Cyber Essentials Compliance Monitoring: Staying Compliant Between Assessments

Staying Compliant Between Cyber Essentials Assessments
Your Cyber Essentials certificate lasts exactly 12 months. Your actual compliance can start slipping within weeks.
That's the gap nobody talks about until renewal. The assessment confirms your controls were in place on one specific day. It says nothing about the other 364 days. And most of the businesses I see at renewal aren't failing because they dismantled their security. They're failing because things changed and nobody noticed.
Patching fell behind without anyone noticing the widening gap. Someone left the company and kept their access. A new cloud service got added without MFA. A personal phone started accessing work email. All of it happens quietly, between assessments, when nobody's watching.
There's no formal requirement under the scheme to monitor your compliance between assessments. But there's a pretty strong business case for it, starting with the fact that 43% of UK businesses identified breaches or attacks in 2025 (UK Cyber Security Breaches Survey). The controls exist for a reason beyond the certificate. Letting them drift doesn't just risk your certificate, it risks your entire network.
What actually drifts?
I've certified over 800 organisations across every sector. The same five problems turn up at renewal, in roughly the same order of frequency.
Patches fall behind
This is the one I see most often. The 14-day patching requirement says vulnerabilities scored CVSS 7.0 or above (or labelled critical or high risk by the vendor) must be patched within 14 days of the fix being released. That requirement applies to every device in scope, every month, all year.
What actually happens: automatic updates get turned off because one patch broke something. A firewall firmware update sits in a queue because nobody wants to schedule the downtime. A server running a legacy application gets deliberately excluded from patching because the vendor says "don't update until we've tested it." By renewal time, the patching gap is months wide.
A Lancaster University study found that 87.5% of successful breach mitigations involved patch management. It's not a paperwork control; it's the one that actually stops attacks.
Staff changes create access control gaps
Someone leaves the company and their account stays active. Someone new starts and gets given admin access because it's quicker than working out what they actually need.
Access control is one of the five core controls, and it has a straightforward rule: people should only have access to what they need for their job. But when IT doesn't get told about a leaver for three weeks, or a new starter gets cloned permissions from someone senior, the access control picture on assessment day looks nothing like the one you had 12 months ago.
New cloud services appear without MFA
This problem is getting worse under Danzell. From 27 April 2026, cloud services can't be excluded from scope. Every cloud service your organisation uses that supports multi-factor authentication (MFA) must have it enabled.
The problem: someone in marketing signs up for a new project management tool in June. Someone in finance starts using a new invoicing platform in September. Nobody tells IT and nobody enables MFA. At renewal, the assessor asks for a list of cloud services and those platforms are either missing from it or sitting there with single-factor authentication.
For details on what the MFA requirement actually says, see the MFA on cloud services guide.
BYOD devices come into scope without anyone noticing
An employee starts checking work email on their personal phone. A contractor uses their own laptop to access your shared drive. Under Danzell, if a personal device accesses organisational data or services, it's in scope.
The device needs to meet the same patching, configuration, and malware protection requirements as a company-owned machine. If IT doesn't know the device exists, it can't meet those requirements. And the employee probably isn't going to volunteer the information.
Firewall rules and configurations change
Someone opens a port for a temporary project and forgets to close it. A default password stays on a new router because setup was rushed. A firewall rule gets added to fix a connectivity issue and never gets reviewed.
Secure configuration doesn't just mean getting it right once; it means keeping it right over time. Most organisations don't have a formal change control process for network devices, and small tweaks accumulate over 12 months until the configuration on assessment day is unrecognisable from the one that passed last time.
Why does this matter if the assessment is only once a year?
There are two reasons this matters beyond the paperwork.
First, your actual security is at stake: the controls exist because they work. Letting patches slip for six months doesn't just risk your certificate. It creates actual vulnerabilities that attackers can exploit. The certificate is a byproduct of good security, not the other way around.
Second, your renewal becomes significantly harder than it needs to be. If you let things drift for 12 months and then try to fix everything in the two weeks before your assessment, you'll either rush the job and miss something, or you'll discover problems that take longer than two weeks to fix. I've seen organisations postpone their renewal because they couldn't get their patching back under control in time. That means a gap in certification, which matters if you hold government contracts or your clients require it.
What should you check, and when?
The scheme doesn't prescribe ongoing monitoring between assessments. But a quarterly check covers most of the risk without turning compliance into a full-time job. Here's what that looks like in practice.
Every quarter: patching
Pull a patch report from whatever tool you use, whether that's Windows Server Update Services (WSUS), Intune, NinjaOne, or even a manual spreadsheet. Check two things: are automatic updates still enabled on every device in scope? And are there any outstanding updates older than 14 days with a CVSS score of 7.0 or above?
