Cyber Essentials Renewal And Maintaining Certification
The Cyber Essentials renewal applies to both certification levels and is part of an annual process to verify the continued cyber security of your business.
To achieve or maintain your Cyber Essentials Certification, contact our team or review any further information available here.
Planning Your Certificate Renewal

Renewing either certification level can take several days or weeks to plan and complete, so this should be taken into account when organizing your certificate renewal.
Cyber Essentials Certification Process
For the self-assessment questionnaire, companies need time to update their answers and account for any changes that have occurred in the certification standard throughout the year.
This may take several days to update, submit, and wait for a graded questionnaire to be returned.
Cyber Essentials Plus Certification Process
For Cyber Essentials Plus, scheduling certification bodies to conduct the assessments can take some time, and resolving any issues that are identified may also take time to complete, which may account for several weeks of overall scheduling and assessment time.
Applying Through IASME Or A Certification Body
Regardless of how your company has initially certified to the Cyber Essentials standard, your business can choose to apply directly through the IASME website or through a Certification Body.
In both situations, an assessor will review and grade your supplied self-assessment questionnaire, and provide feedback where they identify any issues with the supplied information.
When working directly with IASME, the feedback will be written down and solely provided through the online portal where your business completes the questionnaire.
Where your organization works alongside a Certification Body, feedback can be provided through the online portal, and also through calls, emails, and consultancy time to discuss the requirements of the assessment and each individual question in the self-assessment questionnaire.
While there can be benefits to applying directly through IASME, in many cases, where your business has received feedback on a questionnaire that wasn’t clear or specific, it can be worthwhile to work with a certification body.
This can help your business to have a more direct method to answer questions, provide additional context, and clarify where your organization should implement changes to maintain compliance.
Cyber Essentials Certification Changes

The Cyber Essentials Scheme
Cyber Essentials is managed through the IASME Consortium working alongside the National Cyber Security Centre (NCSC) and is designed to provide best-practice security standards for all companies to align with, and provide protection against the most common cyber attacks and cyber security risks.
As the standard has progressed over time, changes have been implemented to continue to provide protection from the most common cyber threats and to more closely align with modern best practice recommendations for cyber security.
Prior Changes To The Cyber Essentials Scheme
As the assessment has been updated, changes have been introduced over time, such as Multi-Factor Authentication becoming mandatory for user accounts of Cloud Services.
Planned Updates To The Cyber Essentials Scheme
Additional updates are being implemented in April 2025, which include:
- Methods to verify the scope of assessment during a Cyber Essentials Plus practical assessment.
  - This process may include an element of network scanning and device discovery for a company’s internal network to ensure that the number of identified devices aligns with the devices defined within the self-assessment questionnaire.
- Methods to verify that network security and network segmentation are in place, where companies define a sub-set of their organization as the scope for Cyber Essentials.
  - This form of assessment may involve an element of internal network scanning to ensure there is a clear separation between the in-scope and out-of-scope portions of the business.
Maintain And Achieve Cyber Essentials Certification
The Cyber Essentials requirements can change on an annual basis, with some minor and some major changes being planned.
Working with a Cyber Essentials certification body and cyber advisors allows your company to remain informed of the changing certification requirements and to plan your recertification accordingly throughout the year.
This may include changing your company policies, secure configuration standards, or budgeting for additional time and practical testing as part of Cyber Essentials Plus.
Certification Cost For Renewal

The prices for renewal don’t increase or decrease after initial certification unless the standard prices are changed by IASME as part of the planned annual changes.
However, if your company grows over time, you may need to consider the tiered pricing structure and whether moving into a new tier will affect the cost of certification renewal.
- Micro Enterprises, with 0-9 Employees, £320 + VAT
- Small Enterprises, with 10-49 Employees, £440 + VAT
- Medium Enterprises, with 50-249 Employees, £500 + VAT
- Large Enterprises, with 250+ Employees, £600 + VAT
Cyber Essentials Plus doesn’t have the same fixed pricing structure as Cyber Essentials, as the assessment is dependent on the specific certification body you work with and how many devices need to be tested during the assessment.
Where your company grows in size, this may also impact the number of devices your organisation owns that need to be included within the assessment, impacting the time taken to complete the required tests, and therefore the overall cost of recertification.
The Cyber Essentials Self-Assessment Questionnaire

While there have been multiple changes to the Cyber Essentials assessment as the standard has developed, the changes that do occur are mainly incremental, and most of the answers your company has submitted previously will still be valid.
Downloading and saving your submitted answers can help ensure your business remains compliant as you renew your certifications, as many of the previously supplied answers can be resubmitted.
However, changes in your business should be accounted for when you renew your self-assessment questionnaire.
Updating Your Questionnaire For Renewal

