Why Do Companies Fail Cyber Essentials Plus?

Quick Answer

Patching gaps, incomplete MFA, and devices you forgot about. These three account for most failures.

The Usual Culprits

1. Patching isn't current

The standard says critical patches within 14 days. The assessor will check.

What catches people:

  • That server no one touches because "it just works"
  • Third-party software that doesn't auto-update
  • Devices that haven't been online recently
  • Firmware on firewalls and network kit

2. MFA isn't everywhere

You enabled MFA on Microsoft 365. Great. But:

  • Is it on your VPN?
  • Your firewall admin portal?
  • Every cloud service with company data?
  • Admin accounts on local machines?

Assessors check. One gap is a fail.

3. Forgotten devices in scope

Your scope includes every device that accesses company data. That means:

  • The MD's personal laptop they sometimes use for email
  • The old PC in the warehouse running stock software
  • Mobile phones accessing company email
  • That test machine the developer uses

If it's in scope and it's not compliant, you fail.

4. "We'll fix it before the assessment" optimism

Assessments get booked. Remediation takes longer than expected. Assessment day arrives. Things aren't ready.

This is avoidable with proper gap analysis and realistic timelines.

How to Pass First Time

Get a gap analysis before booking the assessment. Know exactly what needs fixing.

Fix everything before scheduling. Don't book the assessment until you're genuinely ready.

Remember your full scope. Document every device, every user, every system that touches company data.

Check the awkward stuff. That legacy system. The MD's iPad. The firewall firmware from 2019.
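
A minimal self-check along these lines, as an added example rather than our own tooling or anything an assessor runs: it walks an inventory and flags the three failure causes above. The inventory, its field names and the dates are constructed, and treating `oldest_missing_critical` as the release date of the oldest critical patch not yet installed is an assumption.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # the 14-day figure for critical patches quoted above

# Constructed sample inventory. Field names and values are assumptions.
# "in_scope" means the device accesses company data.
DEVICES = [
    {"name": "office-laptop-01", "in_scope": True, "managed": True,
     "last_seen": date(2025, 3, 9), "oldest_missing_critical": None},
    {"name": "warehouse-stock-pc", "in_scope": True, "managed": True,
     "last_seen": date(2025, 3, 10), "oldest_missing_critical": date(2025, 2, 1)},
    {"name": "field-laptop-07", "in_scope": True, "managed": True,
     "last_seen": date(2025, 1, 20), "oldest_missing_critical": None},
    {"name": "md-personal-laptop", "in_scope": True, "managed": False,
     "last_seen": None, "oldest_missing_critical": None},
    {"name": "edge-firewall", "in_scope": True, "managed": True,
     "last_seen": date(2025, 3, 10), "oldest_missing_critical": date(2025, 2, 24)},
]
SERVICES = [
    {"name": "Microsoft 365", "company_data": True, "mfa_enforced": True},
    {"name": "VPN", "company_data": True, "mfa_enforced": False},
    {"name": "Firewall admin portal", "company_data": True, "mfa_enforced": False},
]

def find_gaps(devices, services, today):
    """Return (asset, reason) pairs for everything that would need fixing."""
    gaps = []
    for d in devices:
        if not d["in_scope"]:
            continue
        if not d["managed"]:
            # Nothing reports on this device, so its patch level cannot be shown.
            gaps.append((d["name"], "in scope but unmanaged, patch state unknown"))
            continue
        if (today - d["last_seen"]).days > PATCH_WINDOW_DAYS:
            # Offline devices look clean only because the data is old.
            gaps.append((d["name"], "not seen recently, patch data is stale"))
        released = d["oldest_missing_critical"]
        if released and (today - released).days > PATCH_WINDOW_DAYS:
            age = (today - released).days
            gaps.append((d["name"], f"critical patch outstanding {age} days"))
    for s in services:
        if s["company_data"] and not s["mfa_enforced"]:
            gaps.append((s["name"], "MFA not enforced"))
    return gaps

if __name__ == "__main__":
    for asset, reason in find_gaps(DEVICES, SERVICES, date(2025, 3, 10)):
        print(f"{asset}: {reason}")
```

The firewall in the sample is exactly 14 days behind and is not flagged; one more day and it would be.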

What We Do

We run pre-assessment gap analysis that catches these issues before the real assessment. Our clients know exactly what needs fixing and have time to fix it.

For managed clients, most of this is already handled. Patching is current, MFA is enforced, devices are managed. Certification becomes a formality rather than a scramble.

---

- a gap analysis costs less than a failed assessment.

---