Preparing for Cyber Essentials - Danzell



From April 27th 2026, Cyber Essentials and Cyber Essentials Plus will be refreshed to the new Danzell updated question set. What do you need to actually know?




IASME released a blog highlighting the key changes to the scheme, which aim to improve the baseline security of organisations based on what the National Cyber Security Centre (NCSC) has seen over the last 12 months.

These changes are a direct response to real-world incidents in which the confidentiality, integrity or availability of organisational IT systems was compromised, as observed by the NCSC.

Vulnerabilities are being discovered, and exploited, at an increasing pace. To help mitigate these commodity threats, Cyber Essentials requires all critical or high updates for operating systems (including firewalls) and software applications to be applied within 14 days of release. Beyond 14 days, the likelihood that a working exploit for the known vulnerability has been created and made available in the wild rises sharply.

As you fill out your Cyber Essentials self-assessment, review how you are meeting this requirement. Ask: do all systems in scope, including firewalls and routers, update automatically within 14 days, or is some manual updating required? Does your service level agreement (SLA) with your IT support company mandate that they meet this timescale? Do they confirm back to you once your systems have been patched?

Starting with Danzell, Cyber Essentials Plus testing takes a stronger stance on this requirement. Test 2 of a Cyber Essentials Plus audit checks patching using authenticated vulnerability scans.

If, during sampling, a device is found to carry any critical or high vulnerability whose patch was released more than 14 days earlier, it must be patched or otherwise resolved within 30 days before a pass can be awarded for this section of the Cyber Essentials Plus test.

Brought in with Danzell is the new double sampling requirement. This means that if a critical or high vulnerability is identified within the initial sample set, a second set of devices will also need to undergo additional vulnerability scanning. If any of these second devices are discovered to have the same vulnerabilities identified from the first sample set, this will result in a failure of the Cyber Essentials Plus audit, and will lead to revocation of your Cyber Essentials certificate.

TL;DR – Double-Sampling Scenarios

Scenario 1

Initial sample devices scanned to ensure updates are being applied within 14 days.

If no vulnerabilities are identified, CE+ tests continue.

Scenario 2

Initial sample devices scanned to ensure updates are being applied within 14 days.

Vulnerability identified. Advised to remediate within 30 days. A clean rescan of the initial devices will be required. A second sample set of devices will need to be scanned.

Second samples scanned and no vulnerabilities from the initial sample found will result in a pass of this element.

Scenario 3

Initial sample devices scanned to ensure updates are being applied within 14 days.

Vulnerability identified. Advised to remediate within 30 days, second sample set to be tested.

Second samples scanned and only vulnerabilities different from those in the initial sample set are found. CE+ tests continue, with those vulnerabilities marked as advisory on the CE+ report.

Scenario 4

Initial sample devices scanned to ensure updates are being applied within 14 days.

Vulnerability identified. Advised to remediate within 30 days, second sample set to be tested.

Second samples scanned and vulnerabilities from the initial sample set are found again. Fail of CE+ and CE revoked.

This change has been implemented to help ensure that vulnerability management and patching are applied across the whole organisation, and not just to the devices sampled as part of the Cyber Essentials Plus audit.

If the second sample discovers new vulnerabilities not found from the first sample, these vulnerabilities will be detailed on the Cyber Essentials Plus report as advisory recommendations to remediate but will not prevent you from achieving a pass for this part of the test.
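To make the 14-day rule and the four double-sampling scenarios above concrete, here is a small pre-assessment helper you can run over your own scanner export before the assessor does. It is an added example, not code from the page, from IASME, the NCSC or any scanner vendor. The finding records, the device names, the VULN-xxx identifiers and the severity labels are constructed sample data and assumptions about what your scanner outputs; map them to your tool's real fields.

```python
"""Pre-assessment helper for the Cyber Essentials Plus patching test.

Added example, not IASME, NCSC or scanner vendor code. The findings below
are constructed sample data; the VULN-xxx identifiers, device names and
severity labels are assumptions about your scanner's export format.
"""
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14    # Cyber Essentials: critical/high updates applied within 14 days
REMEDIATION_DAYS = 30     # Cyber Essentials Plus: overdue findings resolved within 30 days
COUNTED_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    device: str
    vuln_id: str          # identifier as reported by the scanner (assumed field)
    severity: str         # assumed scale: critical / high / medium / low
    patch_released: date  # vendor release date of the fix


def overdue(findings, scan_date):
    """Findings that breach the 14-day rule on scan_date.

    A fix released exactly 14 days before the scan is still inside the window;
    only patches released earlier than that count against the sample.
    """
    cutoff = scan_date - timedelta(days=PATCH_WINDOW_DAYS)
    return [f for f in findings
            if f.severity.lower() in COUNTED_SEVERITIES and f.patch_released < cutoff]


def remediation_deadline(scan_date):
    """Date by which an overdue finding from this scan must be resolved."""
    return scan_date + timedelta(days=REMEDIATION_DAYS)


def evaluate_double_sample(first_overdue, second_overdue):
    """Map the two samples' overdue findings to the four scenarios in the text.

    The comparison is on the vulnerability identity, not on the device it sits on:
    the same issue on a different machine in the second sample is still a fail.
    """
    if not first_overdue:
        return "PASS"                  # scenario 1: clean first sample, no second sample needed
    first_ids = {f.vuln_id for f in first_overdue}
    second_ids = {f.vuln_id for f in second_overdue}
    if first_ids & second_ids:
        return "FAIL"                  # scenario 4: same vulnerability recurs, CE revoked
    if second_ids:
        return "PASS_WITH_ADVISORY"    # scenario 3: different issues, reported as advisory
    return "PASS"                      # scenario 2: second sample clean (first sample rescanned clean)


# Constructed sample scan output, dated so that the 14-day boundary is exercised.
SCAN_DATE = date(2026, 5, 4)
FIRST_SAMPLE = [
    Finding("laptop-01", "VULN-001", "critical", date(2026, 4, 1)),   # 33 days: overdue
    Finding("laptop-01", "VULN-002", "medium",   date(2026, 3, 1)),   # not critical/high
    Finding("laptop-02", "VULN-001", "critical", date(2026, 4, 1)),   # same issue, second device
    Finding("laptop-02", "VULN-003", "high",     date(2026, 4, 25)),  # 9 days: inside window
    Finding("laptop-02", "VULN-005", "high",     date(2026, 4, 20)),  # exactly 14 days: inside window
]
SECOND_SAMPLE_SAME = [Finding("laptop-03", "VULN-001", "critical", date(2026, 4, 1))]
SECOND_SAMPLE_DIFFERENT = [Finding("laptop-03", "VULN-004", "high", date(2026, 4, 10))]
SECOND_SAMPLE_CLEAN = [Finding("laptop-03", "VULN-003", "high", date(2026, 4, 25))]


def report(first_sample, second_sample, scan_date=SCAN_DATE):
    """Run both samples through the rules; return (outcome, overdue ids, remediation deadline)."""
    first = overdue(first_sample, scan_date)
    if not first:
        return "PASS", [], None        # no second sample is scanned in scenario 1
    second = overdue(second_sample, scan_date)
    outcome = evaluate_double_sample(first, second)
    ids = sorted({f.vuln_id for f in first} | {f.vuln_id for f in second})
    return outcome, ids, remediation_deadline(scan_date)


if __name__ == "__main__":
    for label, second in [("same", SECOND_SAMPLE_SAME),
                          ("different", SECOND_SAMPLE_DIFFERENT),
                          ("clean", SECOND_SAMPLE_CLEAN)]:
        outcome, ids, deadline = report(FIRST_SAMPLE, second)
        print(f"second sample {label:9}: {outcome:19} overdue={ids} remediate by {deadline}")
```

Running it prints one line per second-sample case: the same vulnerability recurring gives FAIL, a different overdue vulnerability gives PASS_WITH_ADVISORY, and a clean second sample gives PASS, each with the 30-day remediation deadline computed from the scan date. Note that VULN-005, whose patch is exactly 14 days old, is deliberately left inside the window; if your scanner reports patch age inclusively you should confirm with your assessor how the boundary is counted.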

"Great results can be achieved with small forces."
     – Sun Tzu

Technical controls are recommended to ensure continued compliance with this requirement of Cyber Essentials, as relying solely on automatic updates or manual patching may leave you exposed for longer than the mandated 14-day window.

You may already have access to Microsoft Defender’s Vulnerability Management, your anti-virus console may include a vulnerability dashboard, or your IT Support Company could recommend tools to help you identify vulnerabilities and automatically apply patches to Operating Systems or Applications as part of their service offering.

A number of products exist specifically to support patch management and vulnerability reporting. Review each tool to see whether it meets your requirements, budget and functionality needs.

Punk Security can offer advice and guidance on your specific requirements, and welcome the opportunity to discuss which solutions may be the right fit for your organisation.

For more information, email us at [email protected] or call us on 01609 635 932

Author

Tom Thackwray

- Compliance lead -

Tom is a Cyber Essentials assessor and ISO27001 Lead Auditor, with years of experience delivering pragmatic cybersecurity advice.
