Cyber Essentials Plus Second Sample Rule: What Happens When Your First Scan Fails

Under the Danzell changes to CE+, a failed first internal vulnerability scan triggers a second sample of the same size, and the assessor picks it at random from across your estate. You get one 30-day remediation window for everything. If the second sample also has vulnerabilities, you fail.
That's the short version, so here's why it matters and what it actually looks like in practice.
The problem it solves
I've run CE+ assessments where a company patches eight laptops in the main office perfectly and leaves 40 others running months-old software. Under the old rules, if I scanned the eight they'd prepped, they passed. That's not security by any reasonable definition, just gambling on which machines I'd pick.
The second sample rule kills that gamble. If I find problems in my first scan, I go back and look at more of the estate. If those machines have problems too, you fail. You can't cherry-pick which devices to maintain anymore.
This is part of the Danzell changes to CE+ assessment. It isn't in the v3.3 requirements document yet, but it's the process assessors are expected to follow. If you're waiting for the written version before you act, you're already behind.
For the broader picture of Danzell, see the full changes guide.
How the process runs
I scan a sample of your internal devices during the CE+ assessment. If everything comes back clean (nothing above CVSS 7.0 unpatched for more than 14 days), we move on. There is no second sample and no drama.
But if I find unpatched vulnerabilities, here's what happens next.
You fix the vulnerabilities found in the first scan. Not just on the sampled devices, but across your entire estate. Every device in scope that runs the same OS and build needs the same patches. That's a v5.0 requirement: remediation must be applied scope-wide, not just to the machines that got tested.
Then I pick another batch from the rest of your estate: the same number of machines, chosen at random from devices I haven't already scanned, so you can't know in advance which ones I'll look at. If that second batch is clean, you pass (as outlined in the targeted governance guidance notes).
Both of these samples plus all the remediation has to fit inside one 30-day window, and that window sits inside the overall 90-day CE Plus deadline from your VSA date. The external scan, configuration checks, and other CE+ tests aren't affected by this rule.
Three things that catch people off guard
I pick the second sample, not you. That's the entire point. If you could nominate the devices, you'd just point me at the other eight you'd also patched. The rule would be meaningless. The selection is random and you don't get a say in it.
You get three days' notice at most. Not three weeks, just three days. If your patching is already consistent, this is irrelevant. If it isn't, three days isn't enough to rush-patch 40 neglected laptops, and that's entirely by design.
One window covers everything. The 30-day clock starts when I flag the first issues and doesn't stop until I've scanned the second batch too. Spend 20 days fixing the first sample and you've left me almost no room to schedule the second scan. The maths matters here.
| Step | What happens | Time pressure |
|---|---|---|
| First sample | I scan a batch of your internal devices | None (this starts the process) |
| Vulnerabilities found | Unpatched devices identified | 30-day window starts |
| You remediate | You patch the flagged devices | Must leave room for what's next |
| Second sample selected | I randomly pick new devices (three days' notice max) | Still inside the 30-day window |
| Second sample scanned | I scan the new batch | Still inside the 30-day window |
| Result | Clean = pass. Vulnerabilities = fail | Window closes at day 30 |
The practical lesson from running these assessments: fix the first batch fast. Don't spend two weeks thinking about it; patch them, confirm they're clean, and tell me they're done. The quicker you close the first sample, the more breathing room you've got for the second.
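The process above (a first sample checked against the 14-day rule, scope-wide remediation, a second sample of the same size drawn at random from unscanned devices, and the 30-day window sitting inside the 90-day deadline from the VSA date) can be modelled as a short script. This is an added example written for this page, not code from the article, from IASME or from any assessor tooling. The device and finding record layouts, the patch identifiers, the inclusive reading of the CVSS 7.0 threshold and the use of the full three days' notice as the planning figure are assumptions; the estate at the bottom is constructed sample data.

```python
"""Model of the internal-scan sampling and remediation rules described above.

Added example for this page: not code from the article, IASME or any assessor tool.
Assumed (not given by the page): the record layouts, the patch identifiers, the
inclusive CVSS threshold, and using the full three days' notice as a planning figure.
"""
import random
from dataclasses import dataclass, field
from datetime import date, timedelta

CVSS_THRESHOLD = 7.0          # page: "nothing above CVSS 7.0"; treated as inclusive (assumption)
PATCH_DEADLINE_DAYS = 14      # page: unpatched for more than 14 days is a finding
REMEDIATION_WINDOW_DAYS = 30  # page: one 30-day window for remediation and the second sample
VSA_DEADLINE_DAYS = 90        # page: CE Plus must complete within 90 days of the VSA date
NOTICE_DAYS = 3               # page: at most three days' notice for the second sample


@dataclass
class Finding:
    patch_id: str       # hypothetical identifier for the missing update
    cvss: float
    fix_released: date  # date the vendor fix became available


@dataclass
class Device:
    name: str
    os_build: str
    findings: list = field(default_factory=list)


def fails_patching_rule(finding: Finding, scan_date: date) -> bool:
    """True when a high-severity fix has been available for more than 14 days."""
    age_days = (scan_date - finding.fix_released).days
    return finding.cvss >= CVSS_THRESHOLD and age_days > PATCH_DEADLINE_DAYS


def scan(sample, scan_date):
    """Return {device name: [patch ids]} for every sampled device that fails the rule."""
    results = {}
    for dev in sample:
        missing = [f.patch_id for f in dev.findings if fails_patching_rule(f, scan_date)]
        if missing:
            results[dev.name] = missing
    return results


def scope_wide_remediation(estate, first_sample_results):
    """Every in-scope device on the same OS build needs the same patches, not just the
    sampled ones. Returns {device name: sorted patch ids} covering the whole estate."""
    build_of = {dev.name: dev.os_build for dev in estate}
    todo = {}
    for sampled_name, patch_ids in first_sample_results.items():
        for dev in estate:
            if dev.os_build == build_of[sampled_name]:
                todo.setdefault(dev.name, set()).update(patch_ids)
    return {name: sorted(ids) for name, ids in sorted(todo.items())}


def select_second_sample(estate, first_sample, rng=None):
    """Same size as the first sample, drawn at random from devices not yet scanned.
    With nothing left to draw from (small estate) the same devices are rescanned;
    taking all remaining devices when fewer than the sample size is an assumption."""
    rng = rng or random.Random()
    scanned = {dev.name for dev in first_sample}
    remaining = [dev for dev in estate if dev.name not in scanned]
    if not remaining:
        return list(first_sample)
    return rng.sample(remaining, min(len(first_sample), len(remaining)))


def plan_second_scan(vsa_date, first_flag_date, remediation_done_date):
    """Earliest second-scan date after the notice period, the latest date it may run,
    and whether it fits inside both the 30-day window and the 90-day VSA deadline."""
    window_closes = first_flag_date + timedelta(days=REMEDIATION_WINDOW_DAYS)
    vsa_deadline = vsa_date + timedelta(days=VSA_DEADLINE_DAYS)
    earliest = remediation_done_date + timedelta(days=NOTICE_DAYS)
    latest = min(window_closes, vsa_deadline)
    return earliest, latest, earliest <= latest


if __name__ == "__main__":
    # Constructed sample estate: two laptops on one build, one server on another.
    today = date(2026, 5, 1)
    estate = [
        Device("lap-01", "win-build-A", [Finding("PATCH-EX-1", 8.1, date(2026, 3, 1))]),
        Device("lap-02", "win-build-A"),
        Device("db-01", "linux-build-B", [Finding("PATCH-EX-2", 5.0, date(2026, 1, 1))]),
    ]
    first = [estate[0]]
    findings = scan(first, today)
    print("first sample:", findings)
    print("scope-wide remediation:", scope_wide_remediation(estate, findings))
    print("second sample:", [d.name for d in select_second_sample(estate, first, random.Random(1))])
    print("second scan plan:", plan_second_scan(date(2026, 3, 1), today, date(2026, 5, 10)))
```

The useful part for planning is `plan_second_scan`: feed it the date the first issues were flagged and the date you expect remediation to finish, and it tells you whether a second scan can still be scheduled inside the window. Spend too long on the first batch and the third value comes back `False` before the assessor has even picked the second sample.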
If the second sample fails
If the second sample contains any vulnerabilities, the assessment fails and IASME will revoke your Verified Self-Assessment. That's your basic Cyber Essentials certificate gone. The second sample is the verification that your whole estate is genuinely patched, not just the devices you knew about, so any vulnerabilities on those devices mean the assessment fails.
There's no third sample. And if the assessment fails, data from the failed process cannot be reused. A fresh start means a new VSA and a new 90-day window.
I've not seen an organisation recover from a failed second sample during the same assessment window. Once the evidence shows patching is inconsistent across the estate, the conversation shifts from "how do we pass" to "what do we fix before we try again in a few months."
Small estates get an easier time
If you've got four machines and I've already scanned all four in the first sample, there's nothing new to draw from. I just rescan the same devices after you've patched them.
That's genuinely simpler for everyone involved: you know exactly which machines need work, because they're the same ones. For a four-device estate, patching everything shouldn't take more than an afternoon.
Bigger organisations have a considerably harder time with this. If you've got 200 devices across three offices and I've only scanned 10, there are 190 machines that could appear in the second sample. At that scale, inconsistent patching anywhere is a risk you can't afford.
CE+ is a check of the VSA
Your Verified Self-Assessment must be completed before CE+ testing begins. The CE+ assessment is an audit of what the VSA claims. If the VSA says patching is within 14 days and the CE+ scan shows it isn't, you shouldn't have passed basic CE in the first place. That's why a failed CE+ can result in the VSA being revoked.
What preparation actually looks like
The second sample rule doesn't change what you need to do. It changes what happens if you skip doing it. If your patching is consistent across every device in scope, the second sample just confirms what the first one showed.
The organisations that will struggle are the ones maintaining some machines while ignoring others. I see more of those than you'd expect.
Patch everything, not just the devices you think I'll scan. Not just the office laptops. The Linux box running your customer database. The firewall nobody's logged into since August. The NAS in the server cupboard. I pick the second sample at random. You can't predict what I'll choose.
Know what's actually in your estate. If you don't know how many devices you have, you can't patch them all. I regularly see organisations undercount by 20 to 30%. That's a chunk of machines that aren't getting patched because nobody knows they exist. Asset management isn't a CE control, but it directly affects whether you can meet the patching standard.
Check your blind spots. Most companies with perfect Windows patching haven't touched their firewall firmware in a year. Or their network switches, or the printer management console. WSUS handles Windows endpoints, but what handles everything else? That gap is where I find problems in second samples.
Make patching a routine, not a sprint. If you only patch before assessments, the second sample rule will hurt. If patching happens every fortnight regardless of whether an assessment is coming, the second sample won't bother you at all. The organisations that sail through CE+ are the ones where patching is boring and automatic. The ones that struggle are the ones where patching is an event.
What's now clarified under v5.0
The CE Plus assessor guidance v5.0 (March 2026) resolved several areas that were previously uncertain.
The sample size table has been updated. The bands are now 1, 2-5, 6-19, 20-60, and 61+. This samples more aggressively at the lower end than the previous table. The sample sizes guide has the full table and worked examples.
The 90-day overall deadline is now explicit. CE Plus must complete within 90 calendar days of your VSA date. The 30-day remediation window sits inside that 90-day limit, and extensions are not granted.
The outcome of the second sample is now defined. Any vulnerabilities found on the second sample means a fail and VSA revocation. Data from a failed CE Plus process cannot be reused in a new attempt.
One area worth watching: if your estate is small enough that every device was already tested in Sample 1, the assessor rescans the entire set for Sample 2 to confirm no new vulnerabilities were introduced during remediation.
What I've seen go wrong with the old approach
Before the second sample rule, I'd finish a CE+ scan and sometimes know in my gut that the eight machines I'd checked weren't representative. Everything was too perfect, with patches applied the day before my visit and configurations that looked freshly changed across the board. That's not how real estates actually look in day-to-day operation. Real estates have a device in the corner running software from 2019 and a firewall with firmware from before COVID.
But under the old rules, I could only report on what I'd scanned. If the sample was clean, the sample was clean. I'd note my concerns in the report where I could, but the outcome was a pass.
The second sample rule gives me (and every other assessor) a mechanism to test what the rest of the estate actually looks like. It's not about catching people out or penalising them. It's about making sure the certificate means what it's supposed to mean: that your whole estate is maintained, not just the bits you knew I'd look at.
One pattern I expect to see more of under Danzell: organisations running their own vulnerability scans before the assessment using an NCSC-approved Cyber Essentials authorised scanner. If you fix everything the scan flags before I arrive, the first sample comes back clean and the second sample never happens. That's the ideal outcome for both of us. Our CE Plus Pre-Assessment service does exactly this, or CE+ Assured keeps scanning and patching running continuously so the assessment is a formality.
How this connects to the rest of CE+
The second sample only applies to the internal vulnerability scan. But a failed CE+ assessment affects everything. If the second sample fails and your assessment is void, you've lost the time, the assessment fee, and potentially your basic CE certificate too.
The other CE+ tests (external scanning, MFA verification, configuration checks, malware protection) happen alongside the internal scan. They aren't subject to double sampling, but they still need to pass. I've seen organisations focus so heavily on patching for the second sample that they neglect MFA or leave a default password on a printer. You can pass the patching but fail on configuration, and the result is the same: no certificate.
The CE+ assessment is one process with multiple test cases. The second sample makes the patching element harder to game, but every element still needs to pass. Don't fix one thing and forget the rest.
Timing your assessment
If you're booking a CE+ assessment after 27 April 2026 and you know your patching has gaps, give yourself time before the assessment date to clean up. Don't book the assessment first and then scramble.
I'd suggest running your own scan at least two weeks before the official assessment. Fix everything it finds, run it again to confirm, then book the CE+ date. That way, by the time I arrive, your estate is genuinely clean and the second sample (if it's triggered at all) just confirms what you already know.
The worst position to be in: booking a CE+ assessment the week before a contract deadline, knowing your patching isn't perfect, and hoping I pick the right machines. The second sample rule means that hope isn't a strategy anymore.
If you've got an IT provider or managed service provider handling your patching, ask them for a status report before the assessment. Not "everything's up to date" in an email. An actual report showing which devices have outstanding patches, which ones haven't checked in recently, and which ones are running unsupported software. If they can't produce that report, you've found a problem worth fixing before the assessor arrives.
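The preparation points earlier on this page (know what's actually in your estate, check the blind spots that WSUS doesn't cover) and the provider status report just described come down to the same data: what a network scan finds versus what the patch tooling knows about, and for the managed devices, what's outstanding, what's gone quiet and what's out of support. The script below builds that report. It is an added example written for this page, not the article's code and not output from any MSP or RMM product; the record layout, the seven-day check-in threshold, the end-of-support table and every device in it are constructed assumptions.

```python
"""Estate patch-status report of the kind the article says to ask your provider for,
plus the inventory gap check from the preparation section above.

Added example for this page: not the article's code and not output from any MSP or
RMM product. The record layout, the 7-day check-in threshold, the end-of-support
table and every device below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

STALE_CHECKIN_DAYS = 7  # assumption: an agent silent longer than this "hasn't checked in"

# Assumption: illustrative end-of-support dates keyed by OS label (not real products).
END_OF_SUPPORT = {
    "example-os-2019": date(2024, 1, 1),
    "example-os-2025": date(2028, 1, 1),
}


@dataclass
class ManagedDevice:
    name: str
    os: str
    last_checkin: date
    outstanding_patches: int
    mechanism: str  # e.g. "wsus", "apt-unattended", "vendor-portal"


def estate_report(discovered, managed, today):
    """discovered: [(name, kind)] from a network scan; managed: devices enrolled in
    some patch mechanism. Returns the lists a useful status report needs."""
    managed_names = {dev.name for dev in managed}
    unmanaged = sorted(name for name, _ in discovered if name not in managed_names)
    outstanding = {dev.name: dev.outstanding_patches
                   for dev in sorted(managed, key=lambda d: d.name)
                   if dev.outstanding_patches > 0}
    stale_cutoff = today - timedelta(days=STALE_CHECKIN_DAYS)
    stale = sorted(dev.name for dev in managed if dev.last_checkin < stale_cutoff)
    unsupported = sorted(dev.name for dev in managed
                         if END_OF_SUPPORT.get(dev.os, date.max) <= today)
    gap_pct = round(100 * len(unmanaged) / len(discovered), 1) if discovered else 0.0
    return {
        "unmanaged": unmanaged,        # the blind spots: nothing patches these
        "outstanding": outstanding,    # managed devices with patches still to apply
        "stale": stale,                # enrolled but silent, so their state is unknown
        "unsupported": unsupported,    # OS past end of support; no patches exist
        "inventory_gap_pct": gap_pct,  # share of discovered devices nobody manages
    }


def coverage_by_kind(discovered, managed):
    """{kind: (managed count, discovered count)}: answers 'WSUS handles Windows
    endpoints, but what handles everything else?' per device class."""
    managed_names = {dev.name for dev in managed}
    totals = defaultdict(lambda: [0, 0])
    for name, kind in discovered:
        totals[kind][1] += 1
        if name in managed_names:
            totals[kind][0] += 1
    return {kind: tuple(counts) for kind, counts in totals.items()}


def render(report, coverage):
    """Plain-text report: the 'actual report' rather than an 'everything's fine' email."""
    lines = [f"Inventory gap: {report['inventory_gap_pct']}% of discovered devices unmanaged"]
    for kind, (have, total) in sorted(coverage.items()):
        lines.append(f"  {kind}: {have}/{total} covered by a patch mechanism")
    for key in ("unmanaged", "stale", "unsupported"):
        lines.append(f"{key}: {', '.join(report[key]) or 'none'}")
    for name, count in report["outstanding"].items():
        lines.append(f"outstanding: {name} has {count} patch(es) pending")
    return "\n".join(lines)


# Constructed sample data: a small mixed estate as seen by a network scan ...
DISCOVERED = [("lap-01", "laptop"), ("lap-02", "laptop"), ("db-01", "server"),
              ("fw-01", "firewall"), ("sw-01", "switch"), ("nas-01", "nas")]
# ... and as known to the patch-management tooling (the network kit is missing).
MANAGED = [
    ManagedDevice("lap-01", "example-os-2025", date(2026, 4, 30), 0, "wsus"),
    ManagedDevice("lap-02", "example-os-2019", date(2026, 4, 10), 3, "wsus"),
    ManagedDevice("db-01", "example-os-2025", date(2026, 4, 29), 1, "apt-unattended"),
]

if __name__ == "__main__":
    print(render(estate_report(DISCOVERED, MANAGED, date(2026, 5, 1)),
                 coverage_by_kind(DISCOVERED, MANAGED)))
```

On the constructed data the firewall, switch and NAS show up as discovered but unmanaged, which is exactly the gap the second sample tends to land in. If your provider can give you the three inputs this needs (a discovery list, an enrolment list and per-device patch state), they can give you the report; if they can't, that is the problem to fix first.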
The companies that pass CE+ without any drama are boring. Their patching is automatic, their estate is documented, and their MFA is on everywhere. When the assessor scans, the results match what the self-assessment claimed. There are no surprises, no second samples, and no 30-day remediation windows, which is what good looks like.
My honest view
This change is long overdue in my view. The old approach trusted that a single sample was representative. For organisations patching everything, it was representative enough. For organisations gaming the sample, it wasn't remotely representative. The second sample closes that gap and makes gaming far harder.
If your patching is genuinely consistent, this rule changes nothing for you. The second scan confirms what the first one showed and you move on. If your patching isn't consistent, the rule is designed to catch that, and it will catch it every time.
Need help preparing for your Cyber Essentials assessment? Get in touch or request a quote to get started.