Your 30-60 Day Cyber Essentials v3.3 Readiness Plan: A Step-by-Step Guide
Right. Let's be practical about this.
Noel's done the deep-dive on exactly what changes in v3.3. Mauven's explained why getting scope wrong doesn't just fail an assessment, it creates a liability. My job is the bit that comes after those conversations: what do you actually do, in what order, over the next few weeks?
I've broken this into a 30-60 day framework. The first ten days are about telling the truth. Days 11 to 30 are about fixing the most common gaps. Days 31 to 60 are about tightening the edges and doing the dry run.
Fair warning: I'm going to get fairly specific in places, and I'll occasionally come back to correct myself when I realise I've glossed over something important. That's how implementation actually works.
One thing before we start: this plan assumes you're a UK SMB with between 5 and 50 staff, running a mix of Windows or macOS devices, and using at least one major cloud productivity suite, almost certainly Microsoft 365 or Google Workspace. If your setup is significantly different, the principles apply but the specific steps will need adapting.
Days 1-10: Tell the Truth About What You Have
This phase is harder than it sounds. Not technically. Organisationally.
Step 1: Define Your Scope Boundary
Sit down with whoever manages your IT, even if that's you, and answer this question in writing: what is in scope for this certification?
Your scope needs to describe three things: the business unit or function being certified (for most SMBs this is the whole organisation), the network boundary that separates it from anything outside, and the physical or logical locations included.
The temptation here is to hedge. To write "primarily the main office network" and hope that covers it. It doesn't. You need to be specific.
A workable scope statement for a small business might look like this:
"Certification scope covers the entire IT estate of [Company Name], including all devices used by staff and contractors for business purposes, the office network at [address], all home and remote working devices with access to company data or services, and all cloud services used to store or process company data."
That is uncomfortable to write if you have not been managing all of those things consistently. Write it anyway. The discomfort is pointing at exactly the places that need attention.
One hard rule that cannot be negotiated: your scope cannot exclude all end-user devices. You can define a subset scope, but it must include devices. A scope that covers only servers is not valid under CE.
Step 2: Build Your Asset Inventory
This is the step most businesses think they've already done, and most haven't done properly.
Open a spreadsheet. Create four tabs: Devices, Software, Cloud Services, and People.
Devices tab: list every device that falls within your scope. Servers, desktops, laptops, thin clients, tablets, smartphones, network equipment including routers, switches, and firewalls. For each entry, record: device name or identifier, device type, operating system and version, who uses or manages it, and whether it can reach the internet, accept inbound connections, or control network traffic.
If you don't know what's on your network, use your DHCP server logs or a simple network scanner like Angry IP Scanner (free, runs on Windows and macOS) to enumerate connected devices. It won't find everything, but it's a start.
Software tab: for each device, list the key software installed. Operating system, office productivity applications, browsers and extensions, line-of-business software, firewall and router firmware. You're looking for two things: anything that's unsupported and should be removed, and anything that needs to be in your patching process.
You don't need to list every piece of software on every device individually. Focus on the categories above and flag anything that looks out of date or potentially unsupported.
Cloud Services tab: this is the one that's usually most incomplete. List every cloud service your business uses that stores or processes organisational data. Microsoft 365, Google Workspace, Dropbox, your CRM, your accounting software, your project management tool, your HR system, your backup service. Everything.
For each service, note: what data is stored there, who has accounts, whether MFA is currently enabled, and who administers it.
If you're unsure what cloud services you're running, check your bank statements for the last twelve months. Recurring SaaS subscriptions will show up there.
People tab: list every person with access to your systems. Staff, contractors, volunteers, trustees if you're a charity. For each, note: what systems they can access, what level of privilege they have (standard user or admin), and whether their account is currently active. You're looking for accounts that should have been disabled but weren't.
This whole exercise takes most SMBs between half a day and a full day, depending on the size and complexity of the estate. Do not skip it. Everything that follows depends on having an honest picture of what you're certifying.
Step 3: Map Assets Against the Five Controls
For each device and cloud service on your inventory, work through five questions:
What firewall protection does it have?
How is it securely configured?
How are software updates and patches managed?
How do people authenticate to it?
What malware protection is in place?
You don't need detailed answers yet. You need to identify the gaps. Mark anything where you can't give a clear answer, or where the honest answer is "we're not doing that properly". Those gaps become your action list for Days 11-30.
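The inventory and the five-question gap map can be kept in a spreadsheet, but the same logic is easier to re-run every month as a small script. The example below is added here and is not part of the original plan or any CE tooling: it models a handful of constructed assets (names and statuses invented), applies the scope rule from Step 1, asks the five questions of each in-scope asset and produces the action list. The decision to leave the firewall and anti-malware questions to the provider for cloud services, and to skip anti-malware on network equipment, is a simplification made by this example, not a statement of the CE requirements.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: minimal inventory model plus the five-control gap check.
# Every asset below is constructed for illustration; none describes a real estate.

END_USER_KINDS = {"laptop", "desktop", "thin client", "tablet", "smartphone"}
NETWORK_KINDS = {"router", "switch", "firewall"}

# Simplification made by this example, not a statement of the CE requirements.
NOT_APPLICABLE = {"cloud": {"firewall", "malware"}}
NOT_APPLICABLE.update({kind: {"malware"} for kind in NETWORK_KINDS})


@dataclass
class Asset:
    name: str
    kind: str                                   # "laptop", "server", "router", "cloud", ...
    in_scope: bool = True
    firewall_on: Optional[bool] = None          # None means "not recorded" for every field below
    default_creds_changed: Optional[bool] = None
    supported: Optional[bool] = None            # vendor still issues security fixes
    auto_updates: Optional[bool] = None
    auth_method: Optional[str] = None           # e.g. "password+MFA", "PIN+biometric"
    anti_malware_current: Optional[bool] = None


def validate_scope(assets):
    """Hard rule from the text: a scope cannot exclude all end-user devices."""
    return any(a.in_scope and a.kind in END_USER_KINDS for a in assets)


def _finding(value, if_no, if_unknown="not recorded: needs an honest answer"):
    """Turn a yes/no/unknown answer into a reason string, or None when it passes."""
    if value is None:
        return if_unknown
    if value is False:
        return if_no
    return None


def asset_gaps(asset):
    """Work the five questions for one asset; return (control, reason) pairs."""
    skip = NOT_APPLICABLE.get(asset.kind, set())
    gaps = []
    if "firewall" not in skip:
        reason = _finding(asset.firewall_on, "no firewall protecting this asset")
        if reason:
            gaps.append(("firewall", reason))
    reason = _finding(asset.default_creds_changed, "default credentials or configuration left unchanged")
    if reason:
        gaps.append(("secure_config", reason))
    # Updates give two separate findings because the remedies differ:
    # unsupported software needs replacement or isolation, not just a setting.
    reason = _finding(asset.supported, "past end of support: replacement plan or isolation from the internet")
    if reason:
        gaps.append(("updates", reason))
    reason = _finding(asset.auto_updates, "automatic updates off: fixes may miss the 14-day window")
    if reason:
        gaps.append(("updates", reason))
    if asset.auth_method is None:
        gaps.append(("authentication", "authentication method not recorded"))
    elif asset.kind == "cloud" and "MFA" not in asset.auth_method.upper():
        gaps.append(("authentication", "MFA not enforced for all users"))
    if "malware" not in skip:
        reason = _finding(asset.anti_malware_current, "anti-malware disabled or out of date")
        if reason:
            gaps.append(("malware", reason))
    return gaps


def map_gaps(assets):
    """The Days 11-30 action list: (asset, control, reason) for in-scope assets."""
    return [(a.name, control, reason)
            for a in assets if a.in_scope
            for control, reason in asset_gaps(a)]


def gaps_by_control(gaps):
    """Count findings per control so the fix work can be ordered."""
    counts = {}
    for _, control, _ in gaps:
        counts[control] = counts.get(control, 0) + 1
    return counts


SAMPLE_ESTATE = [  # constructed sample data
    Asset("LAPTOP-01", "laptop", firewall_on=True, default_creds_changed=True, supported=True,
          auto_updates=True, auth_method="password+MFA", anti_malware_current=True),
    Asset("OLD-SERVER", "server", firewall_on=True, default_creds_changed=True, supported=False,
          auto_updates=False, auth_method="password", anti_malware_current=True),
    Asset("OFFICE-ROUTER", "router", firewall_on=True, supported=True, auto_updates=False,
          auth_method="password"),
    Asset("Dropbox", "cloud", default_creds_changed=True, supported=True, auto_updates=True,
          auth_method="password"),
    Asset("SPARE-TABLET", "tablet", in_scope=False),
]

if __name__ == "__main__":
    if not validate_scope(SAMPLE_ESTATE):
        print("Scope invalid: it excludes all end-user devices")
    for name, control, reason in map_gaps(SAMPLE_ESTATE):
        print(f"{name:14} {control:15} {reason}")
    print(gaps_by_control(map_gaps(SAMPLE_ESTATE)))
```

On the sample estate the router's unrecorded default-credential answer and the old server's unsupported operating system surface as separate findings, which is the point: "don't know" and "no" both go on the action list, and they are fixed differently.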
Days 11-30: Fix the High-Priority Gaps
MFA on All Cloud Services
If your asset inventory revealed cloud services without MFA enabled for all users, this is your first priority. Not admins only. All users.
In Microsoft 365, go to the Microsoft Entra admin centre (formerly Azure AD), navigate to Security and then Conditional Access, and create a policy that requires MFA for all users on all cloud applications. If Conditional Access feels too complex, the simpler route is to enable Security Defaults, which enforces MFA for all users automatically. Security Defaults is free, takes about five minutes to enable, and will force all users to register an authentication method at their next sign-in.
In Google Workspace, go to the Admin Console, navigate to Security and then 2-Step Verification, and enable it as mandatory for all users. Set an enforcement date, which can be immediate for most SMBs.
A practical note here: give staff a week's warning before you enforce MFA. Run a quick communication explaining what is changing and how to set up the Microsoft Authenticator app or Google Prompt. The first time someone gets locked out at 8:30am because they didn't expect the MFA prompt is not a great introduction to the process.
User Account Audit and Cleanup
Run your People tab from the asset inventory against your current staff list. Every account that belongs to someone no longer with the organisation needs to be disabled. Not necessarily deleted, since you may need audit trails, but disabled so they cannot be used.
Check your admin accounts separately. Under v3.3, admin accounts should only be used for admin tasks. If your IT person has been using their admin account as their daily driver for email and browsing, that needs to change. Create a separate standard user account for daily use. The admin account stays for admin tasks only.
While you're in the admin console, check for any accounts with global admin or equivalent privileges that don't need them. Apply least privilege: give people access to what they need and nothing more.
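The account audit is a cross-reference exercise: the identity provider's account export on one side, the HR staff list and an approved-admin list on the other. The script below is an added example, not the original plan's material or any vendor's tool; the account export, staff list, dates and addresses are all constructed. It flags leavers whose accounts are still enabled, admin accounts that carry a mailbox (the "daily driver" problem), global admins not on the approved list, and dormant accounts. The 90-day dormancy threshold is this example's own assumption, not a figure from the CE requirements.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example. The account export and staff list below are constructed;
# every name, address and date is invented for illustration.


@dataclass
class Account:
    upn: str                      # sign-in name, e.g. name@example.com
    owner: str                    # the person the account belongs to
    enabled: bool
    role: str                     # "user" or "global_admin"
    has_mailbox: bool             # mail-licensed: a sign the account is a daily driver
    last_sign_in: Optional[date]  # None = never signed in


def audit_accounts(accounts, current_staff, approved_global_admins, as_of, stale_after_days=90):
    """Return (upn, code, action) findings for enabled accounts.

    stale_after_days is this example's own dormancy threshold, not a CE figure.
    """
    staff = {name.casefold() for name in current_staff}
    approved = {upn.casefold() for upn in approved_global_admins}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing more to do in this pass
        if acct.owner.casefold() not in staff:
            findings.append((acct.upn, "LEAVER_ENABLED",
                             "owner not on current staff list: disable, do not delete"))
        if acct.role != "user" and acct.has_mailbox:
            findings.append((acct.upn, "ADMIN_DAILY_USE",
                             "admin account has a mailbox: use a separate standard account for daily work"))
        if acct.role == "global_admin" and acct.upn.casefold() not in approved:
            findings.append((acct.upn, "ADMIN_NOT_APPROVED",
                             "global admin not on the approved list: remove the role"))
        if acct.last_sign_in is None or (as_of - acct.last_sign_in).days > stale_after_days:
            findings.append((acct.upn, "DORMANT",
                             f"no sign-in within {stale_after_days} days: confirm need or disable"))
    return findings


def codes_for(findings, upn):
    """The set of finding codes raised against one account."""
    return {code for u, code, _ in findings if u == upn}


# Constructed inputs: the HR list, the agreed admin list and the audit date.
STAFF_LIST = ["Alice Smith", "Carol Lee", "Dave Kim", "Fay Ng"]
APPROVED_GLOBAL_ADMINS = ["carol-admin@example.com"]
AS_OF = date(2025, 6, 15)

ACCOUNT_EXPORT = [
    Account("alice@example.com", "Alice Smith", True, "user", True, date(2025, 6, 10)),
    Account("bob@example.com", "Bob Jones", True, "user", True, date(2025, 1, 5)),   # left in January
    Account("carol@example.com", "Carol Lee", True, "user", True, date(2025, 6, 11)),
    Account("carol-admin@example.com", "Carol Lee", True, "global_admin", True, date(2025, 6, 11)),
    Account("dave@example.com", "Dave Kim", True, "global_admin", False, date(2025, 6, 1)),
    Account("erin-contractor@example.com", "Erin Fox", False, "user", False, date(2024, 9, 30)),
    Account("fay@example.com", "Fay Ng", True, "user", False, None),
]

if __name__ == "__main__":
    for upn, code, action in audit_accounts(ACCOUNT_EXPORT, STAFF_LIST, APPROVED_GLOBAL_ADMINS, AS_OF):
        print(f"{upn:30} {code:20} {action}")
```

Two things worth noticing in the sample: Carol's admin account is flagged even though Carol is current staff and an approved admin, because the mailbox shows it is being used for daily work; and Erin's contractor account raises nothing because it is already disabled, which is the state you want leavers in.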
Firewall Rule Review
Pull up your firewall's rule list and work through it systematically.
For each inbound rule that's open, ask: is there a current business reason for this? If yes, document what it is and who approved it. If no, or if nobody can remember why the rule was created, remove it.
Pay particular attention to any rules exposing admin interfaces to the internet, RDP (port 3389), or management ports on network equipment. These are common targets and common findings in CE assessments.
If you have remote workers and they're not using a VPN, verify that software firewalls are enabled on their endpoint devices. In Windows, check through Settings and Windows Security. On macOS, check through System Settings and Network and Firewall. Both should be on.
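The rule review above is two questions per inbound allow rule: is there a documented reason and approver, and does it expose a management service to the whole internet? The script below is an added example (not from the original plan or any firewall vendor) that works through a constructed rule set using documentation address ranges. The text names RDP on port 3389; the other entries in the management-port list are this example's assumption of common management ports and should be adjusted to your equipment.

```python
from dataclasses import dataclass
from typing import Optional

# Added example. The rule set below is constructed for illustration and uses
# documentation address ranges; it is not any real firewall's configuration.


@dataclass
class Rule:
    name: str
    direction: str              # "inbound" or "outbound"
    action: str                 # "allow" or "deny"
    protocol: str               # "tcp", "udp" or "any"
    port: Optional[int]         # None = any port
    source: str                 # "any" or a CIDR
    destination: str
    justification: str = ""     # the current business reason
    approved_by: str = ""       # who signed it off


# 3389 (RDP) comes from the text; the rest are this example's assumption of
# common management ports, not a CE-defined list.
MANAGEMENT_PORTS = {3389: "RDP", 22: "SSH", 23: "Telnet", 161: "SNMP", 8443: "web admin"}
INTERNET_SOURCES = {"any", "*", "0.0.0.0/0"}


def review_rules(rules):
    """Return (rule name, code, action) for inbound allow rules that need work."""
    findings = []
    for rule in rules:
        if rule.direction != "inbound" or rule.action != "allow":
            continue
        if not rule.justification.strip() or not rule.approved_by.strip():
            findings.append((rule.name, "UNDOCUMENTED",
                             "no current business reason or approver recorded: remove unless one is found"))
        if rule.source.strip().lower() in INTERNET_SOURCES:
            if rule.port is None:
                findings.append((rule.name, "ANY_PORT_FROM_INTERNET",
                                 "all ports open from any source: restrict to the needed port and source"))
            elif rule.port in MANAGEMENT_PORTS:
                findings.append((rule.name, "MGMT_FROM_INTERNET",
                                 f"{MANAGEMENT_PORTS[rule.port]} reachable from the internet: "
                                 "move behind the VPN or restrict the source"))
    return findings


def codes_for(findings, rule_name):
    """The set of finding codes raised against one rule."""
    return {code for name, code, _ in findings if name == rule_name}


RULES = [  # constructed sample rule set
    Rule("Public website", "inbound", "allow", "tcp", 443, "any", "203.0.113.10",
         "company website", "Ops lead"),
    Rule("RDP for accountant", "inbound", "allow", "tcp", 3389, "any", "203.0.113.20"),
    Rule("MSP router admin", "inbound", "allow", "tcp", 8443, "198.51.100.0/24", "203.0.113.1",
         "MSP remote management", "MD"),
    Rule("Legacy allow", "inbound", "allow", "any", None, "any", "203.0.113.0/24"),
    Rule("Default deny", "inbound", "deny", "any", None, "any", "any", "default", "Ops lead"),
    Rule("Staff web browsing", "outbound", "allow", "tcp", 443, "192.168.1.0/24", "any",
         "normal use", "Ops lead"),
]

if __name__ == "__main__":
    for name, code, action in review_rules(RULES):
        print(f"{name:20} {code:24} {action}")
```

Note that "MSP router admin" passes: a management port is acceptable here because the source is restricted to a known range and the rule carries a reason and an approver. The review is not "no management access", it is "no undocumented or internet-wide management access".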
Patching Process Review
Check when your devices last received updates. Windows Update, macOS Software Update, and your applications.
The 14-day window for critical and high-risk fixes is the measure. For most businesses, enabling automatic updates for the operating system and major applications is the practical way to meet this. Go through your device inventory and verify automatic updates are turned on where supported.
Don't forget firmware. Routers, switches, and firewalls need firmware updates too. Check your network equipment manufacturer's support pages for the current firmware version and compare it against what's running. This is often the most neglected part of a patching process.
Make a note of any unsupported software identified in your inventory. Anything running an operating system or application that's past its end-of-support date needs either a replacement plan or a genuine technical isolation from the internet. "We'll upgrade it eventually" is not a CE-compliant answer.
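The 14-day measure is a date calculation, and the firmware check is a version comparison, and both are easy to get subtly wrong in a spreadsheet (string-sorting "2.4.10" below "2.4.9", for instance). The example below is added here and is not part of the original plan: it takes constructed patch records (the fix identifiers are placeholders, not real advisories) and constructed firmware readings, flags critical and high fixes that were installed late or are still missing after the window, flags equipment past its end-of-support date, and compares firmware versions numerically against the vendor's current release.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example. All records below are constructed; FIX-nnn identifiers are
# placeholders, not real advisories, and the devices are invented.

PATCH_WINDOW_DAYS = 14   # from the text: critical and high-risk fixes within 14 days


@dataclass
class PatchRecord:
    asset: str
    fix_id: str                 # placeholder identifier
    severity: str               # "critical", "high", "medium" or "low"
    released: date              # when the vendor made the fix available
    installed: Optional[date]   # None = not yet applied


@dataclass
class Firmware:
    device: str
    running: str                # version reported by the device
    vendor_current: str         # version on the manufacturer's support page
    end_of_support: Optional[date] = None


def patch_window_findings(records, as_of):
    """Flag critical/high fixes installed late or still missing once the window has passed."""
    findings = []
    for rec in records:
        if rec.severity not in ("critical", "high"):
            continue
        deadline = rec.released + timedelta(days=PATCH_WINDOW_DAYS)
        if rec.installed is None:
            if as_of > deadline:
                findings.append((rec.asset, rec.fix_id,
                                 f"not installed, {(as_of - deadline).days} days past the window"))
        elif rec.installed > deadline:
            findings.append((rec.asset, rec.fix_id,
                             f"installed {(rec.installed - deadline).days} days late"))
    return findings


def parse_version(text):
    """'2.4.10' -> (2, 4, 10). Tuples compare numerically, so 2.4.10 > 2.4.9,
    which a plain string comparison gets wrong. A trailing tag like '-rc2' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def firmware_findings(devices, as_of):
    """Unsupported equipment first (it needs a plan, not a patch), then out-of-date firmware."""
    findings = []
    for fw in devices:
        if fw.end_of_support is not None and fw.end_of_support <= as_of:
            findings.append((fw.device, "UNSUPPORTED",
                             "past end of support: replacement plan or isolation from the internet"))
        elif parse_version(fw.running) < parse_version(fw.vendor_current):
            findings.append((fw.device, "FIRMWARE_BEHIND",
                             f"running {fw.running}, vendor current is {fw.vendor_current}"))
    return findings


AS_OF = date(2025, 6, 15)   # constructed review date

PATCHES = [
    PatchRecord("LAPTOP-01", "FIX-001", "critical", date(2025, 5, 1), date(2025, 5, 8)),
    PatchRecord("OLD-SERVER", "FIX-001", "critical", date(2025, 5, 1), None),
    PatchRecord("LAPTOP-02", "FIX-002", "high", date(2025, 5, 20), date(2025, 6, 10)),
    PatchRecord("LAPTOP-02", "FIX-003", "low", date(2025, 5, 20), None),
]

FIRMWARE = [
    Firmware("OFFICE-ROUTER", "2.4.9", "2.4.10"),
    Firmware("CORE-SWITCH", "1.12.3", "1.12.3"),
    Firmware("OLD-FIREWALL", "5.0.2", "5.0.2", end_of_support=date(2024, 12, 31)),
]

if __name__ == "__main__":
    for asset, fix_id, detail in patch_window_findings(PATCHES, AS_OF):
        print(f"{asset:14} {fix_id:8} {detail}")
    for device, code, detail in firmware_findings(FIRMWARE, AS_OF):
        print(f"{device:14} {code:16} {detail}")
```

The low-severity record is deliberately ignored: the 14-day window in the text applies to critical and high-risk fixes, and mixing in everything else buries the findings that matter. The old firewall is reported as unsupported even though it runs the vendor's latest firmware, because being current is no help once the vendor has stopped issuing fixes.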
Days 31-60: Tighten the Edges and Do the Dry Run
Authentication Documentation
Write down how you handle authentication across your environment. Not a long policy document. A simple reference document that says:
"Standard users: Microsoft 365 / Google Workspace accounts, minimum [X]-character password, MFA required using Microsoft Authenticator / Google Prompt app."
"Admin accounts: separate accounts used only for admin tasks, FIDO2 security keys / strong passwords with MFA."
"Mobile devices: biometric unlock with minimum [X] attempts before lockout."
The point is to be able to look at the Danzell question set's authentication questions and point to a clear, documented answer for each one. This document is also useful if you're ever asked to demonstrate your security posture to a customer or insurer.
Anti-Malware Verification
On every Windows device in scope, verify that Windows Defender or your chosen anti-malware solution is running, up to date, and has real-time protection enabled. Open the Security dashboard and check the status indicators.
On macOS devices, Apple's built-in XProtect and Gatekeeper are active by default, but you should verify they haven't been disabled. Check System Settings and Security and Privacy.
For any devices where anti-malware is showing as out of date, update it immediately. For devices where it's been disabled, find out why and re-enable it.
Check your anti-malware covers the four required functions: blocking malware from running, blocking malicious code execution in documents and scripts, blocking connections to known malicious websites, and automatically updating signatures. Most reputable consumer and business products cover all four. If you're running something minimal, check the vendor's feature list.
The Dry Run
Download the Danzell question set from the IASME website. Open it alongside the v3.3 Requirements document. Work through every question and answer it honestly, noting the evidence you would use to demonstrate each answer if asked.
Evidence doesn't have to be elaborate. A screenshot of your 365 admin centre showing MFA enabled for all users. A firewall rule list with a date on it. A screenshot of Windows Update showing recent patches applied. A list of admin accounts and what they're used for.
If you get stuck on a question, that's a gap. Add it to your action list and resolve it before you pay for the portal.
I'll be honest: the dry run will probably surface two or three things you missed in the first pass. That's what it's for. It is much better to find those things in a spreadsheet than mid-assessment.
Pay for the Portal
Only when you can get through the dry run without hand-waving or arguing with yourself should you pay for the Cyber Essentials portal.
At that point, the assessment is data entry. Your answers are already prepared, your evidence is identified, and you're not making decisions under time pressure. The portal is IASME-administered. The cost for basic Cyber Essentials is a few hundred pounds. Budget for it, prepare properly, and treat the portal session as a formality.
What About Cyber Essentials Plus?
A note on Plus, because it comes up.
Cyber Essentials Plus involves an independent technical assessment of the same five controls. Internal and external verification that you actually meet the requirements, not just self-declaration. It typically follows basic CE certification, and you have three months from your basic CE certification date to apply.
Some contracts and sectors require Plus rather than basic CE. If you're in that position, you should know it already. For most UK SMBs, basic CE done properly and honestly is the right starting point. Get that right first.
A Realistic Timeline Summary
| Days | Focus | Key Actions |
| --- | --- | --- |
| 1-3 | Scope definition | Write scope statement, identify inclusions and exclusions |
| 4-7 | Asset inventory | Devices, software, cloud services, people |
| 8-10 | Gap mapping | Map assets against five controls, build action list |
| 11-20 | MFA rollout | Enable MFA on all cloud services for all users |
| 21-25 | Account audit | Disable leavers, separate admin accounts, least privilege |
| 26-30 | Firewall review | Document rules, remove unnecessary inbound access, check remote endpoints |
| 31-35 | Patching review | Enable auto-updates, check firmware, identify unsupported software |
| 36-45 | Documentation | Authentication document, anti-malware verification |
| 46-55 | Dry run | Complete Danzell question set in spreadsheet, identify residual gaps |
| 56-60 | Resolve gaps | Fix anything surfaced in dry run |
| 60+ | Portal | Pay, complete assessment |
How to Turn This Into a Competitive Advantage
The businesses that complete this process properly, and can demonstrate it clearly, have a commercial asset.
When a potential customer runs a supplier questionnaire and asks about Cyber Essentials, you don't just say "yes, we're certified." You say "we're certified to v3.3, our scope covers our full IT estate including cloud services, and we can walk you through our controls if that's useful." That's a different conversation and it signals a different kind of supplier.
If you're tendering for public sector work, a current, accurate Cyber Essentials certificate is a pass/fail requirement. Having it done properly before the deadline, rather than scrambling at renewal time, means you're never in the position of having a live tender and a lapsed certificate.
How to Sell This to Your Board
Three arguments that land with people who hold the budget:
The cost of inaction is measurable. ICO investigations into businesses with data breaches cost significant time and resource. Businesses that can demonstrate proper implementation of recognised security controls are in a materially better position in those investigations than businesses that cannot.
The contract exposure is direct. If you hold government contracts or supply chain relationships that require CE, a lapsed or inaccurate certificate creates a contractual risk that can terminate those relationships. The cost of maintaining the certification is a fraction of the cost of losing the contracts.
The effort is bounded. This is not an open-ended project. The 30-60 day framework has a defined end point. The ongoing maintenance (patching, account reviews, MFA management) is built into how the business operates anyway. CE formalises and documents what should already be happening.