Maintaining Cyber Essentials Certification: Ongoing Compliance
Cyber Essentials certification is valid for 12 months. Maintaining certification requires ongoing attention to the five controls and timely recertification. This guide covers how to stay compliant year-round—so recertification is straightforward rather than stressful.
Key Takeaways
| Point | Summary |
|---|---|
| 12-month validity | Must recertify annually to maintain certification |
| Continuous compliance | Maintain all 5 controls throughout the year, not just at certification time |
| Key ongoing tasks | Apply patches within 14 days, manage user access, keep device inventory current |
| Plan recertification | Start planning in month 10-11; book certification body early |
| Track changes | New devices, software, or locations may affect scope |
Quick Answer: Cyber Essentials certification lasts 12 months. Maintain all 5 controls year-round: patch within 14 days, manage user access, update device inventory. Start recertification planning in month 10-11 to avoid gaps.
The 12-month cycle
Annual certification lifecycle
Month 0: Certification achieved
- Certificate issued
- Listed in NCSC directory
- 12-month validity begins
- Maintenance period starts
Months 1-9: Ongoing maintenance
- Maintain all five controls
- Monitor for changes
- Address new devices and software
- Conduct regular security reviews
- Keep documentation current
Month 10-11: Recertification planning
- Review current compliance
- Address any gaps
- Book recertification
- Prepare updated information
Month 12: Recertification
- Complete new assessment
- New certificate issued
- New 12-month period begins
- Cycle repeats
If your certificate expires
| Consequence | Impact |
|---|---|
| Cannot claim certification | Marketing materials must be updated |
| Removed from directory | Third-party verification fails |
| May affect contracts | Could breach contract requirements |
| Must restart certification | Cannot simply "renew"—must reassess |
Ongoing maintenance activities
Daily activities
| Activity | Responsibility |
|---|---|
| Monitor security alerts | IT/Security team |
| Process new starters | HR + IT |
| Process leavers | HR + IT |
| Review suspicious events | IT/Security team |
Weekly activities
| Activity | Responsibility |
|---|---|
| Review patch status | IT |
| Check anti-malware updates | IT |
| Review new software requests | IT |
| Process access changes | IT |
Monthly activities
| Activity | Responsibility |
|---|---|
| Review user accounts | IT + HR |
| Audit admin access | IT/Security |
| Update device inventory | IT |
| Review security metrics | Security/Management |
Quarterly activities
| Activity | Responsibility |
|---|---|
| Full compliance review | Security/IT |
| Policy review | Management |
| Training refresher | All staff |
| Documentation update | IT/Security |
Control-specific maintenance
Control 1: Firewalls
Ongoing requirements:
- Review firewall rules periodically
- Update firmware as patches are released
- Document any new rules
- Remove obsolete rules
- Verify host firewalls remain enabled
Watch for:
- New network connections
- Changes to cloud infrastructure
- New remote access requirements
- Firmware update notifications
Control 2: Secure configuration
Ongoing requirements:
- Maintain configuration standards on new devices
- Review and remove unnecessary software
- Enforce password policy
- Ensure screen lock remains configured
Watch for:
- New device deployments
- Software installation requests
- Configuration drift
- New user requirements
Control 3: Security updates
Ongoing requirements:
- Apply critical/high patches within 14 days
- Monitor for new vulnerabilities
- Track software end-of-life dates
- Maintain update automation
Watch for:
- Patch Tuesday releases
- Emergency security bulletins
- Failed update notifications
- Approaching EOL dates
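The 14-day window and end-of-life tracking above are the two Control 3 items that lend themselves to a routine check rather than a manual review. The following script is an added illustration, not part of the original guide or any Bastion tooling: it takes a constructed list of pending updates and a constructed software inventory, flags critical/high updates that have been outstanding for more than 14 days since the vendor released them, and classifies software as unsupported or approaching end-of-life. The 90-day early-warning horizon for EOL is an assumed operational choice, not a Cyber Essentials requirement; the data classes and sample dates are likewise constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Cyber Essentials window for critical/high-rated updates, as stated in the guide.
PATCH_SLA_DAYS = 14
# Assumed early-warning horizon for end-of-life tracking (not a Cyber Essentials figure).
EOL_WARNING_DAYS = 90


@dataclass(frozen=True)
class PendingUpdate:
    device: str
    software: str
    severity: str        # "critical", "high", "medium" or "low" (constructed vendor rating)
    released: date       # date the vendor published the update
    installed: bool      # True once the device reports the update applied


@dataclass(frozen=True)
class SoftwareRecord:
    software: str
    version: str
    end_of_life: Optional[date]   # None for rolling releases with no published EOL


def overdue_updates(updates: List[PendingUpdate], today: date) -> List[Tuple[str, str, int]]:
    """Return (device, software, age_in_days) for critical/high updates still not installed
    more than PATCH_SLA_DAYS after release, oldest first."""
    overdue = []
    for u in updates:
        # Only uninstalled critical/high updates fall under the 14-day rule.
        if u.installed or u.severity not in ("critical", "high"):
            continue
        age = (today - u.released).days
        if age > PATCH_SLA_DAYS:
            overdue.append((u.device, u.software, age))
    return sorted(overdue, key=lambda row: -row[2])


def eol_risks(records: List[SoftwareRecord], today: date, horizon: int = EOL_WARNING_DAYS) -> dict:
    """Map software name -> 'unsupported' (EOL already passed) or 'approaching'
    (EOL within `horizon` days). Software outside both categories is omitted."""
    risks = {}
    for r in records:
        if r.end_of_life is None:
            continue
        remaining = (r.end_of_life - today).days
        if remaining < 0:
            risks[r.software] = "unsupported"
        elif remaining <= horizon:
            risks[r.software] = "approaching"
    return risks


# Constructed sample data for the example; the review date is fixed so results are repeatable.
TODAY = date(2024, 6, 1)

SAMPLE_UPDATES = [
    PendingUpdate("LAPTOP-01", "Browser", "critical", date(2024, 5, 10), False),  # 22 days old: overdue
    PendingUpdate("LAPTOP-02", "Browser", "critical", date(2024, 5, 10), True),   # already installed
    PendingUpdate("LAPTOP-03", "Office",  "high",     date(2024, 5, 25), False),  # 7 days old: within window
    PendingUpdate("SERVER-01", "OS",      "medium",   date(2024, 4, 1),  False),  # not covered by the 14-day rule
    PendingUpdate("SERVER-02", "OS",      "high",     date(2024, 5, 1),  False),  # 31 days old: overdue
]

SAMPLE_SOFTWARE = [
    SoftwareRecord("OS",      "v10",  date(2024, 3, 31)),  # EOL already passed
    SoftwareRecord("Office",  "2019", date(2024, 8, 15)),  # 75 days away: approaching
    SoftwareRecord("Browser", "125",  None),               # rolling release, no fixed EOL
]

if __name__ == "__main__":
    for device, software, age in overdue_updates(SAMPLE_UPDATES, TODAY):
        print(f"OVERDUE  {device:<10} {software:<8} {age} days since release")
    for software, status in eol_risks(SAMPLE_SOFTWARE, TODAY).items():
        print(f"EOL      {software:<10} {status}")
```

Running this weekly against an export from the patch-management or MDM tool gives the "review patch status" item in the weekly table a concrete output: an empty overdue list is the evidence you want on file for recertification, and the EOL list feeds the "approaching EOL dates" watch item before a product silently drops out of support.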
Control 4: User access control
Ongoing requirements:
- Create accounts for new joiners
- Remove accounts for leavers promptly
- Adjust access for role changes
- Maintain admin account inventory
Watch for:
- HR notifications
- Role changes
- Temporary access requests
- Contractor on/offboarding
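The monthly "review user accounts" and "audit admin access" tasks come down to reconciling three sources: the HR roster, the directory's account list, and the admin account inventory. The script below is an added example, not part of the original guide or any Bastion tooling. It takes constructed versions of those three sources and reports enabled accounts whose owner has left, accounts with no matching HR record, admin accounts missing from the inventory, and accounts with no recent logon. The 90-day staleness threshold is an assumed review heuristic rather than a Cyber Essentials figure; the data classes, usernames and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    role: str
    left_on: Optional[date]   # set by HR when someone leaves; None while employed


@dataclass(frozen=True)
class Account:
    username: str
    person_id: Optional[str]  # None for service or shared accounts with no individual owner
    enabled: bool
    is_admin: bool
    last_logon: Optional[date]


def review_accounts(people: List[Person], accounts: List[Account], admin_inventory: Set[str],
                    today: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled accounts that need action.
    Disabled accounts are skipped; they are not a live access risk."""
    roster = {p.person_id: p for p in people}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.person_id is not None:
            owner = roster.get(a.person_id)
            if owner is None:
                # Nobody in HR owns this account: orphaned, or a contractor never registered.
                findings.append((a.username, "no matching HR record"))
            elif owner.left_on is not None and owner.left_on <= today:
                # Leaver reported by HR but the account was never disabled.
                findings.append((a.username, "leaver still enabled"))
        if a.is_admin and a.username not in admin_inventory:
            # Every admin account should appear in the maintained admin inventory.
            findings.append((a.username, "admin account not in inventory"))
        if a.last_logon is None or (today - a.last_logon).days > stale_days:
            # Assumed heuristic: an unused account is a candidate for removal.
            findings.append((a.username, f"no logon in {stale_days} days"))
    return findings


# Constructed sample data; the review date is fixed so results are repeatable.
TODAY = date(2024, 6, 1)

PEOPLE = [
    Person("P001", "Finance", None),
    Person("P002", "Engineering", date(2024, 5, 15)),   # left two weeks before the review
    Person("P003", "IT", None),
]

ACCOUNTS = [
    Account("alice",      "P001", True,  False, date(2024, 5, 30)),  # in order
    Account("bob",        "P002", True,  False, date(2024, 5, 14)),  # leaver, still enabled
    Account("carol",      "P003", True,  True,  date(2024, 5, 31)),  # admin, listed in inventory
    Account("dave",       "P009", True,  True,  date(2024, 5, 20)),  # unknown to HR, admin not inventoried
    Account("svc-backup", None,   True,  False, date(2024, 1, 10)),  # service account, unused for months
    Account("erin",       "P004", False, False, None),               # disabled, skipped
]

ADMIN_INVENTORY = {"carol"}

if __name__ == "__main__":
    for username, finding in review_accounts(PEOPLE, ACCOUNTS, ADMIN_INVENTORY, TODAY):
        print(f"{username:<12} {finding}")
```

Keeping the monthly output of a check like this alongside the HR leaver notifications gives a dated trail that the "process leavers" and "audit admin access" tasks actually happened, which is what the recertification self-assessment asks you to confirm.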
Control 5: Malware protection
Ongoing requirements:
- Verify protection remains active
- Confirm signature updates are current
- Review scan results
- Respond to detections
Watch for:
- Protection being disabled
- Update failures
- Malware detections
- New devices without protection
Tracking changes
What changes affect your certification?
| Change Type | Impact |
|---|---|
| New locations | May need to update scope |
| New cloud services | May need additional controls |
| New device types | Must meet all requirements |
| Significant growth | May affect Plus device sampling |
| Infrastructure changes | May require reassessment |
Change management for compliance
When changes occur:
- Assess: Does this change affect compliance?
- Implement: Apply controls to new systems
- Document: Update inventories and documentation
- Verify: Confirm compliance is maintained
- Record: Note changes for recertification
Recertification planning
Timeline for recertification
| Timeframe | Action |
|---|---|
| Month 10 | Begin compliance review |
| Month 10-11 | Address any gaps |
| Month 11 | Book certification body |
| Month 11-12 | Complete assessment |
| Month 12 | New certificate issued |
Recertification checklist
One month before:
- Verify all controls still compliant
- Update device inventory
- Update software inventory
- Review user account list
- Address any known gaps
- Book certification body
Before submission:
- Confirm scope hasn't changed significantly
- Verify all patches applied
- Check all devices protected
- Review admin accounts
- Test sample devices
- Prepare documentation
If issues arise before recertification
| Issue | Action |
|---|---|
| Control gaps discovered | Remediate before assessment |
| Significant scope changes | Discuss with your certification body (CB) |
| Time running short | Book earliest available slot |
| Budget constraints | Plan and prioritise |
Maintaining Plus certification
Plus recertification requires the same technical audit as initial certification.
Plus-specific maintenance
- Keep vulnerability scan results on file
- Maintain device configurations
- Ensure no new vulnerabilities introduced
- Track any failed audit items from initial certification
- Keep assessor relationship active
Pre-audit preparation
- Run internal scans periodically
- Address any findings
- Verify device configurations
- Update documentation
- Schedule audit with buffer time
Common maintenance challenges
Keeping patches current
| Challenge | Solution |
|---|---|
| Patches cause issues | Test in pilot group first |
| Remote devices | MDM or scheduled office visits |
| Legacy systems | Isolation + compensating controls |
| Bandwidth constraints | Scheduled, staged deployment |
Managing user access
| Challenge | Solution |
|---|---|
| Leavers not reported | HR/IT process integration |
| Access creep | Quarterly access reviews |
| Contractor management | Defined on/offboarding |
| Role changes | Documented mover process |
Scope changes
| Challenge | Solution |
|---|---|
| Growth | Apply controls to new systems |
| Acquisitions | Assess and integrate |
| New technology | Ensure compliance before deployment |
| Cloud migration | Apply cloud security controls |
How Bastion can help
Maintaining certification year-round takes consistent effort. We can help reduce that burden.
| Challenge | How We Help |
|---|---|
| Ongoing monitoring | We track compliance status continuously |
| Change management | We assess impact of changes |
| Remediation | We address issues as they arise |
| Recertification | We manage the recertification process |
| Reporting | We provide compliance visibility |
Working with a managed service partner means certification maintenance becomes a managed process rather than a last-minute scramble. We help you stay compliant throughout the year, which makes recertification straightforward and stress-free.
Need help maintaining your Cyber Essentials certification? Talk to our team
