Important changes to Cyber Essentials – Danzell

By Cyber Essentials Lead Assessor Tony Wilson

Cyber Essentials will become more difficult to achieve under the new version of the question-set, called Danzell.

Whilst the Cyber Essentials Basic changes are welcome and, some would say, a long time coming, the strictness of the Cyber Essentials Plus audit is raising eyebrows.

We envisage far more failures in Cyber Essentials Plus under Danzell, especially for those companies that do not have a vulnerability scanning regime in place.

Key takeaways for Cyber Essentials Basic.

  • New automatic failure scenarios:
    • The assessment will fail if multi-factor authentication is available on a cloud service, but it is not applied.
      • Even if it is not available, the company must investigate methods of introducing MFA via other means – this could mean integrating the cloud service with Azure / Google Single Sign-on or other paid-for services such as Okta.
      • As the vast majority of Cloud Services use SAML or OIDC to authenticate, it is highly likely that you will be able to integrate your Cloud Service with a third-party Identity provider (such as Azure) and will therefore be expected to do this, even if it comes at an extra cost.
    • If applications are not patched within 14 days, a fail will be issued. Until Danzell, it was only unsupported software that caused an auto-fail.
  • Scoping is required to be more detailed than in previous question-sets:
    • Expanded scope descriptions
      • Companies will have the option to include a comprehensive and detailed description of the scope.
    • Out-of-scope areas must be more clearly defined.
    • All legal entities covered by the assessment scope must be explicitly listed, including full name, address, and registration number.

Key takeaways for CE Plus.

Cyber Essentials Plus assessments will be much stricter. Please read this carefully, as these changes could impact the company’s ability to become certified:

  • If an organisation fails the initial test of a random sample of devices, they will be required to remediate the issues and undergo a retest.
  • During the retest, the Assessor will not only recheck the original sample, but will also test a new random sample of devices to ensure compliance across the wider environment.
  • It is important to note that if the scan of the resample finds any high or critical vulnerabilities, it will result in a fail overall and may result in a revocation of the Cyber Essentials Basic Certificate.

So, to clarify, if a Certification Body conducts a scan and finds vulnerabilities scored as High or Critical, the company must ensure all devices in the organisation are fixed, because a different sample of devices will be scanned along with the original sample, and any vulnerabilities found will cause a fail and require full recertification. There will still be a 30-day remediation window from the date of the initial scan to fix the issues.

We encourage all Cyber Essentials Plus applicants to invest in a vulnerability scanner, or use Indelible Data’s scanning or gap analysis services, to ensure that no devices report any high or critical findings ahead of the Danzell audit.

You can use this spreadsheet to help understand the changes that will come in when the Willow question set is replaced by Danzell in April: See the differences between Willow and Danzell

The Danzell question set replaces Willow on April 27th 2026. If you have a Willow account on the Cyber Essentials portal, you will still have six months from this date to pass Basic and a further three months after certification to pass the associated Plus on the Willow standard.

We will be holding webinars about Danzell and its implications for our clients and Trusted Partners in March and will be in touch soon regarding this.