Skip to content
Secure Select
Back to home
Resources

Cyber Essentials: what changed, and how to stay certified

Cyber Essentials is the UK government-backed certification that shows you have the basics of cybersecurity in place. More and more clients, insurers and public-sector contracts now expect it — and the latest update has made renewal meaningfully harder for small businesses.

If your certification used to be a quick form, this is the year it catches people out. Here’s what changed and what you actually need in place.

What changed

The recent update brought several things firmly into scope that many SMBs weren’t evidencing before:

  • Cloud services are in scope — Microsoft 365, Google Workspace, accounting and line-of-business SaaS all count.
  • Home and remote-working devices are in scope — anything used for work, wherever it is.
  • Multi-factor authentication (MFA) is mandatory for all internet-facing cloud services — for every user, not just admins.
  • A full software inventory is expected, with evidence of what’s installed across your devices.
  • Security updates within 14 days of release for anything high/critical — with documented evidence, not just a claim.

The common thread is evidence. It’s no longer enough to say you do these things — you need to be able to show it.

The five controls

Cyber Essentials covers five technical control areas. Here’s what each one means in plain English, and how SecureCore helps you meet and evidence it:

  • Firewalls — controlling what gets in and out of your network. SecureCore adds DNS filtering and intrusion detection on top of your existing firewall.
  • Secure configuration — devices set up safely, no default passwords or needless services. SecureCore continuously checks configuration and flags drift.
  • User access control — least privilege and MFA everywhere. SecureCore monitors account changes and privilege escalation and surfaces gaps.
  • Malware protection — active protection on every device. SecureCore combines anti-malware, network detection and DNS-level blocking.
  • Security update management — patching within 14 days, with evidence. SecureCore tracks vulnerabilities against live exploit data and shows what needs patching.

How SecureCore helps at renewal

SecureCore continuously checks your environment against all five controls, shows you where you’d pass or fail, and exports an evidence pack for your assessor in one click — so renewal stops being a scramble. It also tells you the moment something drifts out of compliance, before your auditor does.

A note on honesty: certification is issued by an accredited certification body, not by us. SecureCore is built to help you meet the controls and produce the evidence — we don’t issue the certificate, and Secure Select doesn’t claim certifications it doesn’t hold.

Serving Cardiff, Newport, Swansea, Cwmbran and across the UK

Not sure where you stand? Take the free security check or join the waitlist.