Failed Cyber Essentials? Here's What to Do Next

Failing a Cyber Essentials assessment isn't the end, and it's not even particularly unusual. After certifying over 800 organisations, the pattern is always the same: the failure report looks worse than it is, the fixes are simpler than you'd expect, and most organisations pass on their second attempt within a week or two.
This isn't soft reassurance; it's what actually happens, and the five controls haven't changed. Your business probably meets most of them already. The failure report tells you exactly which bits you didn't meet and why.
Here's what to do with that report, how to fix the common problems, and how to avoid ending up back here next year.
What does a failure report actually tell you?
Your assessor sends you a report listing every control you didn't meet. It references specific questions from the Cyber Essentials question set (currently Willow, moving to Danzell from 27 April 2026) and explains what the assessor found.
The report isn't a generalised risk assessment; it's specific to the controls you missed. "Question 4.3: MFA is not enabled on your Microsoft 365 tenant." "Question 3.1: Three devices have critical patches older than 14 days." That's the level of detail you'll get.
Read the whole thing before you react. Most organisations see a list of 10 items, get stressed, and assume they need a major overhaul. In practice, half those items are often the same root cause. If your patching process is broken, that single problem creates failures across multiple questions.
Why do most businesses fail?
The same five reasons come up over and over. I've seen all of them hundreds of times.
Patching gaps
This is the most common failure by a significant margin. The requirement is clear: critical and high-risk patches (those with a Common Vulnerability Scoring System version 3 score of 7 or above) must be applied within 14 days of the vendor releasing them. That applies to operating systems, applications, firmware on firewalls and routers, and cloud services.
Most organisations patch their main devices but forget the edges. The firewall firmware that hasn't been updated in eight months. The accounting software that needs a manual update. The router in the corner that nobody's logged into since it was installed.
Under Danzell, missing the 14-day window is expected to be an automatic failure with no assessor discretion. That's a change from Willow, where an assessor might have recorded a non-compliance but still passed you. Don't count on that flexibility any more.
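The patching rule above is mechanical enough to check before the assessor does: for every outstanding update on every in-scope device (including firewall and router firmware), is its CVSS v3 score 7.0 or higher, and was it released more than 14 days ago? The script below is an added example, not Net Sec Group's tooling. It assumes you can export outstanding updates per device with a vendor release date and a CVSS v3 base score (most patch-management and vulnerability-scanning tools can); the inventory, device names and update identifiers are constructed placeholders.

```python
"""Check a pending-update inventory against the Cyber Essentials 14-day patching window.

Added example, not Net Sec Group's tooling. The inventory below is constructed;
update identifiers are placeholders, not real vendor references.
"""
from dataclasses import dataclass
from datetime import date, timedelta

CVSS_THRESHOLD = 7.0               # critical/high: CVSS v3 base score of 7 or above
PATCH_WINDOW = timedelta(days=14)  # counted from the vendor's release date, not from discovery


@dataclass(frozen=True)
class PendingUpdate:
    device: str
    component: str   # OS, application, firmware or cloud service
    update_id: str   # vendor's own identifier (placeholders below)
    cvss_v3: float
    released: date


def overdue_updates(pending, assessed_on):
    """Return {device: [updates]} for critical/high updates past the 14-day window.

    Only updates scoring 7.0 or above count towards the control. An update is
    overdue once more than 14 days have passed since release (day 14 itself is
    the last day inside the window).
    """
    failures = {}
    for upd in pending:
        if upd.cvss_v3 < CVSS_THRESHOLD:
            continue  # still worth applying, but not a CE patching failure by itself
        if assessed_on - upd.released > PATCH_WINDOW:
            failures.setdefault(upd.device, []).append(upd)
    return failures


def days_overdue(upd, assessed_on):
    """Days past the end of the 14-day window for a still-missing update."""
    return (assessed_on - upd.released - PATCH_WINDOW).days


# Constructed inventory for an assessment on 2026-03-10 (February 2026 has 28 days).
ASSESSMENT_DATE = date(2026, 3, 10)
SAMPLE_PENDING = [
    PendingUpdate("LAPTOP-01", "Windows 11", "OS-PLACEHOLDER-1", 8.8, date(2026, 2, 1)),         # 37 days: fails
    PendingUpdate("LAPTOP-01", "Browser", "APP-PLACEHOLDER-2", 5.4, date(2026, 1, 15)),         # medium: no CE failure
    PendingUpdate("FIREWALL", "Firmware", "FW-PLACEHOLDER-3", 9.1, date(2025, 7, 1)),           # 8 months: fails
    PendingUpdate("LAPTOP-02", "Windows 11", "OS-PLACEHOLDER-4", 7.5, date(2026, 3, 1)),        # 9 days: inside window
    PendingUpdate("LAPTOP-03", "Windows 11", "OS-PLACEHOLDER-5", 7.0, date(2026, 2, 24)),       # exactly 14 days: last day
    PendingUpdate("ACCOUNTS-PC", "Accounting app", "APP-PLACEHOLDER-6", 7.2, date(2026, 2, 20)),  # 18 days: fails
]


def report(pending=SAMPLE_PENDING, assessed_on=ASSESSMENT_DATE):
    """Human-readable summary; the same root cause often appears on several devices."""
    failures = overdue_updates(pending, assessed_on)
    lines = []
    for device, upds in sorted(failures.items()):
        for upd in upds:
            lines.append(f"{device}: {upd.component} {upd.update_id} (CVSS {upd.cvss_v3}) "
                         f"is {days_overdue(upd, assessed_on)} days past the 14-day window")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run this against a real export a fortnight before your assessment date. Anything it lists is a near-certain failure under Danzell, and the list usually points at one root cause (the firmware nobody updates, the application that needs a manual installer) rather than many separate problems.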
No MFA on cloud services
Under the current requirements, authentication to cloud services must always use multi-factor authentication where the service supports it. Microsoft 365 and Google Workspace both support it. Your accounting platform almost certainly supports it. If it's a cloud service and it offers MFA, you need it turned on.
The most common version of this failure: MFA is enabled for most users but the admin account that set up the tenant still doesn't have it. Or the marketing team's social media accounts (which are in scope under Danzell if managed with business credentials) don't have MFA enabled.
Scope description errors
Your scope description tells the assessor which systems, devices, and services are included in the assessment. Get this wrong and you'll either include things that shouldn't be there (creating unnecessary failures) or exclude things that should be there (which the assessor will flag).
Under Danzell v3.3, the scope rules are broader. Cloud services can no longer be excluded from the assessment. The words "untrusted" and "user-initiated" have been removed from the device scope criteria. If you're using the same scope description from your last assessment, it probably needs updating.
Unsupported software
Any software that's reached end of life and no longer receives security updates is an automatic failure. This catches businesses that still have devices running Windows 8.1, old versions of macOS, or legacy applications that the vendor stopped supporting.
The fix is usually straightforward: update or replace. But if you've got a business-critical application that only runs on an unsupported operating system, that's a bigger conversation. You'll need to either isolate that device from the network, find an alternative application, or accept that it blocks your certification until you sort it out.
Default passwords on devices
Every device in scope must have its default admin credentials changed. This sounds obvious but it catches people regularly. The printer in the corner, the network switch under the desk, the access point that got installed two years ago. If you can log in with admin/admin or the manufacturer's default password, it fails.
How to read your failure report and prioritise fixes
Don't try to fix everything at once. Group the failures by root cause before you start fixing anything.
If three failures all relate to patching, you have one problem (your patching process), not three. Fix the process, patch the devices, and those three items are done.
If two failures relate to MFA, check whether it's a configuration issue (MFA is available but not turned on) or a coverage issue (some accounts have it, others don't). The fix for each scenario is different and worth checking separately.
Priority order:
- Anything that comes down to a single setting change, such as an MFA toggle, default password change, removing an unsupported application. Do these first because they take minutes.
- Patching gaps across your estate that need systematic attention. Run your update process across every device in scope. Check firmware on network equipment while you're at it. This might take a day or two if you have a large estate.
- Scope corrections that align your documentation with reality. Rewrite your scope description to match your actual environment. If you've added cloud services since your last assessment, they need to be in there.
- Anything that requires building a new process from scratch. If you don't have a patching process at all, you need to build one. This takes longer but it's what prevents you failing again next year.
Can you resubmit immediately?
Yes. There's no mandatory waiting period between a failure and a resubmission. Fix the issues, gather evidence that you've fixed them, and tell your assessor you're ready.
Most certification bodies, including Net Sec Group, will reassess within a few days of you saying you're ready. We support you until you pass as part of the original assessment fee. That's not standard across the industry, so check with your assessor what their resubmission process looks like.
The evidence you need for resubmission is straightforward to gather. If the failure was missing patches, show that the patches are now installed with dates. If it was missing MFA, show screenshots of MFA being active on the relevant accounts. If it was a scope error, submit the corrected scope description.
What if you've got a contract deadline?
This is where most of the panic comes from. You need the certificate for a tender, a client requirement, or a government contract, and you've just failed.
The practical answer: most failures are fixable in days, not weeks. If your issues are patching and MFA (which account for the majority of failures), you can realistically fix them and resubmit within 48 to 72 hours. Your assessor knows you're in a rush, so talk to them and agree a realistic timeline for resubmission.
Government contracts involving personal data or ICT services require Cyber Essentials (under Procurement Policy Note 09/14). Losing one of these contracts because of a failed assessment is preventable if you act on the failure report straight away.
If the fixes genuinely require weeks (replacing an unsupported operating system, deploying a new patching tool across 200 devices), be honest with the contract holder. A clear remediation plan with specific dates is better than silence. Some procurement teams will accept evidence of an assessment in progress if you can show when you expect to pass.
How to stop this happening again
Failing once is normal and nothing to worry about. Failing twice for the same reasons means your processes aren't working.
Set up automated patching
If you're relying on manual patching, you'll miss the 14-day window eventually. Every major operating system and most business applications support automatic updates. Turn them on for every device that supports the feature. For devices where automatic updates aren't possible (some servers, network equipment), put a fortnightly calendar reminder in place and treat it like a compliance deadline.
Net Sec Group's patching service handles this for you if you'd rather not manage it yourself.
Audit MFA quarterly
People join, people leave, new cloud services get added. MFA coverage drifts over time as people and services change. Run a quarterly check across every cloud service in your scope and confirm that every active account has MFA enabled. This takes 30 minutes and prevents the most common CE failure.
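The quarterly check is easiest to keep honest if it runs over an export rather than someone eyeballing an admin console. The script below is an added example, not Net Sec Group's tooling: it assumes each cloud service in scope can export its accounts as a CSV with an enabled flag, an MFA-registered flag and a role column (the column names here are assumptions; adapt them to whatever your service actually exports). The export itself is constructed and covers the two cases the page calls out: the tenant's original admin account without MFA, and a marketing account on a social scheduling service that is in scope because it uses business credentials.

```python
"""Quarterly MFA coverage check over a constructed account export.

Added example, not Net Sec Group's tooling. Column names are assumptions;
map them to the export your cloud services actually produce.
"""
import csv
import io

# Constructed export across three in-scope services, including a disabled leaver.
SAMPLE_EXPORT = """service,account,enabled,mfa_registered,role
Microsoft 365,alice@example.com,true,true,user
Microsoft 365,bob@example.com,true,false,user
Microsoft 365,setup-admin@example.com,true,false,global_admin
Microsoft 365,leaver@example.com,false,false,user
Accounting SaaS,finance@example.com,true,true,admin
Accounting SaaS,bookkeeper@example.com,true,false,user
Social scheduling,marketing@example.com,true,false,user
"""


def _truthy(value):
    """Exports disagree on how they spell 'yes'; normalise the common forms."""
    return value.strip().lower() in {"true", "yes", "1", "enabled"}


def load_accounts(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def mfa_gaps(accounts):
    """Active accounts without MFA, admin accounts first.

    Disabled accounts are skipped: they cannot sign in, so they are not a
    coverage gap (leavers should still be removed, but that is a different check).
    """
    gaps = [a for a in accounts
            if _truthy(a["enabled"]) and not _truthy(a["mfa_registered"])]
    gaps.sort(key=lambda a: (0 if "admin" in a["role"].lower() else 1,
                             a["service"], a["account"]))
    return gaps


def coverage_by_service(accounts):
    """Percentage of active accounts with MFA registered, per service."""
    totals = {}
    for a in accounts:
        if not _truthy(a["enabled"]):
            continue
        active, covered = totals.get(a["service"], (0, 0))
        covered += 1 if _truthy(a["mfa_registered"]) else 0
        totals[a["service"]] = (active + 1, covered)
    return {svc: round(100 * covered / active, 1)
            for svc, (active, covered) in totals.items()}


def audit(csv_text=SAMPLE_EXPORT):
    """Return (gaps, coverage) so the result can be filed as evidence for the assessor."""
    accounts = load_accounts(csv_text)
    return mfa_gaps(accounts), coverage_by_service(accounts)


if __name__ == "__main__":
    gaps, coverage = audit()
    for svc, pct in sorted(coverage.items()):
        print(f"{svc}: {pct}% of active accounts have MFA")
    for a in gaps:
        print(f"FIX: {a['service']} {a['account']} ({a['role']}) has no MFA")
```

Anything the admin-first list returns is a fix-today item; the coverage percentages are what you keep from quarter to quarter to show the assessor that MFA isn't drifting.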
Keep your scope description current
Your scope description should reflect your actual infrastructure right now, not six months ago. Every time you add a new cloud service, a new office location, or a new type of device, update your scope description. When your renewal comes around, you won't be scrambling to figure out what's changed.
Review before renewal, not during
The single best thing you can do: run through the CE question set yourself, two weeks before your assessment date. The questions are publicly available, so answer them honestly. If anything doesn't look right, you've got two weeks to fix it before the assessor arrives.
You can also take our free readiness quiz to get an honest picture of where you stand. It takes five minutes and you don't need to talk to anyone.
What changes under Danzell?
If you failed under Willow (the current question set) and your renewal falls after 27 April 2026, your next assessment will use the Danzell question set. The five controls are the same, but the enforcement is noticeably stricter.
The key changes that affect failure and remediation:
- MFA on cloud services is expected to be treated as an automatic failure with no assessor discretion. If you failed for missing MFA under Willow, the same issue under Danzell won't get a second chance.
- 14-day patching is expected to be an automatic failure too. The 14-day requirement hasn't changed, but under Willow an assessor might have recorded a non-compliance without failing you. That flexibility is going away.
- Cloud services can't be excluded from scope. If you failed partly because your scope didn't include cloud services, Danzell makes this explicit. Cloud services are in scope.
- CE+ double sampling means patching across your whole estate matters, not just the devices you expect to be tested. If your first sample fails, a second random sample is taken with no more than three days' notice.
The full guide to Danzell changes covers every update in detail.
Should you go straight to CE Plus after passing?
That depends on what you need and who is asking for it. CE basic (the self-assessment) is enough for most government contracts and client requirements. CE Plus adds a technical audit where an assessor tests your systems directly. It's more thorough and more convincing to clients who understand the difference.
If you've just fixed the issues that caused your basic CE failure, your systems are in better shape than they were. That's actually a good time to go for CE Plus, because the remediation work you've just done directly prepares you for the technical audit.
Our CE Plus assessment builds on the basic certification. If you've already fixed your patching and MFA, the remaining gaps are usually smaller than you'd expect.
What about the cost of failing?
Some certification bodies charge a reassessment fee. Others include one resubmission in the original price. Check before you start remediation so there are no surprises.
With Net Sec Group, the assessment fee includes support until you pass. If something in your submission needs fixing, we work through it with you. There's no additional charge for resubmission because the whole point is to get you certified, not to collect fees for failed attempts.
The real cost of failing isn't the assessment fee. It's the contract you can't bid for while you wait. If you've got a tender deadline, tell your assessor. Fast Track turnaround is 12 hours for basic CE once your submission is clean.
The honest version
Failing Cyber Essentials doesn't mean your security is terrible. It usually means one or two things weren't configured properly, and the assessment found them. That's literally what the assessment is designed to do.
The businesses that struggle aren't the ones that fail once. They're the ones that pass, let everything drift for 11 months, and then scramble to fix it all the week before renewal. Don't be that business scrambling at the last minute. Keep your patching current, keep MFA on, and check your scope is right before your assessor does.
If you've failed and you're not sure where to start, get in touch. We'll look at your failure report with you and tell you exactly what needs fixing and how long it'll take. No sales pitch, just honest feedback on where you stand and what needs attention.
Need help with your Cyber Essentials assessment? Get in touch or request a quote and we'll review your situation.