
Cyber Essentials Renewal: Annual Guide

  • Cyber Essentials
  • Gabriel Few-Wiegratz
  • Published: 10th Jun 2026


Highlights
  • Cyber Essentials certification expires every 12 months and must be renewed through a fresh self-assessment via an Assured Service Provider.

  • Infrastructure drift is the biggest renewal risk. New cloud services, devices, remote working arrangements, and network changes must be reflected in your renewal scope.

  • A lapsed certificate can affect contract eligibility, including UK government and Ministry of Defence supplier opportunities.

  • Cyber insurance policies may reference Cyber Essentials certification, making uninterrupted renewal important beyond procurement requirements.

  • Organisations that maintain continuous compliance renew faster, with patching, scope documentation, and control reviews managed throughout the year rather than before expiry.

  • You can switch Assured Service Providers at renewal without affecting your eligibility for certification.

  • Starting preparations 8–12 weeks before expiry provides enough time to review scope changes, remediate gaps, and complete the assessment process.

Introduction

Cyber Essentials, the UK government-backed cyber security certification scheme administered by the National Cyber Security Centre (NCSC) and delivered through the IASME Consortium, must be renewed every 12 months. Renewal follows the same self-assessment questionnaire route as initial certification, but organisations that maintain continuous compliance throughout the year can complete it significantly faster than the first time. This guide covers what changes at renewal, how to handle infrastructure changes, the implications of a lapsed certificate, and how to build a process that makes each renewal faster than the last.
Expert View
Matt Davies

Chief Product Officer, SureCloud
What our experts say about Cyber Essentials Renewal
"The most common reasons organisations fail Cyber Essentials renewal — specifically whether infrastructure drift during the year (unpatched systems, new cloud assets, scope creep) is a bigger failure driver than first-time applicants expect."

Why Cyber Essentials Must Be Renewed Every 12 Months

The 12-month renewal requirement is not administrative housekeeping — it reflects the pace at which the threat landscape and IT infrastructure change. A certificate issued in January 2024 assesses the state of your systems at that point in time. By January 2025, you may have adopted new cloud services, changed suppliers, onboarded new devices, or deployed software that introduces new risks. The annual cycle forces a fresh assessment of whether controls are still operating correctly against current infrastructure.

For organisations supplying to UK central government, the practical consequence is direct: Cabinet Office policy mandates Cyber Essentials certification for contracts involving the handling of certain personal information or the provision of certain technical services. A lapsed certificate — even by a single day — can affect contract eligibility. For Ministry of Defence (MoD) supply chain suppliers, lapsed certification can suspend access to supplier portals and tender processes. This is the single most common reason organisations treat renewal as genuinely urgent rather than aspirational.

What Changes at Renewal vs Initial Certification

The renewal process follows the same structure as initial certification: complete the Cyber Essentials self-assessment questionnaire through a licensed Assured Service Provider (ASP), pass the assessment, and receive a new certificate. The questionnaire itself — the Montpellier question set, which IASME revises through versioned updates to reflect evolving technical requirements — is the same document used at initial application.

In practice, renewal is faster for most organisations, for three reasons:

  1. You already have the scope defined. The first time you certify, scoping decisions (what devices, what networks, what cloud services are in scope) take time. At renewal, you are reviewing and updating an existing scope, not building it from scratch.
  2. Your team is familiar with the question set. The Montpellier questions cover the five Cyber Essentials technical controls — boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management. Teams who have worked through these once move through the renewal assessment more quickly.
  3. Evidence is easier to locate. If you documented your initial certification, the renewal involves updating that documentation rather than creating it.

What renewal does not forgive is infrastructure drift. If your organisation has added new devices, adopted new cloud services, changed remote access arrangements, or modified your network boundary during the year, these changes must be reflected in your renewal submission. Attempting to use last year's scope unchanged when your IT estate has materially changed is a common reason for renewal failure or delay.

How to Handle Significant Infrastructure Changes

If your organisation has undergone significant infrastructure changes since your last certification — a cloud migration, a new office location, acquisition of another entity, a shift to remote-first working, or significant expansion of the device estate — renewal requires more preparation than a straightforward repeat of last year's submission.

The steps to follow:

  1. Revisit your scope definition. List all in-scope devices, internet-connected services, and network boundaries as they exist today, not as they existed at last year's renewal.
  2. Map changes against the five controls. For each changed element of your infrastructure, assess whether your existing controls still apply. A new cloud service that was not in scope last year needs to be assessed against all five control areas.
  3. Remediate before submission. If the infrastructure review surfaces gaps — unsupported software, default credentials left on new devices, patching delays on recently onboarded systems — address them before starting the questionnaire process. Submitting with known gaps and hoping they are not caught is not a viable approach.
  4. Document the changes. Your Assured Service Provider will ask about changes to scope. Having a clear record of what changed and when supports a faster, cleaner renewal.

What Happens if Your Certificate Lapses

A lapsed Cyber Essentials certificate — one where the 12-month validity has expired and renewal has not been completed — has practical consequences that vary depending on your organisation's context.

Government Contract Implications

For organisations that hold or are pursuing UK government contracts that require Cyber Essentials, a lapse means you cannot demonstrate compliance with the contractual requirement. The Cabinet Office's procurement policy and the Digital Marketplace both reference valid (current) certification. A lapsed certificate does not satisfy this requirement, even if renewal is imminent. If a contract renewal or new tender falls within a lapse window, you may be ineligible to bid or to continue the existing contract.

MoD Supply Chain

Ministry of Defence supplier portals and the Defence Supplier Community typically require active Cyber Essentials certification. A lapse can result in suspension from supplier portals and inability to access procurement opportunities until a valid certificate is restored.