Scope of Assessment And Organisation Size
The Cyber Essentials scheme divides companies into different categories based on the number of employees.
If your company grows in size over time, this can affect both the number of devices to be included within the assessment and the size categorization of your business.
These changes need to be reflected within the questionnaire and will ultimately impact the cost of assessment, as the registration fees for Cyber Essentials will increase and the time to complete a Cyber Essentials Plus assessment can also increase.
For more information related to the costs of Cyber Essentials certification, the following article can be referred to.
Operating Systems and Software Versions

The self-assessment questionnaire has multiple questions that require details about your devices and software, which are likely to change over time, such as:
- Laptops, Desktops, and Mobile Devices, including their make, model, and operating system versions
- Servers your company uses, including their make and operating systems
- Firewalls in use and their make and model
- Cloud Services your company uses and whether they have Multi-Factor Authentication enabled
- Malware Protection software installed on your devices and their software versions
- Web Browsers installed on your devices and their software versions
- Office Applications installed on your devices and their versions
- Email Applications installed on your devices and their software versions
This information will change throughout the year as your company applies security updates to your devices, especially the operating system and software versions that are installed, so you should ensure it is kept up to date.
Updating Company Policies and Procedures

Your company policies and procedures may change over time, and so the relevant questions which request these details will need to be updated for your organisation, such as:
- How your company manages changes that need to be made to your firewall configuration
- How your company manages the creation of new user accounts
- How your company strictly manages administrator permissions for your accounts
- How your company manages password changes when a compromise is suspected
- How your company protects user accounts from brute force password guessing attacks
- How your company educates your users to choose strong credentials
Upgrading From Cyber Essentials To Cyber Essentials Plus

As part of your annual renewal of the Cyber Essentials certificate, your company may have an additional requirement to progress to the Cyber Essentials Plus certification.
In addition to keeping your questionnaire up to date throughout the year, progressing into Cyber Essentials Plus can introduce additional planning and costs for certification.
The Cyber Essentials Plus assessment is a technical audit and set of practical tests that review the five basic security controls defined as part of the certification standard.
The assessment includes a set of internal and external tests, completed by Cyber Essentials assessors, to verify the cyber security controls have been implemented, which include:
- External Vulnerability Scan of your internet-facing assets and IP Addresses
- Internal Authenticated Scan against a set of sample devices, including end-user devices and servers
- A review of the Multi-Factor Authentication implemented within user accounts for Cloud Services
- An analysis of the account separation configured between your standard and administrator accounts
- An assessment of your Malware Protection solution applied to your devices
Depending on the size of your organisation and the number of devices to be tested, the planning and completion of the practical tests may take a few weeks to complete.
The assessment cost will also increase quite significantly when migrating to the Cyber Essentials Plus standard. Where prices for Cyber Essentials can begin around £320, Cyber Essentials Plus will typically start around £1500-£2000, but can vary based on specific companies and requirements.
Renewing Certification Before The Expiry Date

Although it can be cost-effective to try and align your certificate expiry and renewal dates to coincide, this may not always be possible, due to scheduling and availability.
However, the Cyber Essentials certification can be renewed at any point throughout the year and this can sometimes be required for a variety of reasons, such as:
- Your company is changing offices and needs a new certification which reflects the new address
  - Cyber Essentials certificates cannot be reissued when the address of a company changes, as the address change will reflect a new location, new network configuration and potentially new devices. To maintain a valid Cyber Essentials certificate, the assessment will need to be repeated under the new address.
- Your company undergoes significant network and device changes
  - While it is not a strict requirement to recertify when changing your devices and network security, where your company undergoes significant network changes, it can be worthwhile to verify the cyber security measures of these systems to ensure vulnerabilities have not been introduced into your company.
- Your company now requires Cyber Essentials Plus certification
  - After certifying to the Cyber Essentials standard, there is a three-month period where your company can complete the Cyber Essentials Plus assessment and achieve the additional certification level. After this time, companies will need to recertify and resubmit their self-assessment questions before being able to progress into the Cyber Essentials Plus assessment.
Conclusion

Cyber Essentials renewal is an annual process that should be planned and scheduled to account for any changes in your business and the certification standard itself.
While the certification doesn’t often include drastic changes, there are usually a number of minor changes that are introduced throughout the year, which can impact the questionnaire, practical tests, pricing, and what is considered compliant or non-compliant.
Working with a Cyber Essentials certification body can help to ensure your business maintains its certification status each year and remains updated regarding any changes to the assessment.
For further guidance on achieving Cyber Essentials certification or progressing into Cyber Essentials Plus, the following articles may be useful:
- Requirements for the Cyber Essentials Accreditation, found here
- Preparing for Assessment: A Cyber Essentials CheckList, found here
- Requirements for Cyber Essentials Plus Certification, found here
- Changes to the Cyber Essentials Requirements In April 2025, found here
Where you have any further questions regarding different cybersecurity solutions or the Cyber Essentials process your company needs to work through, our consultants are available to address any concerns you may have.