Implementing Cyber Essentials: Your 5-Step Action Plan

Stop Paying Consultants to Read Government Websites

After this week's podcast and deep-dive article exposing compliance theatre, you've probably realised that Cyber Essentials is the only certification most UK SMBs need. But here's what gets my blood boiling: consultants charge £8,000 to £15,000 to implement something you can do yourself in as little as six weeks for under £4,000 of implementation effort. (Hardware that has to be replaced is a separate bill whichever route you take; more on that below.)

The NCSC designed Cyber Essentials to be simple enough for SMBs to implement without expensive consultants. The documentation is free, the requirements are straightforward, and the technical controls are basic cybersecurity hygiene. Yet the compliance industry has convinced businesses they need "expert guidance" to tick five bloody boxes: firewalls, secure configuration, user access control, malware protection and security update management.

Today, we're cutting out the middleman. This is your complete, no-nonsense guide to implementing Cyber Essentials yourself, saving thousands while securing your business instead of just documenting it.

Before You Start: Reality Check

Cyber Essentials isn't rocket science, but it does require an honest assessment of your current environment. Here's what consultants don't tell you: I've never seen an SMB that thought it was "ready for Cyber Essentials" actually be ready without significant remediation work.

The NCSC designed the framework assuming you already have basic security hygiene. Most businesses don't. You'll likely discover Windows 7 machines hiding in corners, unpatched servers running critical applications, and network equipment with default passwords that haven't been updated since installation.

My proven method follows six phases: Audit, Fix, Validate, Audit again, Fix again, and Certify. We aim for zero vulnerabilities; "good enough for government work" is not the standard.

Budget realistically based on what you find, not what you hope to find.

Budget 20-40 hours of hands-on work from someone with basic IT knowledge over the six weeks, plus whatever remediation time your environment requires. If you can manage your business, you can implement Cyber Essentials. The NCSC isn't trying to trick you; they want you to succeed.

Just to clarify, I implemented Cyber Essentials and Cyber Essentials Plus for a two-person Financial Consultancy firm in under two days, but it involved two brand-new machines and two iPhones. This is an exception but it does happen.

The Windows 10 End-of-Life Crisis

Here's the critical timeline that most SMBs are ignoring: Windows 10 reaches end of support on 14 October 2025. That's not a distant problem; it's happening this year. Every Windows 10 machine in your environment needs upgrading to Windows 11 (24H2 is the current baseline) or replacing outright.

Microsoft isn't extending Windows 10 support for free. Extended Security Updates are a paid, time-limited stopgap whose price rises each year, and for most SMBs that money is better spent on replacement hardware. Any business planning to "ride Windows 10 until it breaks" will fail Cyber Essentials certification and become a sitting duck for attackers.

Vulnerability scanners flag an unsupported operating system as a critical finding on every machine running it, so from October 2025 every Windows 10 box lights up red. You can't achieve zero vulnerabilities (our target) while running unsupported operating systems. Resolve it all now and you will find renewal a snap.

Realistic Cost Breakdown

For a typical 15-employee business, after honest and brutal vulnerability scanning:

Discovery Phase:

  • Professional vulnerability scanning tools: £200-400/month

  • Network assessment: £300-500

  • Comprehensive endpoint audit: £200-400

Remediation Costs (The Reality):

  • Replace 3-5 Windows 7/8/10 computers: £2,400-4,000 (desktops at £800 each)

  • Replace 2-3 obsolete laptops: £2,000-3,000 (laptops at £1,000 each)

  • Business firewall replacement: £800-1,500

  • Endpoint security for all devices: £3-5 per endpoint monthly (£540-900 annually for 15 devices)

  • Network equipment updates: £500-1,000

  • Replace XP-based phone/alarm systems: £2,000-5,000

  • Professional implementation time: £2,000-4,000

Certification:

  • NCSC-approved body: £300-500

  • Realistic Total: £11,240-21,200 if every line above applies (counting one month of scanning tools); skip the XP replacements and the outside help and it drops to roughly £7,200-12,200

For a 40-employee business, expect 8-12 machines needing replacement, pushing hardware costs alone to £6,400-12,000 before you've implemented any security controls.

The biggest budget shock for most SMBs comes from discovering how much of their hardware needs complete replacement. Windows 7, 8, and older Windows 10 machines typically can't be upgraded to Windows 11 due to hardware limitations, not just software licensing.

Hardware Reality: The Triple Threat

Most SMBs face a perfect storm of obsolete hardware:

Windows 7/8 machines can't be upgraded to Windows 11: they predate the hardware bar (TPM 2.0, UEFI with Secure Boot, a CPU on Microsoft's supported list, 4 GB RAM, 64 GB storage). Complete replacement required at £800-1,000 per device.

Windows 10 machines bought before about 2018 usually fail the Windows 11 check too, most often on the supported-CPU list (8th-generation Intel Core, Ryzen 2000 and later) rather than on TPM; many of them have a TPM 2.0 that is simply disabled in firmware, so check the firmware settings before condemning a machine. Even where an older box scrapes through the check, performance on that hardware makes it unusable. Budget for replacement rather than struggling with hardware that barely functions.

XP-based systems running phone systems, alarm systems, or industrial equipment must be replaced entirely. No exceptions, no workarounds, no "air-gapped" excuses. To be precise about scope: a device that genuinely never touches the network or the internet sits outside the assessment boundary, but "air-gapped" almost always turns out to mean "plugged into the same flat LAN as everything else", and that is in scope. Any XP system on your network must be replaced, regardless of function or business justification.

The Smart Approach: Continuous Compliance Monitoring

Here's what separates successful SMBs from those struggling with annual compliance theatre: continuous monitoring instead of panic-driven annual assessments. For just a few pounds per endpoint monthly, you can maintain constant Cyber Essentials compliance while automating most of the tedious work.

Modern compliance platforms combine vulnerability scanning, patch management, and compliance reporting in single packages that cost less than hiring someone to manage spreadsheets manually.

What you get in a single package:

  • Continuous vulnerability scanning (not just point-in-time assessments)

  • Automated patch management with business-safe deployment schedules

  • Real-time compliance dashboard showing your current Cyber Essentials status

  • Automated evidence collection for annual renewals

  • Asset discovery and inventory management

  • Configuration management and drift detection

What this saves you:

  • No more frantic pre-renewal scrambles to gather evidence

  • No more manual patch management eating your weekends

  • No more surprise vulnerability discoveries during certification

  • No more paying consultants to interpret compliance status

Vendor Examples and Package Deals

CyberSmart Platform (My Recommended Solution): I use this for my customers, and there's a good reason for that preference. CyberSmart is a Cyber Essentials solution specifically designed for SMBs, combining continuous compliance monitoring, automated patching, Cyber Security Awareness Training, a privacy toolbox, and compliance reporting in one platform. They understand the UK regulatory environment, speak plain English instead of vendor marketing bollocks, and price realistically at around £5-7 per endpoint monthly. Their support team knows what Cyber Essentials requires, which saves enormous amounts of time during implementation and renewals.

ConnectSecure Complete: Vulnerability scanning, patch management, compliance monitoring, and asset management are all done in one platform. Pricing starts around £8-10 per endpoint monthly, with discounts for annual commitments. It has strong technical capabilities but requires a lot more configuration for UK-specific requirements.

Why I Choose CyberSmart for My Customers

After implementing dozens of Cyber Essentials projects, I've standardised on CyberSmart because it eliminates the compliance theatre that plagues other solutions. Their platform is designed specifically for UK SMBs pursuing Cyber Essentials, which means:

  • No configuration headaches: Templates for Cyber Essentials compliance work out of the box without expensive customisation

  • UK-specific vulnerability intelligence: Understands NCSC guidance and UK regulatory requirements

  • Sensible patch management: Deployment schedules that respect UK business hours and holiday periods

  • Plain English reporting: Compliance dashboards your executives can understand

  • Responsive support: UK-based team that understands SMB constraints and timelines

The platform costs slightly more than basic vulnerability scanners but saves weeks of configuration time and eliminates the need for separate patch management tools. For my customers, the total cost of ownership is lower because everything works together without integration nightmares.

Real-Time Visibility from Day One

Here's what makes modern compliance platforms like CyberSmart genuinely valuable: you get complete visibility into your security posture when you deploy agents. No waiting weeks for consultants to produce reports, no paying extra for "discovery phases," no surprises during implementation.

CyberSmart's Dashboard immediately shows you:

  • Every device on your network with its current patch status

  • All vulnerabilities, ranked by actual risk to your business

  • Compliance gaps preventing Cyber Essentials certification

  • Real-time security posture with automated evidence collection

  • Patch deployment status and any failed updates

The other professional tools (ConnectSecure, Automox, Qualys) provide similar immediate visibility, but CyberSmart's UK focus means their dashboards are specifically designed around NCSC requirements rather than generic compliance frameworks.

This immediate visibility eliminates the traditional "discovery shock", where businesses spend weeks learning how broken their environment is. You know exactly what needs fixing from day one, with realistic timelines and cost estimates based on actual data rather than consultant guesswork.

Flexible Payment Options

CyberSmart offers a particularly business-friendly approach to implementation costs. Rather than demanding large upfront payments for audit and implementation work, they can bundle their continuous compliance platform with initial audit and setup fees into a monthly payment.

Instead of finding £5,000-10,000 upfront for professional assessment and initial remediation guidance, you can spread the entire cost over 12 months. The monthly payment covers:

  • Platform licensing for continuous monitoring

  • Initial comprehensive audit and vulnerability assessment

  • Implementation guidance and priority recommendations

  • Ongoing compliance monitoring and automated evidence collection

  • Annual renewal preparation with automated reporting

For cash-flow-conscious SMBs, this approach transforms a significant capital expense into manageable operational costs while providing superior ongoing security management.

The other platforms typically require separate payments for implementation services, making CyberSmart's bundled approach particularly attractive for businesses that need professional guidance without consultant-level fees.

Continuous vs Annual Compliance: The Cost Reality

Annual Compliance Approach:

  • Pre-renewal vulnerability scan: £500-800

  • Emergency remediation of discovered issues: £2,000-5,000

  • Staff time for evidence gathering: £1,000-2,000

  • Consultant fees for "audit readiness": £2,000-4,000

  • Annual cost: £5,500-11,800 plus stress and panic

Continuous Compliance Approach:

  • Integrated platform: £5-8 per endpoint monthly

  • Automated evidence collection: £0 (included)

  • Emergency remediation: £0 (issues caught and fixed continuously)

  • Renewal preparation time: 2-3 hours maximum

  • Annual cost for 15 endpoints: £900-1,440 plus peace of mind

The continuous approach costs roughly a quarter or less of the annual panic method while providing a vastly better security and compliance posture.

The Six-Phase Implementation Method

Phase 1: Comprehensive Audit (Week 1-2)

Start with a proper vulnerability scan using professional tools like CyberSmart or ConnectSecure. These aren't free toys; they're business-grade scanners that find real vulnerabilities that criminals actually exploit. Budget £200-400 monthly for scanning tools during your implementation period.

Don't skip professional scanning because you think you know what you'll find. Professional scanners will discover vulnerabilities you didn't know existed, particularly in network devices and embedded systems that basic scans miss completely.

Inventory every single device that touches your network, including that ancient Windows XP machine running the alarm system, the printer with embedded Linux that's never been patched, and the smart TV in the boardroom that connects to your WiFi.

Document every piece of software, every operating system version, every firmware revision. Create a spreadsheet of doom listing everything that needs attention. Most SMBs discover they have 30-50% more endpoints than they thought, and asset discovery tools will find devices you forgot existed.

Check every password on every system. That includes routers, switches, WiFi access points, printers, and any IoT devices. Default passwords are everywhere, and vulnerability scanners will flag them mercilessly.
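The Windows side of this audit (and the Windows 11 readiness question from the hardware section above) is scriptable, so here is an added example for this guide; it is not code from the original post or from any vendor's platform. Run it elevated on each Windows machine, or push it to every PC with WinRM enabled via Invoke-Command, and it emits one row of the spreadsheet of doom: whether the OS is still supported, whether the box can take Windows 11, when it was last patched, who is a local administrator and whether the host firewall is on. It assumes the Windows 10/11 cmdlets (Get-LocalGroupMember, Get-NetFirewallProfile and friends); the 14 October 2025 date and the Windows 11 hardware bar are Microsoft's published figures; Test-Win11Cpu is an approximation of Microsoft's supported-CPU lists and the PC Health Check app remains the authoritative answer.

```powershell
# Added endpoint audit example (not from the original post or any vendor).
# Run elevated: Get-Tpm, Confirm-SecureBootUEFI and Get-BitLockerVolume need it.
$Win10EndOfSupport = Get-Date '2025-10-14'   # Microsoft's published end-of-support date

function Test-Win11Cpu {
    param([string] $Name)
    # Approximation of Microsoft's supported-CPU lists (PC Health Check is authoritative).
    # Intel: 8th-generation Core or later. Model digits: 3 digits = gen 1; 4 digits not
    # starting with 1 = gen is the first digit (2xxx..9xxx); otherwise the first two digits.
    if ($Name -match 'Core\(TM\) i[3579]-(\d{3,5})') {
        $d = $Matches[1]
        $gen = if ($d.Length -eq 3) { 1 }
               elseif ($d.Length -eq 4 -and $d.Substring(0, 1) -ne '1') { [int]$d.Substring(0, 1) }
               else { [int]$d.Substring(0, 2) }
        return $gen -ge 8
    }
    # AMD: Ryzen 2000 series or later.
    if ($Name -match 'Ryzen \d (?:PRO )?(\d{4})') { return ([int]$Matches[1]) -ge 2000 }
    return $null   # unknown family (Core Ultra, Celeron, Atom...): check by hand
}

function Get-EndpointAudit {
    $os  = Get-CimInstance Win32_OperatingSystem
    $cs  = Get-CimInstance Win32_ComputerSystem
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1

    # Operating system support status (ProductType 1 = workstation; servers have their own dates)
    $build = [int]$os.BuildNumber
    $osStatus = if ($os.ProductType -ne 1) { 'Server: check Microsoft lifecycle dates manually' }
                elseif ($build -ge 22000)  { 'Supported (Windows 11)' }
                elseif ($build -ge 10240)  {
                    if ((Get-Date) -ge $Win10EndOfSupport) { 'UNSUPPORTED: Windows 10 past 14 Oct 2025' }
                    else { 'Windows 10: unsupported from 14 Oct 2025' }
                }
                else { 'UNSUPPORTED: pre-Windows 10, replace' }

    # Windows 11 hardware bar: TPM 2.0, UEFI with Secure Boot, 4 GB RAM, 64 GB disk, supported CPU
    $tpmSpec    = (Get-CimInstance -Namespace root\cimv2\security\microsofttpm -ClassName Win32_Tpm `
                      -ErrorAction SilentlyContinue).SpecVersion       # e.g. "2.0, 0, 1.38"
    $tpmReady   = try { (Get-Tpm).TpmReady } catch { $false }
    $firmware   = $env:firmware_type                                   # 'UEFI' or 'Legacy'
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }      # throws on legacy BIOS
    $ramGB      = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $diskGB     = [math]::Round((Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'").Size / 1GB)
    $cpuOk      = Test-Win11Cpu $cpu.Name
    $win11Ready = ($tpmSpec -like '2.0*') -and $tpmReady -and ($firmware -eq 'UEFI') -and $secureBoot -and
                  ($ramGB -ge 4) -and ($diskGB -ge 64) -and ($cpuOk -eq $true)

    # Patch currency, disk encryption, local admins, host firewall
    $lastPatch   = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
                    Select-Object -First 1).InstalledOn
    $bitlocker   = try { (Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus } catch { 'Unknown' }
    $localAdmins = try { (Get-LocalGroupMember -Group 'Administrators').Name -join '; ' } catch { 'Unknown' }
    $fwOff       = (Get-NetFirewallProfile | Where-Object { -not $_.Enabled }).Name -join '; '

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OS             = "$($os.Caption) $($os.Version)"
        OSStatus       = $osStatus
        CPU            = $cpu.Name
        CpuOnWin11List = $cpuOk
        TPM            = $tpmSpec
        Firmware       = $firmware
        SecureBoot     = $secureBoot
        RAM_GB         = $ramGB
        SystemDisk_GB  = $diskGB
        Win11Ready     = $win11Ready
        LastPatch      = $lastPatch
        BitLocker      = $bitlocker
        LocalAdmins    = $localAdmins
        FirewallOffFor = $(if ($fwOff) { $fwOff } else { 'none' })
        AuditedAt      = Get-Date -Format 's'
    }
}

Get-EndpointAudit   # emit this machine's row when the script is run directly
```

Save it as Get-EndpointAudit.ps1 and run `.\Get-EndpointAudit.ps1 | Export-Csv audit.csv -NoTypeInformation -Append` on each machine, or `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Get-EndpointAudit.ps1 | Export-Csv audit.csv -NoTypeInformation` across the estate. A machine on which it will not even run (Windows 7 ships PowerShell 2.0, which has none of these cmdlets) has just told you what it needs. Printers, phones, switches and the alarm box are not covered by this: they need the network scanner and a manual login with the default credentials from the manual.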

Phase 2: Fix Everything (Week 3-5)

This is where reality meets budget, and vulnerability scanners don't lie about what needs fixing. You'll likely discover:

  • 20-30% of computers running Windows 7, 8, or 10 that can't be upgraded to Windows 11

  • Network equipment that hasn't been updated in years

  • Critical business applications that only work on obsolete operating systems

  • Servers running in cupboards that nobody remembers installing

  • Printers with more vulnerabilities than a sieve has holes

Replace end-of-life systems immediately, and here's the harsh financial reality: modern business desktops cost around £800, laptops around £1,000. If you have five Windows 7 machines that can't be upgraded, you're looking at £4,000-5,000 just for hardware replacement before you've bought any software or implemented any security controls.

Most Windows 7, 8, and older Windows 10 machines can't meet Windows 11 hardware requirements (TPM 2.0, UEFI, sufficient RAM), so budget for complete replacement rather than hoping for cheap upgrades that won't work.

Patch everything systematically, starting with internet-facing systems and working inward. Test patches on non-critical systems first, especially for applications that might break with updates.

Phase 3: Validate Implementation (Week 6)

Run the same vulnerability scans that revealed the problems initially. Compare results to your Phase 1 baseline. We're aiming for zero critical vulnerabilities and zero medium vulnerabilities that could be chained together.

Test your firewall configuration by attempting to access internal services from external networks. If you can reach internal systems from the internet, so can criminals.

Verify that access controls actually work by testing user accounts, administrative privileges, and system permissions. Documentation means nothing if the controls don't function.
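To turn the two checks above into evidence rather than a feeling, here is an added example for this guide; it is not code from the original post or from any vendor's platform. The first function is run from outside the office (a laptop on a phone hotspot) against your public IP: inside the LAN the router's NAT hairpin can lie to you, outside, whatever answers is open to the whole internet. The second is run elevated on each endpoint and checks the user access control points Cyber Essentials asks about against an allow-list you supply. The port list, the placeholder admin account in the default allow-list, the example public IP (a documentation address) and the 90-day staleness window are all assumptions to adjust.

```powershell
# Added Phase 3 validation example (not from the original post or any vendor).

function Invoke-ExternalExposureCheck {
    # Run from OUTSIDE the office network against your public IP.
    param(
        [Parameter(Mandatory)] [string] $PublicIp,
        [int[]] $Ports = @(21, 22, 23, 25, 80, 443, 445, 1433, 3306, 3389, 5900, 8080, 8443)   # assumed list
    )
    # Services that should never answer on a public address in an SMB office
    $neverExpose = @(21, 23, 445, 1433, 3306, 3389, 5900)
    foreach ($port in $Ports) {
        $open = Test-NetConnection -ComputerName $PublicIp -Port $port -InformationLevel Quiet `
                                   -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            Open    = $open
            Verdict = if (-not $open)                 { 'closed' }
                      elseif ($port -in $neverExpose) { 'FAIL: close it or put it behind a VPN' }
                      else                            { 'REVIEW: is this service published on purpose?' }
        }
    }
}

function Test-LocalAccessControls {
    # Run elevated ON the endpoint. Domain-joined estates should repeat the account checks
    # in Active Directory (Get-ADUser / Get-ADGroupMember) as well.
    param(
        # Who may be a local administrator here; the default is a placeholder, use your real admin account or group
        [string[]] $AllowedAdmins = @("$env:COMPUTERNAME\itadmin"),
        [int] $StaleDays = 90
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Ok, $Detail)
        $findings.Add([pscustomobject]@{
            Check  = $Check
            Result = $(if ($Ok) { 'PASS' } else { 'FAIL' })
            Detail = $(if ($Detail) { $Detail } else { 'none found' })
        })
    }
    $users = Get-LocalUser

    # 1. Nobody in Administrators beyond the allow-list ("admin accounts only for admin tasks")
    $admins = @((Get-LocalGroupMember -Group 'Administrators').Name)
    $extra  = @($admins | Where-Object { $_ -notin $AllowedAdmins })
    & $add 'Local Administrators limited to allow-list' ($extra.Count -eq 0) ($extra -join ', ')

    # 2. Built-in Administrator (RID 500) and Guest (RID 501) disabled
    $builtin = @($users | Where-Object { $_.Enabled -and ($_.SID.Value -match '-(500|501)$') })
    & $add 'Built-in Administrator and Guest disabled' ($builtin.Count -eq 0) ($builtin.Name -join ', ')

    # 3. Every enabled account must require a password
    $noPwd = @($users | Where-Object { $_.Enabled -and -not $_.PasswordRequired })
    & $add 'All enabled accounts require a password' ($noPwd.Count -eq 0) ($noPwd.Name -join ', ')

    # 4. Enabled accounts nobody has used in $StaleDays days, or ever (leavers, forgotten vendor logins)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $stale  = @($users | Where-Object { $_.Enabled -and (-not $_.LastLogon -or $_.LastLogon -lt $cutoff) })
    & $add "No enabled accounts unused for $StaleDays days" ($stale.Count -eq 0) ($stale.Name -join ', ')

    # 5. UAC on, so a standard-user session cannot silently run as admin
    $uac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
    & $add 'UAC enabled (EnableLUA=1)' ($uac -eq 1) "EnableLUA=$uac"

    # 6. Host firewall on for every profile and not defaulting inbound to Allow
    $badProfiles = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -eq 'Allow' })
    & $add 'Host firewall on with inbound blocked by default' ($badProfiles.Count -eq 0) ($badProfiles.Name -join ', ')

    return $findings
}
```

Usage: `Invoke-ExternalExposureCheck -PublicIp 203.0.113.10 | Format-Table` from the hotspot laptop, and `Test-LocalAccessControls -AllowedAdmins 'CORP\IT Admins', "$env:COMPUTERNAME\itadmin" | Format-Table -AutoSize` on each endpoint. Every FAIL row is a control that does not function regardless of what the policy document says; fix it, rerun, and keep the clean output as the evidence for Phase 6.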

Phase 4: Second Audit (Week 7)

Repeat the comprehensive audit with fresh eyes, preferably using different scanning tools or configurations. New vulnerabilities appear constantly, and some issues only become visible after other problems are resolved.

Focus particularly on systems that were modified during Phase 2. Patches sometimes introduce new vulnerabilities, and configuration changes can create unexpected exposures.

Document everything again, comparing against your Phase 1 baseline to confirm improvement and identify any regression.

Phase 5: Final Remediation (Week 8)

Address any issues discovered during Phase 4 validation. This phase should be much smaller than Phase 2, typically involving configuration tweaks rather than wholesale system replacement.

Implement ongoing monitoring to catch future problems before they become security incidents. Basic network monitoring and automated patch management will prevent you from returning to Phase 1 conditions.

Phase 6: Certification Process (Week 9-10)

Complete the Cyber Essentials self-assessment questionnaire (the scheme is run for the NCSC by its delivery partner IASME and a network of licensed certification bodies) based on your validated, secured environment. Every answer should be backed by evidence from your audit and remediation work that you could produce on request.

Submit the questionnaire to a certification body for assessment. For Cyber Essentials Plus an assessor then checks a sample of your devices hands-on, so the answers have to match reality rather than aspiration. Your evidence should demonstrate not just compliance but actual security improvement.

Implementation Strategy: Continuous from Day One

Don't implement Cyber Essentials manually then add monitoring later. Start with continuous compliance platforms from the beginning, and CyberSmart makes this approach particularly straightforward:

  • Month 1: Deploy CyberSmart platform and establish baseline using their Cyber Essentials templates

  • Month 2: Use platform insights to guide remediation priorities with UK-specific vulnerability context

  • Month 3: Achieve initial Cyber Essentials certification with automated evidence collection

  • Ongoing: Maintain compliance automatically with minimal manual intervention

This approach costs less than traditional implementation while providing superior ongoing security and compliance management. CyberSmart's UK focus means the process aligns with NCSC expectations and UK business practices.

Common Hidden Costs That Destroy Budgets

Legacy Application Dependencies: That critical business application that only works on Windows 7 will require replacement or substantial modification. Budget £5,000-20,000 for application updates or alternatives.

Network Infrastructure Overhaul: Your current network probably can't support proper segmentation and monitoring. Expect to replace switches, upgrade cabling, and reconfigure everything. Add £3,000-8,000 for proper network infrastructure.

Training and Process Changes: Staff will need training on new systems, new procedures, and new security tools. Factor in productivity losses during the transition period. Budget 10-20% reduction in productivity for 2-4 weeks.

Ongoing Maintenance: Cyber Essentials isn't a one-time project. With continuous monitoring platforms, budget £5-8 per endpoint monthly for automated compliance management.

Why Most SMBs Fail at Self-Implementation

The technical work isn't the problem; it's the scope of remediation required. Most businesses discover they need to replace or upgrade 50-80% of their IT infrastructure to meet basic security standards.

Time requirements explode when you find systems that can't be easily patched, applications that break with security updates, and network configurations that violate basic security principles.

Budget shock occurs when businesses realize that proper cybersecurity costs more than their annual IT budget. Many give up or accept partial compliance, which provides zero protection.

Making It Work: Phased Budget Approach

Month 1-2: Critical Systems Only

Focus on internet-facing systems and those containing sensitive data. Replace or secure the highest-risk systems first. Budget £3,000-6,000 for immediate security improvements.

Month 3-4: Core Infrastructure

Upgrade network equipment, implement proper access controls, and secure remaining business-critical systems. Budget £4,000-8,000 for infrastructure improvements.

Month 5-6: Complete Implementation

Address remaining systems, complete documentation, and pursue certification. Budget £2,000-4,000 for final implementation and certification.

This approach spreads costs over six months while providing incremental security improvements. You're not compliant until everything is complete, but you're more secure after each phase.

When You Need Professional Help

Of course, if you need a consultant to guide you through implementation, ensure nothing gets overlooked, or handle the technical work while you focus on running your business, that's exactly what I do for SMBs across the UK.

My approach eliminates the compliance theatre that plagues traditional cybersecurity consulting. Instead of expensive governance frameworks that impress auditors but don't stop attacks, I focus on technical controls that actually protect your business while meeting NCSC requirements.

I work with CyberSmart's platform for most clients because it provides the continuous monitoring foundation that makes everything else work efficiently. Rather than annual panic-driven assessments, we implement sustainable security practices that maintain compliance automatically.

Typical engagement includes:

  • Honest vulnerability assessment using professional scanning tools

  • Realistic budget planning based on actual hardware and software needs

  • Phased implementation that respects cash flow and business operations

  • Staff training focused on practical security rather than policy compliance

  • Ongoing support that doesn't create consultant dependency

My goal is making you independent and secure, not creating recurring revenue streams through artificial complexity. Most clients need 2-4 weeks of focused implementation work, then periodic reviews as their business grows or technology changes.

For implementation quotes or honest assessment of whether you actually need professional help, contact me through the website. I'll tell you if you can handle it yourself or if professional guidance would save time and money in your specific situation.

Common Mistakes to Avoid

Don't overcomplicate the technical controls because consultants convince you it's more complex than it actually is. NCSC designed Cyber Essentials to be achievable by SMBs without expensive expertise.

Don't ignore the ongoing maintenance requirements. Security controls require regular attention to remain effective. Set up continuous monitoring platforms that you can actually sustain long-term.

Don't treat Cyber Essentials as the end goal rather than the foundation. These five controls address common threats but don't cover everything. Build on this foundation with additional security measures as your business grows.

Don't let certification bodies or consultants add unnecessary requirements. Cyber Essentials has specific, defined criteria. Anything beyond those requirements is probably someone trying to sell you additional services.

Budget Planning for Continuous Compliance

15-employee business:

  • Platform licensing: £900-1,440 annually

  • Initial setup: £0 (included with CyberSmart)

  • Ongoing management: minimal (2-3 hours monthly)

  • Total annual cost: £900-1,440

40-employee business:

  • Platform licensing: £2,400-3,840 annually

  • Initial setup: £0 (included with CyberSmart)

  • Ongoing management: minimal (3-4 hours monthly)

  • Total annual cost: £2,400-3,840

Compare this to annual compliance costs or the price of a single security incident, and continuous monitoring becomes the obvious choice for any business serious about cybersecurity.

Implementation Without the Anxiety

Whether you choose the DIY approach with CyberSmart's guidance or professional implementation support, the key is starting with honest assessment and realistic budgeting. The platform provides immediate visibility into what needs fixing, eliminating the guesswork that makes cybersecurity feel overwhelming.

Most importantly, continuous monitoring platforms transform Cyber Essentials from an annual compliance burden into ongoing security management that actually protects your business. You'll know immediately when new vulnerabilities emerge, when patches are needed, and when your compliance status changes.

This proactive approach costs less than reactive annual assessments while providing vastly better security outcomes. Whether you implement it yourself or work with professionals, the foundation of continuous monitoring makes everything else more manageable and more effective.

The choice between DIY and professional help depends on your internal technical capacity, available time, and budget constraints. Either way, you'll end up with better security and lower long-term costs than traditional compliance approaches that focus on documentation rather than protection.

The Brutal Truth About DIY Implementation

Most SMBs can technically implement Cyber Essentials themselves, but few have the budget for proper remediation or the time for thorough implementation. The choice isn't between DIY and consultants; it's between doing it properly and accepting ongoing vulnerability.

If your current IT budget is under £10,000 annually, you probably can't afford proper Cyber Essentials implementation without external funding or significant business investment. That's not a failure; it's financial reality.

Consider Cyber Essentials as a forcing function to invest in IT infrastructure you should have upgraded years ago. The certification is secondary to actually securing your business against real threats.

Your Next Steps

Download the current Cyber Essentials question set from IASME today and start your honest audit. Budget £10,000-20,000 for realistic implementation, including necessary hardware replacement. Set up continuous monitoring from day one with platforms like CyberSmart.

Remember that Cyber Essentials represents basic security hygiene, not comprehensive protection. Use it as your foundation but don't stop there. Add email security, backup systems, and incident response capabilities as your budget allows.

Most importantly, don't let consultants convince you that basic cybersecurity requires expensive expertise. You can implement these controls yourself, saving thousands while understanding what protects your business.

The NCSC designed Cyber Essentials for SMBs like yours. Take advantage of that instead of funding the compliance industry's luxury lifestyle. Start with professional monitoring tools, budget realistically for hardware replacement, and focus on continuous compliance rather than annual panic.

The smartest SMBs treat continuous compliance monitoring as essential infrastructure, like email or accounting software. It's not an optional add-on; it's the foundation that makes everything else work efficiently and cost-effectively.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com