From Cyber Essentials to SMB1001 — Is One Badge Ever Enough?

Right. What a week.

If you've been following along since Monday, you now know more about Cyber Essentials v3.3 than most IT managers I've spoken to this year. Noel walked through every material change. Mauven explained why scope failures turn into legal problems. I gave you the 30-60 day plan. Lucy showed you what scope drift looks like when it catches up with a business. And Noel closed on Saturday with the direct question: is that badge on your website currently telling the truth?

If you only take one thing from this week, make it the scope review. Pull your current scope document. Compare it honestly against your actual IT estate. Close the gap before it closes you.

The Key Takeaway in One Paragraph

Cyber Essentials v3.3 goes live on 26th April 2026 via the Danzell question set. Cloud services cannot be excluded from scope. MFA must cover all users on cloud services, not just admins. The 14-day patching window applies to vendor-prescribed config changes as well as software updates. If your renewal falls on or after 26th April, you're preparing against v3.3. If it falls before, get the scope honest now anyway. The work is the same.

What's Coming Next Week: SMB1001

Next Monday on the podcast, we're zooming out.

Cyber Essentials answers the question "have we got the basics right?" But some businesses, particularly those growing their supplier relationships or handling more sensitive data, want a clearer roadmap for what comes next. That's where SMB1001 enters the conversation.

SMB1001 is an international cybersecurity certification framework developed specifically for small and medium businesses. It runs from Bronze up to Diamond, with each tier building on the last. It's not a UK government scheme, it doesn't carry the same procurement weight as Cyber Essentials, and the two don't map neatly onto each other. But for businesses that want a structured progression beyond CE, it's a framework worth understanding.

We'll be asking the questions that matter for UK SMBs:

Does SMB1001 complement Cyber Essentials or compete with it? What does Bronze actually require compared to CE? Is Diamond realistic for a 20-person business, and if it is, should they be spending that effort on SMB1001 or on something else? And critically: if a UK SMB has limited security budget and time, where does SMB1001 sit in the priority order?

It is not a straightforward answer. I'll be upfront about that now.

Something to Think About Before Monday

If you're a UK SMB that has just got your head around CE v3.3, the idea of adding another certification framework to the list might feel overwhelming. Fair enough.

But the underlying question SMB1001 raises is a useful one regardless of whether you ever pursue it: what does your security journey look like beyond the basics? CE gets you to a defined floor. The threats don't stop at that floor. Having a framework for what comes next, even informally, is worth thinking about.

Come back Monday for the full episode. In the meantime: check that badge. Sort the scope. Turn on MFA.

See you then.
