1 - You need to be more precise in your scope
2 - You need a complete picture of your assets
3 - You must properly enforce MFA everywhere it’s required
I’ve been delivering Cyber Essentials since 2014. I’ve seen the scheme evolve from a relatively simple baseline control framework into a far more structured, mature certification that genuinely improves security posture when done properly.
In April 2026, IASME will release Version 16 of the questionnaire (codenamed Danzell), replacing the current Version 15 (Willow).
This isn’t a cosmetic update. It’s a tightening of definitions, a clarification of expectations, and in some areas, a raising of the bar.
If you’re already certified — or planning to be — here’s exactly what’s changing and what you need to do to remain compliant.
1. Scope: You must be precise (no more grey areas)
One of the biggest shifts in the 2026 update is around scope clarity.
Cyber Essentials has always required organisations to define whether certification covers:
The whole organisation
A specific business unit
Specific locations
Specific systems
However, the new questionnaire removes ambiguity. You’ll now need to be far more precise about:
What networks are in scope
What users are in scope
What physical and cloud environments are included
Whether segmentation between scoped and unscoped systems is properly enforced
What you must do
If you certify the whole organisation:
Make sure every user, device, and cloud service is covered
Confirm there are no “informal” exclusions
If you certify part of the organisation:
Demonstrate clear technical segregation
Make sure scoped systems are protected from unscoped systems
Be able to explain and evidence network separation
Make sure user access from outside scope can’t compromise in-scope systems
This will particularly affect:
Multi-site organisations
Group structures with shared IT
Businesses with partially outsourced IT
Organisations using shared cloud tenants
If your scope statement is vague, expect challenge from your assessor.
2. Asset visibility: You need a complete picture
The updated questionnaire strengthens requirements around declaring:
Network equipment
Operating systems (including quantities)
Cloud services in use
The direction is clear: IASME wants a complete and accurate inventory.
What you must do
Maintain an up-to-date asset register
Know exactly how many endpoints you have
Confirm all operating systems are supported by the vendor
Identify and remove any legacy or unsupported systems
List all cloud services used for business purposes — including SaaS platforms
Eliminate shadow IT
If you can’t clearly state what you have, you’re unlikely to pass confidently.
Unsupported operating systems remain an immediate fail.
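The two things this section asks you to be able to state, the quantity of each operating system and whether the vendor still supports it, fall straight out of a clean asset register. The script below is an added example, not part of the article: it takes constructed inventory rows in a shape you would export from your own register, checks them against a support table you maintain from vendor lifecycle pages (the Windows 10 22H2 and Windows Server 2012 R2 dates are the published Microsoft dates; treat the other entries as placeholders to verify), and produces the quantities the questionnaire asks for plus the hosts that will fail.

```python
"""Build the OS quantities the questionnaire asks for and flag unsupported or
unknown systems. Added example; inventory rows and support table are constructed."""
from collections import Counter
from datetime import date

# Assumption: a table you maintain from vendor lifecycle pages, keyed by
# (os, version). The two Windows dates are the published Microsoft dates;
# the others are placeholders and must be checked against the vendor.
SUPPORT_ENDS = {
    ("Windows 10", "22H2"): date(2025, 10, 14),
    ("Windows Server", "2012 R2"): date(2023, 10, 10),
    ("Windows 11", "24H2"): date(2026, 10, 13),   # placeholder: verify per edition
    ("Ubuntu", "22.04 LTS"): date(2027, 4, 30),   # placeholder: verify with Canonical
}

# Constructed export from an asset register. LT-002 appears twice and
# MAC-001 has no entry in the support table, both deliberate.
ASSETS = [
    {"host": "LT-001", "type": "laptop", "os": "Windows 11", "version": "24H2"},
    {"host": "LT-002", "type": "laptop", "os": "Windows 11", "version": "24H2"},
    {"host": "LT-002", "type": "laptop", "os": "Windows 11", "version": "24H2"},
    {"host": "LT-003", "type": "laptop", "os": "Windows 10", "version": "22H2"},
    {"host": "SRV-FILE", "type": "server", "os": "Windows Server", "version": "2012 R2"},
    {"host": "SRV-WEB", "type": "server", "os": "Ubuntu", "version": "22.04 LTS"},
    {"host": "MAC-001", "type": "laptop", "os": "macOS", "version": "15"},
]


def support_status(asset, as_of):
    """'supported', 'unsupported' or 'unknown' (not in the table, so you
    cannot yet state whether it is supported)."""
    end = SUPPORT_ENDS.get((asset["os"], asset["version"]))
    if end is None:
        return "unknown"
    return "supported" if end >= as_of else "unsupported"


def inventory_report(assets, as_of):
    """Deduplicate by hostname, count each (os, version) and list problem hosts."""
    report = {"quantities": {}, "unsupported": [], "unknown": [], "duplicates": []}
    seen = {}
    for a in assets:
        if a["host"] in seen:
            report["duplicates"].append(a["host"])
            continue
        seen[a["host"]] = a
    report["quantities"] = dict(Counter((a["os"], a["version"]) for a in seen.values()))
    for a in seen.values():
        status = support_status(a, as_of)
        if status != "supported":
            report[status].append(a["host"])
    return report


def questionnaire_lines(report):
    """One line per OS/version with its quantity, as the question expects."""
    return [f"{os} {ver}: {n}" for (os, ver), n in sorted(report["quantities"].items())]


if __name__ == "__main__":
    r = inventory_report(ASSETS, date(2026, 4, 1))
    print("\n".join(questionnaire_lines(r)))
    print("unsupported:", r["unsupported"])
    print("unknown (check vendor):", r["unknown"])
    print("duplicate register rows:", r["duplicates"])
```

Anything in the unsupported list is the immediate fail the article describes; anything in the unknown list is a system you cannot yet make a truthful declaration about, which is the same problem from the assessor's side. Run it against the actual register, not a spreadsheet someone remembers being accurate.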
3. MFA: You must properly enforce it everywhere it’s required
Multi-factor authentication has been mandatory for some time, but Version 16 sharpens expectations around its implementation — particularly in cloud environments.
The key shift is this:
MFA must be enforced, not merely available or registered. If any account can still sign in without a second factor, that account is a gap.
What you must do
Enforce MFA on all cloud services handling organisational data.
Make sure MFA is enabled for all administrator accounts.
Review backup admin accounts.
Review service accounts.
Review legacy SaaS platforms.
Confirm there are no bypass routes.
Common failure points I still see:
Secondary admin accounts without MFA.
Shared accounts with weak authentication.
MFA applied to “most” users, but not all.
Conditional access misconfigurations.
From 2026 onward, partial MFA implementation is not defensible.
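Every failure point listed above is visible in data you can export from your identity provider: who holds admin roles, who has registered a second factor, and which Conditional Access policies actually apply to whom. The script below is an added example, not the article's own material: the record shapes and the state vocabulary ("enabled", "reportOnly", "disabled") are assumptions standing in for whatever your tenant export looks like, and the accounts and policies are constructed. It separates "registered for MFA" from "MFA enforced by a live policy", and surfaces the classic bypass routes: an excluded backup admin, an excluded service-account group, a report-only policy that enforces nothing, and a shared login.

```python
"""Audit a constructed tenant export for MFA gaps and bypass routes.
Added example; record shapes are assumptions, sample data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    upn: str
    roles: tuple = ()          # directory roles held, e.g. ("Global Administrator",)
    groups: tuple = ()         # memberships that policy exclusions may reference
    mfa_registered: bool = False
    shared: bool = False       # credentials used by more than one person


@dataclass(frozen=True)
class CaPolicy:
    name: str
    state: str                 # assumed vocabulary: "enabled", "reportOnly", "disabled"
    requires_mfa: bool
    include_all_users: bool = False
    include_users: frozenset = frozenset()
    exclude_users: frozenset = frozenset()
    exclude_groups: frozenset = frozenset()


def enforces_mfa_for(policy: CaPolicy, acct: Account) -> bool:
    """True only if the policy is live, requires MFA, targets the account and
    does not exclude it. Report-only and disabled policies enforce nothing."""
    if policy.state != "enabled" or not policy.requires_mfa:
        return False
    if acct.upn in policy.exclude_users or set(acct.groups) & policy.exclude_groups:
        return False
    return policy.include_all_users or acct.upn in policy.include_users


def audit(accounts, policies):
    """Return (finding, subject, severity) tuples. Admin accounts are high."""
    findings = []
    for p in policies:
        if p.requires_mfa and p.state != "enabled":
            findings.append(("policy-not-enforced", p.name, "high"))
    for a in accounts:
        sev = "high" if a.roles else "medium"
        if a.shared:
            findings.append(("shared-account", a.upn, sev))
        if not a.mfa_registered:
            findings.append(("mfa-not-registered", a.upn, sev))
        if not any(enforces_mfa_for(p, a) for p in policies):
            findings.append(("mfa-not-enforced", a.upn, sev))
    return findings


# Constructed sample: one excluded backup admin, one excluded service-account
# group, one user who has not finished registering, one shared login.
ACCOUNTS = [
    Account("alice@example.com", roles=("Global Administrator",), groups=("Staff",), mfa_registered=True),
    Account("breakglass@example.com", roles=("Global Administrator",)),
    Account("bob@example.com", groups=("Staff",), mfa_registered=True),
    Account("carol@example.com", groups=("Staff",)),
    Account("svc-backup@example.com", groups=("Service Accounts",)),
    Account("reception@example.com", groups=("Staff",), mfa_registered=True, shared=True),
]

POLICIES = [
    CaPolicy("Require MFA for all users", "enabled", True, include_all_users=True,
             exclude_users=frozenset({"breakglass@example.com"}),
             exclude_groups=frozenset({"Service Accounts"})),
    CaPolicy("Require MFA for admins (pilot)", "reportOnly", True,
             include_users=frozenset({"alice@example.com", "breakglass@example.com"})),
]

if __name__ == "__main__":
    for finding, subject, severity in sorted(audit(ACCOUNTS, POLICIES), key=lambda f: f[2]):
        print(f"[{severity}] {finding}: {subject}")
```

In the sample, alice and bob come back clean; carol is registered-pending but enforced, so she will be challenged at her next sign-in; the break-glass admin and the service account are enforced by nothing, which is exactly the "secondary admin without MFA" and "bypass route" case the article warns about. Treat every exclusion the script surfaces as something you must be able to justify to the assessor, not as noise.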
4. Changes to question wording
Many questions have been reworded.
While it might seem minor, in practice it reduces interpretation flexibility. Over the years, I’ve seen organisations answer based on how they thought the question was intended. The revised wording tightens this.
Areas with clearer phrasing include:
Supported operating systems
Firewall protections
Secure configuration requirements
User access controls
What you must do
Read every question carefully.
Don’t reuse last year’s answers without reviewing them.
Validate that your interpretation aligns with the updated wording.
Make sure whoever completes the questionnaire understands the technical controls.
Cyber Essentials is increasingly intolerant of “assumed compliance”.
5. Expansions to administrative and contractual information
The new questionnaire includes refined administrative questions covering:
Regulators
Contracting authorities
Grant authorities
Organisational registration details
This aligns Cyber Essentials more closely with public sector procurement frameworks.
What you must do
Make sure your organisation’s legal details are accurate.
Confirm any relevant regulatory oversight.
Check procurement-related declarations.
While not technical, errors here can delay certification.
What hasn’t changed
The five core control areas remain the same:
Firewalls
Secure configuration
User access control
Malware protection
Security update management
Cyber Essentials is still a baseline technical standard. But the tolerance for incomplete implementation is reducing.
If you’re already certified: Your 2026 preparation checklist
Here’s exactly what I recommend doing before April 2026:
1. Review your scope
Confirm it is technically accurate
Confirm segmentation works
Update scope statements if necessary
2. Conduct a full asset audit
Endpoints
Servers
Network devices
Cloud services
Remote users
Mobile devices
3. Validate operating system support
Remove unsupported systems
Confirm patching processes are active and effective
4. Enforce MFA everywhere required
All cloud services
All administrators
All remote access
No exceptions
5. Review admin account hygiene
No shared admin accounts
Remove dormant accounts
Apply least privilege
6. Perform a gap analysis before renewal
Don’t wait until renewal week. Conduct a pre-assessment review at least 2–3 months in advance.
What to expect if you’re new to Cyber Essentials
If you’ve never been through Cyber Essentials before, here’s what you should understand:
It’s a self-assessment questionnaire verified by an external certification body
You must answer truthfully
Evidence may be requested
If applying for Cyber Essentials Plus, technical testing will validate your answers
You should expect to:
Document your IT environment properly
Implement baseline security controls
Patch systems promptly
Enforce MFA
Secure remote access
Remove unsupported systems
It’s not a paperwork exercise, and if you treat it as one, you’ll struggle.
However, if implemented properly, Cyber Essentials provides:
A strong baseline security posture
Increased resilience against common attacks
Credibility in procurement
Protection against commodity threats
My professional view
Having delivered this scheme since 2014, I can say confidently:
The direction of travel is positive.
IASME is reducing ambiguity, strengthening cloud security expectations, and increasing the integrity of certification.
This update isn’t about making certification harder for the sake of it. It’s about ensuring that a Cyber Essentials badge genuinely means something.
If your organisation already takes security seriously, these changes will be manageable.
If you’ve been skating close to the edge, April 2026 will expose that.
If you’d like a readiness review, gap analysis, or support preparing for the new questionnaire, now is the time to start.
Cyber Essentials should be your foundation — not your finish line.
