
Five Practical Steps to Stay Cyber Essentials Certified – for Real Business Value

You’ve done the hard work, correctly implemented the requirements, closed all the gaps and your organisation now has a shiny new Cyber Essentials certificate.

The temptation is to update your website, tell your customers, and not think about it again until renewal time. But this undermines Cyber Essentials and prevents you from gaining the full value from the certification. The controls need to be actively maintained to make sure that you continue to benefit from holding the certificate. Recent insurance data shows us that organisations with Cyber Essentials are 92% less likely to make a claim on their insurance than those without it.

So what should you do after passing, to keep that “Cyber Essentials” status all year round?

1. Recognise what you’ve committed to

Cyber Essentials is more than a badge. It’s a commitment to maintain five areas of basic cyber hygiene across your in-scope environment:

  • Firewalls and internet gateways
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

The assessment is annual, but the expectation is continuous: these controls should be operating day in, day out – not just “good enough” once a year when you complete the questionnaire. 

A useful mindset is: We’re now a Cyber Essentials organisation, not a company that happens to have a Cyber Essentials certificate.

2. Put Cyber Essentials into your “business as usual”

First, make it someone’s job!

  • Assign an owner. Give clear responsibility to an IT lead, Operations Director, or virtual CISO function to keep Cyber Essentials on track.
  • Add it to your governance. Cyber Essentials should feature in your risk register and in periodic management meetings, alongside other compliance and operational items.
  • Keep your key documents live. Policies and procedures you created for the assessment (e.g. patching, access control, device build) should be updated when reality changes, not once a year.

This doesn’t have to be heavy. For most SMEs, a one-page responsibility matrix and a recurring agenda item are enough to keep it visible.

Registers: know what you’re protecting

A Cyber Essentials requirement is that you know what you’re protecting: for example, devices, systems and cloud services.

Right after certification is a good time to:

Refresh your asset register. Maintain a simple list of:

  • Laptops, desktops and servers
  • Network devices (e.g. firewalls, routers, Wi-Fi)
  • Mobiles and tablets
  • Cloud services (such as Microsoft 365, Google Workspace, Adobe etc.)
  • Remote and home-working setups

Tie it to HR and procurement. When someone joins, moves role or leaves, or when new kit or a software service is purchased, your asset list should be updated automatically as part of those processes.

A live asset list makes everything else easier: patching, access reviews, incident response and next year’s assessment!

Software updates: Treat patching as a regular routine, not a project

Security update management is one of the most important control areas in Cyber Essentials, and also one of the easiest to let slip once the assessment is over.

The scheme expects that only supported software is used and that high and critical security updates are applied within defined timeframes.

To keep that standard:

Define a simple updates schedule. For example:

  • Weekly or automatic updates for end-user devices
  • An explicit commitment to apply high/critical patches promptly
  • A weekly check for new firmware for firewalls, routers and similar devices, so that updates are applied within the required timeframe

Spot-check and evidence. Once a month, pick a handful of devices and:

  • Check they are up to date: the operating system and key local software such as browsers
  • Capture screenshots or reports
  • File them somewhere you can find quickly ahead of renewal

This turns patching from “we think it’s happening” into something you know is happening and can evidence.
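The monthly spot-check above is easy to script once your asset register is a simple list. The following Python is an added example, not code from the article or from the Cyber Essentials scheme: it reads a constructed register (illustrative device names, products and dates), classifies each device for the spot-check (unsupported, overdue for a high/critical update, support ending soon, no evidence on record, or fine) and renders a dated text record you can file as evidence. The 14-day patch window and the 90-day end-of-support warning are assumptions to set to match your own policy, and `pending_since` is an assumed column meaning the release date of the oldest high/critical update not yet installed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumptions, not values from the article: the number of days your policy
# allows for applying high/critical updates, and how far ahead you want
# warning that a product's vendor support is ending.
PATCH_WINDOW_DAYS = 14
SUPPORT_WARNING_DAYS = 90

# Constructed sample asset register (illustrative names and dates, not real
# products). Columns: name, kind, software, support_ends (vendor end-of-support
# date, blank if unknown), pending_since (release date of the oldest
# high/critical update not yet installed, blank if fully patched).
SAMPLE_REGISTER = """
# name,kind,software,support_ends,pending_since
LAPTOP-01,laptop,ExampleOS 11,2027-06-30,
LAPTOP-02,laptop,ExampleOS 11,2027-06-30,2025-05-01
SRV-FILE-01,server,ExampleServer 2016,2025-04-30,
SRV-APP-01,server,ExampleServer 2022,2025-08-15,
FW-EDGE-01,firewall,ExampleFW 7.2,2026-01-15,2025-05-28
TAB-03,tablet,ExampleMobile 14,,
"""


@dataclass
class Asset:
    name: str
    kind: str
    software: str
    support_ends: Optional[date]
    pending_since: Optional[date]


def _parse_date(field: str) -> Optional[date]:
    field = field.strip()
    return date.fromisoformat(field) if field else None


def parse_register(text: str) -> list:
    """Parse the CSV-style register into Asset records, skipping blank and comment lines."""
    assets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, kind, software, support_ends, pending_since = [f.strip() for f in line.split(",")]
        assets.append(Asset(name, kind, software, _parse_date(support_ends), _parse_date(pending_since)))
    return assets


def review_patching(assets, today, window_days=PATCH_WINDOW_DAYS, warn_days=SUPPORT_WARNING_DAYS):
    """Classify each asset for the monthly spot-check. Each asset lands in exactly one bucket."""
    findings = {"unsupported": [], "support_ending_soon": [], "overdue": [], "unknown": [], "ok": []}
    for a in assets:
        if a.support_ends is None:
            # No end-of-support date on record: you cannot evidence that it is supported.
            findings["unknown"].append(a.name)
        elif a.support_ends <= today:
            findings["unsupported"].append(a.name)
        elif a.pending_since is not None and (today - a.pending_since).days > window_days:
            findings["overdue"].append(a.name)
        elif (a.support_ends - today).days <= warn_days:
            findings["support_ending_soon"].append(a.name)
        else:
            findings["ok"].append(a.name)
    return findings


def format_evidence(findings, today) -> str:
    """Render the result as a dated text record to file alongside your screenshots."""
    lines = [f"Patching spot-check {today.isoformat()}"]
    for bucket, names in findings.items():
        lines.append(f"  {bucket}: {', '.join(names) if names else '-'}")
    return "\n".join(lines)


def sample_review():
    # Fixed date so the sample output is reproducible; use date.today() for your own register.
    return review_patching(parse_register(SAMPLE_REGISTER), date(2025, 6, 1))


if __name__ == "__main__":
    print(format_evidence(sample_review(), date(2025, 6, 1)))
```

Because the check keys on the release date of the oldest outstanding update rather than on when a device was last patched, a device with nothing outstanding is not wrongly flagged just because the vendor has been quiet, and a device that has been skipping updates shows up as overdue the moment it crosses your window.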

Keep on top of user access and admin accounts

Access control is another area that can quietly drift. Over the year you’ll have new starters, role changes, leavers, new systems and more third-party access.

To keep Cyber Essentials in good shape:

Run a regular access review. Quarterly is usually enough for an SME to:

  • Check accounts for any missed leavers
  • Check group memberships and admin roles
  • Confirm that MFA is enabled everywhere possible (email, remote access, admin portals)

Maintain the separation between day-to-day and admin accounts.
After certification, it’s easy for admin accounts to creep back into everyday use because it feels “easier”. Set clear expectations (policies) that:

  • Staff use standard accounts for normal work
  • Privileged accounts are only used when needed, and only for as long as needed

Keep your joiners / movers / leavers process tight.
This is your first line of defence against “access sprawl”. If you adjust the process, check it still aligns with what you told the assessor.

Good access discipline is one of the cheapest ways to reduce your risk of account compromise.

3. Treat new systems and changes as Cyber Essentials events

You won’t have the same IT footprint for the full 12 months. New tools, office moves, restructures and acquisitions all affect your Cyber Essentials scope.

As a rule of thumb, when you:

  • Add a new SaaS platform that will hold business or personal data
  • Open a new office or significantly change network architecture
  • Roll out a new remote access solution
  • Adopt a new supplier with direct technical access

Check “What does this mean for our Cyber Essentials controls and scope?”

In practice, that means:

  • Ensuring new systems meet your baseline configuration
  • Extending MFA, logging and backup where relevant
  • Updating your asset list, diagrams and internal documentation
  • Considering whether especially big changes should trigger an earlier internal review, rather than waiting for annual renewal

This prevents the problem where the environment looks nothing like the one you described in last year’s assessment.

4. Run simple quarterly “health checks” 

To avoid an annual scramble, many SME organisations treat Cyber Essentials as a quarterly cycle. Every quarter they check that they are still in compliance with the requirements. Example checks include:

Patching and support

  • Are all in-scope Operating Systems and applications still supported?
  • Are patch cycles being followed? 

Access control

  • Are there any stray admin accounts or shared logins?
  • Is MFA still enforced?
  • Are endpoint and remote-working controls still in place?
  • Have new mobiles and laptops been configured correctly?
  • Has anyone introduced ad-hoc remote access tools that bypass your standards?

Capture any findings, actions and evidence. When renewal comes around, you already have most of what you need – and fewer surprises.
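The quarterly access review described under “Keep on top of user access and admin accounts” and the access-control questions in the quarterly health check are the same checks, so one script serves both. The following Python is an added example, not code from the article: it takes a constructed account export (as you might pull from your identity provider) and a constructed HR leavers list, and reports missed leavers, admin accounts without MFA, any enabled account without MFA, dormant accounts and shared logins. The `kind` column (user/admin/shared) and the 90-day dormancy threshold are assumptions; adjust them to match your own export and policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption (not from the article): an enabled account that has not signed in
# for this many days is treated as dormant and worth questioning.
STALE_DAYS = 90

# Constructed sample account export. Columns: username, kind (user/admin/shared),
# enabled, mfa, last_sign_in (blank if never).
SAMPLE_ACCOUNTS = """
# username,kind,enabled,mfa,last_sign_in
alice,user,yes,yes,2025-05-30
bob,user,yes,no,2025-05-29
carol-adm,admin,yes,yes,2025-05-28
dave-adm,admin,yes,no,2025-05-31
erin,user,yes,yes,2025-01-10
reception,shared,yes,no,2025-05-30
frank,user,no,yes,2025-03-01
"""

# Constructed sample leavers list from HR: username, leaving date.
SAMPLE_LEAVERS = """
erin,2025-02-01
frank,2025-03-05
"""


@dataclass
class Account:
    username: str
    kind: str
    enabled: bool
    mfa: bool
    last_sign_in: Optional[date]


def _rows(text):
    """Yield the comma-separated fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield [f.strip() for f in line.split(",")]


def parse_accounts(text):
    return [Account(u, k, e.lower() == "yes", m.lower() == "yes",
                    date.fromisoformat(s) if s else None)
            for u, k, e, m, s in _rows(text)]


def parse_leavers(text):
    return {u: date.fromisoformat(d) for u, d in _rows(text)}


def review_access(accounts, leavers, today, stale_days=STALE_DAYS):
    """Run the quarterly checks; an account may appear in more than one bucket."""
    findings = {"missed_leavers": [], "admin_without_mfa": [], "without_mfa": [],
                "stale": [], "shared": []}
    for a in accounts:
        if a.kind == "shared":
            # Shared logins remove individual accountability and usually cannot have MFA.
            findings["shared"].append(a.username)
        if not a.enabled:
            continue  # a disabled account is not a live risk for the remaining checks
        if a.username in leavers and leavers[a.username] <= today:
            findings["missed_leavers"].append(a.username)
        if not a.mfa:
            findings["without_mfa"].append(a.username)
            if a.kind == "admin":
                findings["admin_without_mfa"].append(a.username)
        if a.last_sign_in is None or (today - a.last_sign_in).days > stale_days:
            findings["stale"].append(a.username)
    return findings


def sample_review():
    # Fixed date so the sample output is reproducible; use date.today() for a live review.
    return review_access(parse_accounts(SAMPLE_ACCOUNTS), parse_leavers(SAMPLE_LEAVERS),
                         date(2025, 6, 1))


if __name__ == "__main__":
    for bucket, names in sample_review().items():
        print(f"{bucket}: {', '.join(names) if names else '-'}")
```

Running it quarterly and keeping the output with your other evidence gives you the dated record that “we reviewed access and found these” rather than relying on memory at renewal time; the missed-leaver check in particular is the one that catches a joiners/movers/leavers process that has quietly stopped being followed.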

5. Start renewal preparation early!

Cyber Essentials certificates expire after 12 months, and you must renew annually to stay on the official certified list.

You’ll usually get a reminder from your certification body or IASME about a month before renewal, but for a smoother experience:

Plan to start 6–8 weeks before expiry.
This gives you time to review the changes in the question set, close gaps and gather fresh evidence. The scheme is reviewed regularly, and new or refined expectations can appear (e.g. around cloud services and scoping).

Re-use, but don’t copy and paste.
Your previous answers are a good starting point, but the environment and requirements may have changed. Make sure the narrative still matches reality.

Use renewal as an internal review.
Treat the questionnaire as a structured way to check whether your controls still do what you think they do.

Approached this way, renewal becomes a shorter, more predictable activity rather than a disruptive annual project.

Turning a one-year certificate into long-term value

Cyber Essentials is intentionally achievable for SMEs, but its real power comes when you treat it as part of how you run the business every day.

If you maintain a Cyber Essentials security posture all year round, you’ll be in a much stronger position when customers, partners or insurers ask tough questions about how you protect their data. Plus your next certification cycle becomes a quick confirmation, not another painful project.

You’ve already done the hard work to get certified. Now the goal is to stay true to that badge all year by baking the Cyber Essentials requirements into your day-to-day processes, projects and purchasing decisions. Turn your certification from a yearly hurdle into a lasting competitive edge.
