Cyber Essentials Readiness Assessment — Konve IT


Pay-as-you-go  ·  No implementation  ·  Fixed fee

Cyber Essentials Readiness Assessment

A structured assessment of your entire IT environment against all five Cyber Essentials controls — delivered as a written report with a prioritised remediation checklist and a plain statement of where you stand.

All five controls assessed  ·  Delivered within 10 working days  ·  No implementation included

Fixed fee: £500, exclusive of VAT  ·  No per-user charge

What Cyber Essentials is

The UK Government's baseline cybersecurity standard — and increasingly, a contractual requirement.

Cyber Essentials is a UK Government-backed certification scheme administered by IASME on behalf of the National Cyber Security Centre. It requires organisations to demonstrate that five technical controls are in place — controls that, when properly configured, protect against the majority of common cyber attacks.

Certification was once a differentiator. It is increasingly becoming a minimum requirement. The Legal Aid Agency has mandated it for Standard Crime Contract holders. Many public sector supply chain contracts require it. Professional indemnity insurers are beginning to ask for it. For law firms, accountancy practices, and other professional services businesses, the question is no longer whether to certify — it is how quickly.

This assessment tells you where you stand against all five controls before you commit to a certification programme. No surprises, no failed submissions, no wasted time on a programme that reveals the environment was not ready.

01

Firewalls

Boundary firewalls and software firewalls on all in-scope devices — correctly configured, default settings changed, unnecessary inbound services blocked.

02

Secure Configuration

All devices and software configured securely — unnecessary software removed, default passwords changed, auto-run disabled, operating systems hardened.

03

User Access Control

User accounts limited to what is needed, administrator accounts separate and governed, MFA enforced where supported — from April 2026, absence of MFA where supported is an automatic failure.

04

Malware Protection

Endpoint protection active and updated on all in-scope devices, macro execution restricted, application controls in place where applicable.

05

Patch Management

Critical and high-severity security patches applied within 14 days of release, unsupported software removed or isolated, operating systems on supported versions.

What the assessment covers

Your entire IT environment — all five controls, all in-scope systems.

Cyber Essentials applies to all devices and cloud services used by your organisation that connect to the internet or store your data. The assessment reviews everything in scope — not a sample, not a subset.

Area 01

Microsoft 365 Environment

MFA enforcement status, Conditional Access policy coverage, Microsoft Defender activation, Purview configuration, SharePoint and OneDrive sharing settings, and email authentication records — SPF, DKIM, DMARC.

Area 02

Devices — Windows and macOS

Operating system version and patch status, endpoint protection coverage and configuration, BitLocker or FileVault encryption, software firewall status, and application update currency.

Area 03

Mobile Devices

iOS, iPadOS, and Android devices used to access work data — OS version, screen lock enforcement, encryption, and whether personal devices are within scope and appropriately managed.

Area 04

Network and Firewalls

Boundary firewall configuration at office locations, guest network separation, VPN usage for remote workers, and software firewall status on all in-scope devices.

Area 05

Cloud Services

All cloud services used by in-scope staff — Microsoft 365, Google Workspace, line-of-business SaaS platforms, and any other service accessed with organisational credentials. MFA status per service.

Area 06

User and Administrator Accounts

Account provisioning and governance across all in-scope systems — admin account separation, privilege levels, stale account identification, and password policy configuration.

What you receive

One report. Five control findings. A clear next step.

The Readiness Assessment Report is delivered in PDF within ten working days of commencement. It is structured for both a technical audience and a non-technical one.

Executive Summary

A plain-language summary of the overall security posture — written for a managing partner, senior partner, or board. No jargon. Suitable for presentation to leadership without further translation.

Control-by-Control Assessment

A structured pass or fail finding against each of the five Cyber Essentials controls, with the specific evidence supporting each finding and the exact requirement being assessed.

Prioritised Remediation Checklist

Every gap identified, rated Critical, High, or Advisory. For each gap: the specific remediation action required, the Cyber Essentials control it addresses, and an indicative effort level.

Findings Presentation

A sixty-minute remote session with your nominated contact to walk through the findings, answer questions, and discuss the recommended path to certification.

