It’s late February, the certificate expires on 31 March, and the call comes through on a Wednesday. “Our assessor’s booked us in for next Tuesday, can you make sure everything’s ready?” There are seventeen laptops to check, three of them with personal admin accounts that shouldn’t exist, a server that hasn’t had its patch cycle reviewed since November, and a multi-factor authentication (MFA, needing a code as well as a password, usually a number from an app on your phone) rollout that’s at about 80% adoption, all with six working days to go.
We’ve worked clients through a Cyber Essentials Plus (CE+, the UK government’s annual cyber-hygiene certification, audited by an external assessor) renewal under that kind of pressure more than once. It’s possible, and we’ve never failed one for a client we’ve prepared, but the cost of doing it in six days versus 90 is roughly five times the consultancy hours. None of that needs to happen. The certification is annual, the expiry date is known a year in advance, and the fix is a prep-window calendar that starts the clock with 90 days to spare.
Why CE+ renewal is harder than people expect
Cyber Essentials (the self-assessment level) and Cyber Essentials Plus look similar on paper. They cover the same five technical controls: boundary firewalls, secure configuration, user access control, malware protection, patch management. The difference is that CE+ is externally audited. An assessor connects to a sample of your devices, runs technical tests, and checks that what you said you were doing is what’s actually configured.
That’s where the cost of last-minute prep hits. A self-assessment can be tidied up on paper in an afternoon, whereas an audit cannot. If your patching cadence has slipped, the assessor sees the slipped patches. If a user has local admin rights they shouldn’t have, the assessor sees it. If MFA isn’t on every cloud account, the assessor’s tooling flags it. There’s no narrative you can put around the technical evidence; it either passes or it doesn’t.
A 90-day window gives you time to find and fix the gaps before the assessor’s tools land on them.
Common failure modes
The patterns we see when prep starts too late:
- Patch backlog. The patching policy (your routine for installing security updates) says “within 14 days for high-severity”. The actual lag is six weeks because the patching window keeps getting rescheduled around month-end close.
- Local admin accounts. Set up years ago for someone who left, never cleaned up. They show up in the audit as a user with admin rights and no MFA.
- Unmanaged devices. The new starter who began using a personal laptop “just for now” three months ago. The director who’s syncing email to an iPad nobody’s enrolled in mobile device management (the tool that lets you wipe a lost phone remotely).
- MFA gaps. MFA’s on the email accounts. It isn’t on the accounting system, the CRM, or the file-share. The audit scope’s wider than people remember.
- Out-of-support software. That one machine running an old version of Sage because the new version costs £1,200. It’s been flagged in the inventory for two years and nobody’s owned the conversation about replacing it.
Each of these takes weeks to fix properly, not days.
The 90-day prep calendar
The calendar runs backwards from the audit date. Five milestones, each with a clear deliverable.
Day 90 to 75: Scoping and inventory
What this means in practice: confirm what’s in scope for the audit, list every device and account, and book the assessor.
The scope is the foundation. CE+ covers everything that handles your business data: every endpoint (the laptops, phones and tablets people work on), every server, every cloud service, every user account. We’ve watched scope arguments stretch to week three of a 90-day plan; better to settle it on day one. Pull the full asset list. Cross-reference it against payroll (everyone employed should have a device or know why they don’t), against your Microsoft 365 (M365, the Microsoft cloud bundle: email, Word, Excel, Teams, file storage) admin centre (every account should match an employee), against your mobile device management console (every phone with company email should be enrolled). Anything that doesn’t reconcile gets investigated this week.
Book the assessor by day 75, at the end of this stage. That fixes the audit date, and everything else hangs off it.
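The reconciliation described above (asset list against payroll, M365 admin centre and the MDM console) is mechanical enough to script. The following is an added example, not JMO|Partners’ tooling: it takes four small constructed exports, shaped the way a CSV export read with csv.DictReader would look, and reports every record that fails to reconcile. The field names, the sample people and the serial numbers are all assumptions made up for the example.

```python
"""Day-90-to-75 inventory reconciliation (added example, constructed data).

Checks, in the order the article lists them:
  - every enabled M365 account matches an active employee,
  - every active employee has a device on the asset register,
  - every phone on the asset register is enrolled in MDM.
Anything that does not reconcile is returned for investigation.
"""
from dataclasses import dataclass, field

# Constructed sample exports. Real runs would load these from the payroll,
# M365 admin centre, asset register and MDM console CSVs.
PAYROLL = [
    {"email": "alice@example.co.uk", "status": "active"},
    {"email": "bob@example.co.uk", "status": "active"},
    {"email": "carol@example.co.uk", "status": "leaver"},    # left last month
    {"email": "dave@example.co.uk", "status": "active"},
]

M365_ACCOUNTS = [
    {"email": "alice@example.co.uk", "enabled": True},
    {"email": "bob@example.co.uk", "enabled": True},
    {"email": "carol@example.co.uk", "enabled": True},       # leaver, still enabled
    {"email": "svc-backup@example.co.uk", "enabled": True},  # no matching employee
]

ASSET_REGISTER = [
    {"serial": "LT-001", "type": "laptop", "owner": "alice@example.co.uk"},
    {"serial": "LT-002", "type": "laptop", "owner": "bob@example.co.uk"},
    {"serial": "PH-010", "type": "phone", "owner": "alice@example.co.uk"},
    {"serial": "PH-011", "type": "phone", "owner": "bob@example.co.uk"},
]  # dave has nothing assigned on the register

MDM_ENROLLED = {"PH-010"}  # PH-011 syncs company email but was never enrolled


@dataclass
class Reconciliation:
    """Each list is a category of 'does not reconcile' finding."""
    accounts_without_employee: list = field(default_factory=list)
    leavers_with_live_account: list = field(default_factory=list)
    employees_without_device: list = field(default_factory=list)
    mobiles_not_in_mdm: list = field(default_factory=list)

    def is_clean(self) -> bool:
        return not any(vars(self).values())


def reconcile(payroll, accounts, assets, mdm_enrolled) -> Reconciliation:
    active = {p["email"] for p in payroll if p["status"] == "active"}
    leavers = {p["email"] for p in payroll if p["status"] != "active"}
    result = Reconciliation()

    # Every enabled account should belong to a current employee. Service
    # accounts (no employee behind them) are not automatically wrong, but
    # they need an owner and a reason, so they are surfaced for review.
    for account in accounts:
        if not account["enabled"]:
            continue
        if account["email"] in leavers:
            result.leavers_with_live_account.append(account["email"])
        elif account["email"] not in active:
            result.accounts_without_employee.append(account["email"])

    # Every active employee should have a device, or know why they don't.
    owners = {device["owner"] for device in assets}
    result.employees_without_device = sorted(active - owners)

    # Every phone with company email should be enrolled in MDM.
    result.mobiles_not_in_mdm = sorted(
        device["serial"] for device in assets
        if device["type"] == "phone" and device["serial"] not in mdm_enrolled
    )
    return result


if __name__ == "__main__":
    findings = reconcile(PAYROLL, M365_ACCOUNTS, ASSET_REGISTER, MDM_ENROLLED)
    for category, items in vars(findings).items():
        print(f"{category}: {items or 'clean'}")
```

Run against the constructed data it flags the service account, the leaver whose account is still enabled, the employee with no registered device and the unenrolled phone: four items to investigate in the scoping week. The point of keeping each category separate is that each one goes to a different owner (HR for the leaver, IT for the phone, the service account to whoever runs backups).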
Day 75 to 60: Gap test against the five controls
What this means in practice: run through each of the five CE+ controls and write down where you currently stand against each. This is the dress rehearsal stage. We use a simplified version of the assessor’s own checklist and walk through it like an audit. Boundary firewalls: is every endpoint behind a software firewall, with default-deny on inbound? Secure configuration: default passwords changed everywhere, no unused services running? User access: are there any standing admin accounts, is MFA on every cloud service, is there an offboarding process and is it being followed? Malware protection: is the endpoint protection live on every device, with current signatures? Patch management: are high-severity patches applied within 14 days?
For each control, a RAG status: green (clean), amber (one or two findings), red (systemic). The red items get owners and remediation plans this week.
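The gap test and the RAG scoring lend themselves to a script that can be re-run unchanged at the day-30 verification pass. The block below is an added example, not the assessor’s checklist or JMO|Partners’ own tooling. It scores four of the five controls (boundary firewalls, user access, malware protection, patch management) from small constructed evidence sets; secure configuration is left out because its evidence is mostly manual. The RAG scale is the article’s (clean, one or two findings, systemic), with “systemic” taken as three or more findings, and the seven-day signature-age threshold is an assumption, as are all the device names and dates.

```python
"""Day-75-to-60 gap test with RAG scoring (added example, constructed data)."""
from datetime import date

GREEN, AMBER, RED = "green", "amber", "red"
AS_OF = date(2025, 1, 15)  # constructed 'today' for the evidence below


def rag(findings: list) -> str:
    """Article's scale: clean = green, one or two findings = amber,
    systemic = red. 'Systemic' is taken here as three or more (assumption)."""
    if not findings:
        return GREEN
    return AMBER if len(findings) <= 2 else RED


# --- constructed evidence -------------------------------------------------
PATCH_REPORT = [
    # (device, patch, severity, released, installed or None if outstanding)
    ("LT-001", "KB-A", "high", date(2024, 12, 1), date(2024, 12, 5)),
    ("LT-002", "KB-A", "high", date(2024, 12, 1), None),              # still outstanding
    ("SRV-01", "KB-B", "high", date(2024, 12, 20), date(2025, 1, 10)),  # applied late
    ("LT-001", "KB-C", "low", date(2024, 12, 1), None),               # not in the 14-day rule
]
ACCOUNTS = [
    # (account, is_admin, mfa_enabled)
    ("alice", False, True),
    ("bob", False, True),
    ("it-admin", True, True),
    ("old-admin", True, False),  # set up years ago, never cleaned up
]
CLOUD_MFA = {"email": True, "accounting": False, "crm": True, "file-share": True}
ENDPOINTS = [
    # (device, protection_running, signature_date, inbound_default_deny)
    ("LT-001", True, date(2025, 1, 14), True),
    ("LT-002", True, date(2024, 12, 20), True),  # stale signatures
    ("SRV-01", True, date(2025, 1, 15), True),
]


# --- one check per control -------------------------------------------------
def patch_findings(report, as_of=AS_OF, sla_days=14):
    """High-severity patches applied, or still outstanding, beyond 14 days."""
    out = []
    for device, patch, severity, released, installed in report:
        if severity != "high":
            continue
        lag = ((installed or as_of) - released).days
        if lag > sla_days:
            state = "outstanding" if installed is None else "applied"
            out.append(f"{device}: {patch} {state} after {lag} days")
    return out


def access_findings(accounts, cloud_mfa):
    """Standing admin accounts, admins without MFA, services without MFA."""
    out = [f"standing admin account: {a}" for a, admin, _ in accounts if admin]
    out += [f"admin without MFA: {a}" for a, admin, mfa in accounts if admin and not mfa]
    out += [f"MFA not enforced on {svc}" for svc, on in cloud_mfa.items() if not on]
    return out


def malware_findings(endpoints, as_of=AS_OF, max_signature_age=7):
    """Endpoint protection live on every device, with current signatures."""
    out = []
    for device, running, signatures, _ in endpoints:
        age = (as_of - signatures).days
        if not running:
            out.append(f"{device}: protection not running")
        elif age > max_signature_age:
            out.append(f"{device}: signatures {age} days old")
    return out


def firewall_findings(endpoints):
    """Every endpoint behind a software firewall with default-deny inbound."""
    return [f"{d}: inbound not default-deny" for d, _, _, deny in endpoints if not deny]


def gap_test(report, accounts, cloud_mfa, endpoints):
    """Returns {control: (rag, findings)}; the same call serves the day-30 re-run."""
    checks = {
        "boundary firewalls": firewall_findings(endpoints),
        "user access control": access_findings(accounts, cloud_mfa),
        "malware protection": malware_findings(endpoints),
        "patch management": patch_findings(report),
    }
    return {control: (rag(f), f) for control, f in checks.items()}


if __name__ == "__main__":
    for control, (status, findings) in gap_test(PATCH_REPORT, ACCOUNTS, CLOUD_MFA, ENDPOINTS).items():
        print(f"{status.upper():5} {control}")
        for line in findings:
            print(f"      - {line}")
```

On the constructed evidence the firewall control comes back green, patching and malware protection amber (two late high-severity patches; one laptop with month-old signatures), and user access red: two standing admin accounts, one of them without MFA, plus an accounting system with no MFA enforced. That red item is the one that gets an owner and a remediation plan this week; keeping the findings as plain strings means the same output doubles as the evidence trail for the day-30 verification.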
Day 60 to 30: Remediation
What this means in practice: fix the gaps you found in the dress rehearsal, in priority order.
Thirty days is enough to do most CE+ remediation work without burning out the team. MFA rollouts, local admin cleanups, patch catch-up, software replacement, mobile device management enrolment: all doable inside the window if they were clearly identified in the previous step. The discipline is sequencing: do the changes that touch the most users first, because those are the ones that surface the unexpected pushback. The accountant who can’t log in after MFA goes live; the director who wants to keep their personal laptop. Better to surface those in week six than week twelve.
Day 30 to 14: Verification pass
What this means in practice: re-run the gap test, confirm every previously-red and previously-amber item is now green, and lock down change.
The verification pass is the rehearsal of the rehearsal. Same checklist, same RAG, fresh eyes, ideally somebody who wasn’t involved in the remediation work, because they’ll catch what the implementer thinks they fixed. From day 30 onward, a change freeze applies: nothing new gets installed, no admin rights get handed out, scope stops growing. The estate needs to be stable for the audit window so the auditor sees what you tested.
Day 14 to audit: Light touch and evidence pack
What this means in practice: prepare the documentation the assessor needs, communicate the audit to the team, and avoid making changes.
The last two weeks aren’t a sprint; they’re a hold. Pull together the evidence pack: asset register, user list, MFA proof, patch reports, anti-malware deployment proof, leaver process documentation. Brief the team that the assessor will be in touch and may need 10 minutes of their time. If a critical patch lands during this window it still gets applied (security beats process), but log it carefully and tell the assessor up front.
Where SMEs trip
Two things, repeatedly:
The first is conflating Cyber Essentials with Cyber Essentials Plus. The self-assessment level can be done in a day if the estate is in reasonable shape, whereas CE+ cannot. We’ve had clients book a CE+ assessor expecting a paperwork exercise and then realise on day one that the assessor is going to actually plug a laptop in. The 90-day window is built around CE+ specifically.
The second is treating it as a once-a-year tax. The whole point of an annual certification is that it’s an annual checkpoint on a continuous process. If you do nothing between renewals, the gap test in month two of the next prep cycle is going to look like the gap test from the year before. Bake the five controls into the operating rhythm: monthly patch reviews, quarterly admin-account audits, semi-annual MFA verification. The prep window then becomes a verification exercise, not a remediation exercise.
What good looks like
When this is working, the 90-day window is comfortable. The day-75 gap test comes back mostly green with two or three amber items that get fixed inside two weeks. The day-30 verification confirms it. The auditor arrives, runs their tooling, asks for the evidence pack, and signs the certificate within two weeks of the assessment date. The team barely notices it happened.
That’s the goal: a renewal that feels like a check-up, not an exam.
Where this lands with us
CE+ renewal sits inside our Security Solutions practice. For most managed clients we run the calendar from day 90 through to certification: we do the gap test, manage the remediation, prepare the evidence pack, and coordinate with the assessor. For clients who want to drive it internally, we’ll do the gap test and remediation plan and hand it over.
A failed CE+ audit isn’t an internal embarrassment; it’s a contract you lose the next time a customer asks for proof of certification, a cyber-insurance premium that jumps at renewal, and a public mark that takes 12 months to fix. The 90-day window is the cheap version and six days is the expensive one. Choose which call you’d rather be making.
Renewal date sneaking up on you? Drop us a note at info@jmopartners.co.uk and we’ll book a scoping call.
Want the printable version of this checklist? Drop us a note at info@jmopartners.co.uk and we’ll send it through.
JMO|Partners · Enterprise IT, sized for SMEs.