What Happens Between Cyber Essentials Certifications?

Your certificate says your controls passed on assessment day. It doesn't say anything about the other 364 days.
CE is a point-in-time assessment of your security posture. You demonstrate your five controls are in place, the assessor confirms it, and you get a certificate valid for 12 months. What happens between assessments is on you. And most businesses don't think about it until the renewal is due.
That's when they discover the problems that built up quietly.
The drift problem
Configuration drift is the gap between what your systems look like on assessment day and what they look like six months later. It's rarely malicious or even negligent; it's just how businesses operate.
A new employee joins and gets admin access because the previous IT person set it up that way and nobody questioned it. A temporary firewall exception gets added for a client project and never gets removed. Someone disables MFA on a service account because it kept breaking an automated process. The patch management tool runs fine on workstations but nobody checks whether the VPN appliance firmware is current.
Each of these is small on its own, and none of them would look alarming in isolation. Together, they add up to a security posture that's meaningfully different from what passed the assessment.
I've recertified organisations where the gap between their current setup and their original assessment was significant. Not because they stopped caring, but because nobody was assigned to maintain the controls once the certificate was on the wall.
What actually drifts
Patching falls behind
The 14-day window for critical and high-risk patches is the most common thing to slip. During assessment prep, everyone focuses on getting patches current. After the certificate arrives, other priorities take over. Software updates get deferred and firmware updates get forgotten. Third-party applications that aren't covered by Windows Update get missed entirely.
The patches that matter most are the ones on internet-facing devices like VPN appliances, firewalls, and email gateways. These are the devices attackers target first, and they're the ones most likely to fall behind because they require manual attention, not just automatic Windows updates.
User access accumulates
People join, change roles, and leave throughout the year. CE requires that users only have the access they need. In practice, access gets added and rarely removed.
The former marketing manager still has access to the social media accounts. The contractor who left in April still has a VPN account. The developer who moved to a different team still has admin privileges on the production server. Nobody revokes access proactively because nobody's checking.
Under Danzell, the scope boundary expanded to include personal devices that access organisational data. If someone who left the company still has their personal phone connected to your email system, that device is still part of your assessment boundary.
MFA gets bypassed
MFA enforcement is one of the most common controls to weaken between assessments. A new cloud service gets added without MFA. An employee complains about MFA prompts on a particular application and someone disables it. A service account gets created without MFA because "it's only used internally."
Under Danzell, MFA is required on every cloud service that supports it, including business social media accounts. That requirement doesn't pause between assessments, and neither should your enforcement.
Firewall rules accumulate
Firewall configurations tend to grow over time. Temporary rules get added for testing, troubleshooting, or specific client requirements. The rule works, the project moves on, and nobody removes the rule. Six months later, your firewall has 40 rules and 12 of them don't have a documented business justification.
CE requires every inbound allow rule to have a documented reason. That's easy to achieve on assessment day. Maintaining it month-to-month takes discipline that most businesses don't have without a formal review process.
What this costs you
The obvious cost is failing your recertification. If your controls have drifted significantly, the assessment catches it, and you either need remediation time or you fail outright. Either way your new certificate is delayed, which may affect contracts, insurance, and supply chain requirements.
The less obvious cost is the security risk. The controls exist for a reason beyond passing the assessment. An unpatched VPN appliance isn't just an assessment failure. It's exactly the kind of internet-facing entry point that ransomware groups routinely exploit to get into a network. A stale user account isn't just a policy gap. It's a working credential an attacker can use.
43% of UK businesses reported a breach or attack in 2025. The gap between certifications is when the controls that would have prevented those breaches are most likely to have drifted.
What a quarterly check looks like
You don't need continuous monitoring to manage drift, though it helps. A quarterly internal review covering the five control areas catches most problems before they compound.
Patching: Run a vulnerability scan or check your patch management dashboard. Are there any critical or high-risk patches more than 14 days past release? Check operating systems, applications, and firmware. Focus on internet-facing devices.
User access: Review the list of user accounts. Has anyone left the organisation since the last check, and are their accounts still enabled? Do any accounts still have admin privileges that should be standard user accounts? Are there service accounts that bypass MFA?
MFA: Check every cloud service. Is MFA enforced on all of them? Have any new services been added without MFA? Under Danzell, check social media accounts used for business too.
Firewall rules: Review every inbound allow rule. Is each one documented with a business justification? Are there any temporary rules that should have been removed?
Malware protection: Confirm that antivirus is running and up to date on every device, and check whether anyone has disabled it.
That's a half-day exercise for a small business, maybe a full day for a medium-sized one. Doing it four times a year means you arrive at recertification without surprises.
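One way to make that quarterly review repeatable, and to catch the drift scenarios described under "What actually drifts" above, is to keep a snapshot of the five control areas from assessment day and diff today's state against it. The script below is an added example, not code from the original article or from the Cyber 365 service; the baseline, account list, firewall rules, MFA status and patch data are constructed for illustration, and in practice you would populate them from exports of your patch tool, identity provider and firewall rather than typing them in.

```python
"""Quarterly Cyber Essentials drift check against an assessment-day baseline.

Added example, not code from the original article. It assumes you kept a
snapshot of the five control areas on assessment day (BASELINE) and can
produce the same shape of data today (CURRENT). All data here is constructed.
"""
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14  # CE: fixes for critical/high-risk vulnerabilities within 14 days

# Constructed snapshot of what passed on assessment day.
BASELINE = {
    "admins": {"it.admin"},
    "fw_inbound": {"tcp/443 -> web01": "Customer portal, approved 2024-11"},
    "cloud_services": {"Microsoft 365": True, "LinkedIn (company page)": True},
}

# Constructed snapshot of the estate at the quarterly check.
CURRENT = {
    "today": date(2025, 6, 2),
    "admins": {"it.admin", "dev.jones"},            # developer moved teams, kept admin
    "users": [
        {"name": "contractor.smith", "enabled": True, "left": date(2025, 4, 11)},
        {"name": "marketing.lee", "enabled": True, "left": None},
    ],
    "fw_inbound": {
        "tcp/443 -> web01": "Customer portal, approved 2024-11",
        "tcp/3389 -> fs01": "",                      # "temporary" rule, no justification
    },
    "cloud_services": {
        "Microsoft 365": True,
        "LinkedIn (company page)": True,
        "Canva": False,                              # new service, MFA never enforced
    },
    "patches": [  # missing patches, with the vendor release date of each fix
        {"host": "vpn-gw", "severity": "critical", "released": date(2025, 5, 1)},
        {"host": "ws-017", "severity": "high", "released": date(2025, 5, 25)},
        {"host": "ws-020", "severity": "low", "released": date(2025, 3, 1)},
    ],
    "av": [{"host": "ws-017", "running": True}, {"host": "ws-020", "running": False}],
}


def check_patching(current):
    """Critical/high fixes released more than 14 days ago and still not applied."""
    cutoff = current["today"] - timedelta(days=PATCH_WINDOW_DAYS)
    return [f"{p['host']}: {p['severity']} patch overdue (released {p['released']})"
            for p in current["patches"]
            if p["severity"] in ("critical", "high") and p["released"] < cutoff]


def check_access(baseline, current):
    """Leavers still enabled, and admin rights that did not exist at assessment."""
    findings = [f"{u['name']}: still enabled, left {u['left']}"
                for u in current["users"] if u["left"] and u["enabled"]]
    findings += [f"{name}: admin rights not in baseline"
                 for name in sorted(current["admins"] - baseline["admins"])]
    return findings


def check_mfa(current):
    """Every cloud service in scope, including any added since assessment."""
    return [f"{svc}: MFA not enforced"
            for svc, enforced in current["cloud_services"].items() if not enforced]


def check_firewall(baseline, current):
    """Inbound allow rules need a documented reason; new ones need a second look."""
    findings = []
    for rule, reason in current["fw_inbound"].items():
        if not reason.strip():
            findings.append(f"{rule}: inbound allow without business justification")
        elif rule not in baseline["fw_inbound"]:
            findings.append(f"{rule}: new since baseline, confirm still required")
    return findings


def check_malware(current):
    """Anti-malware must be running on every in-scope device."""
    return [f"{h['host']}: anti-malware not running" for h in current["av"] if not h["running"]]


def drift_report(baseline, current):
    """Findings per control area; an empty list means no drift detected there."""
    return {
        "patching": check_patching(current),
        "user_access": check_access(baseline, current),
        "mfa": check_mfa(current),
        "firewall": check_firewall(baseline, current),
        "malware": check_malware(current),
    }


if __name__ == "__main__":
    for control, findings in drift_report(BASELINE, CURRENT).items():
        print(f"[{control}] {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the constructed data it flags the overdue VPN gateway patch, the contractor who left in April, the developer's leftover admin rights, the undocumented RDP rule, the new service without MFA and the workstation with anti-malware switched off, which is the same list of drift the article describes. Keeping the baseline under version control, and re-exporting the current snapshot each quarter, turns the half-day review into a diff you can hand to the assessor.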
The alternative to doing it yourself
Some businesses build this into their IT operations. Others don't have the bandwidth or the expertise. If your IT team is one person who also handles helpdesk, procurement, and the office Wi-Fi, a quarterly security review competes with everything else on their list.
That's part of what Cyber 365 addresses. Automated patching through NinjaOne runs continuously across your estate. Vulnerability scanning on a four-weekly cycle catches drift in the Identify function. EDR monitoring covers the Detect function that CE doesn't touch at all.
The certificate lasts 12 months from the date of issue. Your security needs to last all 12 of them, not just the week before the assessment.
If you want to know whether your controls have drifted since your last assessment, the readiness quiz takes five minutes and gives you honest feedback with no commitment required.
Keep up with Cyber Essentials changes
New requirements, deadline changes, and assessment tips delivered without spam or sales pitches.
Subscribe to the newsletter | Follow Daniel on LinkedIn
Related articles
- Why Cyber Essentials Isn't Enough
- The 6 Things Cyber Essentials Doesn't Cover
- Cyber 365: How Our Security Framework Works
- Cyber Essentials 14-Day Patching: What the Requirement Actually Means
Related Guides
The Full Cyber Security Journey: CE Basic to Pen Testing
From Cyber Essentials Basic at £320 to penetration testing. The complete path through CE Plus, Cyber 365, and beyond, with pricing at each stage and why each step matters.
The 6 Things Cyber Essentials Doesn't Cover
CE covers Protect. Here are the five NIST functions it misses, with real consequences for each gap.
The Cost of Not Having an Incident Response Plan
Synnovis: GBP 32.7M. British Library: GBP 6-7M. Both had security controls. Neither had a tested response plan. Here's what that cost them.
Ready to get certified?
Book your Cyber Essentials certification or check your readiness with a free quiz.