If your patching tool shows a clean record, you're fine. If it shows devices with updates pending for weeks, fix them and find out why they were missed.
A quarterly manual check catches drift, but it leaves three-month gaps where new vulnerabilities go unnoticed. Vulnerability scanning agents running on a fortnightly cycle give continuous visibility. The scan data shows exactly where patching stands at any point, not just on the day someone remembers to check. Cyber 365 includes this as standard, and there's a full guide on why auto-updates alone aren't enough.
Every quarter: user accounts
Run a report from your directory service (Active Directory, Entra ID, Google Workspace, wherever you manage accounts). Compare the list of active accounts against your current staff list. Look for accounts belonging to people who've left. Look for accounts with admin privileges and check whether those people still need them.
This takes 20 minutes if you have a small team. It takes longer for larger organisations, but it prevents the slow creep of orphaned accounts and excessive permissions that trips people up at renewal.
Every quarter: cloud service inventory
Keep a running list of every cloud service your organisation uses. Every quarter, check whether any new services have been added. If they have, confirm MFA is enabled on each one. Under Danzell, this isn't optional, and the assessor will ask for the list.
The easiest way to maintain this: make it part of your procurement process. Any new software subscription gets added to the list, and MFA gets enabled before the first user logs in.
Every quarter: device inventory
Check whether any new devices have come into scope. New company laptops, new phones, contractor devices, personal devices being used for work. Every device in scope needs to meet the patching, configuration, and malware protection requirements.
If you've got a mobile device management (MDM) tool, it can generate this report for you. If you don't, someone needs to ask the question: has anyone started using a new device for work since last quarter?
Every quarter: firewall and configuration review
Check your firewall rules against what was in place at the last assessment. Look for new rules, open ports that should be closed, and any default credentials on network devices. If someone made a change during the quarter, make sure it was documented and that the configuration still meets Cyber Essentials requirements.
This one often gets skipped because network devices feel like "set and forget" infrastructure, but they're not.
What about the two months before renewal?
The quarterly checks should mean there are no surprises. But two months before your renewal assessment is due, it's worth doing a more thorough review.
Run through the full Cyber Essentials question set as if you were completing the self-assessment questionnaire from scratch. Check every control against your current state, not against what you answered last year. Things change over 12 months, from people to infrastructure. The answers from 12 months ago might not be accurate any more.
If you find problems, two months is usually enough time to fix them, but two weeks is not. That's the whole point of checking well before your renewal date (per the latest assurance compliance framework update).
| Check | Quarterly | Pre-renewal (2 months out) |
|---|---|---|
| Patching status across all devices | Yes | Yes, with full audit trail |
| User accounts vs. current staff list | Yes | Yes, including privilege review |
| Cloud service inventory and MFA status | Yes | Yes, with MFA evidence |
| Device inventory (including BYOD) | Yes | Yes, confirm scope is accurate |
| Firewall rules and network config | Yes | Yes, compare against last assessment |
| Full question set walk-through | No | Yes |
| Evidence gathering (screenshots, reports) | No | Yes |
Does any of this actually change under Danzell?
The compliance monitoring approach itself doesn't change. What changes is the scope of what you're monitoring.
Under Danzell (effective 27 April 2026), cloud services can't be excluded. That means your quarterly cloud service check is now mandatory in practice, even if the scheme doesn't formally require it. Any cloud service added mid-year is in scope from the moment someone starts using it.
BYOD devices are also harder to ignore under Danzell. If personal devices access organisational data, they're in scope. Your device inventory check needs to account for that.
And the MFA enforcement is noticeably tighter. It's not just "enable MFA where available" any more. The assessor will be checking that every cloud service in your scope has MFA enabled, and that every user account on those services is enrolled.
For the full list of Danzell changes, see the Danzell changes overview.
The short version
Cyber Essentials is a point-in-time assessment by design. Your controls need to be right on assessment day. But controls drift, and the things that cause the most failures at renewal are the things that changed quietly during the year: missed patches, orphaned accounts, new cloud services without MFA, and personal devices nobody told IT about.
A quarterly check takes a few hours. It catches most of the drift before it becomes a problem. And it means your renewal is a confirmation of what you already know, not a scramble to fix what you've missed.
Need help staying compliant between your Cyber Essentials assessments? Get in touch or request a quote to get started. If you want ongoing vulnerability scanning and patching between assessments rather than a quarterly manual check, look at Cyber 365.
Related articles
- Why Auto-Updates Aren't Enough for Cyber Essentials
- What to Expect on Cyber Essentials Assessment Day
- 14-Day Patching: What the Requirement Actually Means
- MFA on Cloud Services for Cyber Essentials