The Certificate That Made Things Worse: A Cyber Essentials Scope Drift Case Study

Right, so hang on.

A business certifies to Cyber Essentials in 2021. They renew every year. They display the badge on their website. Their clients can see it. Their insurers have it on file. By all visible measures, they are a certified business.

Except by 2025, the IT estate that badge describes is not the IT estate the business is running. And when something goes wrong, that gap is not a technical detail. It is the centre of every conversation that follows.

I want to walk through a composite case that reflects patterns I have seen repeatedly in how UK professional services firms have handled CE certification as their technology use has changed. The business I'm calling Meridian Advisory is not a single real entity. But the failure mode is entirely real. It is happening in businesses right now, and the v3.3 changes are designed specifically to address it.

Meridian Advisory: A Typical Story

Meridian is a small professional services firm. Twelve staff, two partners, handling financial planning and some light corporate advisory work. They first certified to Cyber Essentials in 2021, sensibly, because one of their larger clients asked them to.

At the time, their IT estate was straightforward. Two on-premises servers, an on-premises file share where client documents lived, and fifteen managed laptops. The scope was cleanly defined. It matched the reality. They passed, renewed the following year, and put the badge on the website.

Between 2021 and 2024, their technology changed substantially. This is entirely normal. It is what happens to almost every small business over four years.

They migrated to Microsoft 365, primarily because the cost of maintaining on-premises Exchange was no longer justifiable. Client documents moved from the file share to SharePoint. Email was now in Exchange Online. The two servers were eventually decommissioned.

They adopted a cloud-based CRM to manage client relationships, meeting notes, and financial planning data. This was not a security decision. It was a productivity one.

Staff started working from home regularly from 2020 and the arrangement became permanent for three people. They used their own devices, which connected to Microsoft 365 and the CRM.

The project management platform was added in 2023. The VoIP system in early 2024.

At each renewal, the CE scope document was "updated" by changing the date and largely copying the previous year's answers. Nobody asked whether the scope still matched the estate. The assessors reviewed the answers against the declared scope. The declared scope still described the original on-premises setup in general terms that could, if you squinted, be read as covering the new arrangements. It couldn't, really. But nobody looked hard.

What the Scope Actually Covered

By the time of the breach in late 2025, Meridian's Cyber Essentials scope, as documented, covered approximately 20 percent of their actual attack surface.

The Microsoft 365 environment, where all email and most documents lived, was not explicitly scoped. The CRM, which held detailed financial planning data for several hundred clients, was not in scope. The three BYOD home workers' devices were not in scope. The project management platform, which contained client names, financial summaries, and correspondence, was not in scope.

The firewalls and servers the scope described had not existed for over two years.

The certificate was, in the most literal technical sense, accurate. Everything in the declared scope probably did meet the requirements. The declared scope simply did not describe where the business's data and systems actually lived.

The Breach

The incident began with a credential-based attack on the CRM. A staff member had reused a password across several personal accounts. One of those accounts was compromised in an unrelated breach. The attacker used the credential to log in to the CRM, which had no MFA requirement for standard users.

Over approximately two weeks, the attacker accessed client records, exported financial planning documents, and retrieved contact information. The CRM logs recorded the access but Meridian had no monitoring process to review them. The breach was eventually identified when a client reported receiving a targeted phishing email referencing specific details from their financial plan.
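The two signals in this account, a login from a source the CRM had never seen for that user and a run of exports over a couple of weeks, are exactly what a basic log review would have caught. The following is an added example, not code from the original post and not tied to any real CRM product: the log format, the field names and the sample lines are all constructed for illustration. It builds a per-user baseline of login sources from a known-good period, flags logins from any other source, and flags users whose export volume within a 48-hour window exceeds a threshold.

```python
"""Minimal CRM audit-log review (added example; hypothetical log format).

Each constructed line is: timestamp,user,event,source_ip,record_count.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The first three lines are the user's normal pattern;
# the later lines show a login from a new source followed by bulk exports.
SAMPLE_LOG = """\
2025-10-01T09:02:11Z,j.smith,login,203.0.113.10,0
2025-10-01T09:05:40Z,j.smith,view_record,203.0.113.10,1
2025-10-02T08:58:03Z,j.smith,login,203.0.113.10,0
2025-10-14T02:17:55Z,j.smith,login,198.51.100.77,0
2025-10-14T02:20:12Z,j.smith,export,198.51.100.77,120
2025-10-14T02:31:48Z,j.smith,export,198.51.100.77,95
2025-10-15T01:44:09Z,j.smith,export,198.51.100.77,140
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Parse the constructed CSV-style lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, ip, count = line.split(",")
        events.append({"ts": _ts(ts), "user": user, "event": event,
                       "ip": ip, "count": int(count)})
    return events


def login_baseline(events, cutoff):
    """Source IPs each user logged in from before `cutoff` (the known-good period)."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["ts"] < cutoff:
            seen[e["user"]].add(e["ip"])
    return seen


def new_source_logins(events, baseline):
    """Logins from an IP not in that user's baseline."""
    return [e for e in events
            if e["event"] == "login"
            and e["ip"] not in baseline.get(e["user"], set())]


def export_bursts(events, window=timedelta(hours=48), threshold=200):
    """Users whose exports within any `window` total at least `threshold` records."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "export":
            by_user[e["user"]].append(e)
    findings = []
    for user, exps in by_user.items():
        exps.sort(key=lambda e: e["ts"])
        for i, start in enumerate(exps):
            total = sum(x["count"] for x in exps[i:]
                        if x["ts"] - start["ts"] <= window)
            if total >= threshold:
                findings.append({"user": user, "from": start["ts"], "records": total})
                break  # one finding per user is enough to trigger a review
    return findings


def review(text, baseline_cutoff_iso):
    """Run both checks; the baseline is everything logged before the cutoff."""
    events = parse_log(text)
    baseline = login_baseline(events, _ts(baseline_cutoff_iso))
    return {"new_source_logins": new_source_logins(events, baseline),
            "export_bursts": export_bursts(events)}


if __name__ == "__main__":
    result = review(SAMPLE_LOG, "2025-10-10T00:00:00Z")
    for e in result["new_source_logins"]:
        print(f"NEW SOURCE  {e['ts']:%Y-%m-%d %H:%M} {e['user']} from {e['ip']}")
    for f in result["export_bursts"]:
        print(f"EXPORT BURST {f['from']:%Y-%m-%d %H:%M} {f['user']} {f['records']} records")
```

The baseline cutoff is deliberately a parameter: in a real review you would build it from a period you trust and run the checks on everything since. A weekly run of something this simple over whatever the CRM exports would have surfaced the constructed incident on the first day of the new-source login, not two weeks later via a client's phishing report.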

The ICO was notified. Meridian's insurer was notified. Both started asking questions at roughly the same time.

Who Is Accountable for This?

The insurer's first question was about MFA. The policy had a specific condition requiring MFA on all cloud services used to store customer data. The CRM stored customer data. MFA was not enabled. The insurer declined to cover the cost of the breach response and the notification exercise, citing the policy condition.

The ICO's focus was different but equally uncomfortable. The investigator asked Meridian to provide their Cyber Essentials certificate, their scope document, and a description of the IT systems used to store the affected personal data.

The gap between the certificate's scope and the actual systems containing the personal data was immediately visible. The CRM was not in the scope. Microsoft 365 was not explicitly in the scope. The BYOD home worker devices were not in the scope.

The ICO's line of inquiry then became whether Meridian had taken "appropriate technical and organisational measures" to protect personal data, as required under UK GDPR. The Cyber Essentials certificate was presented as evidence that they had. The ICO's response was to note that the certificate applied to a scope that did not include the systems where the breach occurred.

This is the precise scenario Mauven described on Wednesday. The certificate had moved from being a positive indicator of security posture to an exhibit that raised questions about whether the business understood its own obligations.

What Changed Because of v3.3

Had Meridian been renewing under the Danzell question set, the self-assessment would have confronted these gaps directly.

The question on cloud services under v3.3 is explicit: cloud services cannot be excluded from scope. An assessor reviewing a scope document that omitted Microsoft 365 and a cloud CRM, while the business described those as its primary data stores, would be expected to challenge it. The question about BYOD and home worker devices would have required Meridian to address the three home workers whose personal devices had access to the CRM.

These are not trick questions. They are the questions a business running in 2025 should be able to answer. What v3.3 does is require them to be answered in the self-assessment, rather than worked around by a scope document that describes a 2021 IT estate.

The Practical Lessons

I want to be careful here about the tone. This is not "Meridian should have known better" as a conclusion. The failure mode I've described is systemic and extremely common. Most small businesses that hold Cyber Essentials certification are not security specialists. They are accountants, architects, consultants, tradespeople. They certified because a client or a contract required it. They renewed because letting it lapse seemed unwise. Nobody told them that annual renewal required annual scope review.

That is a genuine gap in how the scheme has been communicated to smaller businesses, and it is one the sector needs to address.

But the consequences of the gap are real, and they are landing on real businesses and their clients. So here are the direct takeaways.

Your scope document is a live document. It is not a form you complete once and file. Every time your IT estate changes significantly, the scope should be reviewed. Cloud services adopted. New BYOD users. Remote working arrangements. Software migrations. Each of these potentially changes the scope.

"Cloud services cannot be excluded" is not just a v3.3 rule. It reflects a logical reality that was true before v3.3 formalised it. If your business data is in a cloud service, the controls around that service are your responsibility, not the provider's. The provider secures the infrastructure. You secure the access.

MFA on cloud services is a policy condition, not just a compliance requirement. Cyber insurance policies increasingly specify MFA as a requirement for coverage. If your policy has that condition and MFA is not enabled, you may be paying for coverage that will not pay out. Check the policy. Enable MFA. In that order.

The ICO notices the gap between the cert and the breach. This is not speculation. It is a documented pattern. A Cyber Essentials certificate that does not cover the environment where a breach occurred does not provide the protection from scrutiny that businesses assume it does. It may create additional scrutiny.

The renewal is not an administrative task. It should involve a genuine review of whether the scope and controls still match the estate. Thirty minutes of honest review at each renewal is worth considerably more than the cost of a breach that the certificate cannot defend against.

What to Actually Do

If any part of Meridian's story sounds familiar, the steps are the same ones Graham set out on Thursday, and they start with telling the truth about your current IT estate.

Pull your current scope document. Write down every significant cloud service, every home worker arrangement, every BYOD situation your business has adopted since the last time you genuinely reviewed the scope. Compare the two lists.

If there are gaps, you have work to do before your next renewal. If your renewal falls after 26th April 2026, you will be renewing against v3.3 and the Danzell question set, and those gaps will surface in the assessment rather than after the breach.

The certificate is only as useful as the truth it represents. Make it true.
