That Cyber Essentials Badge on Your Website: Credential or Creative Writing?
I want to talk about lies. Specifically, the kind of lies that don’t feel like lies while you’re telling them.
You didn’t sit down and decide to mislead anyone. You got Cyber Essentials certified, probably because a customer or contract required it. You renewed because letting it lapse seemed careless. You put the badge on the website because that’s what you’re supposed to do. At every stage you were doing the right thing.
Except somewhere along the way, the thing the badge claimed became detached from the reality the badge was supposed to represent. And now it’s sitting there on your homepage, doing a job it can no longer actually do.
What the Badge Is Supposed to Mean
Cyber Essentials, when it works as intended, is a credible government-backed signal that a business has implemented a specific set of baseline security controls. NCSC-designed, self-assessed against a fixed question set with the answers verified by a licensed certification body (Cyber Essentials Plus adds independent technical testing on top), valid for twelve months at a time. Not perfect. Not sufficient against a sophisticated, targeted attacker. But a genuine, honest indicator that the basics are in place.
That’s a valuable thing. It tells customers something real. It gives insurers something to work with. It helps procurement teams make faster, more confident decisions. It earns that badge on the website.
But here is what it requires: the controls you certified against have to be the controls you’re actually running. The scope you declared has to be the scope that reflects your actual IT estate. The certificate has to be current. And you have to be maintaining it actively, not just displaying it.
When any of those conditions breaks down, you’re no longer displaying a credential. You’re making a claim you can’t substantiate. In a regulated context with data protection obligations attached, that is a different kind of problem.
The Four Ways the Badge Becomes a Liability
The expired certificate. The most obvious failure. A Cyber Essentials certificate is valid for twelve months from the date of issue. If you’re displaying the badge on your website after that date, you’re claiming a current certification you don’t hold. This is not a grey area. Post-breach, it will be identified within minutes, and it will not help your case with the ICO, your insurer, or a client’s legal team.
Check the date. Right now, before you read another sentence. If it’s expired, take the badge down until you’ve renewed. You can put it back in a few weeks when you’ve done the work properly.
The drifted scope. Lucy’s case study yesterday described this pattern in detail. The estate changes, the scope doesn’t. Four renewals later, the certificate describes a 2021 IT estate and the business is running on a 2025 one. Every significant technology change, every cloud service adoption, every BYOD arrangement that becomes the norm, requires a scope review.
The hard truth is that v3.3 removes most of the wriggle room here. Cloud services cannot be excluded. End-user devices cannot all be excluded. If your scope has been quietly carved around the convenient parts of your estate, it will not survive the Danzell question set. Better to find that out now than during an ICO investigation.
The ceremonial renewal. You know what I’m talking about. Same answers as last year, date changed, submitted. No actual review of whether the controls are still in place. No check of whether the cloud services match the scope. No verification that MFA is still enabled and still covers everyone. The form went in and the certificate came back and nobody looked hard at either.
This kind of renewal produces a certificate that is technically valid and practically worthless. The controls it attests to may or may not exist. The scope it describes may or may not match reality. If you’ve been doing renewals this way, you need to stop and do one properly before the next one comes up.
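One of the checks a non-ceremonial renewal actually involves is confirming that MFA still covers every enabled account, not just the ones it covered when the original assessment was done. The following is an added example, not a script from the original post or from the NCSC or IASME, showing how that check looks for a Microsoft 365 tenant using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Reports and Microsoft.Graph.Users modules are installed and that the account running it holds the Graph permissions named in the script (the exact permission set is an assumption; adjust it to your tenant). The output file name is also an assumption.

```powershell
# Added example (not from the original post): list enabled member accounts in an
# Entra ID tenant that have no MFA method registered at all.
# Assumes: Microsoft.Graph.Reports and Microsoft.Graph.Users modules are installed,
# and the signed-in account is granted the scopes below (assumed set; adjust to tenant).
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All","User.Read.All" -NoWelcome

# Registration report: one row per user, with IsMfaRegistered / IsMfaCapable flags.
# Index it by object id so the join below is a hash lookup, not a nested scan.
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $registration[$_.Id] = $_
}

# The coverage claim is about enabled, non-guest accounts; disabled users and
# guests are excluded here, but keep a note of any guest accounts you rely on.
$enabledMembers = Get-MgUser -All `
    -Filter "accountEnabled eq true and userType eq 'Member'" `
    -Property Id,UserPrincipalName

$noMfa = foreach ($user in $enabledMembers) {
    $row = $registration[$user.Id]
    if (-not $row -or -not $row.IsMfaRegistered) { $user.UserPrincipalName }
}
$noMfa = @($noMfa) | Sort-Object

"{0} enabled member accounts, {1} with no registered MFA method" -f $enabledMembers.Count, $noMfa.Count
$noMfa | Out-File -FilePath .\mfa-gaps.txt   # assumed output path; attach to the renewal working file
```

Two caveats for anyone using this as renewal evidence. First, a registered MFA method is not the same as an enforced one: enforcement comes from Security Defaults or Conditional Access, so check that the policy requiring MFA still applies to all users and has not acquired exclusions since last year. Second, this only covers Entra ID; if the scope also includes a cloud CRM or other SaaS with its own identity store, each of those needs the equivalent check, and the answer on the form should reflect all of them.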
The scope that omits the actual business. The version that genuinely astounds me. A professional services firm, say, certifying its on-premises infrastructure while everything it actually does runs in Microsoft 365 and a cloud CRM. Every client email, every document, every piece of personal financial data: none of it in the certified scope. The badge is on the website. The customers see it. The insurers have it on file. And the actual data is completely uncovered by the certified controls.
I am not going to pretend this is rare. I have seen it. The sector has seen it. V3.3 is specifically designed to make it impossible to self-certify honestly while leaving your cloud estate uncovered. That’s a good thing.
Director Accountability Is Coming Into Focus
The Cyber Security and Resilience Bill is working its way through Parliament. The direction of travel is clear: directors of UK organisations are going to be held to a higher standard of accountability for the security of their IT estate and the accuracy of their security claims.
I have been saying for years that we need an HSE-style enforcement model for cybersecurity, meaning the approach the Health and Safety Executive takes to workplace safety: mandatory reporting, active investigation, meaningful consequences for directors who treat security as a compliance checkbox rather than a genuine operational responsibility. The direction of regulatory travel suggests that’s coming.
In that environment, the question changes. It’s not “did we pass the assessment?” It’s “were the claims we made about our security posture accurate and honestly maintained?” A Cyber Essentials badge on a website is a claim. If it’s not accurate, it becomes evidence of a claim that wasn’t true. Directors own that.
What I Want You to Take Away
This week we’ve covered the mechanics of v3.3 in detail. Noel’s deep-dive on Tuesday, Mauven’s analysis on Wednesday, Graham’s practical plan on Thursday, Lucy’s case study on Friday. The information is there.
But here’s the bit I want you to actually do something about.
Look at the Cyber Essentials badge on your website. Ask yourself honestly: does that badge represent something real? Is the certificate current? Does the scope cover your actual IT estate including your cloud services? Are the controls it attests to actually running and maintained?
If the answer to all of those is yes, good. Keep the badge. Display it with confidence.
If any of the answers gave you pause, the badge is currently doing more harm than good. Not because displaying it is dishonest in some abstract sense. Because it is making a claim for you that you cannot stand behind. And in a world where regulators, insurers, and solicitors all know how to read a scope document, that is a claim with consequences.
Fix it. Use the 30-60 day plan Graham set out. Get the scope honest. Get the controls current. Renew properly.
Then put the badge back up and mean it.