Cyber Essentials has changed recently, and one of the most significant changes, in my opinion, is the requirement for a senior executive to formally declare that security controls are continuously assessed throughout the year. That is a fundamental change, not just a paperwork tweak: it shifts accountability, and it changes how organisations have to approach compliance.

What does this change really mean?

  1. Accountability moves to the top

Executives (often a CEO, CFO, or board-level director) are now personally attesting that controls are not just “point-in-time compliant” but actively maintained. This raises the stakes: a false declaration could have legal, reputational, and contractual consequences.

  2. End of “annual checkbox” compliance

Previously, many organisations treated Cyber Essentials as a once-a-year exercise. This change pushes toward continuous assurance, more in line with standards like ISO/IEC 27001 or frameworks such as the NIST Cybersecurity Framework.

  3. Increased audit and insurance implications

Cyber insurers and regulators may treat this declaration as evidence of due diligence, or as evidence of negligence if something goes wrong and the controls turn out not to have been maintained. Expect more scrutiny if a breach occurs.

  4. Cultural shift toward operational security

Security becomes an ongoing business process, not an IT task. It requires coordination across the company, up to and including senior management.

How can organisations actually deliver “continuous assessment”?

This is where many companies will struggle, because the declaration implies evidence, not intention.

  1. Continuous monitoring of key controls

Use tools that provide ongoing visibility into:

  • Patch management status
  • Vulnerability scanning
  • Endpoint protection health
  • Firewall and access control configurations

Common tooling might include:

  • Endpoint detection & response (EDR)
  • Vulnerability management platforms
  • Security configuration monitoring tools

  2. Defined control testing schedule

Not everything needs real-time monitoring, but you should have:

  • Monthly or quarterly control checks
  • Automated scans (vulnerability scans at least weekly)
  • Regular access reviews (e.g., user permissions and privileged accounts)

  3. Centralised logging and alerting

Implement:

  • A managed detection and response (MDR) service
  • Alerts for control failures (e.g., antivirus disabled, patch failures, a device that has stopped reporting)

This creates an audit trail, which is critical if leadership is signing a declaration.

  4. Metrics and reporting to leadership

Executives need evidence to sign confidently:

  • Security dashboards
  • KPIs (e.g., patch SLAs, vulnerability remediation times)
  • Regular security reports to the board

  5. Policies backed by enforcement

It’s not enough to have policies; you need:

  • Technical enforcement (e.g., blocking unpatched devices from the network)
  • Automated compliance checks

  6. Internal audits or independent checks

Periodic internal reviews or external assessments validate that controls are actually working, rather than merely configured.

Practical example

Instead of saying:

“We apply patches”

You now need to demonstrate:

  • All devices report patch status daily
  • Alerts trigger if patches are overdue
  • Reports show compliance over time
  • Exceptions are tracked and approved
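The four patching points above, together with the control-failure alerts mentioned earlier, can be turned into evidence with a small amount of scripting. What follows is an added example, not code from the original article or from any product it mentions. It takes constructed daily check-ins from a handful of endpoints, applies a 14-day SLA counted from a security update’s release date (the figure Cyber Essentials uses for critical and high-risk updates), honours only exceptions that are approved and not yet expired, treats a device that has gone quiet as a finding in its own right, and produces the day’s compliance figure and alert lines that a dashboard or board report would be built from. The device names, the check-in format and the exception register are all assumptions made for the example.

```python
"""Added example (not from the original article or any product it names):
turning daily device patch check-ins into the evidence behind a declaration.

Assumed: each endpoint reports once a day with the release date of the oldest
security update it has not yet installed; the SLA is 14 days from release
(the Cyber Essentials figure for critical and high-risk updates); exceptions
are approved by a named person and expire.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SLA_DAYS = 14          # updates must be applied within 14 days of release
STALE_AFTER_DAYS = 2   # a device silent for longer than this is a finding in itself


@dataclass(frozen=True)
class PatchReport:
    """One daily check-in from an endpoint agent (constructed format)."""
    device: str
    reported: date                          # date of the device's last check-in
    oldest_missing_release: Optional[date]  # release date of the oldest missing update; None = fully patched


@dataclass(frozen=True)
class ApprovedException:
    """A tracked, approved and time-boxed exception from the patching policy."""
    device: str
    approved_by: str
    expires: date


def classify(report: PatchReport, exceptions: Dict[str, ApprovedException], today: date) -> str:
    """Return 'compliant', 'overdue', 'excepted' or 'stale' for one device."""
    if (today - report.reported).days > STALE_AFTER_DAYS:
        return "stale"            # no recent evidence is itself a control failure
    if report.oldest_missing_release is None:
        return "compliant"
    if (today - report.oldest_missing_release).days <= SLA_DAYS:
        return "compliant"        # missing, but still inside the SLA window
    exc = exceptions.get(report.device)
    if exc is not None and exc.expires >= today:
        return "excepted"         # overdue, but covered by a live approved exception
    return "overdue"              # no exception, or one that has expired


def summarise(reports: List[PatchReport], exceptions: Dict[str, ApprovedException], today: date) -> dict:
    """One day's compliance figure plus the list of devices needing attention."""
    counts = {"compliant": 0, "overdue": 0, "excepted": 0, "stale": 0}
    findings = []
    for r in reports:
        status = classify(r, exceptions, today)
        counts[status] += 1
        if status != "compliant":
            findings.append((r.device, status))
    total = len(reports)
    pct = round(100.0 * counts["compliant"] / total, 1) if total else 0.0
    return {"date": today.isoformat(), "total": total, "compliant_pct": pct,
            **counts, "findings": sorted(findings)}


def alerts(summary: dict) -> List[str]:
    """Alert lines for the on-call channel: 'overdue' and 'stale' page someone;
    devices under a live exception are reported but do not alert."""
    return [f"ALERT {summary['date']}: {dev} is {status}"
            for dev, status in summary["findings"] if status != "excepted"]


def demo() -> dict:
    """Constructed sample data: five devices, two exceptions (one expired)."""
    today = date(2025, 6, 30)
    exceptions = {
        "LAB-PC-01": ApprovedException("LAB-PC-01", "CTO", date(2025, 9, 30)),  # live
        "HR-LT-02": ApprovedException("HR-LT-02", "CTO", date(2025, 6, 1)),     # expired
    }
    reports = [
        PatchReport("FIN-LT-01", date(2025, 6, 30), None),               # fully patched
        PatchReport("FIN-LT-02", date(2025, 6, 30), date(2025, 6, 20)),  # 10 days: inside SLA
        PatchReport("HR-LT-02", date(2025, 6, 29), date(2025, 5, 30)),   # 31 days, exception expired
        PatchReport("LAB-PC-01", date(2025, 6, 30), date(2025, 4, 1)),   # 90 days, live exception
        PatchReport("OPS-SRV-01", date(2025, 6, 20), None),              # silent for 10 days
    ]
    return summarise(reports, exceptions, today)


if __name__ == "__main__":
    s = demo()
    print(f"{s['date']}: {s['compliant_pct']}% compliant "
          f"({s['compliant']}/{s['total']}), findings: {s['findings']}")
    for line in alerts(s):
        print(line)
```

The point of the “stale” status is that missing evidence is a finding rather than a pass: a device that has dropped off the agent is the one most likely to be unpatched, and the executive is signing for what the tooling can actually see. Run something like this daily, keep each day’s summary, and the compliance percentage over time is the trend line for the board report; the exception register, with its approver and expiry date, is the “exceptions are tracked and approved” evidence.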

The real challenge

The hardest part isn’t technology; it’s evidence and governance.

Many SMEs certified under Cyber Essentials don’t currently have:

  • Centralised visibility
  • Documented control testing
  • Board-level security reporting

So, this change may force investment in:

  • Better tooling
  • Clearer processes
  • Stronger governance structures

Bottom line

This declaration effectively aligns Cyber Essentials with modern security expectations: continuous control validation, not annual self-assessment.

If an organisation can’t produce evidence of ongoing monitoring and review, executives are being asked to take a significant personal risk by signing.

How can an SME meet this requirement without breaking the bank?

You don’t need an enterprise SOC or a six-figure toolchain to meet these new expectations, but you do need joined-up tooling that produces continuous evidence.

The principle: “Good enough + visible + provable”

For an executive to sign the declaration, your tooling must:

  • Cover all five control areas (firewalls, secure configuration, security update management, user access control, and malware protection)
  • Be centrally visible
  • Generate reports and alerts automatically
  • Require minimal manual effort

The issue for many SMEs is that a system which integrates many of these needs simply hasn’t existed in a financially viable form that doesn’t require a dedicated cyber individual on staff, until now. Such a system does now exist, and I have put up a short video on the features section of my profile page on LinkedIn: A short video on protective monitoring for SMEs. This should help you without having to read reams of information. You will also find a couple of articles on that particular subject.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.

To learn more about the services we provide, please click here https://www.hah2.co.uk/

Alternatively, please feel free to give us a call or drop us an email:

M: 07702 019060

E: kevin_hawkins@hah2.co.uk
