Published 9 July 2026 · Red Notice Security

Why most Cyber Essentials assessments fail

Cyber Essentials is the UK government-backed scheme that proves your baseline defences are in place. It covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. On paper, it sounds straightforward. In practice, most businesses fail their first submission.

The reason is almost always the same: gaps in the existing setup that nobody knew existed. A firewall rule that's too permissive. Software that hasn't been patched in months. Local administrator accounts that shouldn't still be active. These aren't catastrophic problems, but they're exactly what the assessment looks for.

A Cyber Essentials remediation plan is the structured way to close those gaps before you submit, or to fix them after a failed attempt.

What a Cyber Essentials remediation plan actually covers

A proper remediation plan isn't a vague list of "things to do better." It's a prioritised, documented set of changes mapped directly against the five Cyber Essentials controls. Here's what it includes:

1. Gap analysis against the five controls

Before you fix anything, you need to know what's broken. A gap analysis maps your current environment against each of the five Cyber Essentials technical controls:

  • Firewalls - are your边界defences configured correctly? Are unnecessary ports open?
  • Secure configuration - are default credentials changed? Are unnecessary services disabled?
  • User access control - do users have the minimum access they need? Are admin accounts separated from daily-use accounts?
  • Malware protection - is endpoint protection installed, up to date, and scanning regularly?
  • Patch management - are operating systems and applications patched within 14 days of release?

Most businesses discover three to five gaps they didn't know about. That's normal. The point of the remediation plan is to close them systematically.

2. Prioritised remediation actions

Not all gaps are equal. A missing patch on a public-facing server is more urgent than a configuration issue on an internal workstation. Your remediation plan should prioritise actions by risk:

  • Critical - issues that would definitely cause a failure (e.g. missing patches on internet-facing systems)
  • High - issues likely to cause a failure (e.g. shared admin accounts, no malware protection)
  • Medium - issues that might cause a failure depending on assessor interpretation (e.g. weak password policies)
  • Low - best practice improvements that strengthen your posture but aren't strictly required

3. Documented evidence requirements

Cyber Essentials is a self-assessment, but the assessor can ask for evidence. Your remediation plan should document:

  • What was changed and when
  • Who made the change
  • Before and after screenshots where relevant
  • Configuration exports or policy documents

4. Timeline and ownership

Every action in the plan needs a deadline and an owner. "We'll get around to it" isn't a plan. "John will update the firewall rules by Friday" is.

The five most common Cyber Essentials failures (and how to fix them)

After scoping dozens of businesses for Cyber Essentials, these are the failures we see most often:

1. Unpatched software

The problem: Operating systems or applications with known vulnerabilities that haven't been patched within 14 days.

The fix: Enable automatic updates where possible. For systems that can't auto-update, build a patching schedule and stick to it. Document your patching process.

2. No endpoint protection

The problem: Devices without antivirus or anti-malware software installed and running.

The fix: Install endpoint protection on every device. Windows Defender counts if it's enabled and up to date. Make sure it's scanning regularly.

3. Excessive user privileges

The problem: Users with local admin rights they don't need, or shared accounts used by multiple people.

The fix: Remove local admin rights from standard users. Eliminate shared accounts. Implement separate admin and standard accounts for anyone who needs elevated access.

4. Firewall misconfiguration

The problem: Default firewall rules left in place, unnecessary ports open, or no firewall at all on some devices.

The fix: Review firewall rules on all devices. Close unnecessary ports. Ensure firewalls are enabled on every device, including laptops.

5. Weak secure configuration

The problem: Default credentials, unnecessary software installed, or auto-run features enabled.

The fix: Change all default passwords. Remove unnecessary software. Disable auto-run and auto-play features.

How long does remediation take?

For most small to medium businesses, Cyber Essentials remediation takes two to four weeks. That includes the initial gap analysis, implementing fixes, and a pre-assessment review before you submit.

If you've already failed an assessment and need to remediate, the timeline depends on how many issues were flagged. Simple configuration changes can be done in days. More complex issues like patching legacy systems or restructuring user access may take longer.

DIY vs. professional remediation

You can absolutely do Cyber Essentials remediation yourself. The scheme is designed for self-assessment. However, most businesses choose to work with a security consultant because:

  • A consultant catches gaps you'd miss (we've seen it hundreds of times)
  • The remediation plan is documented and audit-ready
  • The pre-assessment review catches issues before submission
  • It's faster than learning the requirements from scratch

The cost of a consultant is typically less than the cost of a failed assessment, re-remediation, and re-submission.

Cyber Essentials remediation for government contracts

If you're bidding on government contracts, Cyber Essentials is often mandatory. The contract may require certification before you can even tender. This means your remediation timeline is driven by the procurement deadline, not your internal schedule.

For government contracts, we recommend starting the remediation plan at least six weeks before the certification deadline. This gives you time for gap analysis, fixes, pre-assessment review, and the actual assessment without rushing.

Some government contracts also require Cyber Essentials Plus (the higher tier with technical verification). The remediation requirements are stricter, and you'll need to demonstrate controls are working in practice, not just configured correctly.

Getting started

The fastest way to understand where you stand is a readiness assessment. We map your environment against the five Cyber Essentials controls, identify the gaps, and give you a clear remediation plan with priorities and timelines.

If you've already failed an assessment, we can review the failure report and build a targeted remediation plan to close the specific gaps that were flagged.

Cyber Essentials page Book a scoping call

Cyber Essentials remediation  ·  UK-registered security specialists  ·  Fixed-fee consulting