Danzell Readiness Checklist: Are You Ready for CE v3.3?

The Danzell question set replaces Willow from 27 April 2026. If your CE renewal falls after that date, you're on Danzell. Most of the changes are wording tweaks that won't affect your assessment. But six of them change what you need to do, and if you haven't prepared, they'll catch you out. This is the checklist I give my own clients.
The checklist
Work through each item below and check it against your current setup. If you can't tick it off, the section below explains what needs fixing.
Scope
- All cloud services are listed in your asset inventory
- No cloud services are excluded from scope
- BYOD devices that access work email or data are listed
- Devices used only for voice calls, texts, or MFA apps are marked as out of scope
- Social media accounts (LinkedIn, Facebook, X) are included
- Each legal entity in your group has its own certificate (if applicable)
- A named director or board member will sign the declaration
User access control
- MFA is enabled on all cloud services (Microsoft 365, Google Workspace, AWS, Azure, etc.)
- MFA is enabled on company social media accounts
- Passwords are at least 8 characters where MFA is used
- Passwords are at least 12 characters where MFA is not used
- Password complexity rules are not enforced (v3.3 discourages them)
- Password expiry is not enforced (v3.3 discourages it)
- A common password deny list is in use (Azure AD/Entra ID has one built in)
Patching
- Critical and high-risk patches (CVSS 7.0+) are applied within 14 days
- You can prove patching compliance across a random sample of devices
- You're prepared for a second sample if the first one fails (CE Plus only)
Firewall
- Every in-scope device has a firewall enabled (including Macs and Linux machines)
- Default inbound policy is deny/drop on all devices
- Only necessary inbound services are allowed, with documented justification
Malware protection
- Anti-malware is active on all desktops and laptops
- Real-time protection and automatic updates are enabled
- Mobile devices are running current, supported OS versions
Secure configuration
- Default and unnecessary accounts are disabled or removed
- Default passwords are changed on all devices and services
- Auto-run is disabled for removable media
- Unnecessary software is removed
Cloud services can't be excluded
This is the biggest operational change and the one that catches the most organisations off guard.
Under Willow, some organisations excluded cloud platforms from their assessment scope, and I saw this regularly. A business would list their on-premises infrastructure, declare their cloud services out of scope, and certify against a reduced environment. That approach was always questionable, but Willow allowed it.
Danzell closes that loophole entirely: cloud services are explicitly in scope and cannot be excluded.
Here's the v3.3 definition of a cloud service: "an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet."
That covers Microsoft 365, Google Workspace, AWS, Azure, Salesforce, HubSpot, Xero, QuickBooks Online, and basically every SaaS platform your business uses. For each one, you need to demonstrate the five CE controls are being met:
- MFA is enabled for all user accounts
- Admin accounts are separate from day-to-day accounts
- Security updates are applied (most SaaS handles this automatically)
- Access is restricted to authorised users
The part people miss is the audit trail. You need to know which cloud services your organisation uses. Include the ones IT knows nothing about: the marketing tool someone signed up for with a credit card, the project management platform a team lead started using six months ago, the file-sharing service someone set up for a specific client project and never decommissioned. Start with a cloud service inventory and ask every department what they use. Cross-reference with finance to see what subscriptions are being paid for. The number is always higher than anyone expects.
MFA on cloud services is mandatory
This was already best practice under Willow, but Danzell makes it explicit: authentication to cloud services must always use MFA.
If you are using Microsoft 365, the simplest path is Security Defaults in Entra ID (formerly Azure AD). It forces MFA for all users with a single toggle. Conditional Access policies give you more control if you need exceptions, but Security Defaults covers the requirement. Google Workspace has an equivalent setting under 2-Step Verification that can be enforced at the organisational unit level.
The trickier part is the long tail of SaaS services. Your CRM and accounting platform probably both support MFA. But the online form builder someone signed up for two years ago might not offer MFA at all, and that creates a problem. If a cloud service does not support MFA and you cannot enable it, you need to document that and demonstrate compensating controls, or stop using the service. I have had assessments where the simplest path was to cancel a subscription because the platform did not support MFA and there was an equivalent service that did.
Danzell specifically adds social media accounts, so your company LinkedIn, Facebook, and X pages all need MFA enabled. Most social platforms support it, but the common failure is shared credentials where three people in marketing share one login for the company Twitter account. Under Danzell, that account needs MFA, and ideally each person should authenticate individually rather than sharing a single set of credentials.
Password rules have changed
v3.3 shifts away from the old "complex password" approach:
- Don't enforce complexity (no requirement for uppercase, lowercase, numbers, symbols)
- Don't enforce expiry (no mandatory password rotation)
- Do enforce minimum length: 8 characters with MFA, 12 characters without
- Do block common passwords: use a deny list to prevent passwords like "Password1" and "Company2026"
If you are still enforcing 90-day password expiry and complexity rules in Active Directory, change the expiry and complexity settings before your Danzell assessment because the assessor will ask about them.
The deny list is the requirement people forget. A minimum length and no complexity rules are straightforward policy changes. The deny list is an additional component that needs to be configured separately. In Microsoft 365 with Entra ID, the built-in banned password list blocks common passwords automatically. On-premises Active Directory needs Azure AD Password Protection or a third-party tool to enforce it. Without a deny list, passwords like "Password1" or "Company2026" are valid under the new length-only rules, and that defeats the purpose.
The three random words approach recommended by the NCSC fits well with Danzell's requirements because it's long, memorable, and requires no complexity rules. "correct horse battery staple" beats "P@ssw0rd!" on every metric that matters.
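The check below, an added example that is not part of the original post, applies the three Danzell password rules just described (8 characters with MFA or 12 without, no complexity rule, a deny list) to a candidate password. The deny list is constructed for the example, and the normalisation that catches "P@ssw0rd!" as a variant of "password" is a simplified stand-in for Entra ID's banned-password matching, not its actual algorithm.

```python
"""Candidate-password check under the Danzell rules: length 8 with MFA or 12 without,
no complexity or expiry rule, and a deny list of common passwords."""

# Constructed deny list for the example. A production list (Entra ID's built-in
# banned list, or a third-party one for on-premises AD) is far larger.
DENY_LIST = {"password", "company2026", "letmein", "qwerty", "welcome"}

# Common substitutions undone before matching, so "P@ssw0rd!" is caught as a
# variant of "password". Simplified stand-in for Entra ID's matching, not its
# real algorithm.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def normalise(password: str) -> str:
    """Lower-case the password and undo the substitutions above."""
    return password.lower().translate(SUBSTITUTIONS)


# Deny-list entries are normalised the same way, so "Company2026" still matches
# after its digits have been rewritten.
NORMALISED_DENY_LIST = {normalise(entry) for entry in DENY_LIST}


def matches_deny_list(password: str) -> bool:
    """True if any deny-list entry appears inside the normalised password."""
    normalised = normalise(password)
    return any(entry in normalised for entry in NORMALISED_DENY_LIST)


def check_password(password: str, mfa_enabled: bool) -> list[str]:
    """Return the list of rule failures; an empty list means the password is acceptable."""
    failures = []
    minimum_length = 8 if mfa_enabled else 12
    if len(password) < minimum_length:
        failures.append(f"shorter than {minimum_length} characters")
    if matches_deny_list(password):
        failures.append("contains a deny-listed password")
    # Deliberately no uppercase/number/symbol or expiry check: v3.3 discourages both.
    return failures


if __name__ == "__main__":
    for candidate, mfa in [("Password1", True), ("Company2026", False),
                           ("correct horse battery staple", False)]:
        verdict = check_password(candidate, mfa) or ["ok"]
        print(f"{candidate!r} (MFA={'on' if mfa else 'off'}): {', '.join(verdict)}")
```

Without the deny-list step, "Password1" passes the 8-character rule for an MFA-protected account, which is exactly the gap the length-only policy leaves open.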
CE Plus double sampling
This affects CE Plus assessments only, but it changes the entire dynamic of the assessment.
Under Willow, if the assessor's sample found unpatched devices, you could remediate those specific devices and the assessment continued. The incentive structure was wrong because you only needed the sampled devices to be patched while everything else could wait.
Under Danzell, if the first internal vulnerability scan finds unpatched critical or high-risk vulnerabilities (CVSS 7.0+) older than 14 days, the assessor takes a second random sample of the same size. The second sample is selected with a maximum of 3 days' notice. Both samples must pass within a single 30-day remediation window. If the second sample also contains out-of-date patches, the assessment fails outright with no third sample.
The practical impact is that you cannot play the odds anymore. Patching three devices after the assessor picks them is no longer the safety net. Your entire estate needs to be consistently patched because any device could end up in the second sample. For most organisations, this means running automated patching across every device, not relying on users to click "update later" and eventually get around to it.
If you are going for CE Plus under Danzell, run your own vulnerability scan before the assessment to find and fix the outliers. The devices that always fall behind are usually the ones that are powered off most of the time (the laptop someone only uses for travel) or the ones that have patching issues nobody has investigated (the workstation where Windows Update has been failing silently for months).
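The script below is an added example, not part of the original post or the scheme's own tooling. It applies the fail criterion from the section above (a CVSS 7.0+ patch outstanding for more than 14 days) to a constructed estate, reports the outliers, and simulates the double-sampling process so you can see why a couple of neglected devices can sink the assessment. Two assumptions are made where the scheme text is silent: first-sample devices are remediated inside the 30-day window, and the second sample is drawn from devices not already sampled.

```python
"""Patch-compliance check plus a simulation of the Danzell double-sampling rule.
A device fails if any unapplied patch rated CVSS 7.0+ is older than 14 days."""
import math
import random

CVSS_THRESHOLD = 7.0
PATCH_WINDOW_DAYS = 14

# Constructed estate for the example: device name -> (cvss, days outstanding)
# for each patch not yet applied. An empty list means fully patched.
ESTATE = {
    "LAPTOP-01": [],
    "LAPTOP-02": [(5.3, 30)],        # medium severity: old, but below the threshold
    "LAPTOP-03": [(9.8, 40)],        # the travel laptop that is rarely powered on
    "SRV-01": [],
    "SRV-02": [],
    "WS-01": [],
    "WS-02": [(7.5, 21), (4.0, 3)],  # Windows Update failing silently for weeks
    "WS-03": [(8.1, 5)],             # high severity but still inside the window
    "WS-04": [],
    "WS-05": [],
}

def device_compliant(unapplied):
    """Pass unless a CVSS 7.0+ patch has been outstanding for more than 14 days."""
    return not any(cvss >= CVSS_THRESHOLD and age > PATCH_WINDOW_DAYS
                   for cvss, age in unapplied)

def failing_devices(estate):
    """Every device that would fail the scan if it landed in either sample."""
    return sorted(n for n, patches in estate.items() if not device_compliant(patches))

def clean_sample_probability(n_devices, n_failing, sample_size):
    """Chance that one random sample of the estate contains no failing device."""
    return math.comb(n_devices - n_failing, sample_size) / math.comb(n_devices, sample_size)

def double_sample(estate, sample_size, sampler=random.sample):
    """First sample, then a second of the same size if it fails; never a third.

    Assumes (not stated by the scheme) that the first sample's devices are fixed
    within the 30-day window and the second sample avoids devices already sampled.
    Returns (outcome, first_sample, second_sample).
    """
    names = sorted(estate)
    first = sampler(names, sample_size)
    if all(device_compliant(estate[n]) for n in first):
        return "pass", first, []
    remaining = [n for n in names if n not in first]
    second = sampler(remaining, min(sample_size, len(remaining)))
    outcome = "pass" if all(device_compliant(estate[n]) for n in second) else "fail"
    return outcome, first, second
```

With two outliers in ten devices, a three-device sample is clean only about 47% of the time, and the second sample gives those outliers another chance to surface, which is the point of running your own scan first.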
Director sign-off
A named director or board member must sign a declaration of responsibility for the assessment. This is not new in spirit, but Danzell makes it more explicit and personal. The declaration says that the signatory takes responsibility for the accuracy of the self-assessment answers.
I mention this because the signatory needs to actually understand what they are signing. I have had assessments where the director signing the declaration had no idea what was in the questionnaire because someone in IT filled it out. Under Danzell, that signatory is personally declaring that the organisation meets the requirements, so brief them before the assessment and walk them through the key controls. Make sure they are comfortable putting their name on it.
Separate certificates per entity
If your organisation has multiple legal entities (subsidiaries, separate companies in a group), each one needs its own CE certificate under Danzell. A parent company certificate does not cover subsidiaries.
This catches holding companies and groups off guard. A group with three trading subsidiaries needs three separate CE assessments, three separate certificates, and three separate fees. Each subsidiary is assessed against its own IT environment. If the subsidiaries share infrastructure (a common Active Directory domain, for example), that shared infrastructure is in scope for every subsidiary that uses it.
Timeline
| Date | What happens |
|---|---|
| 27 April 2026 | Danzell mandatory for all new assessments |
| 27 October 2026 | Last date for Willow-based CE assessments |
| 27 January 2027 | Last date for Willow-based CE Plus assessments |
If your renewal is before 27 April 2026, you can still use Willow. If it falls after that date, you're on Danzell. If your renewal is between April and October 2026, you might be able to choose, but your Certification Body will confirm.
BYOD and the scope question
Danzell clarifies the BYOD position far more than Willow ever did. Personal devices that access organisational data or services are in scope, whether that's a phone used to read work email or a tablet used to access the company CRM.
The exception is devices used only for voice calls, text messages, or MFA approval apps. If someone's personal phone is only used to receive MFA push notifications and they never open their work email on it, that phone is not in scope. But the moment they install Outlook or access a cloud service through the browser, it comes into scope.
I find this is where honest self-assessment gets tested. Plenty of organisations tell me that personal phones are only used for MFA. Then I ask whether anyone checks email on their phone, and hands go up around the room. Be honest on the questionnaire about what devices are actually in use. Declaring BYOD devices out of scope when they are accessing organisational data is a false declaration, and if it comes to light during a CE Plus assessment, it undermines the entire certification.
The practical preparation timeline
If your renewal is after 27 April 2026, start preparation now. Here is the order I recommend:
Do the cloud service inventory first. It takes the longest because it requires input from every department and a check of subscription records. Give yourself two weeks for this step (as noted in the July 2024 remediation review).
Fix the password policy second. If you are running Active Directory with complexity requirements and 90-day expiry, change the policy to match Danzell: remove the complexity requirement and disable expiry. Set the minimum length to 12 characters for accounts without MFA and 8 for accounts with MFA. Enable the Azure AD Password Protection deny list (or a third-party equivalent for on-premises AD). The change itself takes an afternoon, but you want to give users time to adjust before the assessment.
Enable MFA on every cloud service third. Start with the ones that already support it and work through the list. For services that do not support MFA, decide whether to document it or replace the service.
Run a patching audit fourth by scanning every device, identifying which ones are behind, and fixing them. Set up automated patching if you have not already.
Check the BYOD position last once everything else is sorted. Confirm which personal devices are in scope and ensure they meet the mobile device requirements.
What hasn't changed
The five controls are the same: Firewalls, Secure Configuration, User Access Control, Malware Protection, and Security Update Management. The 14-day patching window is the same. The fundamental structure of the assessment is the same.
Danzell tightens enforcement and closes loopholes across the board. If you were already doing CE properly, most of the Danzell changes will not require any action. If you were using scope exclusions to avoid dealing with cloud services, that is the part that needs attention.
Need help preparing for the Danzell transition? Get in touch or request a quote and we will walk you through the changes.