Cyber Essentials Prep: Three Checks

Preparing for a Cyber Essentials assessment can be stressful, especially when last-minute surprises derail your submission. Many organisations fail because of overlooked basics; in fact, most non-compliances stem from simple checks that could have been caught early. 

This guide focuses on three critical checks that prevent 80% of last-minute failures, based on common issues identified by IASME, National Cyber Security Centre, and Evolve North’s experience supporting successful assessments. By addressing these areas proactively, you’ll reduce risk, save time, and approach your assessment with confidence. 

Background

Cyber Essentials is designed to protect organisations against the most common cyber threats. The majority of failed assessments are due to simple gaps such as missing MFA, outdated software, or insecure configurations – not advanced technical flaws. 

These failures often happen because: 

  • Organisations assume default settings meet Cyber Essentials requirements. 
  • Checks are left until the day of assessment, leaving no time for remediation. 
  • Teams misunderstand the scope of Cyber Essentials, especially around cloud services and remote devices. 

By focusing on three key checks, you can address the most frequent problem areas, dramatically reduce the risk of a failed submission and ensure compliance with the latest scheme updates.

1. Verify MFA is Enabled for All Cloud Services That Provide It

Multi-Factor Authentication (MFA) is one of the most effective ways to prevent account compromise. According to NCSC, passwords alone are not enough – MFA adds an extra layer of security, making stolen credentials far less useful to attackers. Cyber Essentials requires MFA on all cloud services that support it; leaving it disabled will result in non-compliance. 

Note: The newest version of Cyber Essentials due to be released in 2026 will require MFA to be enabled on all cloud services that provide it, or a fail will be awarded. 

Common Cloud Services Supporting MFA

  • Microsoft 365 / Entra ID 
  • Google Workspace 
  • AWS 
  • Dropbox 
  • GitHub 

It is best to understand which cloud services  

See our Password Policy Guide for instructions on how to enable MFA for all users in your Microsoft 365 environment. 

2. Check Local Admin and Standard Account Separation

Cyber Essentials requires administrative accounts to be separate from standard user accounts. This prevents attackers from gaining elevated privileges if a user account is compromised. Using a single account for both admin and daily tasks is a common fail point because it increases the risk of privilege escalation. 

See our Windows Account Separation Guide for instructions on how to create separate administrative and standard accounts locally on your Windows device. 

Key Practices for Admin Account Management 

  1. Enforce Least Privilege: Only grant admin rights when strictly necessary to minimise risk exposure. 
  2. Audit and Monitor Usage: Log and review admin activity to quickly detect misuse or suspicious behaviour. 
  3. Document and Regularly Review Access: Maintain clear records of who has admin rights and remove unnecessary privileges during periodic reviews. 
  4. User Training: Educate administrators on secure practices, phishing awareness, and proper handling of elevated privileges. 

3. Check for Unsupported Operating Systems

Cyber Essentials requires that all devices run vendor-supported operating systems. Unsupported OS versions no longer receive security updates, leaving them vulnerable to exploitation. Even one non-compliant device can cause an assessment failure. 

Operating Systems that are now End-of-Support 

  • Windows 10 (Home, Pro, Enterprise, Education) – End of support: October 14, 2025 
  • Exchange Server 2016 & 2019 – End of support: October 14, 2025 
  • Windows 11 Enterprise 22H2 (10.0.22621) – End of support: October 14, 2025 
  • Windows 11 Pro 23H2 (10.0.22631) – End of support: November 10, 2025 

If any of your devices are still running operating systems or software that have gone out of support, the priority should be to plan an upgrade or migration as soon as possible. Unsupported versions no longer receive security updates, leaving them vulnerable to malware, phishing, and other cyber threats. 

To check your operating system locally per device, these are quick methods for individual users: 

Windows 

  • Go to Settings → System → About → see “Windows specifications.” 

macOS 

  • Click the Apple menu → About This Mac → shows macOS version and build. 

iOS/iPadOS 

  • Go to Settings → General → About → see “Software Version.” 

Android 

  • Go to Settings → About phone → Software information → see “Android version.” 

For small companies without a dedicated device management solution, operating system information that is retrieved manually from user devices should be recorded in a central asset register. This register should capture key details such as device owner, hardware type, and current OS version. By maintaining and reviewing the register on a regular schedule, organisations can compare their inventory against vendor support lifecycles and update policies accordingly. This practice ensures that unsupported or end-of-life operating systems are identified early, reducing security risks and helping the company plan timely upgrades in line with vendor updates. 
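The register comparison described above, as an added example that is not Evolve North's own tooling: a small script that reads a constructed asset register (owner, hardware type, OS version) and flags every device whose OS has passed, or is approaching, the end-of-support dates listed in this guide. The CSV layout, device entries and the 90-day warning window are assumptions.

```python
"""Compare an asset register against the end-of-support dates above and flag
devices needing an upgrade. Added example; the register rows are constructed."""
import csv
import io
from datetime import date

# End-of-support dates exactly as listed in this guide.
END_OF_SUPPORT = {
    "Windows 10": date(2025, 10, 14),
    "Windows 11 Enterprise 22H2": date(2025, 10, 14),
    "Windows 11 Pro 23H2": date(2025, 11, 10),
    "Exchange Server 2016": date(2025, 10, 14),
    "Exchange Server 2019": date(2025, 10, 14),
}

# Constructed sample register: owner, hardware type, current OS version.
REGISTER_CSV = """owner,hardware,os
alice,laptop,Windows 10 Pro 22H2
bob,laptop,Windows 11 Pro 23H2
carol,desktop,Windows 11 Pro 24H2
dave,server,Exchange Server 2019
erin,laptop,macOS 15.1
"""

def support_end(os_version):
    """Longest-prefix lookup; None means 'not in the table, review by hand'."""
    hits = [name for name in END_OF_SUPPORT if os_version.startswith(name)]
    return END_OF_SUPPORT[max(hits, key=len)] if hits else None

def classify(os_version, on_date, warn_days=90):
    """'unsupported' once the vendor date has passed, 'expiring' if it falls
    within warn_days of on_date, 'supported' otherwise, 'unknown' if unlisted."""
    eos = support_end(os_version)
    if eos is None:
        return "unknown"
    if on_date > eos:
        return "unsupported"
    return "expiring" if (eos - on_date).days <= warn_days else "supported"

def audit_register(csv_text, on_date):
    """Return {owner: status} for every row in the register."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["owner"]: classify(r["os"], on_date) for r in rows}

def needing_action(csv_text, on_date):
    """Owners whose devices must be on the upgrade plan before assessment."""
    report = audit_register(csv_text, on_date)
    return sorted(o for o, s in report.items() if s in ("unsupported", "expiring"))
```

Devices reported as "unknown" are not in the table and still need a manual check against the vendor's lifecycle page before submission.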

Focusing on these three critical checks (enforcing MFA on all cloud services, separating admin and standard accounts, and removing unsupported operating systems) addresses the most common causes of Cyber Essentials failures. These controls are not just compliance requirements; they significantly reduce the risk of account compromise, privilege misuse, and exploitation of unpatched vulnerabilities. 

By implementing these measures early and verifying them before your assessment, you’ll avoid last-minute surprises, strengthen your security posture, and ensure alignment with NCSC guidance and Cyber Essentials standards. 

If you’re unsure about any of these steps, please contact us on 01748 905 002 or email info@evolvenorth.com; we’re happy to help.
