5 things West Sussex businesses get wrong before a Cyber Essentials audit
Most businesses that fail a Cyber Essentials assessment don't fail because the requirements are unreasonable. They fail because of entirely avoidable mistakes — things that were overlooked, misunderstood, or left too late to fix.
We've worked with SMEs across West Sussex preparing for Cyber Essentials audits, and the same issues come up repeatedly. Here are the five we see most often.
1. Assuming 'we have a firewall' is the same as 'our firewall is configured correctly'
Having a firewall is not the same as having a properly configured one. This is the gap that catches more businesses than almost anything else.
Cyber Essentials requires that your firewall blocks all inbound connections by default, with only specific, documented exceptions for traffic your business actually needs. Most out-of-the-box firewall installations aren't configured this way. Default settings often allow more traffic than they should, and exceptions accumulate over time as people add rules without removing old ones.
Before your audit, review your firewall rules properly. Every open port needs a documented business reason. Every inbound rule that can't be justified needs to go. If you're not sure what your current configuration looks like, that's the first problem to address.
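An added example of what that review looks like on a single Windows endpoint (this is not the article's or any assessor's own tooling): it checks that every Windows Defender Firewall profile blocks inbound traffic by default and lists each enabled inbound allow rule with its port so it can be justified or removed. It assumes Windows 8/Server 2012 or later with the built-in NetSecurity module, run from an elevated PowerShell session.

```powershell
# Added example (not from the original article): Cyber Essentials pre-assessment
# check of the Windows Defender Firewall on one endpoint. Assumes Windows 8/Server
# 2012 or later (NetSecurity module) and an elevated PowerShell session.

# 1. Cyber Essentials expects inbound traffic to be blocked by default on every profile.
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
    $verdict = if ($ok) { 'OK' } else { 'REVIEW: default inbound action must be Block' }
    '{0,-8} Enabled={1,-5} DefaultInbound={2,-13} {3}' -f $p.Name, $p.Enabled, $p.DefaultInboundAction, $verdict
}

# 2. Every enabled inbound allow rule is an exception that needs a documented business
#    reason. List them with protocol and local port so each can be justified or deleted.
$report = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Group     = $_.DisplayGroup
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
        }
    }
$report | Sort-Object Protocol, LocalPort | Format-Table -AutoSize

# Keep a copy as audit evidence and annotate each row with its justification.
$report | Export-Csv -Path '.\inbound-allow-rules.csv' -NoTypeInformation
```

A rule with LocalPort 'Any' or an 'Allow' profile default is exactly the kind of finding the assessor will ask about, so resolve those rows first.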
2. Not knowing which devices are in scope
Cyber Essentials applies to all devices on your network — not just the ones you think of as 'company computers.' This is where scope confusion creates real problems.
Remote worker laptops. Personal devices connecting to your network or cloud services. Older servers you're still relying on. Guest Wi-Fi on the same network as your main systems. Network-attached storage. All of these are potentially in scope depending on how your network is set up.
The most common version of this mistake we see: a business goes through the self-assessment questionnaire thinking about their office desktops, and completely forgets about the fifteen remote workers using personal laptops to access company email and cloud applications. Those devices are in scope. If they don't have managed endpoint protection and current patches, the assessment fails.
Map your device estate properly before you start. Everything that connects to your network or accesses your business systems needs to be accounted for.
3. Leaving patch management until the week before
Patch management is one of the most common failure points in a Cyber Essentials assessment, and it's almost always because organisations leave it too late.
The requirement is clear: security patches must be applied within 14 days of release for internet-connected systems. In practice, many businesses have patching that's weeks or months behind. They know it's a problem, but it keeps getting deprioritised.
Then they decide to go for Cyber Essentials certification and try to catch up in the final week. The problem is that bulk patching a neglected estate in a short timeframe is risky. Updates can break things. Systems restart unexpectedly. Applications that relied on specific software versions stop working.
Give yourself at least six to eight weeks before your intended assessment date to get patching on track. Get everything current, then establish a consistent process that keeps it current. That process needs to still be running when the assessor checks.
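To see how far behind a machine actually is against the 14-day window, here is an added example (not from the article) that asks the Windows Update Agent for updates that are available but not yet installed and flags any that have been published for longer than 14 days. It assumes PowerShell 5.1 or later on Windows with the Windows Update Agent COM API available; on a WSUS-managed machine the search runs against WSUS.

```powershell
# Added example (not from the original article): flag pending Windows updates that
# have been available for longer than the 14-day Cyber Essentials window. Assumes
# PowerShell 5.1+ on Windows with the Windows Update Agent COM API.

$windowDays = 14
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# Software updates that are not installed and not hidden by an administrator.
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$now = Get-Date
$findings = foreach ($u in $result.Updates) {
    # LastDeploymentChangeTime is when the update was (last) published to the
    # update source, which is where the 14-day clock starts.
    $age = ($now - $u.LastDeploymentChangeTime).Days
    [pscustomobject]@{
        Title    = $u.Title
        Severity = $u.MsrcSeverity   # blank for non-security updates
        AgeDays  = $age
        Overdue  = ($age -gt $windowDays)
    }
}

$findings | Sort-Object AgeDays -Descending | Format-Table -AutoSize

$overdue = @($findings | Where-Object Overdue)
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) update(s) have been pending for more than $windowDays days"
} else {
    Write-Host "No pending updates older than the $windowDays-day window."
}

# Second data point for the audit file: when anything was last installed at all.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1 HotFixID, InstalledOn
```

Run this across the estate a few weeks out and the Overdue column tells you which machines need attention before, not during, the final week.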
4. Overlooking admin account management
Cyber Essentials requires you to apply the principle of least privilege — people should only have access to what they need to do their job, and administrative rights should be restricted to those who genuinely require them.
What we find in practice: someone set up an account as an admin years ago because it was easier at the time, and it's stayed that way. Or the IT person gave everyone local admin rights on their laptops so they wouldn't have to field every software installation request. Or there are shared admin accounts with no audit trail.
These arrangements fail the Cyber Essentials access control requirements. Every user needs a unique account. Admin rights need to be genuinely justified and documented. Shared admin credentials are a specific problem — they make it impossible to track who did what and create an obvious risk if the credentials are compromised.
Audit your accounts before the assessment. Remove admin rights that aren't justified. Make sure every user has a unique account with appropriate access levels. It's not complicated, but it does take time, particularly if your account setup has grown without much governance.
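An added example (not from the article) of the account audit on a single Windows endpoint: it lists who holds local administrator rights and where each principal comes from, then lists local user accounts and flags the ones that look shared or have no recent logon. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the shared-name pattern is a constructed heuristic, not a Cyber Essentials rule.

```powershell
# Added example (not from the original article): inventory local admin rights and
# local accounts on a Windows endpoint as evidence for the access control review.
# Assumes PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module.

# 1. Members of the local Administrators group and where each comes from
#    (Local, ActiveDirectory, AzureAD, MicrosoftAccount). Every row needs a justification.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Local user accounts, with a constructed heuristic for names that usually mean a
#    shared login rather than a named person.
$users = Get-LocalUser | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.Name
        Enabled     = $_.Enabled
        LastLogon   = $_.LastLogon
        LooksShared = ($_.Name -match '^(admin|administrator|shared|reception|office|temp|test)$')
    }
}
$users | Format-Table -AutoSize

# 3. Accounts that need a decision before the assessment: enabled accounts that look
#    shared, or that have no recorded logon in the last 90 days.
$cutoff = (Get-Date).AddDays(-90)
$users |
    Where-Object { $_.Enabled -and ($_.LooksShared -or -not $_.LastLogon -or $_.LastLogon -lt $cutoff) } |
    Format-Table Name, LastLogon, LooksShared -AutoSize
```

Anything left in section 1 that is a generic or shared principal, rather than a named person with a documented need, is the finding to fix first.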
5. Treating the self-assessment questionnaire as the finish line
Cyber Essentials standard certification involves a self-assessment questionnaire. Some businesses approach this as if the goal is to answer the questions correctly rather than to actually implement the controls correctly.
This creates two problems. First, you might genuinely convince yourself you're compliant when you're not, because the questionnaire asks about policies and intent rather than testing whether your technical controls actually work. Second, when Cyber Essentials Plus assessors or clients ask for evidence, there's nothing to back up the self-assessment.
Answer the questionnaire honestly, and if an honest answer is 'no' or 'not yet,' treat that as the thing to fix before you submit. The point of Cyber Essentials isn't the certificate — it's the security improvement that comes from actually implementing the five control areas properly.
If you implement the controls genuinely, you'll pass the assessment. And more importantly, you'll actually be more secure, which is the outcome that matters.
How to avoid these mistakes
The most reliable way to avoid failing your Cyber Essentials audit is to do a proper pre-assessment before you go into it. That means reviewing each of the five control areas against your actual technical setup — not just reviewing the questions and assuming you're fine.
That's what we help West Sussex businesses with. Our free security audit maps your current security posture against the Cyber Essentials requirements and tells you exactly where the gaps are before they become a failed assessment.
If you're planning to go for certification in the next few months, let's talk before you commit to an assessment date. It's much easier to fix things in advance than to fail and have to go through the process again.