Cyber Essentials and Incident Response: What the Scheme Covers (and What It Doesn't)

Cyber Essentials does not require an incident response plan, which surprises a lot of people who assume it would.
The scheme is built around five preventative technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. It's about reducing the likelihood of an attack succeeding in the first place. Incident response sits on the other side of that line. It's what you do after something gets through.
But attacks still happen regardless of your controls. 43% of UK businesses identified a breach or attack in 2025 (UK Cyber Security Breaches Survey), and 85% of those involved phishing. The five controls reduce your risk, but they don't eliminate it entirely. And when something does go wrong during your 12-month certification window, your CE controls are the first thing that gets scrutinised.
So why doesn't Cyber Essentials include incident response?
Because the scheme was designed to do one thing well: establish a baseline of technical hygiene that stops the most common attacks. The five controls are based on research from Lancaster University, which tested 200 common vulnerabilities and found 131 fully mitigated and 60 partially mitigated by these controls.
That's a prevention framework through and through. It answers the question "how do we stop most attacks from working?" It doesn't try to answer "what do we do when one gets through?"
Incident response is a separate discipline. It covers detection, containment, investigation, recovery, and notification. Some frameworks, like ISO 27001 or the NCSC's own Cyber Assessment Framework, do include incident response requirements. Cyber Essentials deliberately keeps its scope narrow so that it stays accessible for small and mid-sized businesses.
That's a deliberate design decision rather than a weakness, but it does mean there's a gap between what CE certifies and what you actually need when something goes wrong.
What happens if you have a breach during your certification year?
Your certificate doesn't get automatically revoked after a breach. It confirms that your controls were in place on the day of assessment. A breach six months later doesn't undo that.
But it does trigger some pointed questions. Specifically, people start looking at whether the controls were still in place when the breach happened.
Insurers check your controls
If you hold cyber insurance (and CE certification includes free cover of up to GBP 25,000 through the IASME scheme for eligible SMEs), the insurer will want to know what went wrong. They'll look at the five controls and ask whether they were operational at the time of the incident.
If your malware protection was up to date and running, that's defensible. If it had been disabled three months ago and nobody noticed, that's a different conversation.
Regulators check your controls
If the breach involves personal data, you have obligations under GDPR. The Information Commissioner's Office (ICO) must be notified within 72 hours if the breach poses a risk to individuals. The ICO's investigation will look at what security measures were in place. Having CE certification is a positive indicator, but only if the controls were actually being maintained.
Clients check your controls
If you hold CE certification because a client or contract requires it, that client will want to know how the breach happened. They'll want to see that the controls were in place and that you responded properly. If you can show both, the relationship usually survives. If you can't show either, it probably won't.
Where do CE controls and incident response actually overlap?
The five controls don't cover incident response directly. But each one becomes directly relevant when you're investigating what went wrong after a breach. Here's how each of them connects in practice.
Malware protection
If malware gets into your network, the first question is whether your malware protection was running, up to date, and configured to scan in real time, because that is a CE control. If the answer is yes and the malware was a zero-day that bypassed your protection, you've got a defensible position. If the answer is that someone turned off the antivirus because it was slowing their machine down, that's a control failure.
Patch management
If an attacker exploits a known vulnerability, the question becomes whether the patch was available and whether it was applied within 14 days, which is the CE requirement. A missed patch that directly enabled a breach is one of the worst findings for a certified organisation.
The 14-day patching requirement applies to vulnerabilities scored CVSS 7.0 or above, or those labelled critical or high risk by the vendor. If a patch was available for a known vulnerability and you didn't apply it within the window, your CE compliance is in question regardless of what your certificate says.
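The scoping rule above has two triggers (a CVSS base score of 7.0 or above, or a vendor rating of critical or high) and a single clock, 14 days from the date the patch became available. The checker below, an added example that is not part of the original article, applies that rule to a constructed patch inventory and classifies each entry as out of scope, compliant, pending, or overdue. The record layout, the advisory identifiers, the asset names and the dates are all constructed for illustration; the only inputs taken from the article are the 7.0 threshold, the critical/high vendor labels and the 14-day window.

```python
"""Patch-window checker for the Cyber Essentials 14-day rule.

Added example, not part of the original article. It encodes the rule as the
article states it: a vulnerability is in scope when its CVSS base score is
7.0 or above OR the vendor rates it critical/high, and the patch must be
applied within 14 days of the patch becoming available. Record fields and
sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)   # CE requirement as described in the article
CVSS_THRESHOLD = 7.0                # CE requirement as described in the article
VENDOR_IN_SCOPE = {"critical", "high"}


@dataclass
class PatchRecord:
    asset: str                      # constructed asset name
    advisory: str                   # constructed advisory identifier
    cvss: Optional[float]           # None when the vendor publishes no CVSS score
    vendor_rating: str              # vendor's own severity label
    patch_available: date           # date the fix was released
    patch_applied: Optional[date]   # None if not yet applied


def in_scope(rec: PatchRecord) -> bool:
    """Either trigger brings the vulnerability under the 14-day rule."""
    cvss_hit = rec.cvss is not None and rec.cvss >= CVSS_THRESHOLD
    vendor_hit = rec.vendor_rating.lower() in VENDOR_IN_SCOPE
    return cvss_hit or vendor_hit


def deadline(rec: PatchRecord) -> date:
    """Last day on which the patch may be applied and still meet the window."""
    return rec.patch_available + PATCH_WINDOW


def assess(rec: PatchRecord, today: date) -> str:
    """Return 'out-of-scope', 'compliant', 'pending' or 'overdue'."""
    if not in_scope(rec):
        return "out-of-scope"
    due = deadline(rec)
    if rec.patch_applied is not None:
        # Applied: compliant only if it landed on or before the deadline.
        return "compliant" if rec.patch_applied <= due else "overdue"
    # Not applied yet: still inside the window, or already past it.
    return "pending" if today <= due else "overdue"


def report(records, today: date) -> dict:
    """Map 'asset:advisory' to its status, so a missed window is easy to spot."""
    return {f"{rec.asset}:{rec.advisory}": assess(rec, today) for rec in records}


# Constructed sample inventory; dates and identifiers are illustrative only.
TODAY = date(2025, 4, 10)
SAMPLE = [
    PatchRecord("fileserver-01", "ADV-2025-001", 9.8, "critical",
                date(2025, 3, 1), date(2025, 3, 10)),   # applied day 9: compliant
    PatchRecord("laptop-07", "ADV-2025-002", 7.5, "high",
                date(2025, 3, 1), date(2025, 3, 20)),   # applied day 19: overdue
    PatchRecord("switch-02", "ADV-2025-003", None, "high",
                date(2025, 4, 1), None),                # no CVSS, vendor high: pending
    PatchRecord("printer-03", "ADV-2025-004", 5.3, "medium",
                date(2025, 2, 1), None),                # below both triggers
    PatchRecord("vpn-gw", "ADV-2025-005", 8.1, "high",
                date(2025, 3, 20), None),               # deadline 3 Apr passed: overdue
]

if __name__ == "__main__":
    for key, status in report(SAMPLE, TODAY).items():
        print(f"{key:30} {status}")
```

The useful property of running this against a real inventory is the second trigger: an entry with no CVSS score at all (the switch above) is still in scope because the vendor labelled it high, which is exactly the case a score-only filter would miss.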
User access control
This is the scenario that keeps me up at night: an attacker compromises a user account. If that account had standard privileges, the damage is limited. If it had admin access, the attacker can move laterally, escalate, and access anything on the network.
CE requires that admin accounts are separate from standard user accounts and that people only have the access they need for their job. If admin accounts weren't properly separated and an attacker compromised one, that's a control failure. It's also the kind of finding that makes insurers and regulators ask harder questions.
Firewalls
If the breach came from outside the network, the firewall configuration is under the microscope. Were unnecessary ports open, or were default rules still in place? Was the firewall configured to block inbound connections by default?
A properly configured firewall that was bypassed through a different vector is defensible. A firewall with ports left open from a project six months ago is not.
Secure configuration
Default passwords, unnecessary software, accounts that should have been removed: secure configuration failures are the quiet ones. They don't cause breaches on their own, but they make every other breach worse. If an investigation finds default admin credentials on a network device, the question of whether you were really meeting the CE requirements on assessment day becomes a lot harder to answer.
What should an incident response plan actually include?
Since CE doesn't require one, this is your decision. But if you're going to build one (and you should), here's what matters for a CE-certified organisation.
Detection: How will you know something has happened? This might be alerts from your endpoint protection, unusual login activity, or a report from a staff member who clicked something suspicious.
Containment: What's the first thing you do? Typically: isolate the affected device or account, preserve evidence, and prevent the attacker from moving further.
Notification: Who needs to know? Internally, that's your IT team and senior management. Externally, it's the ICO within 72 hours if personal data is involved. It may also be affected individuals, your clients, your insurer, and in some cases, law enforcement.
Investigation: What happened, how, and what was affected? This is where your CE controls become part of the story. Were they in place and were they working? Did the attacker bypass them or exploit a gap?
Recovery: How do you get back to normal? Rebuild affected systems, reset compromised credentials, patch the vulnerability that was exploited, and verify that the attacker no longer has access.
Lessons learned: What do you change? This is where incident response feeds back into your CE controls. If the breach revealed a patching gap, fix the process. If it revealed excessive admin access, tighten the access control.
You don't need a 50-page document for this. A two-page plan that everyone knows about is worth more than a binder nobody's read.
Does incident response matter for cyber insurance?
Yes, and, per the latest governance compliance framework update, it's becoming more important every year.
CE certification gives you a starting position. The GBP 25,000 free cyber insurance included with certification through IASME covers the basics for eligible SMEs. But if you're buying standalone cyber insurance, or if your coverage needs are higher, insurers increasingly want to see evidence of incident response capability.
The combination of CE certification plus a documented incident response plan puts you in a stronger position at renewal. The CE controls show you've reduced the likelihood of an incident. The response plan shows you've thought about what happens if one occurs anyway, and insurers value both signals together.
Some insurers ask specific questions about incident response on their application forms. If you can't answer those questions, your premium goes up or your coverage gets limited.
The gap between prevention and response
Cyber Essentials does exactly what it was designed to do. It establishes a baseline of technical controls that stops the majority of common attacks. That's worth having, and it's worth maintaining throughout the year, not just on assessment day.
But prevention on its own isn't the whole picture. The 43% of UK businesses that identified breaches in 2025 include organisations that had security measures in place. Things still get through because phishing emails still trick people, zero-day vulnerabilities still exist, and human error still happens.
If your only plan is "don't get breached," you don't actually have a plan. Pairing your CE controls with even a basic incident response process means you're covered on both sides: reducing the chance of an attack and knowing what to do when one arrives.
Need help preparing for your Cyber Essentials assessment? Get in touch or request a quote and we will scope it for you.