Cyber Essentials and Incident Response: What the Scheme Covers (and What It Doesn't)

Cyber Essentials does not require an incident response plan, which surprises a lot of people who assume it would.
The scheme is built around five preventative technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. It's about reducing the likelihood of an attack succeeding in the first place. Incident response sits on the other side of that line. It's what you do after something gets through.
But attacks still happen regardless of your controls. 43% of UK businesses identified a breach or attack in 2025 (UK Cyber Security Breaches Survey), and 85% of those involved phishing. The five controls reduce your risk, but they don't eliminate it entirely. And when something does go wrong during your 12-month certification window, your CE controls are the first thing that gets scrutinised.
So why doesn't Cyber Essentials include incident response?
Because the scheme was designed to do one thing well: establish a baseline of technical hygiene that stops the most common attacks. The five controls are based on research from Lancaster University, which tested 200 common vulnerabilities and found 131 fully mitigated and 60 partially mitigated by these controls.
That's a prevention framework through and through. It answers the question "how do we stop most attacks from working?" It doesn't try to answer "what do we do when one gets through?"
Incident response is a separate discipline. It covers detection, containment, investigation, recovery, and notification. Some frameworks, like ISO 27001 or the NCSC's own Cyber Assessment Framework, do include incident response requirements. Cyber Essentials deliberately keeps its scope narrow so that it stays accessible for small and mid-sized businesses.
That's a deliberate design decision, not a weakness. But it does mean there's a gap between what CE certifies and what you actually need when something goes wrong.
What happens if you have a breach during your certification year?
Your certificate doesn't get automatically revoked after a breach. It confirms that your controls were in place on the day of assessment. A breach six months later doesn't undo that.
But it does trigger some pointed questions. Specifically, people start looking at whether the controls were still in place when the breach happened.
Insurers check your controls
If you hold cyber insurance (and CE certification includes free cover of up to GBP 25,000 through the IASME scheme for eligible SMEs), the insurer will want to know what went wrong. They'll look at the five controls and ask whether they were operational at the time of the incident.
If your malware protection was up to date and running, that's defensible. If it had been disabled three months ago and nobody noticed, that's a different conversation.
Regulators check your controls
If the breach involves personal data, you have obligations under GDPR. The Information Commissioner's Office (ICO) must be notified within 72 hours if the breach poses a risk to individuals. The ICO's investigation will look at what security measures were in place. Having CE certification is a positive indicator, but only if the controls were actually being maintained.
Clients check your controls
If you hold CE certification because a client or contract requires it, that client will want to know how the breach happened. They'll want to see that the controls were in place and that you responded properly. If you can show both, the relationship usually survives. If you can't show either, it probably won't.
Where do CE controls and incident response actually overlap?
The five controls don't cover incident response directly. But each one becomes directly relevant when you're investigating what went wrong after a breach. Here's how each of them connects in practice.
Malware protection
If malware gets into your network, the first question is whether your malware protection was running, up to date, and configured to scan in real time; all three are part of the CE control. If the answer is yes and the malware was a zero-day that bypassed your protection, you've got a defensible position. If the answer is that someone turned off the antivirus because it was slowing their machine down, that's a control failure.
Patch management
If an attacker exploits a known vulnerability, the question becomes whether the patch was available and whether it was applied within 14 days, which is the CE requirement. A missed patch that directly enabled a breach is one of the worst findings for a certified organisation.
The 14-day patching requirement applies to vulnerabilities scored CVSS 7.0 or above, or those labelled critical or high risk by the vendor. If a patch was available for a known vulnerability and you didn't apply it within the window, your CE compliance is in question regardless of what your certificate says.
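The two conditions above (CVSS 7.0 or above, or a vendor rating of critical or high, patched within 14 days of the fix being released) are easy to check mechanically once you have a list of what was released and when it was applied. The following is an added example, not code from the article or from any certification body; it uses a handful of constructed patch records and assumes "within 14 days" means the fourteenth day after release is still inside the window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Parameters as stated in the CE requirement described above.
PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0
VENDOR_SEVERITIES_IN_SCOPE = {"critical", "high"}


@dataclass
class PatchRecord:
    """One vulnerability/patch pair as tracked in a patch register (constructed format)."""
    ident: str
    cvss: Optional[float]            # None when no CVSS score has been published
    vendor_severity: Optional[str]   # vendor's own label, e.g. "Critical"
    patch_released: date             # date the vendor made the fix available
    patch_applied: Optional[date]    # None means the fix is still not applied


def in_scope(rec: PatchRecord) -> bool:
    """True when the 14-day rule applies: CVSS >= 7.0 OR vendor says critical/high."""
    cvss_hit = rec.cvss is not None and rec.cvss >= CVSS_THRESHOLD
    vendor_hit = (rec.vendor_severity or "").strip().lower() in VENDOR_SEVERITIES_IN_SCOPE
    return cvss_hit or vendor_hit


def deadline(rec: PatchRecord) -> date:
    """Last day on which applying the patch still counts as within 14 days (assumed inclusive)."""
    return rec.patch_released + PATCH_WINDOW


def assess(rec: PatchRecord, as_of: date) -> str:
    """Classify one record relative to the 14-day window as of a given date.

    Returns one of:
      "out-of-scope" - the 14-day rule does not apply to this vulnerability
      "compliant"    - patched on or before the deadline
      "late"         - patched, but after the deadline (a finding)
      "open"         - not yet patched, deadline not yet reached
      "overdue"      - not yet patched and the deadline has passed (a finding)
    """
    if not in_scope(rec):
        return "out-of-scope"
    due = deadline(rec)
    if rec.patch_applied is None:
        return "overdue" if as_of > due else "open"
    return "compliant" if rec.patch_applied <= due else "late"


def compliance_report(records, as_of: date) -> dict:
    """Map each record's identifier to its status; findings are 'late' and 'overdue'."""
    return {rec.ident: assess(rec, as_of) for rec in records}


# Constructed sample register (identifiers and dates are made up for illustration).
SAMPLE_RECORDS = [
    PatchRecord("VULN-A", 9.8, "Critical", date(2025, 3, 1), date(2025, 3, 10)),  # applied day 9
    PatchRecord("VULN-B", 7.5, "High", date(2025, 3, 1), date(2025, 3, 20)),      # applied day 19
    PatchRecord("VULN-C", 5.3, "Medium", date(2025, 3, 1), None),                 # rule does not apply
    PatchRecord("VULN-D", None, "Critical", date(2025, 4, 1), None),              # no CVSS, vendor label decides
    PatchRecord("VULN-E", 8.1, None, date(2025, 3, 20), None),                    # deadline 3 April, still open
]

if __name__ == "__main__":
    for ident, status in compliance_report(SAMPLE_RECORDS, as_of=date(2025, 4, 10)).items():
        print(f"{ident}: {status}")
```

Run against a real register, the two statuses to act on are "late" (the finding an insurer or assessor will ask about) and "overdue" (the one you can still fix before it becomes a finding). The vendor label is checked separately from the CVSS score because, as the requirement says, either condition on its own brings a patch into scope.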
User access control
The scenario that keeps me up at night is an attacker compromising a user account. If that account had standard privileges, the damage is limited. If it had admin access, the attacker can move laterally, escalate, and access anything on the network.
CE requires that admin accounts are separate from standard user accounts and that people only have the access they need for their job. If admin accounts weren't properly separated and an attacker compromised one, that's a control failure. It's also the kind of finding that makes insurers and regulators ask harder questions.
Firewalls
If the breach came from outside the network, the firewall configuration is under the microscope. Were unnecessary ports open, or were default rules still in place? Was the firewall configured to block inbound connections by default?
A properly configured firewall that was bypassed through a different vector is defensible. A firewall with ports left open from a project six months ago is not.
Secure configuration
Default passwords, unnecessary software, accounts that should have been removed. Secure configuration failures are the quiet ones. They don't cause breaches on their own, but they make every other breach worse. If an investigation finds default admin credentials on a network device, the question of whether you were really meeting the CE requirements on assessment day becomes a lot harder to answer.
What should an incident response plan actually include?
Since CE doesn't require one, this is your decision. But if you're going to build one (and you should), here's what matters for a CE-certified organisation.
Detection: How will you know something has happened? This might be alerts from your endpoint protection, unusual login activity, or a report from a staff member who clicked something suspicious.
Containment: What's the first thing you do? Typically: isolate the affected device or account, preserve evidence, and prevent the attacker from moving further.
Notification: Who needs to know? Internally, that's your IT team and senior management. Externally, it's the ICO within 72 hours if personal data is involved. It may also be affected individuals, your clients, your insurer, and in some cases, law enforcement.
Investigation: What happened, how, and what was affected? This is where your CE controls become part of the story. Were they in place and were they working? Did the attacker bypass them or exploit a gap?
Recovery: How do you get back to normal? Rebuild affected systems, reset compromised credentials, patch the vulnerability that was exploited, and verify that the attacker no longer has access.
Lessons learned: What do you change? This is where incident response feeds back into your CE controls. If the breach revealed a patching gap, fix the process. If it revealed excessive admin access, tighten the access control.
You don't need a 50-page document for this. A two-page plan that everyone knows about is worth more than a binder nobody's read.
Does incident response matter for cyber insurance?
Yes, and it's becoming more important every year.
CE certification gives you a starting position. The GBP 25,000 free cyber insurance included with certification through IASME covers the basics for eligible SMEs. But if you're buying standalone cyber insurance, or if your coverage needs are higher, insurers increasingly want to see evidence of incident response capability.
The combination of CE certification plus a documented incident response plan puts you in a stronger position at renewal. The CE controls show you've reduced the likelihood of an incident. The response plan shows you've thought about what happens if one occurs anyway, and insurers value both signals together.
Some insurers ask specific questions about incident response on their application forms. If you can't answer those questions, your premium goes up or your coverage gets limited.
The gap between prevention and response
Cyber Essentials does exactly what it was designed to do. It establishes a baseline of technical controls that stops the majority of common attacks. That's worth having, and it's worth maintaining throughout the year, not just on assessment day.
But prevention on its own isn't the whole picture. The 43% of UK businesses that identified breaches in 2025 include organisations that had security measures in place. Things still get through because phishing emails still trick people, zero-day vulnerabilities still exist, and human error still happens.
If your only plan is "don't get breached," you don't actually have a plan. Pairing your CE controls with even a basic incident response process means you're covered on both sides: reducing the chance of an attack and knowing what to do when one arrives.
Need help preparing for your Cyber Essentials assessment? Get in touch or request a quote and we will scope it for you.