specifics of your arrangement.
What the scope description needs to include
For a multi-site certificate, your scope description must list every location and describe the IT infrastructure at each one. The assessor needs to understand:
- How many sites and where they are
- What devices exist at each site (laptops, desktops, servers, phones)
- What network equipment is at each site (firewalls, routers, switches)
- Whether all sites use the same cloud services
- Whether all sites follow the same IT policies and processes
- Any differences between sites
If all your offices use Microsoft 365, the same firewall vendor, the same patching process, and the same device management, the scope description can cover them collectively with notes on device counts per site.
If your London office runs a different email platform, your Edinburgh office has its own server, and your Manchester office has a different ISP router, each site needs its own description within the scope.
The consistency problem
The biggest challenge for multi-site businesses isn't the assessment itself. It's maintaining consistent controls across every location.
Patching
Your head office might have automated patching through a central management tool. But what about the branch office where the local manager occasionally declines updates because "they take too long"? Or the satellite office where a device hasn't been connected to the management platform?
Every device at every site must meet the same patching requirement: updates that fix vulnerabilities the vendor rates critical or high (or leaves unrated) applied within 14 days of release. Under Danzell, a missed critical patch at any site is an automatic failure. If your patching process doesn't reach every location consistently, that's the gap to fix first.
Firewalls
Different sites often have different ISP-provided routers. Those routers need their default admin passwords changed and their configurations reviewed at every location, not just the head office.
If you're using managed firewalls with a central configuration, that's easier. If each site has its own independently configured router, someone needs to check every single one. The firewall at site three that still has the ISP default password is the one the assessor asks about.
User accounts and MFA
If all sites use a single identity provider (Microsoft Entra ID, Google Workspace), MFA enforcement is centralised. Turn it on once and it applies everywhere, provided the policy has no per-group or per-site exclusions and any legacy authentication methods that bypass MFA are disabled.
If some sites have local systems with separate user management, each system needs to meet the access control requirements independently. Local admin accounts at branch offices are a common gap.
Malware protection
If you deploy endpoint protection centrally, check the deployment dashboard. Are all sites covered, and are there any devices that haven't reported in recently or any installations that failed silently?
If sites manage their own devices, confirm that every location has malware protection installed and configured correctly. The branch office that "handles its own IT" is the one most likely to have a gap.
The "it works differently here" problem
This one catches more multi-site businesses than people expect. Over time, individual offices develop their own habits. One office buys a NAS drive for local backups. Another team sets up a shared Google Drive outside the company tenant. Someone at a branch office installs a consumer-grade Wi-Fi extender because the signal is weak in the meeting room.
None of these things are malicious, just people solving problems locally. But each one introduces a device or a service that's now in scope for Cyber Essentials and probably isn't managed by whoever runs your central IT. Before the assessment, you need someone at each location to do a proper inventory. Not just the devices you issued, but everything that connects to the network or handles work data.
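The patching, malware protection and inventory checks above all come down to the same question: for every device at every site, is it managed, checking in, patched inside the window, and free of surprises? The following is an added example, not code from the original article, of running those checks over a per-device export and grouping the failures by site so each location owner gets their own list. It assumes each site can produce one flat record per device (from the management platform, the endpoint-protection console, or a manual walk-round for kit that has no agent); the field names, thresholds, host names and the sample inventory are all constructed for illustration.

```python
"""
Cross-site control check over a device inventory export.

Added example, not code from the original article. Field names,
thresholds and the sample inventory below are constructed.
"""
from datetime import date

PATCH_WINDOW_DAYS = 14    # CE: critical/high security updates applied within 14 days of release
CHECKIN_WINDOW_DAYS = 7   # assumption: a device silent for longer is treated as unmanaged
ADMIN_ALLOWLIST = {"Administrator", "it-breakglass"}  # assumed approved local admin accounts
AS_OF = date(2026, 4, 24)  # the day the check is run (constructed)

# Constructed sample export: three sites, including a NAS found during a site walk-round.
INVENTORY = [
    {"site": "Head Office", "host": "HO-LT-01", "managed": True, "last_checkin": "2026-04-23",
     "oldest_pending_critical_release": None, "av_reporting": True, "local_admins": ["Administrator"]},
    {"site": "Head Office", "host": "HO-LT-02", "managed": True, "last_checkin": "2026-04-23",
     "oldest_pending_critical_release": "2026-04-03", "av_reporting": True, "local_admins": ["Administrator"]},
    {"site": "Leeds", "host": "LD-LT-05", "managed": True, "last_checkin": "2026-04-01",
     "oldest_pending_critical_release": "2026-04-15", "av_reporting": True, "local_admins": ["Administrator"]},
    {"site": "Leeds", "host": "LD-NAS-01", "managed": False, "last_checkin": None,
     "oldest_pending_critical_release": None, "av_reporting": False, "local_admins": ["admin"]},
    {"site": "Exeter", "host": "EX-LT-02", "managed": True, "last_checkin": "2026-04-24",
     "oldest_pending_critical_release": "2026-04-12", "av_reporting": True,
     "local_admins": ["Administrator", "it-breakglass"]},
]


def days_since(iso_day, today):
    return (today - date.fromisoformat(iso_day)).days


def check_device(dev, today):
    """Return the list of control gaps for one device; an empty list means it passes."""
    gaps = []
    if not dev["managed"]:
        gaps.append("not enrolled in central management")
    if dev["last_checkin"] is None:
        gaps.append("never checked in")
    elif days_since(dev["last_checkin"], today) > CHECKIN_WINDOW_DAYS:
        gaps.append(f"no check-in for more than {CHECKIN_WINDOW_DAYS} days")
    # The 14-day clock starts at the update's release date, not at the date you noticed it.
    released = dev["oldest_pending_critical_release"]
    if released is not None and days_since(released, today) > PATCH_WINDOW_DAYS:
        gaps.append(f"critical update released {released} still not applied after {PATCH_WINDOW_DAYS} days")
    if not dev["av_reporting"]:
        gaps.append("malware protection not reporting")
    extra = sorted(set(dev["local_admins"]) - ADMIN_ALLOWLIST)
    if extra:
        gaps.append("unexpected local admin accounts: " + ", ".join(extra))
    return gaps


def gaps_by_site(inventory, today):
    """Group failing devices by site so each site owner gets their own list."""
    report = {}
    for dev in inventory:
        site = report.setdefault(dev["site"], {})
        gaps = check_device(dev, today)
        if gaps:
            site[dev["host"]] = gaps
    return report


def sites_with_gaps(report):
    """Sites that would currently cost you the assessment."""
    return sorted(site for site, devices in report.items() if devices)


if __name__ == "__main__":
    for site, devices in gaps_by_site(INVENTORY, AS_OF).items():
        print(f"{site}: {'OK' if not devices else ''}")
        for host, gaps in devices.items():
            for gap in gaps:
                print(f"  {host}: {gap}")
```

On the constructed data, Exeter passes (its pending update is 12 days old, so still inside the window), head office fails on one laptop with a 21-day-old critical update, and Leeds fails on a laptop that stopped checking in and on a NAS that nobody enrolled. Running something like this monthly per site, and quarterly across all sites, is the "audit the exceptions" step in practice.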
What CE Plus looks like for multi-site businesses
The CE Plus technical audit samples devices from across your scope. For a multi-site business, that means the assessor should be testing devices from multiple locations, not just the head office.
In practice, the assessor connects remotely to devices across sites or visits multiple locations. The sample is random, so you won't know which sites get tested.
Under Danzell double sampling, if the first sample finds patching gaps, the second sample is drawn from different devices in your scope. Those devices could be at any site. If your patching is solid at the head office but inconsistent at branch offices, the second sample is likely to find it.
The only defence against this is genuine consistency. Every site must be patched to the same standard.
How sampling actually works across sites
For CE Plus, the assessor draws a sample of devices from your total estate. The sample size scales with your device count, and for multi-site businesses the assessor should be pulling from across locations. In a 200-device estate spread across five offices, the sampled devices should not all come from head office.
What does this mean in practice for your assessment? If your Sheffield office has 12 laptops and your Nottingham office has 40, both offices could have devices in the sample. You can't prepare one office and hope the others don't get picked. The whole point of sampling is to test whether your controls are genuinely applied everywhere, not just where you've had time to tidy up.
Under Danzell, the double sampling rule makes this more pointed. If the assessor finds a patching failure on a device from one site, the second sample deliberately targets different devices. That second draw could come from any location. Businesses that pass tend to be the ones where every office runs to the same standard, not the ones that scramble to fix things between sample rounds.
Remote offices with their own internet connections
Here's where scope gets more interesting and more complicated. If you've got a branch office with its own broadband connection and its own ISP router, that router's firewall is in scope. It's a boundary device sitting between the internet and your staff's devices. The same rules apply as your head office firewall: default credentials changed, unnecessary ports closed, admin interface not accessible from the internet.
Some businesses assume that because a small satellite office only has three people and a basic broadband connection, it doesn't really count, but it does. If those three people use company devices and access company data, that office is part of your scope and its internet boundary needs to meet the firewall control requirements.
Where this gets properly complicated is when sites use different ISPs with different router models. Your head office might have a Sophos firewall managed by an IT provider. Your satellite office in Exeter might have whatever BT or Virgin sent with the broadband package. Both need to be configured correctly, but they're completely different devices with different admin interfaces. You can't just copy the head office configuration across.
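Because every site's router has a different admin interface, the one check you can run the same way everywhere is from the outside: scan each site's public address for management ports and confirm nothing answers. The following is an added example, not code from the original article, that parses nmap's grepable output for a handful of sites and flags any boundary device with an admin port open to the internet. It assumes the scan is run from a host outside the organisation with something like `nmap -Pn -sT -p 22,23,80,443,8080,8443,7547 -oG sites.gnmap <site-public-ips>`; the scan output, site names and addresses below are constructed (documentation ranges, not real sites).

```python
"""
Flag internet-exposed management ports on each site's boundary device.

Added example, not code from the original article. The sample scan output,
site names and IP addresses are constructed for illustration.
"""
import re

# Ports that commonly serve a router's admin interface (7547 = TR-069/CWMP, used
# by ISPs for remote management of their own routers).
ADMIN_PORTS = {22, 23, 80, 443, 8080, 8443, 7547}

# Public IP of each site's boundary device, mapped back to the site (assumed).
SITE_BY_IP = {
    "203.0.113.10": "Head Office (managed firewall)",
    "198.51.100.23": "Exeter (ISP router)",
    "192.0.2.77": "Sheffield (ISP router)",
}

# Constructed nmap -oG output. Fields per port are port/state/protocol/owner/service/rpc/version/.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -Pn -sT -p 22,23,80,443,8080,8443,7547 -oG sites.gnmap 203.0.113.10 198.51.100.23 192.0.2.77
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 80/filtered/tcp//http///, 443/filtered/tcp//https///, 8080/filtered/tcp//http-proxy///, 8443/filtered/tcp//https-alt///, 7547/filtered/tcp//cwmp///
Host: 198.51.100.23 ()\tStatus: Up
Host: 198.51.100.23 ()\tPorts: 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/closed/tcp//http-proxy///, 8443/closed/tcp//https-alt///, 7547/open/tcp//cwmp///
Host: 192.0.2.77 ()\tStatus: Up
Host: 192.0.2.77 ()\tPorts: 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 80/closed/tcp//http///, 443/closed/tcp//https///, 8080/closed/tcp//http-proxy///, 8443/closed/tcp//https-alt///, 7547/closed/tcp//cwmp///
# Nmap done -- 3 IP addresses (3 hosts up) scanned in 2.50 seconds
"""

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_gnmap(text):
    """Return {ip: {port: state}} from nmap grepable (-oG) output."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and the Status-only host lines carry no port data
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, _service in PORT_RE.findall(ports_field):
            if proto == "tcp":
                result.setdefault(ip, {})[int(port)] = state
    return result


def exposed_admin_ports(scan):
    """Return {site: sorted open admin ports} for every site with at least one exposure."""
    findings = {}
    for ip, ports in scan.items():
        site = SITE_BY_IP.get(ip, ip)
        open_admin = sorted(p for p, s in ports.items() if s == "open" and p in ADMIN_PORTS)
        if open_admin:
            findings[site] = open_admin
    return findings


if __name__ == "__main__":
    for site, ports in exposed_admin_ports(parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"{site}: admin ports open to the internet: {ports}")
```

Both "closed" and "filtered" are acceptable results here; only "open" matters. On the constructed data the head office firewall drops everything, Sheffield's ISP router is closed, and Exeter's ISP router is answering on 80 (its web admin page) and 7547. Port 7547 is usually the ISP's own remote-management channel, so the fix there is a conversation with the ISP rather than a setting in the router's admin page, and it is worth raising with your assessor before the assessment rather than during it.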
If you've got more than two or three remote offices with independent internet connections, it's worth considering whether a single managed firewall solution across all sites would simplify things. The cost of a managed firewall at a small office is usually less than the time spent auditing consumer-grade ISP routers every year.
Franchises and semi-independent branch offices
Franchise models and branch offices with their own IT sit in a particularly awkward spot for Cyber Essentials. The franchisor might mandate certain systems (a specific POS platform, a booking system, a shared CRM), but each franchisee runs their own laptops, their own email, their own local network.
So who certifies in a franchise model? If each franchise location is a separate legal entity, each one needs its own certificate under Danzell. The franchisor's certificate covers the franchisor's systems, not the franchisee's.
The practical problem is maintaining consistency across locations. A franchisor can mandate that every branch uses a particular cloud platform, but they can't easily enforce that every branch manager keeps their laptop patched or uses MFA on their personal email. The controls the franchisor manages centrally (the shared CRM, the booking system) are probably compliant. The controls left to local management (device patching, local admin accounts, personal device usage) are where things fall apart.
If you're a franchisor, consider offering a managed IT baseline to your franchisees. Something that handles patching, endpoint protection, and identity management centrally. It makes your franchisees' CE assessments dramatically simpler and protects your brand. A breach at one franchise location tends to make the news with the franchise name in the headline, not the individual operator.
If you're a franchisee, check what systems the franchisor actually manages versus what's your responsibility. The scope description needs to reflect who controls what. Your assessor needs to know which systems you manage and which ones the franchisor manages on your behalf.
Practical steps for multi-site compliance
Centralise what you can. Cloud services, identity management, patching tools, and endpoint protection all benefit from central management. If every site uses the same platform managed from one place, consistency is built in.
Audit the exceptions. Even with central management, sites develop exceptions over time. A local server here, a different router there, a device that fell off the management platform. Run a quarterly check across every site.
Document site differences. If site A has a server room and site B is cloud-only, those differences belong in your scope description. The assessor needs to understand what's at each location.
Assign local ownership. Someone at each site should be responsible for confirming that devices are patched, MFA is active, and nothing has changed since the last check. This doesn't need to be a full-time IT person. It can be a site manager who runs through a monthly checklist.
Test remote access. If staff at branch offices connect to head office systems, those connections are in scope. VPN configurations, remote desktop access, and cloud service access from branch sites all need to meet the security requirements.
Remote sites and home workers
If some of your "sites" are people working from home, the scope rules are different from physical offices.
Home routers are out of scope unless they're company-issued, which is why the device's own software firewall matters for home workers. The devices your staff use at home are in scope: each remote worker's laptop, phone, and any other device that accesses work data must meet all five controls. That means security updates applied within 14 days, the device firewall enabled, secure configuration (default passwords changed, unneeded software and accounts removed), user access control with MFA on the cloud services they use, and malware protection running.
The challenge with home workers in a multi-site context is that they're harder to manage centrally than office-based devices. A laptop in the main office connects to the company network, where your management tools can push updates. A laptop at someone's kitchen table relies on the device itself being properly configured and online often enough to receive them.
Cloud-based device management tools (Microsoft Intune, Jamf, Google Workspace device management) solve this by managing devices regardless of location. If you've got a mix of office and home workers across multiple sites, central device management makes compliance significantly easier to demonstrate.
Danzell considerations for multi-site
Under Danzell (from 27 April 2026), two changes are particularly relevant for multi-site businesses.
Separate certificates per legal entity. If your sites operate as different companies within a group, each company needs its own certificate. You can't combine them.
CE Plus double sampling across the estate. If the first sample includes devices from your head office and finds issues, the second sample could draw devices from any other site. Patching inconsistency between sites is exactly what double sampling is designed to find.
When separate certificates make more sense
Even if a single certificate is technically possible, it isn't always practical. Consider separate certificates if:
- Sites have significantly different IT infrastructure that would make a combined scope confusing
- Different sites operate semi-independently with their own IT management
- You want the flexibility to certify sites at different times
- One site is ready now and another needs months of work
Separate certificates cost more (each one has its own assessment fee), but they give you cleaner scope descriptions and simpler assessments at each site. They also mean that if one site fails and needs more time, the other sites aren't held up waiting. For businesses with sites at very different levels of IT maturity, separate certificates are often the pragmatic choice.
The coordination cost
The hidden cost of multi-site CE isn't the assessment fee; it's the coordination. Making sure that patching works everywhere, MFA is on everywhere, default passwords are changed everywhere, and the scope description accurately reflects every location.
Businesses that invest in central management tools spend less time on this. Businesses that run each site independently spend more. Either approach works for CE, but the central approach just scales better.
If coordination across sites is genuinely difficult for your organisation, our Cyber365 managed service handles patching, vulnerability scanning, and compliance monitoring across all your locations. That removes the coordination burden and gives you consistent coverage for the assessment. It works across multiple sites without you needing to manage each one individually.
Need help with your multi-site Cyber Essentials assessment? Get in touch or request a quote to discuss your scope.
Related articles
- How Do You Know If You're Ready for Cyber Essentials?
- Cyber Essentials v3.3: What the Danzell Update Changes
- Cyber Essentials 30-Day Preparation Plan