WHY FIRST-TIME PASS MATTERS
Failing Cyber Essentials is not just an inconvenience. It costs you the reassessment fee, delays your certificate, and if you were working towards Cyber Essentials Plus, a failed CE basic assessment resets the 90-day window - meaning you will need to resubmit CE before you can restart the Plus process. For organisations chasing a tender deadline, this can be fatal.
The good news is that the vast majority of failures are predictable and preventable. The five controls have not changed in years. What has changed - with the introduction of Danzell (v3.3) in April 2026 - is the addition of automatic failure conditions that catch organisations who think they have the basics covered when they do not.
This guide walks through each control, the most common failure points, and what to check before you formally submit your assessment.
Updated for Danzell v3.3. Danzell applies to all assessment accounts created on or after 27 April 2026. If you are renewing or applying now, this is the version you will be assessed against.
CONTROL 1: FIREWALLS
The firewall control requires that all devices connecting to the internet are protected by a correctly configured boundary firewall or equivalent software firewall. This applies to your office network, cloud infrastructure, and - critically - home workers.
Common failure points:
- Default admin credentials not changed - Routers and firewalls shipped with default usernames and passwords must have those changed before deployment. This is one of the most frequently overlooked failure points.
- Unused ports and services not disabled - Your firewall rules should block all inbound connections that are not explicitly required. Assessors will look for unnecessary open ports.
- Home worker devices not covered - Any device used at home to access corporate data is in scope. If it relies on a domestic router with no additional software firewall, that is a gap.
- Cloud-hosted services not considered - Virtual machines and cloud workloads need firewall protection too. A cloud provider's default settings are not sufficient without explicit firewall configuration.
CONTROL 2: SECURE CONFIGURATION
Devices and software must be configured securely - with unnecessary features disabled, default accounts removed or disabled, and auto-run features turned off.
Common failure points:
- Unsupported operating systems - This is a frequent and hard failure. Windows 10 reached end of support in October 2025 and no longer receives security updates. Any in-scope device running Windows 10 will fail. You must be running a currently supported OS version on all in-scope devices.
- Unsupported software - Applications, browsers, plugins and extensions that are no longer vendor-supported are a failure point. Check every piece of software on in-scope devices.
- Default accounts not disabled - Guest accounts, default admin accounts, and factory accounts on routers and switches must be disabled or renamed with strong credentials.
- Auto-run and unnecessary services enabled - Services that are not needed for business purposes should be disabled. Macro execution in Office applications, for example, should be restricted.
Run a software inventory across all in-scope devices before you start. Check every application against the vendor's current support status. Anything end-of-life needs upgrading or removing before submission.
CONTROL 3: USER ACCESS CONTROL
User accounts must be managed carefully. People should only have access to what they need for their role, and administrative accounts must not be used for everyday tasks.
Common failure points:
- Shared admin accounts - Every user with administrative access must have their own named account. Shared admin credentials are a direct failure.
- Standard users with admin rights - Routine tasks such as email, browsing and document editing must be carried out under standard user accounts. Admin rights should only be used when explicitly needed and should not be granted permanently to standard users.
- Stale accounts not removed - Former employees, contractors, and service accounts that are no longer needed must be disabled or deleted. Any active account for a person no longer with the organisation is a failure.
- No MFA on privileged accounts - Administrative accounts must have multi-factor authentication enabled. Under Danzell this extends to all cloud service accounts, not just admin accounts.
CONTROL 4: MALWARE PROTECTION
All in-scope devices must be protected against malware, either through anti-malware software with up-to-date definitions, or through application allowlisting (where only approved software can run).
Common failure points:
- Anti-malware missing from some devices - Every in-scope device needs active malware protection. This includes servers, not just end-user devices. Windows Defender is acceptable if enabled and up to date.
- Definitions not kept current - Anti-malware software is only effective if its definitions are regularly updated. Assessors will check that automatic updates are enabled.
- Mobile devices not covered - Smartphones and tablets in scope need malware protection too. iOS and Android have built-in protections but these must be active and the device must not be jailbroken or rooted.
- Malicious downloads not blocked - Organisations should have controls in place to prevent execution of malicious content. Browser settings, email filtering, and application controls all contribute here.
CONTROL 5: PATCH MANAGEMENT
Security updates for operating systems and applications must be applied within 14 days of release. Under Danzell, this control now carries two separate automatic failure conditions.
Danzell auto-fail conditions for patching:
- Operating systems and firmware - High or critical security updates for operating systems, routers, and firewall firmware must be applied within 14 days. Answering no to this question is an automatic fail.
- Applications - The same 14-day rule applies to applications, including their associated files and extensions. This is a separate auto-fail question introduced in Danzell.
Additional common failure points:
- No automatic updates enabled - For most organisations, enabling automatic updates is the simplest way to meet the 14-day requirement. Manual patch processes need documented evidence of compliance.
- Third-party applications missed - Windows Update keeps the OS patched, but third-party applications such as browsers, PDF readers, Java and productivity tools need separate update processes.
- Firmware not updated - Router and firewall firmware updates are frequently overlooked. Check your network hardware for available updates before submission.
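One way to test a patch inventory against the 14-day rule before submission, shown as an added example rather than anything from the assessment scheme or this guide's authors. The record layout, asset names and dates are constructed, and treating day 14 as still inside the window is an assumption.

```python
from datetime import date

WINDOW_DAYS = 14                      # the 14-day rule stated above
AUTO_FAIL = {"high", "critical"}      # severities named in the auto-fail questions
QUESTION = {"os": "os_firmware", "firmware": "os_firmware",
            "application": "applications"}   # the two separate questions

# Constructed sample inventory: asset names, updates and dates are hypothetical.
UPDATES = [
    {"asset": "laptop-01", "kind": "os", "severity": "critical",
     "released": date(2026, 5, 1), "installed": date(2026, 5, 9)},
    {"asset": "router-01", "kind": "firmware", "severity": "high",
     "released": date(2026, 5, 4), "installed": None},
    {"asset": "laptop-02", "kind": "application", "severity": "critical",
     "released": date(2026, 5, 20), "installed": None},
    {"asset": "laptop-03", "kind": "application", "severity": "high",
     "released": date(2026, 4, 10), "installed": date(2026, 5, 2)},
    {"asset": "server-01", "kind": "os", "severity": "low",
     "released": date(2026, 3, 1), "installed": None},
]

def check_patch_window(updates, as_of):
    """Return one finding per high/critical update not applied inside the window."""
    findings = []
    for u in updates:
        if u["severity"].lower() not in AUTO_FAIL:
            continue
        # Age runs to the install date, or to as_of if the update is still missing.
        end = u["installed"] or as_of
        age = (end - u["released"]).days
        if u["installed"] and age <= WINDOW_DAYS:
            continue                      # applied in time (day 14 counted as in time)
        if u["installed"]:
            status = "applied_late"       # patched, but the process missed the window
        elif age > WINDOW_DAYS:
            status = "overdue"            # unpatched and past the deadline
        else:
            status = "pending"            # unpatched, deadline not yet reached
        findings.append({"asset": u["asset"], "question": QUESTION[u["kind"]],
                         "status": status, "days_since_release": age})
    return findings

def failing_questions(findings):
    """Questions with an overdue update today (assumption: only 'overdue' counts)."""
    return {f["question"] for f in findings if f["status"] == "overdue"}

if __name__ == "__main__":
    for finding in check_patch_window(UPDATES, as_of=date(2026, 6, 1)):
        print(finding)
```

The "applied_late" status is kept separate because it shows where the update process has already missed the window, even though the device is patched now.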
THE DANZELL MFA AUTO-FAIL: THE BIGGEST NEW RISK
The single biggest change in Danzell - and the one most likely to catch organisations off guard - is the MFA auto-fail condition for cloud services.
Under Danzell, if any cloud service supports MFA and it is not enabled for all users, your assessment will automatically fail. There are no exceptions, no mitigations, and no partial credit. The condition applies to:
- Microsoft 365 and Azure AD / Entra ID
- Google Workspace
- Any SaaS platform accessed via an account - Xero, Salesforce, Dropbox, Slack, and similar
- Business social media accounts (LinkedIn company pages, Twitter/X, etc.)
The fix is straightforward but takes time to roll out across all users and all platforms. Audit every cloud service your organisation uses, confirm MFA is supported, and enable it for every account before you submit.
Microsoft 365 note: MFA can be enforced via Conditional Access policies or per-user MFA settings. Security Defaults (Microsoft's free baseline) enables MFA for all users and is acceptable for Cyber Essentials purposes. Check that it is actually enforced and not just enabled - users who have not yet registered their MFA method will fail at login and need prompting to complete setup.
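The audit described above can be run over a combined account export, as in this added example (not code from any vendor or from this guide's authors). The CSV column names and rows are constructed for illustration and do not match any real product's report format.

```python
import csv
import io

# Constructed export: one row per account per cloud service (hypothetical columns).
EXPORT = """service,supports_mfa,account,mfa_enforced,mfa_registered
Microsoft 365,yes,alice@example.org,yes,yes
Microsoft 365,yes,bob@example.org,yes,no
Google Workspace,yes,carol@example.org,no,no
Xero,yes,finance@example.org,yes,yes
Legacy portal,no,ops@example.org,no,no
"""

def is_yes(value):
    return value.strip().lower() == "yes"

def mfa_gaps(export_text):
    """Split accounts on MFA-capable services into the two gaps the guide describes."""
    gaps = {"not_enforced": [], "unregistered": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        if not is_yes(row["supports_mfa"]):
            continue   # the condition above only covers services that support MFA
        key = (row["service"], row["account"])
        if not is_yes(row["mfa_enforced"]):
            gaps["not_enforced"].append(key)    # MFA available but not required
        elif not is_yes(row["mfa_registered"]):
            gaps["unregistered"].append(key)    # required, but user has not set it up
    return gaps

def services_without_full_mfa(gaps):
    """Services with at least one account where MFA is not enforced."""
    return sorted({service for service, _ in gaps["not_enforced"]})

if __name__ == "__main__":
    result = mfa_gaps(EXPORT)
    print("Not enforced:", result["not_enforced"])
    print("Enforced, not yet registered:", result["unregistered"])
    print("Services to fix first:", services_without_full_mfa(result))
```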
GET YOUR SCOPE RIGHT BEFORE YOU START
Incorrect scoping is one of the most common causes of assessment failure - and one of the hardest to fix mid-process. Your scope must include:
- All devices that can access your organisation's data, email, or systems - including home working devices and personally-owned (BYOD) devices that access corporate resources
- All cloud services that store or process organisational data - these cannot be excluded under Danzell
- All servers and network infrastructure, including virtual machines hosted in cloud environments
Devices can only be excluded from scope if they are technically isolated from your network and data - and that isolation must be evidenced. Saying a device "doesn't really access anything important" is not sufficient.
Getting scoping right at the start avoids the scenario where a device or service is flagged during assessment that you had not accounted for, requiring remediation and resubmission.
YOUR PRE-SUBMISSION CHECKLIST
Before formally submitting your Cyber Essentials assessment, work through the following:
- MFA enabled on all cloud services for all users - no exceptions
- All OS versions supported - no Windows 10, no end-of-life operating systems
- All applications supported - check vendor support status for every app on in-scope devices
- Critical patches applied within 14 days - for OS, applications, and firmware
- Default credentials changed on all routers, firewalls, and network devices
- Admin and standard accounts separated - no routine tasks performed under admin accounts
- Stale accounts removed - no active accounts for former staff or unused services
- Anti-malware active and updated on all in-scope devices
- Scope confirmed - all devices, cloud services, and home worker devices identified and included
Use our free Cyber Essentials readiness checklist - 25 items across all five controls, updated for Danzell v3.3 - to confirm you are ready before you submit.
HOW VINCENT CYBER DEFENCE APPROACHES FIRST-TIME PASS
Our process is built around one goal: certifying you correctly, first time, without surprises.
Before you formally submit your assessment, we review your IT environment, identify any gaps against the five controls, and work with you to address them. We do not open a portal and hand you a questionnaire. We guide you through every question, flag anything that could cause a failure, and make sure your submission is solid before it is formally assessed.
If you have a deadline - a tender, a contract renewal, a MOD supply chain requirement - tell us upfront. We work backwards from your date and give you a clear timeline.
Ready to get certified? Vincent Cyber Defence is an IASME Approved Certification Body. Get in touch and we will scope your assessment, identify gaps, and guide you to a first-time pass.