Preparing for Cyber Essentials Plus
The five technical controls in CE+, the common failures, and how to pre-check your estate.
Cyber Essentials Plus is a pragmatic UK baseline covering five areas: firewalls, secure configuration, user access control, malware protection, and security update management. Most Cyber Essentials failures are mundane (missing updates, unsupported software) and highly preventable with a pre-audit pass.
The five controls and what typically fails
- Firewalls: default-admin passwords on perimeter devices, unrestricted management interfaces.
- Secure configuration: unused services enabled, default credentials on database instances.
- User access control: shared admin accounts, stale ex-employee accounts.
- Malware protection: devices without EDR, or with EDR disabled.
- Security update management: unsupported OS versions, high/critical CVEs left unpatched for more than 14 days.
Use Cyvex for pre-audit spot checks
Run an external scan and a cloud posture scan at least two weeks before the on-site audit. The “security update management” control fails most often — filter findings to “outdated software” and “missing patch” and remediate before the assessor arrives.
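A pre-audit triage over exported scan findings, added here as an example (not Cyvex's code or output): it applies the 14-day rule from the control list above to the "outdated software" and "missing patch" findings and flags unsupported software outright. The finding fields, the "unsupported software" category name and the sample findings are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Cyber Essentials expects high/critical fixes installed within 14 days of release.
PATCH_SLA_DAYS = 14
# Categories to pull out before the audit: the two filter terms from the page, plus
# "unsupported software", an assumed category name for end-of-life OS versions.
PATCH_CATEGORIES = {"outdated software", "missing patch"}
UNSUPPORTED_CATEGORY = "unsupported software"
ACTIONABLE_SEVERITIES = {"high", "critical"}


@dataclass(frozen=True)
class Finding:
    host: str
    category: str
    severity: str
    title: str
    fix_released: date  # assumed field: the day the vendor published the fix


# Constructed sample findings, not real scanner output.
SAMPLE_FINDINGS = [
    Finding("fs01", "missing patch", "critical", "OS cumulative update", date(2024, 5, 1)),
    Finding("fs01", "missing patch", "low", "Optional driver update", date(2024, 4, 1)),
    Finding("web02", "outdated software", "high", "Browser out of date", date(2024, 5, 20)),
    Finding("lt-17", "unsupported software", "high", "End-of-life OS version", date(2020, 1, 1)),
    Finding("web02", "exposed service", "medium", "Telnet enabled", date(2024, 5, 1)),
]


def ce_plus_blockers(findings, today):
    """Return (finding, reason) pairs that would fail the security update
    management control if the assessor arrived on `today`, oldest first."""
    blockers = []
    for f in findings:
        age = (today - f.fix_released).days
        if f.category == UNSUPPORTED_CATEGORY:
            # Unsupported software fails outright; its age does not matter.
            blockers.append((f, "unsupported software in scope"))
        elif (f.category in PATCH_CATEGORIES and f.severity in ACTIONABLE_SEVERITIES
              and age > PATCH_SLA_DAYS):
            blockers.append((f, f"{age} days past fix release (limit {PATCH_SLA_DAYS})"))
    return sorted(blockers, key=lambda b: (today - b[0].fix_released).days, reverse=True)


def sample_blockers(today_iso):
    """Run the triage over the sample set for a given ISO date; returns (host, reason) pairs."""
    as_of = date.fromisoformat(today_iso)
    return [(f.host, r) for f, r in ce_plus_blockers(SAMPLE_FINDINGS, as_of)]
```

Low-severity and out-of-control findings (the Telnet service belongs to secure configuration) are deliberately left out of this list so it only shows what this one control would fail on.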
BYOD gotcha
If staff use personal devices to access organisational data, those devices are in scope. Either exclude them via policy and enforcement (conditional access) or bring them into scope with MDM.
