Cyber Essentials Gap Analysis & Remediation: A Step-by-Step Guide

Every organisation pursuing Cyber Essentials certification reaches a critical juncture: the moment you must honestly assess where your current security posture stands against the scheme's five technical controls. This is the purpose of a cyber essentials gap analysis — a structured, methodical evaluation that identifies the distance between where you are today and where you need to be to achieve certification. Without it, you are navigating blind, risking failed assessments, wasted budget, and prolonged exposure to the very threats the scheme is designed to mitigate.

This guide provides a comprehensive, step-by-step walkthrough of the entire cyber essentials gap analysis and cyber essentials remediation process. We cover every phase — from initial scoping and control-by-control assessment, through cyber essentials vulnerability testing, to prioritised remediation planning, cyber essentials patch management, and cyber essentials secure configuration hardening. Whether you are a ten-person accountancy firm in Birmingham or a 200-seat technology company in London, the methodology is the same. At Cloudswitched, we have guided hundreds of UK organisations through this process, and every insight in this guide is drawn from real-world experience.

Key figures:
  • 72%: UK SMEs that fail their first Cyber Essentials assessment without a prior gap analysis
  • 14 days: maximum time allowed to apply an update that fixes a critical or high-risk vulnerability (CVSS v3 7.0 or above, vendor-rated critical or high, or with no severity published) once the vendor releases it
  • 5: technical controls assessed in every Cyber Essentials certification
  • £4,200: average cost of cyber incidents for UK micro and small businesses in 2025

What Is a Cyber Essentials Gap Analysis?

A cyber essentials gap analysis is a systematic review of your organisation's IT environment against the five technical controls defined by the National Cyber Security Centre (NCSC). Its purpose is simple: to identify every area where your current configuration, policies, or practices fall short of the Cyber Essentials requirements — before you submit your self-assessment questionnaire or undergo a Cyber Essentials Plus audit.

Think of it as a pre-flight checklist. An airline pilot does not simply assume the aircraft is ready; they work through every system methodically. A gap analysis applies the same discipline to your cyber security. It produces a clear, prioritised list of findings — gaps — each mapped to a specific control, with a severity rating and a recommended remediation action. This list becomes your roadmap to certification.

The gap analysis is not the same as the certification assessment itself. The certification body will verify your compliance; the gap analysis is the internal (or consultant-led) exercise you conduct beforehand to ensure you will pass. Skipping this step is the single most common reason UK SMEs fail their first assessment attempt.

Pro Tip

The NCSC publishes the full Cyber Essentials Requirements for IT Infrastructure document, which details exactly what assessors look for. Download it before starting your gap analysis and use it as your primary reference. It is freely available on the NCSC website and is revised periodically rather than on a fixed schedule (v3.2, "Willow", took effect in April 2025); check which edition your assessment will be marked against and work from that one.

Why a Gap Analysis Matters: The Cost of Skipping It

Organisations that skip the cyber essentials gap analysis phase and proceed directly to the self-assessment questionnaire face several risks. First, failed assessments cost money: under the IASME process a failed submission can be corrected and resubmitted once within two working days, after which you pay for a new assessment, and the delay exposes your organisation to ongoing risk. Second, gaps discovered mid-assessment create pressure to rush fixes, which often introduces new problems. Third, without a structured remediation plan, teams waste effort fixing low-priority issues while critical vulnerabilities remain open.

The data is clear: organisations that conduct a thorough gap analysis before their assessment have a first-time pass rate above 90 per cent. Those that skip it hover around 30 per cent. The gap analysis is not optional — it is the single highest-return activity in the entire certification journey.

First-Time Cyber Essentials Pass Rates by Preparation Method
  • Professional gap analysis + remediation: 95%
  • Self-conducted gap analysis: 78%
  • Informal review only: 52%
  • No preparation: 28%

Before You Start: Scoping Your Assessment

Before you can assess gaps, you must define what is in scope. The default, and the option the NCSC recommends, is the whole organisation; a smaller subset is allowed only if it is separated from the rest by a firewall or VLAN. Within that boundary, Cyber Essentials covers every device and piece of software that accepts incoming connections from the internet, makes user-initiated outbound connections to the internet, or controls the flow of data between the two, together with the cloud services on which your data or services are hosted. In practice that means desktops, laptops, tablets, smartphones, servers, cloud services, routers, firewalls, and any software-as-a-service (SaaS) platforms your staff use for work.

Scoping errors are one of the most common causes of assessment failure. Organisations frequently exclude devices or services that the assessor will consider in scope. The NCSC guidance is clear: if a device sits inside your boundary and can reach the internet, it is in scope. If a cloud service hosts your data or services, it is in scope. Staff-owned devices used for work (BYOD) are in scope whenever they access organisational data or services such as email or file storage; the only exclusions are devices used solely for native voice and text applications or as an MFA token.

Scoping Checklist

  • End-user devices (laptops, desktops, tablets, phones): in scope, all internet-connected devices. Common mistake: excluding BYOD devices used for email.
  • Servers (on-premises file servers, web servers): in scope if internet-accessible. Common mistake: forgetting development or test servers.
  • Cloud services (Microsoft 365, Google Workspace, AWS): in scope, SaaS and IaaS alike. Common mistake: assuming the cloud provider handles everything.
  • Network devices (routers, firewalls, managed switches): in scope, boundary devices especially. Common mistake: overlooking ISP-provided routers at the office.
  • IoT and peripherals (printers, CCTV, smart devices): in scope if network-connected. Common mistake: ignoring network printers and CCTV systems.
  • Home worker setups (home routers, personal laptops): partial. The home worker's device is in scope and must run a software firewall; ISP- or user-supplied home routers are out of scope, while routers supplied by the organisation are in scope. Common mistake: auditing home routers you cannot control while leaving the endpoint firewall unenforced.
Important

Since the 2022 update to the Cyber Essentials requirements (v3.0), home routers supplied by the ISP or by the worker are out of scope; the firewall control transfers to the home worker's device, which must run an active software firewall. Only routers your organisation supplies to home workers are in scope and must meet the boundary requirements. This catches many organisations off guard during their cyber essentials gap analysis: they spend effort on equipment they cannot manage and miss the endpoint control the assessor actually checks.

The Five Controls: A Control-by-Control Gap Assessment

The heart of your cyber essentials gap analysis is a detailed review of each of the five technical controls. Below, we walk through each control, explain what the assessor expects, identify the most common gaps found in UK SMEs, and outline how to test for compliance.

Control 1: Firewalls and Internet Gateways

Firewalls form the boundary between your trusted internal network and the untrusted internet. The Cyber Essentials requirements demand that every internet-connected device is protected by a correctly configured firewall — whether that is a hardware appliance at the network perimeter, a software firewall on the device itself, or a cloud-based firewall service.

What the assessor checks:

  • All boundary firewalls have had their default administrative passwords changed
  • Firewall rules block all inbound connections by default, allowing only those that are documented and necessary
  • Unnecessary services and ports are closed
  • Software firewalls are enabled and active on all end-user devices
  • Firewall rules are documented and reviewed regularly
  • Home workers' devices run an active software firewall; ISP- or user-supplied home routers are out of scope, but any router the organisation supplies to a home worker must meet the same boundary requirements

Common gaps in UK SMEs:

  • ISP-provided routers still using default credentials (admin/admin or admin/password)
  • Windows Firewall disabled on some workstations, often turned off during troubleshooting and never re-enabled
  • Inbound ports left open for services no longer in use (e.g., old remote desktop connections)
  • No documentation of firewall rules — rules exist but nobody knows why
  • Home workers relying on the home router as their only firewall, with the software firewall on the laptop switched off (the home router is out of scope and earns no credit)
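The two firewall gaps that an external scan exposes most reliably are undocumented open ports and a boundary that does not block inbound by default. The following added example (written for this guide; it is not Cloudswitched tooling or anything from the NCSC) parses Nmap's grepable output and compares it with a rule register. It assumes you scanned your public range with `nmap -sS -oG`, and keeps the register as a simple dictionary; the scan lines, addresses and change references are constructed for illustration.

```python
"""Added example: compare open ports seen on the boundary with the documented
firewall rule register. Not Cloudswitched's tooling; sample data is constructed."""
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sS -oG -` output for two documented public IPs.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Tue Feb 10 09:00:00 2026 as: nmap -sS -oG - 203.0.113.10 203.0.113.11
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 22/filtered/tcp//ssh///\tIgnored State: filtered (997)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done at Tue Feb 10 09:02:11 2026 -- 2 IP addresses (2 hosts up) scanned in 131.00 seconds
"""

# Constructed rule register: (public IP, port, protocol) -> documented justification.
DOCUMENTED_RULES = {
    ("203.0.113.10", 443, "tcp"): "Customer web portal, change CR-0042",
    ("203.0.113.10", 22, "tcp"): "SSH for the MSP, source-restricted to their range",
    ("203.0.113.11", 25, "tcp"): "Inbound SMTP to the mail relay, change CR-0017",
}


@dataclass(frozen=True, order=True)
class Exposure:
    host: str
    port: int
    proto: str
    service: str


# One -oG port entry is port/state/protocol/owner/service/rpc info/version/
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Yield one Exposure per open port; filtered and closed ports are skipped."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_ENTRY.findall(ports_field):
            if state == "open":
                yield Exposure(host, int(port), proto, service)


def undocumented_exposures(text, rules):
    """Open ports with no entry in the register: each one is a Control 1 gap."""
    return sorted(e for e in parse_gnmap(text)
                  if (e.host, e.port, e.proto) not in rules)


def unreachable_rules(text, rules):
    """Documented rules whose port did not show as open from the scanning host."""
    seen = {(e.host, e.port, e.proto) for e in parse_gnmap(text)}
    return sorted(r for r in rules if r not in seen)


def hosts_without_default_deny(text):
    """Hosts whose unlisted ports answered 'closed' (a TCP RST) rather than
    'filtered': the packets reached the host, so nothing in front of it is
    blocking inbound traffic by default."""
    return sorted(line.split()[1] for line in text.splitlines()
                  if line.startswith("Host:") and "Ignored State: closed" in line)


if __name__ == "__main__":
    for e in undocumented_exposures(SAMPLE_GNMAP, DOCUMENTED_RULES):
        print(f"GAP   {e.host}:{e.port}/{e.proto} ({e.service}) open but not documented")
    for host, port, proto in unreachable_rules(SAMPLE_GNMAP, DOCUMENTED_RULES):
        print(f"CHECK {host}:{port}/{proto} documented but not open from here")
    for host in hosts_without_default_deny(SAMPLE_GNMAP):
        print(f"GAP   {host} answers 'closed' on unlisted ports: no default-deny boundary")
```

On the sample data, 3389 and 8080 are the undocumented exposures and 203.0.113.11 has no default-deny in front of it. The SSH rule shows as filtered only because the scan was not run from the MSP's allowed source range; treat that CHECK line as a prompt to confirm the source restriction from an allowed address, not as a reason to delete the rule.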

Control 2: Secure Configuration

Cyber essentials secure configuration is about ensuring that devices and software are configured to reduce vulnerabilities. This means removing unnecessary software, disabling unnecessary features, changing default passwords, and ensuring that only required user accounts exist on each system.

What the assessor checks:

  • Default passwords changed on all devices, applications, and accounts
  • Unnecessary user accounts removed or disabled (including guest accounts)
  • Auto-run and auto-play disabled
  • Only necessary software installed — no bloatware or legacy applications
  • A device-locking mechanism (PIN, password or biometric) is configured so that an unattended device locks after a short period of inactivity (the scheme sets no fixed timeout; 15 minutes or less is the usual target)
  • Passwords for password-only accounts are at least 12 characters, or at least 8 characters where MFA or a deny list of common passwords is also in place, with no upper length limit imposed

Common gaps in UK SMEs:

  • Default administrator accounts still active with factory passwords on network equipment
  • Trial software and bloatware installed on workstations, never removed
  • No screen lock policy, or timeout set to 30+ minutes
  • Shared user accounts in use (e.g., a single "reception" login used by multiple staff)
  • Password policies that allow short or easily guessable passwords
Typical UK SME compliance with the secure configuration control before a gap analysis: 42%. Most SMEs meet fewer than half of the requirements before remediation.

Control 3: User Access Control

User access control ensures that only authorised individuals can access your systems and data, and that they have only the level of access they need to do their job. This is the principle of least privilege — a fundamental concept in information security and a core requirement of the Cyber Essentials scheme.

What the assessor checks:

  • Every user has a unique, individual account — no shared logins
  • Administrative privileges are limited to those who genuinely need them
  • Admin accounts are not used for day-to-day activities (email, web browsing)
  • Multi-factor authentication (MFA) is enabled on all cloud services and admin accounts where available
  • User accounts are removed or disabled when staff leave
  • Brute-force protection is in place (lockout after no more than 10 failed attempts, or throttling to at most 10 guesses in 5 minutes) and a minimum password length is enforced; the scheme deliberately does not require complexity rules or periodic expiry

Common gaps in UK SMEs:

  • Staff using admin accounts for everyday work
  • MFA not enabled on Microsoft 365, Google Workspace, or other cloud platforms
  • Former employees' accounts still active weeks or months after departure
  • Shared departmental accounts (e.g., "accounts@" used by multiple people)
  • No account lockout policy after failed login attempts

Control 4: Malware Protection

Every in-scope device must be protected against malware. The current Requirements (v3.2, "Willow") accept two approaches: anti-malware software or application allow-listing; sandboxing, which earlier versions accepted as a third option, no longer counts on its own. For the vast majority of UK SMEs, anti-malware software is the practical choice.

What the assessor checks:

  • Anti-malware software is installed on all in-scope devices
  • Anti-malware is configured to update automatically (at least daily)
  • Anti-malware is configured to scan files automatically on access
  • Anti-malware is configured to scan web pages accessed through a browser
  • Users cannot disable or override the anti-malware protection

Common gaps in UK SMEs:

  • Relying solely on Windows Defender without verifying it is properly configured and active
  • Anti-malware disabled on some devices — often developer machines or older hardware
  • No web filtering or browser protection in place
  • Staff able to disable protection without IT knowledge or approval
  • Mac devices not included in malware protection strategy (the belief that "Macs don't get viruses" persists)

Control 5: Security Update Management (Patch Management)

Cyber essentials patch management is arguably the control where UK SMEs struggle the most. The requirement is straightforward but demanding: all software and firmware must be licensed and supported, updates must be installed, and any update that fixes a vulnerability rated CVSS v3 7.0 or above, that the vendor describes as critical or high risk, or for which no severity is published must be applied within 14 days of release. Unsupported software, meaning anything that no longer receives security updates from the vendor, must be removed or moved into a segregated subset that is declared out of scope.

What the assessor checks:

  • All operating systems are supported versions receiving security updates
  • All applications are supported versions receiving security updates
  • Updates for critical and high-risk vulnerabilities (CVSS v3 7.0 or above, vendor-rated critical or high, or unrated) applied within 14 days of release
  • Automatic updates enabled where possible
  • Unsupported software removed or isolated from the network
  • Firmware on network devices is up to date

Common gaps in UK SMEs:

  • Windows 10 devices still in use after its end of support on 14 October 2025 and not enrolled in Extended Security Updates
  • Legacy applications requiring old Java or .NET versions that are no longer supported
  • Firmware on routers, firewalls, and switches not updated in years
  • Browser extensions and plugins not included in the patching process
  • Patches deferred because staff complain about restart interruptions
Common Patch Management Compliance, UK SMEs Before Remediation
  • Operating systems patched within 14 days: 61%
  • Business applications up to date: 48%
  • Browser and plugins current: 55%
  • Network device firmware updated: 29%
  • Unsupported software removed: 37%

Conducting the Gap Analysis: Step-by-Step Process

Now that you understand what each control requires, here is a structured methodology for conducting your cyber essentials gap analysis. This process works whether you are doing it yourself or engaging a professional assessor.

Step 1: Asset Discovery and Inventory

Create a comprehensive inventory of every device, software application, cloud service, and user account in your organisation. Use network scanning tools, Active Directory reports, and cloud admin consoles to build a complete picture. Tag each asset as in-scope or out-of-scope with justification.

Step 2: Control Mapping

For each asset in your inventory, map it to the relevant Cyber Essentials controls. A laptop is relevant to all five controls. A SaaS platform is relevant to secure configuration and user access control; patching, malware protection and the boundary firewall are the provider's responsibility for SaaS, whereas for IaaS virtual machines all five controls remain yours. A firewall appliance is relevant to firewalls, secure configuration and patch management (its firmware).

Step 3: Evidence Collection

Gather evidence of current configurations against each control requirement. This includes firewall rule exports, Group Policy settings, MFA status reports, patch compliance reports, anti-malware deployment status, and user account lists with privilege levels.

Step 4: Gap Identification

Compare your evidence against the NCSC requirements document. For every requirement, record whether you are compliant, partially compliant, or non-compliant. Document the specific gap and the affected assets.

Step 5: Vulnerability Testing

Run cyber essentials vulnerability testing scans against your external-facing systems and a sample of internal devices. This validates your findings and often uncovers gaps that manual review missed — open ports, missing patches, weak configurations.

Step 6: Risk Prioritisation and Remediation Planning

Categorise each gap by severity (critical, high, medium, low) and effort to remediate. Create a prioritised cyber essentials remediation plan with clear owners, deadlines, and dependencies.

Step 7: Remediation Execution

Work through the plan systematically, starting with critical and high-severity gaps. Verify each fix before marking it complete. Re-test where necessary.

Step 8: Validation and Re-Assessment

Once remediation is complete, repeat the gap analysis in miniature — a validation pass — to confirm all gaps are closed. Only then should you proceed to the formal certification assessment.

Cyber Essentials Vulnerability Testing: Approaches and Tools

Cyber essentials vulnerability testing is a critical component of both the gap analysis and the Cyber Essentials Plus assessment. It involves using automated scanning tools — and sometimes manual testing — to identify security weaknesses in your systems that could be exploited by attackers.

For the purposes of a gap analysis, vulnerability testing serves two functions. First, it validates the findings from your manual control review — confirming that the gaps you identified are real and that you have not missed any. Second, it provides objective, evidence-based data that can be used to prioritise remediation efforts and demonstrate progress to stakeholders.

Types of Vulnerability Testing

  • External vulnerability scan: scans your internet-facing IP addresses for open ports, missing patches and misconfigurations. When to use: essential for every gap analysis. CE Plus: yes, the assessor performs this.
  • Internal vulnerability scan: scans internal network devices for vulnerabilities and configuration issues. When to use: recommended for a comprehensive analysis. CE Plus: yes, on a sample of devices.
  • Authenticated scan: logs in with credentials to check installed software versions, patch levels and configuration in depth. When to use: best for patch compliance verification. CE Plus: yes, the internal device scan is credentialed.
  • Web application scan: tests web applications for common flaws (SQL injection, XSS, etc.). When to use: if you host web applications. CE Plus: no; the scheme scans the hosts but does not test application-layer flaws.
  • Phishing simulation: tests staff susceptibility to phishing emails. When to use: user awareness assessment. CE Plus: not required, but good practice.

Recommended Tools for Vulnerability Testing

The following tools are widely used by UK organisations conducting cyber essentials vulnerability testing as part of their gap analysis. Some are free, some are commercial — choose based on your organisation's size, technical capability, and budget.

  • Nessus Essentials: vulnerability scanner; free for up to 16 IP addresses; small organisations doing internal scans
  • OpenVAS (Greenbone Community Edition): vulnerability scanner; free, open source; technically capable teams wanting a free scanner
  • Qualys Community Edition: cloud-based scanner; free with limits; external perimeter scanning
  • Microsoft Defender for Endpoint: endpoint security with vulnerability management; included in Microsoft 365 E5 (Defender for Business is the Business Premium equivalent) or standalone; organisations already using Microsoft 365
  • Nmap: network scanner; free, open source; port scanning and service discovery
  • CIS-CAT: configuration assessment against the CIS Benchmarks; CIS-CAT Lite is free, CIS-CAT Pro needs a CIS SecureSuite membership; secure configuration benchmarking
Pro Tip

If you are preparing for Cyber Essentials Plus, run the same type of external vulnerability scan that the assessor will use. The CE Plus assessment includes an external scan of all internet-facing IP addresses; any vulnerability with a CVSS v3 base score of 7.0 or above for which a fix has been available for more than 14 days results in a fail. Running your own scan first gives you the opportunity to remediate before the official test.

Common Gaps Found in UK SMEs: The Full Picture

After conducting hundreds of cyber essentials gap analysis assessments for UK organisations, we at Cloudswitched have identified clear patterns in where gaps occur. Understanding these patterns can help you focus your analysis and avoid the most common pitfalls.

Distribution of Gaps by Control Area, UK SME Average
  • Patch Management: 24%
  • User Access Control: 22%
  • Firewalls: 20%
  • Secure Configuration: 18%
  • Malware Protection: 16%

Patch management and user access control consistently produce the most gaps, accounting for nearly half of all findings. This aligns with national data: the NCSC's Annual Review regularly highlights patching and access control as the areas where UK organisations most commonly fall short.

The Top 15 Gaps We Find

Gap; control; severity; frequency (share of organisations assessed in which we found it)
  1. MFA not enabled on cloud services; User Access Control; Critical; 68%
  2. Critical patches not applied within 14 days; Patch Management; Critical; 64%
  3. Default credentials on network devices; Firewalls / Secure Config; Critical; 57%
  4. Unsupported software still in use; Patch Management; High; 52%
  5. Admin accounts used for daily work; User Access Control; High; 49%
  6. No screen lock policy or timeout too long; Secure Configuration; Medium; 46%
  7. Home worker firewall gaps (organisation-supplied routers on default passwords, or the endpoint software firewall switched off); Firewalls; High; 44%
  8. Unnecessary open ports on firewall; Firewalls; High; 41%
  9. Former employees' accounts still active; User Access Control; High; 39%
  10. Network device firmware outdated; Patch Management; High; 37%
  11. Bloatware or trial software installed; Secure Configuration; Medium; 35%
  12. No web filtering or browser protection; Malware Protection; Medium; 33%
  13. Shared user accounts in use; User Access Control; High; 31%
  14. Auto-run not disabled; Secure Configuration; Medium; 28%
  15. Anti-malware disabled on some devices; Malware Protection; High; 26%

Cyber Essentials Remediation: Planning and Prioritisation

Once your cyber essentials gap analysis is complete and you have a documented list of gaps, the next phase is cyber essentials remediation — systematically closing every gap to bring your organisation into compliance. Remediation without a plan leads to chaos. Remediation with a well-structured plan leads to certification.

Prioritisation Framework

Not all gaps are equal. A critical vulnerability on an internet-facing server requires immediate attention; a missing screen lock policy on a single workstation, while still a compliance requirement, can wait a few days. We recommend a four-tier prioritisation model:

Priority 1 (Critical): remediate within 48 hours
  • Unpatched critical vulnerabilities on internet-facing systems
  • Default credentials on boundary devices
  • No MFA on admin or cloud accounts
  • Unsupported operating systems with internet access

Priority 2 (High): remediate within 1 week
  • Admin accounts used for daily activities
  • Open ports for unused services
  • Former employee accounts still active
  • Anti-malware disabled on devices

Key Information

Priority 3 (Medium) items — such as screen lock timeouts, auto-run settings, and software inventory clean-up — should be remediated within two weeks. Priority 4 (Low) items — documentation gaps, minor policy updates, and cosmetic configuration changes — should be completed within four weeks. All priorities must be resolved before your certification assessment.

Creating a Remediation Plan

A robust cyber essentials remediation plan is a working document that tracks every gap from identification through to verified closure. At minimum, it should contain the following for each gap:

  • Gap ID: unique identifier for tracking. Example: GAP-001
  • Control: which of the five controls the gap relates to. Example: Patch Management
  • Description: clear description of the gap. Example: Windows Server 2012 R2 running on file server, end of support
  • Affected Assets: which devices or systems are affected. Example: FS01 (192.168.1.10)
  • Severity: Critical / High / Medium / Low. Example: Critical
  • Remediation Action: specific steps to resolve the gap. Example: migrate file services to Windows Server 2022; decommission FS01
  • Owner: person responsible for the fix. Example: IT Manager, Sarah T.
  • Target Date: deadline for completion. Example: 15 March 2026
  • Status: Not Started / In Progress / Complete / Verified. Example: In Progress
  • Verification Method: how you will confirm the fix is effective. Example: vulnerability scan confirming no Server 2012 R2 detected

Cyber Essentials Patch Management: Best Practices

Cyber essentials patch management is the most operationally demanding of the five controls because it is never finished. Patches are released constantly — Microsoft alone publishes security updates on the second Tuesday of every month (Patch Tuesday), and critical out-of-band patches can arrive at any time. Building a sustainable patching process is essential not just for certification but for ongoing security.

The 14-Day Rule

The Cyber Essentials scheme requires that updates fixing critical and high-risk vulnerabilities (CVSS v3 base score 7.0 or above, vendor-rated critical or high, or with no severity published) are applied within 14 days of the vendor releasing them. This is a hard requirement with no flexibility. In a CE Plus scan, a missing fix for such a vulnerability that has been available for more than 14 days is a fail; in the self-assessment you are declaring that this is your standing practice. Understanding and operationalising this rule is central to effective cyber essentials patch management.

Building a Patch Management Process

An effective cyber essentials patch management process follows a consistent cycle:

  1. Inventory: Maintain a current list of all software and firmware in your environment, including version numbers
  2. Monitor: Subscribe to vendor security advisories and use vulnerability scanning to identify missing patches
  3. Assess: When a patch is released, determine its severity (critical/high/medium/low) and relevance to your environment
  4. Test: For critical business systems, test patches in a staging environment before deployment. For standard workstations, this step can often be skipped if automatic updates are enabled
  5. Deploy: Push patches to affected systems within the 14-day window. Use automated deployment tools where possible
  6. Verify: Confirm that patches have been successfully applied across all target devices. Check for failed installations
  7. Report: Generate compliance reports showing patch status across your estate. This evidence supports your certification assessment
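The Assess, Verify and Report steps above, together with the 14-day rule, reduce to a small piece of logic that is worth having as code rather than a spreadsheet rule of thumb. The following added example (written for this guide, not Cloudswitched's or any vendor's tool) classifies each update on each device as compliant, pending, overdue or installed late, applying the clock only to updates that qualify for the 14-day window. The inventory format, device names, KB numbers, scores and dates are all constructed assumptions; in practice you would build the list from your patch tool's export.

```python
"""Added example: evaluate an update inventory against the Cyber Essentials
14-day rule. Not Cloudswitched's tooling; the inventory below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Update:
    device: str
    reference: str               # vendor reference, e.g. a KB number or firmware version
    released: date               # date the vendor published the fix
    installed: Optional[date]    # None means still missing on this device
    cvss: Optional[float] = None         # CVSS v3 base score, if published
    vendor_rating: Optional[str] = None  # vendor's own rating, if published


WINDOW = timedelta(days=14)


def clocked(u: Update) -> bool:
    """The 14-day clock applies when the fix addresses a vulnerability rated
    CVSS v3 >= 7.0, or one the vendor calls critical/high, or when no rating of
    either kind is published (the scheme then assumes the worst case).
    Lower-rated fixes must still be applied, but are not clocked."""
    if u.cvss is not None and u.cvss >= 7.0:
        return True
    if u.vendor_rating and u.vendor_rating.lower() in ("critical", "high"):
        return True
    return u.cvss is None and not u.vendor_rating


def classify(u: Update, today: date) -> str:
    """compliant | pending | overdue (missing past deadline) | late (installed after it)."""
    if not clocked(u):
        return "compliant" if u.installed else "pending"
    deadline = u.released + WINDOW
    if u.installed is None:
        return "pending" if today <= deadline else "overdue"
    return "compliant" if u.installed <= deadline else "late"


def compliance_report(updates, today: date):
    """Per-device lists of references that are overdue, late or pending."""
    report = {}
    for u in updates:
        entry = report.setdefault(u.device, {"overdue": [], "late": [], "pending": []})
        state = classify(u, today)
        if state != "compliant":
            entry[state].append(u.reference)
    return report


def failing_devices(report):
    """A device with any overdue clocked update fails this control today.
    'late' entries are process findings: the fix is on, but the window was missed."""
    return sorted(device for device, entry in report.items() if entry["overdue"])


# Constructed inventory as of a hypothetical assessment date of 10 February 2026.
# 13 January 2026 is that month's Patch Tuesday.
SAMPLE_INVENTORY = [
    Update("ws01", "KB5001234", date(2026, 1, 13), date(2026, 1, 20), cvss=8.8),
    Update("ws01", "KB5001350", date(2026, 1, 13), date(2026, 2, 5), cvss=9.8),
    Update("ws02", "KB5001234", date(2026, 1, 13), None, cvss=8.8),
    Update("ws02", "KB5001300", date(2026, 2, 3), None),  # no rating published: clocked
    Update("fw01", "firmware 7.2.4", date(2026, 1, 5), None, cvss=5.3, vendor_rating="Medium"),
]


if __name__ == "__main__":
    report = compliance_report(SAMPLE_INVENTORY, date(2026, 2, 10))
    for device, entry in report.items():
        print(device, entry)
    print("failing:", failing_devices(report))
```

On the sample data only ws02 fails (KB5001234 is 28 days old and missing); ws01 installed KB5001350 nine days past the deadline, which is a process finding to fix before the assessor asks how you meet the 14-day rule; the medium-rated firmware on fw01 is pending but not clocked.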

Patch Management Tools for UK SMEs

  • Microsoft Intune: Windows, macOS, iOS, Android; included in Microsoft 365 Business Premium; cloud-based device management, update rings, compliance policies
  • WSUS: Windows; free, included with Windows Server; centralised update management for on-premises estates. Microsoft declared WSUS deprecated in September 2024; it still ships and still receives fixes, but plan a migration to Intune or another tool
  • Automox: Windows, macOS, Linux; from $3 per device per month; cloud-native patch management with cross-platform support
  • NinjaOne: Windows, macOS; quote-based; RMM with integrated patching, popular with UK MSPs
  • PDQ Deploy: Windows; from $19 per month; software deployment and patching for Windows networks
Important

Do not forget firmware. Cyber essentials patch management covers not just operating systems and applications but also firmware on routers, firewalls, switches, and other network devices. Many UK SMEs have network equipment running firmware that is years out of date — this is one of the most common critical findings in a gap analysis. Check your device manufacturers' websites for firmware updates and apply them as part of your patching cycle.

Cyber Essentials Secure Configuration: Hardening Your Systems

Cyber essentials secure configuration is about reducing the attack surface of every device and application in your environment. The principle is simple: the more software, services, and features running on a system, the more potential entry points for an attacker. Secure configuration removes or disables everything that is not needed and ensures that what remains is configured safely.

Hardening Checklist by Platform

The following checklist covers the most critical cyber essentials secure configuration requirements across the platforms most commonly found in UK SME environments:

Windows Workstations and Servers

  • Rename or disable the built-in Administrator account
  • Disable the Guest account (it cannot be deleted) and any other unused local accounts
  • Disable auto-run and auto-play for all media types
  • Set screen lock timeout to 15 minutes or less
  • Enable Windows Firewall on all network profiles (Domain, Private, Public)
  • Remove unnecessary software — including manufacturer bloatware, trial applications, and games
  • Configure password policy: minimum 12 characters for password-only accounts, or minimum 8 where MFA or a common-password deny list is also enforced; no maximum length and no forced periodic expiry
  • Enable account lockout after no more than 10 failed login attempts (or throttle to at most 10 guesses in 5 minutes)
  • Disable Remote Desktop unless specifically required (and if required, restrict access by IP)
  • Configure Windows Update for automatic installation
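Steps 3 and 4 of the gap analysis (evidence collection and gap identification) and the Windows checklist above meet in practice as a comparison of exported settings against the requirement. The following added example (written for this guide; not Cloudswitched's tooling and not an NCSC artefact) parses two exports that a practitioner collects from each sampled Windows device, `secedit /export /cfg secpol.inf` for the password and lockout policy and `netsh advfirewall show allprofiles` for the Windows Firewall, and returns the gaps. Both inputs are constructed samples, and whether MFA or a deny list is in force is passed in as a flag because that evidence comes from elsewhere.

```python
"""Added example: check exported Windows evidence against Cyber Essentials
password, lockout, guest-account and firewall requirements. Sample exports are
constructed; the checks are this guide's, not an official NCSC tool."""
import re

# Constructed excerpt of `secedit /export /cfg secpol.inf` from a workstation.
SAMPLE_SECPOL = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
EnableAdminAccount = 1
EnableGuestAccount = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed excerpt of `netsh advfirewall show allprofiles` from the same device.
SAMPLE_NETSH = """\

Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Ok.
"""


def parse_secpol(text):
    """Return the [System Access] key/value pairs, numeric values as ints."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = int(value) if value.lstrip("-").isdigit() else value
    return values


def parse_firewall_profiles(text):
    """Map each profile (Domain/Private/Public) to its State, ON or OFF."""
    profiles, current = {}, None
    for line in text.splitlines():
        match = re.match(r"(\w+) Profile Settings:", line)
        if match:
            current = match.group(1)
        elif current and line.startswith("State"):
            profiles[current] = line.split()[-1].upper()
    return profiles


def assess(secpol, profiles, mfa_enforced=False, denylist_in_use=False):
    """Return (control, finding) pairs; an empty list means no gap found."""
    gaps = []
    # CE password rule: 12+ characters for password-only accounts, or 8+ where
    # MFA or a common-password deny list is also in place.
    min_len = secpol.get("MinimumPasswordLength", 0)
    required = 8 if (mfa_enforced or denylist_in_use) else 12
    if min_len < required:
        gaps.append(("User Access Control",
                     f"MinimumPasswordLength is {min_len}; requires {required}"))
    # CE brute-force rule: lockout after no more than 10 failed attempts
    # (or throttling to 10 guesses in 5 minutes). 0 means lockout is disabled.
    lockout = secpol.get("LockoutBadCount", 0)
    if lockout == 0 or lockout > 10:
        gaps.append(("User Access Control",
                     f"LockoutBadCount is {lockout}; requires 1 to 10"))
    if secpol.get("EnableGuestAccount", 0) == 1:
        gaps.append(("Secure Configuration", "Guest account is enabled"))
    for profile in ("Domain", "Private", "Public"):
        state = profiles.get(profile, "missing")
        if state != "ON":
            gaps.append(("Firewalls", f"Windows Firewall {profile} profile is {state}"))
    return gaps


if __name__ == "__main__":
    for control, finding in assess(parse_secpol(SAMPLE_SECPOL),
                                   parse_firewall_profiles(SAMPLE_NETSH)):
        print(f"{control}: {finding}")
```

The Public profile being off is the one people miss: a laptop that is locked down on the office domain profile travels home on the Public profile, and that is the profile that matters for a home worker whose router is out of scope.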

macOS Devices

  • Set a firmware password (Intel Macs) or enable Activation Lock (Apple Silicon)
  • Enable FileVault full-disk encryption
  • Require password after screen saver or sleep (immediately)
  • Set screen lock timeout to 15 minutes or less
  • Enable the built-in firewall
  • Disable auto-login
  • Enable automatic software updates
  • Remove unnecessary applications from /Applications
  • Ensure Gatekeeper is enabled (only allow apps from identified developers or App Store)

Network Devices (Routers, Firewalls, Switches)

  • Change default admin username and password on every device
  • Disable remote management unless required (if required, restrict by source IP)
  • Disable UPnP (Universal Plug and Play)
  • Disable WPS (Wi-Fi Protected Setup) on wireless access points
  • Use WPA2 or WPA3 encryption for wireless networks — never WEP or open
  • Update firmware to the latest version
  • Document all firewall rules and review quarterly

Cloud Services (Microsoft 365, Google Workspace)

  • Enable MFA for all user accounts — no exceptions
  • Disable legacy (basic) authentication for IMAP, POP3, SMTP AUTH and similar protocols, which bypass MFA
  • Configure session timeout policies
  • Review and disable unnecessary licensed features
  • Enable audit logging
  • Configure conditional access policies (if available in your licence tier)
  • Review third-party app permissions and OAuth consents
Secure Configuration Compliance After Remediation, Typical UK SME
  • Default credentials eliminated: 98%
  • Unnecessary software removed: 94%
  • Screen lock policies enforced: 100%
  • MFA enabled on cloud services: 96%
  • Network devices hardened: 91%

Timeline for Remediation: How Long Does It Take?

One of the most common questions we hear at Cloudswitched is: "How long will cyber essentials remediation take?" The answer depends on the size and complexity of your IT environment, the number of gaps identified, and the resources you can dedicate to the process. However, based on our experience with UK organisations of all sizes, here are realistic timelines.

  • Micro (1–9 employees): 8–15 gaps; gap analysis 1–2 days; remediation 1–2 weeks; 2–4 weeks in total to certification
  • Small (10–49 employees): 15–30 gaps; gap analysis 2–5 days; remediation 2–4 weeks; 4–8 weeks in total to certification
  • Medium (50–249 employees): 25–60 gaps; gap analysis 1–2 weeks; remediation 4–8 weeks; 6–12 weeks in total to certification
  • Large (250+ employees): 40–100+ gaps; gap analysis 2–4 weeks; remediation 8–16 weeks; 12–20 weeks in total to certification

These timelines assume that the organisation has dedicated IT resource — either internal or through a managed service provider like Cloudswitched — actively working on remediation. Organisations that attempt remediation on an ad-hoc basis, fitting it around other priorities, typically take two to three times longer.

Pro Tip

The single biggest factor that extends remediation timelines is unsupported software. If your gap analysis reveals systems running Windows 7, Windows Server 2012 R2, or other end-of-life software, the remediation may involve hardware replacement or major migration projects. Identify these blockers early and factor them into your timeline. The Requirements allow unsupported systems to remain only if they are moved into a segregated subset that is declared out of scope, which also means your certificate no longer covers the whole organisation; for a whole-organisation certificate they must be upgraded or removed before the assessment.

DIY vs Professional Gap Analysis: Making the Right Choice

Should you conduct your cyber essentials gap analysis in-house or engage a professional? This is a practical question with no one-size-fits-all answer. Both approaches have merits, and the right choice depends on your organisation's technical capability, time constraints, and budget.

DIY Gap Analysis (in-house assessment)

What you get:
  • No external consultancy fees
  • Deep knowledge of your own environment
  • Can be done on your own schedule
What you go without:
  • Expert knowledge of CE requirements
  • Independent, unbiased assessment
  • Professional vulnerability scanning
  • Remediation guidance and support
Typical cost: staff time only

Professional Gap Analysis (recommended for most SMEs)

What you get:
  • Expert knowledge of CE requirements
  • Independent, unbiased assessment
  • Professional vulnerability scanning
  • Remediation guidance and support
  • Higher first-time pass rate
What you go without:
  • Deep knowledge of your specific environment (the consultant has to learn it)
  • Free of charge (this is the paid option)
Typical cost: £1,000–£5,000

When to DIY

A self-conducted cyber essentials gap analysis can work well if your organisation has a competent in-house IT team (or IT-savvy owner in smaller firms) who can dedicate focused time to the process. You will need someone who can interpret the NCSC requirements document, run basic network scans, review device configurations, and document findings methodically. This approach works best for micro-businesses and small organisations with straightforward IT environments — a few laptops, a cloud email service, and a broadband router.

When to Engage a Professional

Professional cyber essentials gap analysis and cyber essentials remediation support is strongly recommended when your environment includes any of the following: on-premises servers, multiple sites, complex network architectures, BYOD policies, legacy or unsupported systems, or when you are aiming for Cyber Essentials Plus. Professionals bring pattern recognition from hundreds of assessments — they know exactly where to look and what assessors will focus on. They also bring specialist vulnerability scanning tools and the expertise to interpret results accurately.

At Cloudswitched, we offer a combined gap analysis and remediation service specifically designed for UK SMEs. We conduct the full gap analysis, provide a prioritised remediation plan, and can either guide your team through the fixes or implement them directly. Our clients consistently achieve first-time certification.

Tools and Resources for Your Gap Analysis

The right tools can dramatically simplify your cyber essentials gap analysis and subsequent cyber essentials remediation. Below is a curated list of resources — many free — that are directly relevant to the process.

Official NCSC Resources

  • Cyber Essentials Requirements for IT Infrastructure — the official requirements document. This is your primary reference for the gap analysis. Download from the NCSC website.
  • NCSC Cyber Essentials guidance pages — practical implementation advice for each of the five controls
  • NCSC Small Business Guide — broader security guidance that complements Cyber Essentials
  • IASME Certification Body directory — for finding an accredited assessor when you are ready to certify
  • NCSC Exercise in a Box — free tabletop exercises to test your incident response (not a CE requirement, but excellent practice)

Gap Analysis and Configuration Assessment

  • CIS Benchmarks — free, detailed secure configuration guides for Windows, macOS, Linux, network devices, and cloud platforms. These go beyond Cyber Essentials requirements but are excellent references for cyber essentials secure configuration
  • Microsoft Secure Score — free assessment of your Microsoft 365 security configuration, with specific recommendations. Directly relevant to several CE controls
  • Google Workspace Security Investigation Tool — similar to Secure Score but for Google Workspace environments
  • Lynis — free, open-source security auditing tool for Linux and macOS systems

Vulnerability Scanning

  • Nessus Essentials — free vulnerability scanner (up to 16 IPs), excellent for small organisations
  • OpenVAS / Greenbone — free, open-source vulnerability scanner with comprehensive coverage
  • Qualys Community Edition — free cloud-based scanning for external perimeters
  • Nmap — free network discovery and port scanning tool. Essential for firewall control verification

Patch Management Verification

  • Windows Update for Business reports — built into Microsoft Intune / Endpoint Manager
  • WSUS reports — built into Windows Server Update Services (Microsoft announced WSUS as deprecated in 2024; it still works, but plan a move to Intune or another patch tool)
  • Vulners.com — free vulnerability intelligence platform for checking CVE details and patch availability

Remediation Deep Dive: Control-by-Control Fixes

With your gap analysis complete and your remediation plan in hand, it is time to execute. Below is practical, step-by-step cyber essentials remediation guidance for the most common gaps in each control area.

Firewall Remediation

Changing default credentials on all boundary devices: Log in to every router, firewall, and managed switch. Change the admin username (if the device allows it) and password. Use a unique, strong password for each device, at least 12 characters long, and store it in a password manager. While you are logged in, disable administration from the internet-facing side of the device unless there is a documented business need and the interface is protected by MFA or an IP allow list; an exposed admin interface with a vendor default password is one of the quickest ways to fail this control. Check the device firmware is still supported by the vendor and update it.

Closing unnecessary ports: Export your current firewall rules. Review each rule against your documented list of required services. Any rule that cannot be justified should be disabled or removed. Pay particular attention to inbound rules allowing Remote Desktop (TCP 3389), SSH (TCP 22), and database ports (TCP 1433, 3306, 5432) — these should never be open to the entire internet.

Enabling software firewalls: On Windows, verify that Windows Firewall is enabled on all three profiles (Domain, Private, Public) via Group Policy. On macOS, enable the application firewall in System Settings. Document any exceptions.

Home worker router hardening: Under the current requirements an employee-owned or ISP-supplied home router is out of scope; the firewall control transfers to the software firewall on the worker's device, which must therefore be enabled and centrally managed. Routers that you issue to home workers remain in scope and must meet the boundary-firewall requirements. Hardening the home router is still worth doing, so provide remote workers with a checklist: change the admin password, disable remote (WAN-side) administration, disable UPnP, disable WPS, ensure WPA2/WPA3 is enabled, and update firmware. For organisations with many remote workers, consider issuing company-managed routers or using a VPN solution that creates a controlled network boundary regardless of the home router configuration.
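The following is an added example written for this guide, not code from the NCSC or from the article's author, that audits the host-firewall items above on a Windows endpoint: it confirms the firewall is enabled on all three profiles with inbound blocked by default, and lists enabled inbound allow rules that expose RDP, SSH or the common database ports to any remote address. The port list and the choice to disable rather than delete a rule are this article's assumptions. Run it in an elevated PowerShell session; the same "port × remote address" logic applies when you review an exported ruleset from a boundary firewall.

```powershell
# Added example for this guide (not code from the NCSC or the article's author).
# Audits Windows Defender Firewall on the local machine. Read-only unless -Fix is
# given, and -Fix only corrects profile settings; it never changes individual rules.
param([switch]$Fix)

# Ports the article says must never be open to the whole internet (assumed list).
$riskyPorts = @{ '3389' = 'RDP'; '22' = 'SSH'; '1433' = 'MSSQL'; '3306' = 'MySQL'; '5432' = 'PostgreSQL' }
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Firewall on for Domain, Private and Public; default inbound must not be Allow.
#    'NotConfigured' inherits the built-in Block default, so it is acceptable.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') {
        $findings.Add([pscustomobject]@{ Area = 'Profile'; Item = $p.Name; Issue = 'Firewall disabled' })
        if ($Fix) { Set-NetFirewallProfile -Name $p.Name -Enabled True }
    }
    if ($p.DefaultInboundAction -eq 'Allow') {
        $findings.Add([pscustomobject]@{ Area = 'Profile'; Item = $p.Name; Issue = 'Default inbound action is Allow' })
        if ($Fix) { Set-NetFirewallProfile -Name $p.Name -DefaultInboundAction Block }
    }
}

# 2. Enabled inbound allow rules on a risky port whose remote scope is unrestricted.
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    $localPorts = @($portFilter.LocalPort) | ForEach-Object { [string]$_ }
    $remote     = @($addrFilter.RemoteAddress)

    # Only rules reachable from 'Any' remote address count as exposure here.
    if ($remote -notcontains 'Any') { continue }

    $hits = $localPorts | Where-Object { $riskyPorts.ContainsKey($_) }
    if ($hits) {
        $services = ($hits | ForEach-Object { $riskyPorts[$_] }) -join ', '
        $findings.Add([pscustomobject]@{
            Area  = 'Rule'
            Item  = $rule.DisplayName
            Issue = "Allows $services from any remote address on profile(s): $($rule.Profile)"
        })
    }
}

if ($findings.Count -eq 0) { "OK: firewall enabled on all profiles, no risky inbound exposure found on $env:COMPUTERNAME" }
else { $findings | Format-Table -AutoSize }

# After review, disable (rather than delete) an offending rule to keep an audit trail:
#   Disable-NetFirewallRule -DisplayName 'Remote Desktop - User Mode (TCP-In)'
# Port ranges such as '3389-3390' are not matched above; review those by hand.
```

Run it with `-Fix` only once you have confirmed the profile findings; a rule flagged here on a server behind a boundary firewall may be legitimate, but it should then be scoped to the management subnet rather than left at "Any".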

Secure Configuration Remediation

Implementing cyber essentials secure configuration across your estate involves a combination of Group Policy settings (for Windows environments), MDM profiles (for mobile and Mac devices), and manual configuration (for network devices and cloud services). The key principle is consistency — every device of the same type should be configured identically.

Group Policy for Windows: Create a Cyber Essentials GPO that enforces: screen lock after 15 minutes of inactivity, a minimum password length of 12 characters (the scheme accepts 8 characters where a deny list of common passwords is enforced, for example with Entra password protection, and sets no maximum length), account lockout after no more than 10 failed attempts or rate limiting to no more than 10 guesses in 5 minutes, AutoRun/AutoPlay disabled, and software restriction or AppLocker policies where appropriate. Give admin accounts the same or a longer minimum, and do not rely on complexity rules or forced expiry as a substitute for length and MFA; current NCSC guidance advises against routine password expiry. Apply this GPO to all organisational units containing workstations and servers.
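An added example for this guide (not NCSC, Microsoft or article code) that checks whether a Windows endpoint has actually received the baseline above. It exports the effective local account policy with secedit and reads the policy registry keys that Group Policy writes for screen lock and AutoRun. The thresholds (12-character minimum, lockout at 10, 15-minute lock) are this article's assumed baseline, not values copied from the NCSC document; adjust them to your own GPO. Run elevated, because the secedit export needs administrator rights.

```powershell
# Added example for this guide (not NCSC, Microsoft or article code).
# Compares the effective local policy on this machine with an assumed CE baseline.

function Get-LocalSecurityPolicy {
    # secedit writes an INI file; we only need the numeric [System Access] values.
    $inf = Join-Path $env:TEMP "secpol-$PID.inf"
    secedit.exe /export /cfg $inf /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(-?\d+)\s*$') { $policy[$Matches[1]] = [int]$Matches[2] }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $policy
}

function Get-RegValue([string]$Path, [string]$Name, $Default = $null) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $Default }
}

$pol = Get-LocalSecurityPolicy

# Screen lock: either the machine inactivity limit (Security Options) or a
# password-protected screensaver policy for the user satisfies the check.
$inactivity   = [int](Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs' 0)
$saverTimeout = [int](Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' 'ScreenSaveTimeOut' 0)
$saverSecure  = [int](Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' 'ScreenSaverIsSecure' 0)
$lockSeconds  = if ($inactivity -gt 0) { $inactivity } elseif ($saverSecure -eq 1) { $saverTimeout } else { 0 }

# AutoRun: "Turn off AutoPlay" on all drives (0xFF) and block autorun.inf commands.
$noDriveAutoRun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 0
$noAutorun      = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoAutorun' 0

$checks = @(
    [pscustomobject]@{ Setting = 'Minimum password length';          Actual = $pol['MinimumPasswordLength']; Expected = '>= 12 (8 with a common-password deny list)'; Pass = ($pol['MinimumPasswordLength'] -ge 12) }
    [pscustomobject]@{ Setting = 'Lockout threshold (attempts)';      Actual = $pol['LockoutBadCount'];       Expected = '1-10';  Pass = ($pol['LockoutBadCount'] -ge 1 -and $pol['LockoutBadCount'] -le 10) }
    [pscustomobject]@{ Setting = 'Lockout observation window (min)';  Actual = $pol['ResetLockoutCount'];     Expected = '>= 5';  Pass = ($pol['ResetLockoutCount'] -ge 5) }
    [pscustomobject]@{ Setting = 'Screen lock after (seconds)';       Actual = $lockSeconds;                  Expected = '1-900'; Pass = ($lockSeconds -ge 1 -and $lockSeconds -le 900) }
    [pscustomobject]@{ Setting = 'AutoPlay off on all drive types';   Actual = $noDriveAutoRun;               Expected = '255';   Pass = ($noDriveAutoRun -eq 255) }
    [pscustomobject]@{ Setting = 'Autorun commands blocked';          Actual = $noAutorun;                    Expected = '1';     Pass = ($noAutorun -eq 1) }
)

$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) { Write-Warning "Baseline drift on $env:COMPUTERNAME" }
```

The lockout window check is deliberately "at least 5 minutes": Windows counts failures inside the observation window, so a 30-minute window with a threshold of 10 is stricter than the scheme's 10-in-5 wording, not weaker.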

Software inventory clean-up: Use a software inventory tool (or a simple PowerShell script querying installed programs) to identify all software on every machine. Cross-reference against your approved software list. Remove anything not required. Pay particular attention to: Adobe Flash (unsupported since December 2020), Java 6 and 7 (end-of-life; Java 8 is still maintained by Oracle and the OpenJDK vendors, but only current builds count as supported), old browser versions, and manufacturer pre-installed software. "Specifically required" is not an exemption: under the scheme, unsupported software must be removed from in-scope devices, or the devices moved into a subset that is excluded from the scope.
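An added example for this guide (not NCSC or article code) of the PowerShell inventory script the paragraph mentions. It builds the installed-software list from the registry Uninstall keys (64-bit, 32-bit and per-user), marks anything not on the approved list, and flags known end-of-life products. The approved list and the end-of-life patterns are constructed for illustration; in practice keep them in a CSV and load that instead.

```powershell
# Added example for this guide (not NCSC or article code).
# Inventory installed software on this machine and classify each entry.

# Constructed approved list: wildcard patterns matched against DisplayName.
$approved = @(
    'Microsoft 365*', 'Microsoft Edge*', 'Google Chrome*', 'Mozilla Firefox*', '7-Zip*',
    'Adobe Acrobat*', 'Microsoft Visual C++ *', 'Microsoft Teams*', 'Microsoft OneDrive*'
)

# End-of-life products named in the article, as regex => reason (assumed patterns).
$eol = [ordered]@{
    'Adobe Flash'                                               = 'Adobe Flash Player reached end of life in December 2020'
    'Java\(TM\)\s*[67]\b|^Java 7\b'                             = 'Java 6/7 are end of life; migrate to a supported runtime'
    'Microsoft Office (Professional|Standard|Home).*\b20(16|19)\b' = 'Office 2016/2019 reached end of support in October 2025'
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SoftwareInventory {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |   # hidden components are not user-facing apps
        Sort-Object DisplayName, DisplayVersion -Unique |
        ForEach-Object {
            $name   = $_.DisplayName
            $reason = $null
            foreach ($pattern in $eol.Keys) {
                if ($name -match $pattern) { $reason = $eol[$pattern]; break }
            }
            $isApproved = @($approved | Where-Object { $name -like $_ }).Count -gt 0
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Name      = $name
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Status    = if ($reason) { 'END-OF-LIFE' } elseif ($isApproved) { 'Approved' } else { 'Unapproved' }
                Note      = $reason
            }
        }
}

$inventory = Get-SoftwareInventory
$inventory | Where-Object { $_.Status -ne 'Approved' } | Sort-Object Status, Name | Format-Table -AutoSize

# One CSV per machine makes the estate-wide cross-reference a simple merge.
$inventory | Export-Csv -Path "inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
# Collect from many hosts with:
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\inventory.ps1
```

The end-of-life table is the part that needs maintaining: every recertification cycle, re-check vendor lifecycle pages and add the products that have dropped out of support since the last review.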

User Access Control Remediation

Implementing MFA: This is the single most impactful cyber essentials remediation action for most organisations. Enable MFA on Microsoft 365 (via Security Defaults or Conditional Access), Google Workspace (via Admin Console), VPN connections, and any other cloud service that supports it. Use authenticator apps rather than SMS where possible. Roll out to all users — not just administrators.

Separating admin and standard accounts: Create separate admin accounts for IT staff (e.g., admin.john.smith alongside john.smith). Admin accounts should only be used for administrative tasks — never for email, web browsing, or daily work. This requires a cultural shift in many organisations, but it is a hard requirement.

Implementing a joiner/mover/leaver process: Establish a formal process for creating accounts when staff join, adjusting access when they change roles, and disabling accounts immediately when they leave. Audit your current user list against HR records to identify any stale accounts.
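An added example for this guide (not NCSC, Microsoft or article code) covering the three user access control actions above in one Microsoft 365 audit: it reports each member account's MFA registration (strong app/FIDO2/Windows Hello, SMS-or-voice only, or none), flags Global Administrators held on daily-use accounts or without strong MFA, and lists enabled accounts that are missing from an HR extract of current staff. It requires the Microsoft Graph PowerShell SDK (`Install-Module Microsoft.Graph`), assumes the `admin.` naming convention from the paragraph above, and the HR list is constructed for illustration.

```powershell
# Added example for this guide (not NCSC, Microsoft or article code).
# Requires the Microsoft Graph PowerShell SDK and a reader with the scopes below.
Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All','RoleManagement.Read.Directory' -NoWelcome

# Constructed HR extract of current staff (daily-account UPNs); export the real one from HR.
$hrCurrentStaff = @('john.smith@example.com', 'amira.khan@example.com')

# Registered method types that count as strong MFA; SMS/voice is accepted but weaker.
$strong = @('#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
            '#microsoft.graph.fido2AuthenticationMethod',
            '#microsoft.graph.softwareOathAuthenticationMethod',
            '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod')
$weak   = @('#microsoft.graph.phoneAuthenticationMethod')

# Global Administrator members resolved to UPNs (the role object exists once it has been used).
$globalAdmins = @()
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if ($gaRole) {
    $globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ }
}

$report = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType) {
    if ($u.UserType -ne 'Member' -or -not $u.AccountEnabled) { continue }   # guests and disabled accounts skipped
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $mfa = if ($types | Where-Object { $_ -in $strong }) { 'Strong' }
           elseif ($types | Where-Object { $_ -in $weak }) { 'SMS/voice only' }
           else { 'NONE' }

    $upn     = $u.UserPrincipalName
    $isAdmin = $upn -like 'admin.*'           # assumed naming convention for separate admin accounts
    $isGA    = $upn -in $globalAdmins
    $issues  = @()
    if ($mfa -eq 'NONE')                          { $issues += 'No MFA registered' }
    if ($isGA -and -not $isAdmin)                 { $issues += 'Global Admin on a daily-use account' }
    if ($isGA -and $mfa -ne 'Strong')             { $issues += 'Global Admin without strong MFA' }
    if (-not $isAdmin -and $upn -notin $hrCurrentStaff) { $issues += 'Enabled but not in HR list (leaver?)' }

    [pscustomobject]@{ User = $upn; MFA = $mfa; GlobalAdmin = $isGA; Issues = ($issues -join '; ') }
}

# Accounts with issues first.
$report | Sort-Object { $_.Issues -eq '' }, User | Format-Table -AutoSize

# Remediation for a leaver found above (disable first, delete after the retention period):
#   Update-MgUser -UserId 'someone@example.com' -AccountEnabled:$false
# Then enforce MFA tenant-wide via Security Defaults or a Conditional Access policy rather
# than relying on per-user registration.
```

Registration is not enforcement: a user who has registered Authenticator can still sign in with password alone unless Security Defaults or Conditional Access requires MFA, so run this report alongside a check of the policy itself.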

Malware Protection Remediation

Deploying anti-malware consistently: Ensure every in-scope device has anti-malware protection that is active, updating automatically, and scanning on access. For organisations using Microsoft Defender (included with Windows 10/11), verify it is not disabled and is receiving definition updates. For organisations using third-party anti-malware, verify licence validity and deployment completeness.

Preventing user override: Configure anti-malware settings so that standard users cannot disable or modify protection. In managed environments, this is typically enforced through Group Policy, MDM, or the anti-malware console. This is a specific assessor check point — if a user can turn off their antivirus, that is a fail.
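An added example for this guide (not NCSC, Microsoft or article code) that checks the points above on an endpoint running Microsoft Defender: the engine is active, real-time (on-access) scanning is on, signatures are current, nothing has switched protection off by preference or policy key, and tamper protection is enabled so that a user (even a local administrator) cannot turn it off. The three-day signature age threshold is an assumption for this article; the scheme only requires the product to be kept up to date.

```powershell
# Added example for this guide (not NCSC, Microsoft or article code).
# Audits Microsoft Defender on the local machine against the malware protection control.

function Test-DefenderState {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference

    # Group Policy / Intune can force Defender off through these policy keys; surface that explicitly.
    $policyOff = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    ) | ForEach-Object {
        $k = Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue
        if ($k) { @($k.DisableAntiSpyware, $k.DisableRealtimeMonitoring) }
    } | Where-Object { $_ -eq 1 }

    @(
        [pscustomobject]@{ Check = 'Antivirus engine running';             Pass = [bool]$s.AntivirusEnabled;          Actual = $s.AMRunningMode }
        [pscustomobject]@{ Check = 'Real-time (on-access) protection';      Pass = [bool]$s.RealTimeProtectionEnabled; Actual = $s.RealTimeProtectionEnabled }
        [pscustomobject]@{ Check = 'Not disabled by local preference';      Pass = (-not $p.DisableRealtimeMonitoring); Actual = $p.DisableRealtimeMonitoring }
        [pscustomobject]@{ Check = 'Not disabled by policy key';            Pass = (@($policyOff).Count -eq 0);         Actual = @($policyOff).Count }
        [pscustomobject]@{ Check = 'Signatures updated within 3 days';      Pass = ($s.AntivirusSignatureAge -le 3);   Actual = "$($s.AntivirusSignatureAge) day(s) old" }
        [pscustomobject]@{ Check = 'Tamper protection (blocks user override)'; Pass = [bool]$s.IsTamperProtected;      Actual = $s.IsTamperProtected }
        [pscustomobject]@{ Check = 'Cloud-delivered protection';            Pass = ($p.MAPSReporting -ne 0);           Actual = $p.MAPSReporting }
    )
}

$result = Test-DefenderState
$result | Format-Table -AutoSize

if ($result.Pass -contains $false) {
    Write-Warning "$env:COMPUTERNAME would fail the malware protection check"
    # Remediation on an unmanaged machine (managed estates should push these via Intune or GPO):
    #   Set-MpPreference -DisableRealtimeMonitoring $false -MAPSReporting Advanced
    #   Update-MpSignature
    # Tamper protection is switched on in the Windows Security app or through Intune, not by cmdlet.
}
```

Run the script from a standard user account as well as an admin one: if a standard user can run `Set-MpPreference -DisableRealtimeMonitoring $true` without an error, that is exactly the override the assessor will test for.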

Patch Management Remediation

Implementing effective cyber essentials patch management is the most operationally complex remediation area. The immediate priority is addressing the backlog of missing patches identified in your gap analysis. The longer-term goal is establishing a sustainable process that keeps you compliant on an ongoing basis.

Addressing the patch backlog: Start with the most critical items: any update that fixes a vulnerability the vendor rates Critical or High (or with a CVSS v3 base score of 7.0 or above) and that was released more than 14 days ago is already a breach of the control. Deploy these immediately. Then work through Medium and Low severity patches. For servers and critical business systems, schedule a maintenance window. For workstations, push updates and enforce restarts outside business hours, and turn on automatic updates wherever the vendor offers them so the backlog does not rebuild.
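An added example for this guide (not NCSC, Microsoft or article code) that measures the backlog on one Windows machine using the Windows Update Agent COM API: it lists every applicable update that is not installed, how many days since Microsoft released it, and which ones breach the 14-day rule. Treating Microsoft's "Important" rating as the scheme's "high" is an assumption made here; where a vendor gives no rating, check the CVSS score. Only Microsoft updates are visible through this API, so third-party products (browsers, PDF readers, Java) still need your vulnerability scanner or RMM.

```powershell
# Added example for this guide (not NCSC, Microsoft or article code).
# Lists missing Microsoft updates on this machine and flags high-risk ones older than 14 days.

function Get-PatchBacklog([int]$MaxAgeDays = 14) {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Applicable updates that are not installed and not hidden by an administrator.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $now = Get-Date

    foreach ($u in $result.Updates) {
        $age      = [int]($now - $u.LastDeploymentChangeTime).TotalDays   # days since Microsoft published it
        $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        $highRisk = $severity -in @('Critical', 'Important')               # assumption: Important = CE "high"
        $kbs      = foreach ($id in $u.KBArticleIDs) { "KB$id" }
        [pscustomobject]@{
            KB       = $kbs -join ','
            Title    = $u.Title
            Severity = $severity
            AgeDays  = $age
            Overdue  = ($highRisk -and $age -gt $MaxAgeDays)
        }
    }
}

$backlog = Get-PatchBacklog
$backlog | Sort-Object Overdue, AgeDays -Descending | Format-Table -AutoSize

$overdue = @($backlog | Where-Object { $_.Overdue })
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) high-risk update(s) older than 14 days on $env:COMPUTERNAME: this fails the patch management control"
}
# Push the overdue items through Intune, WSUS or your RMM; on a standalone machine the
# PSWindowsUpdate module's Install-WindowsUpdate -AcceptAll -AutoReboot will install them.
```

The search can take a minute or two on a machine that has not checked in for a while; run it from your management tool across the estate and keep the CSV output as evidence for the assessor.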

Removing unsupported software: This is often the most disruptive remediation action. Identify all end-of-life software (the gap analysis should have flagged these), determine what depends on them, plan migrations to supported alternatives, and execute. Common examples include: Windows 7/8.1 to Windows 11 (and, since 14 October 2025, Windows 10 devices that are not enrolled in Extended Security Updates), Office 2016/2019 to Microsoft 365 (both reached end of support in October 2025), and legacy line-of-business applications requiring old runtimes.

Average Remediation Effort by Control (Person-Days for a 50-Seat Organisation)

  • Patch Management: 8.5 days
  • Secure Configuration: 6 days
  • User Access Control: 5 days
  • Firewalls: 3.5 days
  • Malware Protection: 2 days

Maintaining Compliance After Certification

Achieving Cyber Essentials certification is not the end — it is the beginning of an ongoing commitment. Your certificate is valid for 12 months, after which you must recertify. More importantly, the security posture you have built through your cyber essentials gap analysis and cyber essentials remediation process must be maintained continuously. Security is not a project; it is a process.

Ongoing Compliance Activities

To maintain your compliance between annual recertifications, you should embed the following activities into your regular IT operations:

Activity (frequency; control): purpose

  • Patch compliance review (weekly; Patch Management): verify all critical and high-risk patches applied within 14 days
  • User account audit (monthly; User Access Control): remove stale accounts, verify MFA status, check admin privileges
  • Anti-malware status check (monthly; Malware Protection): verify all devices have active, updated protection
  • Firewall rule review (quarterly; Firewalls): remove unnecessary rules, verify no new open ports
  • Software inventory review (quarterly; Secure Configuration): identify unauthorised software, check for end-of-life versions
  • Vulnerability scan, external (quarterly; all controls): identify new vulnerabilities on internet-facing systems
  • Vulnerability scan, internal (quarterly; all controls): check internal devices for configuration drift and missing patches
  • Configuration baseline check (quarterly; Secure Configuration): verify devices still match your hardened configuration baseline
  • Policy review (annually; all controls): update policies to reflect changes in the CE requirements
  • Pre-recertification gap analysis (annually, 6 weeks before expiry; all controls): formal gap analysis before the renewal assessment

Common Causes of Compliance Drift

Even organisations that pass their initial assessment with flying colours can drift out of compliance. The most common causes are:

  • New devices added without configuration hardening — a new laptop is deployed with default settings and no anti-malware
  • Staff turnover without proper offboarding — accounts are not disabled when people leave
  • Shadow IT — staff adopt new cloud services without IT knowledge, introducing unmanaged assets
  • Patch fatigue — patching discipline lapses over time, especially during busy periods
  • Firewall rule creep — temporary rules created for troubleshooting are never removed
  • Home worker changes — staff change broadband providers and new routers go unconfigured
  • Software end-of-life — previously supported software reaches end of support between certifications
Pro Tip

Schedule your annual recertification gap analysis at least six weeks before your certificate expires. This gives you time to identify and remediate any gaps that have developed during the year. Many organisations leave it until the last minute and then scramble to fix issues, which often leads to failed assessments and certification lapses. At Cloudswitched, we proactively remind our managed clients and begin the review process well in advance.

Building a Culture of Cyber Security

The technical controls verified by Cyber Essentials are essential, but they exist within a broader context of organisational culture. The most secure organisations are those where every member of staff understands their role in maintaining security — not just the IT team.

Staff awareness is not a formal Cyber Essentials requirement, but it dramatically reduces the likelihood of security incidents and makes maintaining compliance far easier. Consider implementing:

  • Security induction for new starters — cover password policies, MFA setup, phishing awareness, and reporting procedures
  • Regular phishing simulations — test staff awareness and provide targeted training to those who click
  • Clear reporting channels — staff should know exactly who to contact if they suspect a security incident
  • Acceptable use policy — document what staff can and cannot do with organisational IT resources
  • Regular updates — keep security visible with brief monthly updates on threats and good practice

The NCSC provides free resources for staff awareness training, including their "Top Tips for Staff" guidance and the "Exercise in a Box" programme. These complement the technical controls assessed in Cyber Essentials and help create a security-conscious culture that supports ongoing compliance.

From Gap Analysis to Certification: The Complete Journey

Let us bring everything together into a single, end-to-end view of the journey from initial cyber essentials gap analysis through cyber essentials remediation to certification and beyond.

95%+
First-time pass rate with professional gap analysis and remediation
4–8 Weeks
Typical time from gap analysis to certification for UK SMEs
80%
Of common cyber attacks prevented by implementing Cyber Essentials controls
12 Months
Certificate validity — annual recertification required

Phase 1: Preparation (Week 1)

Define your scope. Identify all in-scope assets. Download the current NCSC requirements document. Decide whether you will conduct the gap analysis in-house or engage professional support. If engaging a provider like Cloudswitched, this phase often takes just a day — we bring the methodology, tools, and templates.

Phase 2: Gap Analysis (Weeks 1–2)

Conduct the control-by-control assessment described in this guide. Run cyber essentials vulnerability testing scans. Document every finding. Classify gaps by severity. Produce the gap analysis report.

Phase 3: Remediation Planning (Week 2)

Create your prioritised cyber essentials remediation plan. Assign owners. Set deadlines. Identify dependencies and blockers (particularly unsupported software requiring migration). Order any necessary hardware or licences.

Phase 4: Remediation Execution (Weeks 3–6)

Work through the plan systematically. Implement cyber essentials patch management processes. Apply cyber essentials secure configuration hardening. Enable MFA. Close firewall gaps. Deploy and verify anti-malware. Document all changes.

Phase 5: Validation (Week 6–7)

Re-run vulnerability scans. Conduct a validation pass against every gap in your original analysis. Confirm all gaps are closed. Prepare your documentation for the formal assessment.

Phase 6: Certification Assessment (Week 7–8)

Complete the self-assessment questionnaire through your chosen certification body. For Cyber Essentials Plus, schedule the on-site or remote technical audit; it must be completed within three months of your Cyber Essentials certificate being issued, so book it before you submit the questionnaire. Submit. Respond to any clarification requests from the assessor. Receive your certificate.

Phase 7: Ongoing Maintenance (Continuous)

Embed the ongoing compliance activities described in this guide. Schedule your annual recertification. Continue improving your security posture beyond the Cyber Essentials baseline.

Frequently Asked Questions

How much does a Cyber Essentials gap analysis cost?

A professional cyber essentials gap analysis typically costs between £1,000 and £5,000 for UK SMEs, depending on the size and complexity of the IT environment. This usually includes vulnerability scanning, a detailed gap report, and a prioritised remediation plan. DIY gap analyses cost only staff time but carry a higher risk of missed gaps and failed assessments.

Can we do the gap analysis and remediation ourselves?

Yes, if you have competent IT staff with time to dedicate to the process. The NCSC requirements document is publicly available, and many of the tools listed in this guide are free. However, professional support significantly increases first-time pass rates and typically saves time overall by avoiding false starts and rework.

What happens if we fail the assessment?

If you fail, the certification body will tell you which areas need attention. You will typically need to remediate the issues and reapply — which may involve an additional fee. A thorough cyber essentials gap analysis before your assessment dramatically reduces this risk.

How often should we run vulnerability scans?

Cyber essentials vulnerability testing should be conducted at minimum during your annual gap analysis and recertification. Best practice is quarterly external scans and quarterly internal scans, with additional scans after significant infrastructure changes.

Do we need to patch everything within 14 days?

The 14-day requirement applies to updates that fix vulnerabilities the vendor rates critical or high risk, or that carry a CVSS v3 base score of 7.0 or above, and also to updates where the vendor gives no severity information at all; the clock starts when the update is released, not when you notice it. Medium and low-risk patches should still be applied promptly, but the hard 14-day deadline is for those categories. Automatic updates should be enabled wherever the vendor supports them. Effective cyber essentials patch management processes handle all severity levels systematically.

What about BYOD and home workers?

If staff use personal devices to access organisational data or services (beyond native voice calls, text messages, or acting as an MFA token), those devices are in scope for Cyber Essentials and must meet the same configuration, patching and malware requirements as company devices. Home workers' own or ISP-supplied routers are not in scope under the current requirements; instead the firewall control transfers to the software firewall on the worker's device, which must be on and managed. Routers that the organisation issues to home workers remain in scope as boundary devices. This is an area where many organisations have gaps, so address it early in your analysis.

Is Cyber Essentials enough, or do we need more?

Cyber Essentials is a baseline — it addresses the most common threats but is not a comprehensive security programme. It is an excellent starting point, and for many UK SMEs, it provides a level of protection that is appropriate for their risk profile. Organisations handling highly sensitive data or operating in regulated sectors may need to go further — ISO 27001, SOC 2, or sector-specific standards. The gap analysis process described in this guide builds capabilities that support progression to these more advanced frameworks.

Why Cloudswitched for Your Gap Analysis and Remediation

At Cloudswitched, we are a London-based IT managed service provider specialising in cyber security for UK organisations. Our Cyber Essentials support service covers the entire journey — from initial cyber essentials gap analysis through cyber essentials remediation to certification and ongoing compliance management.

We understand the practical realities of UK SME environments. We know that your IT budget is finite, your team is busy, and you need a certification process that is efficient, thorough, and minimally disruptive. Our approach is built on hundreds of successful certifications and is continuously refined based on the latest NCSC requirements and assessor expectations.

Our service includes professional cyber essentials vulnerability testing, comprehensive cyber essentials patch management setup, cyber essentials secure configuration hardening across your entire estate, and full documentation and evidence preparation for your assessment. We work alongside your team — or as your team — to get you certified quickly and keep you certified year after year.

Ready to Start Your Cyber Essentials Gap Analysis?

Cloudswitched helps UK organisations identify, remediate, and certify against Cyber Essentials — efficiently and with expert guidance at every step. Whether you need a full gap analysis and remediation service or support with specific controls like patch management and secure configuration, our London-based team is here to help.

Tags: Cyber Essentials