Cyber Essentials alignment is not a badge you talk yourself into.
It depends on whether the right conditions are true across your users, devices, cloud services, access controls, patching, malware protection, backup and evidence.
For many SMEs, this is where the gap appears.
The business may assume “the IT company handles it”. But when a customer, insurer, supplier or assessor asks for evidence, the answer needs to be clearer than that.
Cyber Essentials certification and Cyber Essentials alignment are not the same thing. Certification is a formal process. Alignment is the practical state of the environment: whether the business is operating in a way that reflects the intent of the controls.
This article is not a step-by-step implementation guide. It does not replace assessor advice or official scheme guidance.
It is a readiness lens for owner-managed SMEs that want to understand what must be true before they can sensibly say their IT is Cyber Essentials-aligned.
Cyber Essentials alignment starts with clear scope
Before anything else, the business needs to know what is in scope.
Scope is not just a technical detail. It is a business condition.
An SME needs clarity over:
The legal entity being considered.
Users.
Devices.
Microsoft 365.
Cloud services.
Remote working.
Servers, where relevant.
Routers and firewalls.
Suppliers with access.
Contractors or third parties.
Data locations.
Without scope, alignment becomes vague.
For example, the business may secure employee laptops but allow personal devices into Microsoft 365. It may control main staff accounts but forget supplier access. It may patch computers but ignore a cloud service holding customer data. It may assume Microsoft 365 backup is covered without defining recovery.
The question is not “Do we think IT is handled?”
The question is “Do we know what environment we are talking about?”
Condition checklist: scope
Before saying your IT is Cyber Essentials-aligned, you should be able to say:
We know which legal entity and business areas are in scope.
We know which users are in scope.
We know which devices can access business systems and data.
We know which Microsoft 365 services are in scope.
We know which other cloud services store or process business data.
We know which suppliers, contractors or third parties have access.
We know how remote working is included.
We know who owns the scope and when it is reviewed.
You know which devices, users and services are in scope
Asset clarity is a business condition, not an admin exercise.
If the business cannot list its users, devices and cloud services, it cannot confidently say the baseline is controlled.
That includes:
Permanent staff.
Directors.
Temporary staff.
Contractors.
Shared accounts.
Administrator accounts.
Laptops.
Desktops.
Mobile devices.
Cloud applications.
Microsoft 365 tenants.
Supplier access.
Legacy services.
The GOV.UK Cyber Security Breaches Survey 2025/26 found that only 24% of businesses reported technical controls across all five Cyber Essentials areas. That suggests many organisations still lack full baseline coverage.
For SMEs, the first problem is often not a complex security issue. It is simply that nobody has a maintained view of what exists.
Condition checklist: users, devices and services
Before saying your IT is Cyber Essentials-aligned, you should be able to say:
We can identify every active user account.
We can identify every administrator account.
We can identify every device used to access business data.
We can identify which devices are managed and supported.
We can identify cloud services that store or process business data.
We know who owns each service.
We have a review process for changes.
Admin access is separate, limited and reviewed
Admin access is one of the highest-risk areas in any SME environment.
If a standard user account has unnecessary administrator rights, a compromise can become more damaging. If admin accounts are shared, unmanaged or forgotten, the business loses accountability.
Cyber Essentials-aligned IT should have a clear position on privileged access.
That means:
Admin access is limited to people who need it.
Admin accounts are separate from day-to-day user accounts where appropriate.
Shared admin usage is avoided.
Admin rights are reviewed.
Leavers lose privileged access promptly.
Suppliers do not retain unnecessary admin access.
Role changes trigger access changes.
This is not about making day-to-day work difficult. It is about making sure powerful access is controlled.
Condition checklist: admin access
Before saying your IT is Cyber Essentials-aligned, you should be able to say:
We know who has administrator access.
We know why each person or supplier has that access.
Admin access is not used casually for normal work.
Admin accounts are not shared without accountability.
Admin rights are reviewed.
Leavers and suppliers lose admin access when no longer needed.
Cloud services use MFA where available
Cloud services are now central to SME operations.
Microsoft 365 is often the core identity and collaboration platform. Around it may sit accounting software, CRM, HR, supplier portals, booking tools, file-sharing systems and specialist applications.
IASME’s April 2026 Cyber Essentials update makes cloud services harder to treat as optional or peripheral. MFA is mandatory for cloud services where available, and cloud services must be considered in scope where they store or process organisational data.
For an SME, this means MFA cannot be limited to “some people” or “main systems only” without a clear reason.
The business needs to know:
Which cloud services are used.
Which ones support MFA.
Whether MFA is enabled.
Who owns each service.
How joiners and leavers are updated.
Whether supplier accounts are included.
Whether admin accounts are protected.
MFA is not a guarantee. But without it, cloud accounts remain unnecessarily exposed.
Condition checklist: cloud MFA
Before saying your IT is Cyber Essentials-aligned, you should be able to say:
We know which cloud services store or process business data.
MFA is enabled where available.
Microsoft 365 accounts are protected.
Administrator accounts are protected.
Supplier or contractor accounts are considered.
New cloud services are reviewed before becoming business-critical.
Leavers are removed from cloud services.
Software is supported and patching has an owner
Patching is one of the clearest examples of why maintenance matters.
A business can be well configured today and exposed later if updates are ignored, delayed or nobody owns them.
Cyber Essentials includes security update management as one of its five control areas. IASME’s April 2026 update strengthens the emphasis further: high-risk or critical updates not applied within 14 days are treated as auto-fail questions.
For SMEs, the practical requirement is to know that software and devices are supported, updateable and maintained.
That includes:
Operating systems.
Business applications.
Browsers.
Microsoft 365 apps.
Routers.
Firewalls.
Firmware.
Specialist line-of-business applications.
Remote-working tools.
Unsupported systems are a particular problem. If software no longer receives updates, it may not be possible to maintain it to a sensible baseline without replacing or isolating it.
Condition checklist: supported software and patching
Before saying your IT is Cyber Essentials-aligned, you should be able to say:
We know which operating systems are in use.
We know which key applications are in use.
We know whether systems are vendor-supported.
We know who owns patching.
Critical and high-risk updates are handled within the required window.
Unsupported systems are removed, replaced or have an agreed plan.
Routers, firewalls and relevant network equipment are included.
Specialist line-of-business software has vendor support.
Malware protection is active across in-scope devices
Malware protection is another Cyber Essentials control area.
For an SME, the condition is simple: in-scope devices should have appropriate, active protection, and the business should know that protection is working.
This does not need to become a vendor comparison.
The key questions are:
Are devices protected?
Is protection active?
Is it monitored?
Are alerts reviewed?
Are unsupported devices excluded from long-term use?
Are unmanaged devices prevented from accessing business data?
Malware protection should not be treated separately from device management. If devices are unknown, unmanaged or unsupported, it is harder to prove protection is active across the estate.
Condition checklist: malware protection
Before saying your IT is Cyber Essentials-aligned, you should be able to say:
Malware protection is active on in-scope devices.
Protection status can be checked.
Alerts are reviewed.
Devices without protection are not allowed long-term access to business systems.
Unsupported devices are removed or replaced.
Device management and malware protection are reviewed together.
Backup coverage is defined and tested
Backup is not one of the five Cyber Essentials technical controls in the same way as patching or access control, but it is essential to operational resilience.
It is also one of the areas where SMEs often have false confidence.
A common assumption is that because data is in Microsoft 365, backup is fully handled. That assumption needs testing.
Microsoft’s shared-responsibility model states that customers retain responsibility for their data, identities, endpoints, accounts and access management. Microsoft also states that Microsoft 365 customers are responsible for data management and protection, including recovery from customer-side breaches such as ransomware or mistaken deletion.
The NCSC’s small organisations guidance also places backup at the centre of practical cyber resilience.
For an SME, Cyber Essentials alignment should sit alongside a clear backup and recovery position.
The business should be able to answer:
What is backed up?
What is not backed up?
How often do backups run?
How long is data retained?
Who checks backup success?
When was recovery last tested?
What happens if Microsoft 365 data is deleted or encrypted?
What happens if a server, device or application becomes unavailable?
Backup that cannot be restored is not a reliable business control.
Condition checklist: backup
Before saying your IT is Cyber Essentials-aligned, you should be able to say:
We know which data and systems are backed up.
Microsoft 365 backup coverage is defined.
Server or application backup coverage is defined where relevant.
Backup jobs are monitored.
Restore testing takes place.
Recovery expectations are documented.
Backup ownership is clear.
Data loss and ransomware recovery scenarios are considered.
Leavers, joiners and role changes are controlled
Access control is not static.
People join, leave, move roles, change responsibilities, work with new suppliers and use new systems.
If those changes are not controlled, access drift builds quickly.
Cyber Essentials-aligned IT should have a maintained joiner, leaver and role-change process.
That means:
New users receive only the access they need.
Role changes trigger access review.
Leavers are disabled promptly.
Devices are recovered or wiped.
Mailbox and file access are handled deliberately.
Cloud applications are updated.
Admin access is removed.
Supplier accounts are reviewed.
The business condition matters more than the method: access changes must not depend on memory.
Condition checklist: joiners, leavers and role changes
Before saying your IT is Cyber Essentials-aligned, you should be able to say:
Joiners follow a defined access process.
Role changes trigger access review.
Leavers are disabled promptly.
Devices are returned, wiped or blocked.
Microsoft 365 access is removed or changed.
Other cloud services are updated.
Admin rights are removed when no longer needed.
Supplier and contractor access is included.
Evidence exists when customers, insurers or assessors ask
A control that exists only as an assumption is weak evidence.
Cyber Essentials-aligned IT should be explainable and reviewable.
The business should be able to show:
Which devices are in scope.
Which users are active.
Which administrators exist.
Whether MFA is enabled.
Whether devices are managed.
Whether malware protection is active.
Whether software is supported and patched.
What backup covers.
When recovery was tested.
How leavers are removed.
Who owns each area.
When the baseline was last reviewed.
This evidence matters commercially.
Customers, insurers, suppliers and partners may ask for reassurance. A business that can answer clearly appears more mature than one that depends on vague assurances.
The GOV.UK survey found low certification uptake: only 5% of businesses reported Cyber Essentials certification and 2% reported Cyber Essentials Plus. For many SMEs, a sensible first step is to build the evidence and operating discipline that makes certification or customer assurance more realistic.
Condition checklist: evidence
Before saying your IT is Cyber Essentials-aligned, you should be able to say:
We have documentation for users, devices and services.
We can evidence MFA coverage.
We can evidence patching and supported systems.
We can evidence malware protection.
We can evidence backup coverage and testing.
We can evidence access reviews.
We know who owns each control area.
We review the baseline on a defined cadence.
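As an added example (not code from this article or from Infinite Cloud IT), the following Python check applies the conditions from the admin access, cloud MFA, patching, malware protection, backup and evidence checklists above to a constructed inventory and lists the gaps. The inventory field names, the 365-day restore-test threshold and the severity labels are assumptions; only the 14-day update window comes from the article.

```python
from datetime import date

# Constructed sample inventory (not a real tenant): the evidence the checklists expect.
AS_OF = date(2026, 6, 1)
PATCH_WINDOW_DAYS = 14       # critical/high-risk update window cited in the article
RESTORE_TEST_MAX_DAYS = 365  # assumption: a restore test older than a year is stale
INVENTORY = {
    "accounts": [
        {"name": "bob-admin", "admin": True, "mfa": True, "daily_use": False},
        {"name": "supplier-msp", "admin": True, "mfa": False, "daily_use": False},
        {"name": "carol", "admin": True, "mfa": True, "daily_use": True},
    ],
    "devices": [
        {"name": "LT-01", "managed": True, "supported": True, "av_active": True,
         "critical_update_pending_since": date(2026, 5, 25)},
        {"name": "LT-02", "managed": False, "supported": False, "av_active": False,
         "critical_update_pending_since": date(2026, 5, 1)},
    ],
    "cloud_services": [
        {"name": "Microsoft 365", "mfa_available": True, "mfa_enabled": True},
        {"name": "accounting", "mfa_available": True, "mfa_enabled": False},
    ],
    "backups": [
        {"scope": "Microsoft 365 mailboxes", "last_restore_test": date(2026, 1, 15)},
        {"scope": "file server", "last_restore_test": None},
    ],
}

def readiness_gaps(inv, as_of=AS_OF):
    """Return (severity, finding) pairs; 'fail' marks only the 14-day update window."""
    gaps = []
    for a in inv["accounts"]:
        if a["admin"] and not a["mfa"]:
            gaps.append(("gap", f"admin account {a['name']}: no MFA"))
        if a["admin"] and a["daily_use"]:
            gaps.append(("gap", f"admin account {a['name']}: used for day-to-day work"))
    for d in inv["devices"]:
        since = d["critical_update_pending_since"]
        if since and (as_of - since).days > PATCH_WINDOW_DAYS:
            gaps.append(("fail", f"{d['name']}: critical update outstanding {(as_of - since).days} days"))
        if not d["supported"]:
            gaps.append(("gap", f"{d['name']}: vendor support ended"))
        if not (d["managed"] and d["av_active"]):
            gaps.append(("gap", f"{d['name']}: unmanaged or malware protection inactive"))
    for s in inv["cloud_services"]:
        if s["mfa_available"] and not s["mfa_enabled"]:
            gaps.append(("gap", f"{s['name']}: MFA available but not enabled"))
    for b in inv["backups"]:
        t = b["last_restore_test"]
        if t is None or (as_of - t).days > RESTORE_TEST_MAX_DAYS:
            gaps.append(("gap", f"backup '{b['scope']}': restore test missing or stale"))
    return gaps
```

Running `readiness_gaps(INVENTORY)` on this sample returns seven findings, one of them a fail for the device whose critical update has been outstanding for 31 days.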
Alignment is not certification
It is important to be clear about language.
Cyber Essentials alignment means the business is working towards or operating in line with the intent of the Cyber Essentials control areas.
Certification means the business has gone through the formal certification process.
A business should not describe itself as certified unless it is certified.
Equally, no IT provider should guarantee certification without proper assessment and the required process. Public guidance can help, and a baseline review can identify gaps, but certification is a formal outcome.
The practical aim for an SME is to stop relying on belief and start building control coverage, ownership and evidence.
The Cyber Security & Cyber Essentials hub explains how this fits into a wider baseline-led approach for SMEs.
What to do if you are not sure
If you are unsure whether your IT is Cyber Essentials-aligned, that uncertainty is useful.
It tells you where to start.
Infinite Cloud IT works with owner-managed SMEs in Sussex and Kent that use Microsoft 365 as their core platform and want secure, predictable, structured IT.
A Security Triage Call gives a high-level view of visible gaps and whether a deeper Security Baseline Review is appropriate.
The goal is not to talk yourself into alignment.
The goal is to know what is true, what is unclear, and what needs to be brought under control.