Cyber Security Blog - Cyber Tec Security

Is your IT Infrastructure Cyber Essentials Ready?

Written by Louise Ralston | Apr 20, 2026

Cyber Essentials has come to serve as a baseline for demonstrating vigilance and resilience when it comes to cybersecurity, and as a marker of seriousness.

Of course, cybersecurity dangers continue to evolve, and so the Cyber Essentials standard has to evolve in tandem. The latest round of updates to the Requirements for IT Infrastructure document, introduced this month (April 2026), strengthens requirements in a number of areas and aims to provide greater clarity in others.

In practical terms, this means fewer grey areas and more stringent expectations, where necessary. So what exactly does it take to ensure that your IT infrastructure is genuinely Cyber Essentials ready – and how should your business approach this?

 

What does it mean to be Cyber Essentials ready?

Cyber Essentials is designed to help protect organisations against the most common cybersecurity risks. It centres on five key technical controls: firewalls, secure configuration, user access control, malware protection and security update management.

However, to be ready for certification, these controls must not only be in place but implemented consistently across your IT environment. Likewise, you must be able to demonstrate that they adhere to the certification’s specific requirements.

The April 2026 Cyber Essentials update introduces a raft of changes. Multi-factor authentication (MFA) is now required where it is available, while cloud services are fully in scope. There is also a growing emphasis on backup and recovery, with organisations expected to be able to recover quickly and effectively from incidents.

This update also saw the previous set of Cyber Essentials self-assessment questions (known as Willow) replaced by a new set, Danzell. The new Danzell questions clarify requirements around security patching and MFA, go into greater detail on scope and legal entities, and replace previously ambiguous wording with clearer formulations.

The introduction of the Danzell questions again raises the standards of Cyber Essentials and sets a new benchmark for accountability. Remember that when completing the new question set, you should not rely on answers previously given for Willow because they may no longer meet the new criteria laid down by Danzell.

 

How to prepare your IT infrastructure for Cyber Essentials

Getting ready for Cyber Essentials requires a structured approach, though not necessarily a total overhaul. Here are a few key areas on which you should focus.

  1. Understand what’s in scope
  2. Strengthen access controls
  3. Keep devices and systems secure
  4. Don’t forget the cloud
  5. Build resilience with backups

 

Understand what's in scope

Firstly, you need a clear understanding of what you’re certifying. This means identifying all users, devices and services that access or store organisational data. Cloud platforms and remote devices (including personal devices used for work) all fall within the scope of Cyber Essentials. Building a comprehensive asset inventory is therefore a critical first step.

Strengthen access controls

With MFA now a requirement, ensure that it is enabled across all supported systems, including cloud services and remote access points. At the same time, review how access is managed. Remove shared accounts, limit privileged access to what users actually need and ensure that administrative privileges are tightly controlled.

Keep devices and systems secure

Secure configuration and patching are key areas of concern for Cyber Essentials. Ensure that devices have any unnecessary services removed and default settings changed. Security updates must be applied promptly, ideally through automated processes, to reduce exposure to potential vulnerabilities.

Don’t forget the cloud

One of the most important changes to Cyber Essentials in the 2026 update is the inclusion of all cloud services within scope. It’s no longer enough to assume that your chosen provider will handle security for you. You must understand your own responsibilities – for instance, around access controls and configuration – and ensure they’re aligned with Cyber Essentials requirements.

Build resilience with backups

Cyber Essentials has always focused on prevention, but its latest set of updates places increased emphasis on the ability to recover from incidents. Regular and reliable backups are therefore essential, but they must also be tested. Organisations should be in a position to restore systems and recover data quickly in the event of an incident, whether it’s an attack or an accidental loss.

 

Common pitfalls to avoid

Even generally well-prepared organisations can run into issues during the Cyber Essentials certification process. In most cases, however, these problems are preventable.

A common mistake is treating Cyber Essentials as a tick-box exercise, implementing controls superficially rather than embedding them properly into day-to-day practice. An inadequate understanding of scope, such as overlooking cloud systems or remote users, is another common issue, while inconsistent application of MFA and patching is also a frequent cause of failed assessments.

Leaving preparation too late can be another factor that jeopardises your organisation’s prospects of obtaining Cyber Essentials certification. Organisations that don’t properly review their IT infrastructure in advance are far more likely to encounter problems during the process.

 

It pays to be prepared

The key takeaway is simple: preparation really does matter. Take the time to understand scope and your own environment, and address key gaps. This should make the certification process much smoother and significantly increase your chances of passing first time.

If you’re still unsure where to start, a structured readiness review can help you to identify what’s in place, what’s missing and what needs to be done before your organisation undergoes its Cyber Essentials assessment.

At Cyber Tec Security, we help organisations protect themselves against cybersecurity threats and strengthen customer confidence by getting Cyber Essentials certified. To find out how we can help your business, get in touch with our team today.