Cyber Insurance

Some cyber insurance policies reference Cyber Essentials as a condition of cover or a factor in premium calculation. Check your policy terms: a lapsed certificate could affect the validity of your cover or your insurer's willingness to pay out on a claim if a breach occurs during the lapse period.

What to Do if You Have Lapsed

If your certificate has already lapsed, the process to restore it is the same as the original certification: complete the self-assessment questionnaire through an Assured Service Provider and pass the assessment. There is no expedited reinstatement process, and the certificate date will reflect the date of the new assessment, not the expiry date of the lapsed certificate. For time-sensitive contract requirements, this means building in sufficient time for the assessment and any remediation required.

Renewal Cost

The cost of Cyber Essentials renewal varies by Assured Service Provider. IASME sets a minimum price floor for certification, but providers set their own fees above that floor. For the standard Cyber Essentials self-assessment route, expect costs broadly in line with initial certification — prices range from under £300 to several hundred pounds depending on the provider and the scope of support included.

Some providers charge a flat renewal fee; others charge based on organisation size or the degree of support they provide. If your ASP charges for advisory time spent answering questions or reviewing your submission, renewal costs can increase if your infrastructure has changed significantly and requires more consultation time.

How to Switch Assured Service Provider at Renewal

You are not required to renew through the same Assured Service Provider you used for your initial certification or previous renewals. Renewal is treated as a fresh certification application, and you can initiate it with any IASME-licensed ASP.

To switch provider at renewal:

  1. Identify your new provider from the IASME-published list of licensed Assured Service Providers.
  2. Start the renewal application through your new provider's platform. You will complete the questionnaire on their system, not your previous provider's.
  3. Your previous certificate is not transferred between providers — the new provider will issue a new certificate following a successful assessment.
  4. There is no notification requirement to your previous provider. Simply do not renew through them.

When evaluating providers for renewal, consider: the support they offer during the questionnaire process, whether they offer gap assessment or pre-submission review, the cost structure, and whether they also offer Cyber Essentials Plus if you intend to upgrade.

Renewal Checklist and Timeline

The timeline below assumes an organisation with no major infrastructure changes. Adjust if significant changes have occurred during the year.

When                    | Action
12 weeks before expiry  | Review current scope documentation. Identify any infrastructure changes since last renewal.
10 weeks before expiry  | Conduct internal gap check against all five Cyber Essentials control areas for any changed systems.
8 weeks before expiry   | Remediate any gaps identified. Apply outstanding patches, fix configuration issues, review access controls.
6 weeks before expiry   | Select Assured Service Provider (or confirm you are renewing with existing provider).
4 weeks before expiry   | Begin self-assessment questionnaire submission. Gather evidence for any changed scope areas.
2 weeks before expiry   | Complete submission. Allow time for assessor review and any clarification requests.
Certificate expiry      | Receive renewed certificate. Update internal records and any contract compliance evidence files.

Making Renewal Faster Each Year: Continuous Compliance vs Annual Scramble

Organisations that treat Cyber Essentials as a point-in-time exercise — doing nothing between renewals, then scrambling to prepare in the weeks before expiry — consistently report the most painful renewal experiences. Devices have drifted out of support, patches are months behind, and scope documentation is stale.

The organisations that renew fastest maintain compliance continuously. This means:

  1. Treating patch management as an operational habit, not a pre-renewal exercise. The Cyber Essentials patch management control requires high-risk and critical patches to be applied within 14 days of release. If you are doing this routinely, renewal evidence is trivially easy to produce.
  2. Keeping scope documentation current. When you add a new device, cloud service or network segment, update your scope record at the time — not retrospectively at renewal.
  3. Running internal checks quarterly. A 30-minute quarterly review of whether anything has changed in your control environment takes far less time than discovering large changes six weeks before expiry.
  4. Using compliance management tooling. Platforms that automate evidence collection and provide continuous monitoring against defined control baselines can significantly reduce the manual effort associated with annual renewal.

Renew with Confidence

SureCloud Assure provides ongoing compliance support and renewal management for Cyber Essentials, helping organisations maintain continuous compliance and complete each annual renewal without the last-minute scramble. See how SureCloud Assure supports Cyber Essentials renewal — request a demonstration.

FAQs

How long does Cyber Essentials renewal take?

For organisations that have maintained their controls throughout the year and have minimal infrastructure changes, renewal can be completed in a matter of days once the questionnaire is submitted. The assessment review by the Assured Service Provider is typically completed within a few working days of submission, assuming no significant queries. Allow two to four weeks end-to-end if you need remediation time.

Can I use the same certificate for multiple contracts if it renews mid-contract?

Your certificate remains valid for 12 months from the date of issue. If a contract requires a current certificate, you need an active (non-lapsed) one — not necessarily a certificate issued during the contract period itself. Check your specific contract terms, as some require evidence of renewal within a specific window.

What happens to my Cyber Essentials Plus certification at renewal?

Cyber Essentials Plus requires its own annual renewal, which involves a new technical audit conducted by an IASME-accredited certification body. Cyber Essentials (standard) renewal does not automatically renew Cyber Essentials Plus. The two renewals can be coordinated, but they are separate processes with separate costs.

Does my scope have to be the same as last year?

No. Scope can be updated at renewal to reflect actual changes to your IT estate. If your organisation has shrunk or certain systems are no longer in use, scope can be reduced. If new systems have been added, they should be included. Attempting to maintain an outdated scope that does not reflect your actual IT estate creates both certification risk and a less accurate security posture.

What if I fail the renewal assessment?

If your renewal submission fails, your Assured Service Provider will identify the specific control areas that have not been met. You address the gaps and resubmit. The process for resubmission varies by provider — some include a resubmission within the original fee, others charge for additional review. Clarify this when selecting your provider. A failed renewal submission does not invalidate your previous certificate until it naturally expires.