RENEWAL & MAINTENANCE

Our Cyber Essentials certificate is expiring. What do we need to do?

Cyber Essentials certificates last 12 months. Renewing is not as simple as resubmitting the same answers — your environment may have changed in ways that affect your compliance. Here is how to approach renewal correctly.

Why renewal is not just an administrative exercise

When Cyber Essentials was first introduced, many organisations treated annual renewal as a formality — resubmitting last year's answers with minor updates. That approach is increasingly unreliable.

The Cyber Essentials standard itself is updated periodically. Assessment requirements have tightened significantly, particularly around cloud services, mobile device management, and MFA. Controls that were acceptable previously may no longer meet current requirements.

Your own environment will also have changed. New devices, software, cloud services, staff, network changes — all can affect your compliance posture. An honest renewal starts with a fresh assessment of your current environment against the current standard.

What commonly changes between renewals

Common areas where organisations discover gaps at renewal are: patch management (new devices not brought into the patching process), cloud services (new SaaS applications not configured securely), user access control (staff changes leaving old accounts active), and MFA (expanded requirements in the standard).

What happens if your certificate lapses

If your certificate expires before renewal, you need to recertify from scratch. There is no grace period. A lapsed certificate is the same as no certificate — and if a contract requires a valid certificate, a lapse puts that contract at risk.

How far in advance to start

Start your renewal process at least six weeks before expiry. That gives time to conduct a gap assessment, address issues, and complete the renewal without pressure. If your environment has changed significantly or you are upgrading to CE Plus, start eight to ten weeks out.

CHECK THE CURRENT STANDARD BEFORE YOU RESUBMIT

The Cyber Essentials standard is updated periodically. Before renewing, confirm you are assessing against the current version — not the version from when you first certified. Requirements around cloud services, MFA, and mobile devices have all tightened.