Scope Documentation

A record of the systems, devices, and cloud services within scope of the assessment — usable as the starting point for the Cyber Essentials Full Programme submission questionnaire.

Who this is for

The right starting point before committing to a certification programme.

This assessment is the entry point to the Cyber Essentials journey. It is designed for organisations that need to understand their position before committing to the remediation and certification investment.

Situation 01

You need Cyber Essentials but have no idea how much work is involved.

The assessment answers that question precisely. For some organisations, the environment is largely compliant and the Full Programme is a straightforward four-to-six-week engagement. For others, significant remediation is required before a submission would succeed. The assessment tells you which camp you are in before you commit to either path.

Situation 02

A previous Cyber Essentials submission failed and you want to understand why before trying again.

A failed submission leaves gaps that are often unclear even to the applicant. This assessment maps the environment against all five controls and identifies specifically what failed, what was borderline, and what needs to change before the next submission.

Situation 03

A contract renewal, Legal Aid Agency requirement, or insurer is asking for Cyber Essentials within a defined timeframe.

When there is a deadline, understanding your position from day one is critical. The assessment identifies whether the timeline is achievable with your current environment, or whether it requires immediate escalation to the Full Programme.

Situation 04

You want an independent view of your security posture without committing to a full programme.

The assessment stands on its own. There is no obligation to proceed to the Full Programme, and no follow-on sales pressure. The report is yours. You can act on it with Konve IT, with another provider, or internally.

What this service does not include

This is an assessment and reporting engagement only. No changes are made to your environment.

  • Remediation or implementation of any kind
  • Cyber Essentials certification or submission support
  • Assessment of ISO 27001 or any other framework
  • Penetration testing or vulnerability scanning
  • Assessment of systems outside the agreed scope
  • Any follow-on work — subject to a separate Statement of Work

Pricing

One flat fee. No per-user component.

The assessment fee is fixed regardless of organisation size. The work involved in assessing an environment against five Cyber Essentials controls does not scale linearly with headcount.

Cyber Essentials Readiness Assessment

£500, exclusive of VAT

  • Structured assessment against all five Cyber Essentials controls — firewalls, secure configuration, user access control, malware protection, and patch management
  • Readiness Assessment Report in PDF — executive summary, control-by-control findings, prioritised remediation checklist, certification readiness statement, and scope documentation
  • Sixty-minute remote findings presentation with your nominated contact
  • Delivered within ten working days of commencement
  • Payable in full upfront — no milestone billing

Proceeding to the Full Programme?

Where the client proceeds to the Cyber Essentials Full Programme within six months of this assessment, the Phase 1 gap assessment within the Full Programme can be abbreviated — reflecting the work already completed in this assessment. Konve IT will confirm the adjusted scope and fee at the time.

MFA is now mandatory  ·  From April 2026

From April 2026, the absence of multi-factor authentication where it is supported by the service or platform is an automatic Cyber Essentials failure. This applies to Microsoft 365, Google Workspace, and any other cloud service that supports MFA. If MFA is not enforced across all your cloud services, this assessment will flag it as a Critical gap. The Microsoft 365 Compliance-Aligned Tenant Remediation engagement addresses this directly.

Legal Aid Agency mandate  ·  October 2025

The Legal Aid Agency mandated Cyber Essentials for all Standard Crime Contract holders from October 2025. If your firm holds a Legal Aid contract and does not yet hold a Cyber Essentials certificate, you are operating outside your contractual obligations. This assessment establishes your current position. The Cyber Essentials Full Programme takes you to a valid certificate.

How to get started

Three steps. Assessment underway within days.

The questionnaire for this assessment captures your device inventory, cloud services in scope, and the access you will provide. The more completely you answer it, the more precise the assessment.

01

Complete the onboarding form

Download and complete the Konve IT Client Onboarding Form. Captures your organisation details, contacts, regulatory context, and existing certifications.

02

Complete the service questionnaire

Download and complete the Cyber Essentials Questionnaire, selecting the Readiness Assessment. Captures device inventory, cloud services, network configuration, and MFA status per service.

03

Review and sign the Statement of Work

Konve IT issues a Statement of Work within two working days. On signature and payment of the £500 + VAT fee, the assessment commences.
