
If you run a small business, the useful question is not whether the Cyber Essentials document changed in April 2026.
The useful question is what now needs to be consistently true in your environment, every day, if you want your baseline to stand up to scrutiny.
That is the difference between reading the update and operating it.
Cyber Essentials remains an official five-control scheme. Those controls are firewalls, secure configuration, security update management, user access control and malware protection. But for most SMEs, the value comes from translating those controls into practical operating habits: who owns them, how often they are checked, and what evidence can be produced when a customer, insurer or supplier asks.
At Infinite Cloud IT, we use those official Cyber Essentials controls as the foundation for a broader CE-style operating baseline. That wider baseline also looks at supporting disciplines such as backup and recovery confidence, because they affect how defensible and supportable the environment is in practice.
The point is not to blur certification requirements with broader operational good practice. The point is to make both clearer.
Why the April 2026 update matters operationally
Cyber Essentials is useful when it stops being a once-a-year form-filling exercise and becomes part of how the business is run.
For a director or IT lead, the practical questions are:
What has to be true day to day?
Who owns each control area?
What evidence can we produce quickly?
What counts as an exception?
How quickly does an exception need fixing?
If those questions do not have clear answers, the issue is rarely lack of awareness. It is usually operational drift.
The five official control areas translated into real-world checks
1. Firewalls
In practical terms, you need to know how devices and services are protected from unauthorised network access.
For an SME, that means being able to answer:
Which devices and services are in scope?
Are default settings and passwords removed?
Who owns firewall or perimeter configuration?
Are changes approved and documented?
The operating question is not simply “do we have a firewall?” It is whether the boundary is understood, maintained and controlled.
2. Secure configuration
Secure configuration means systems should not be left in a risky default state.
Real-world checks include:
Are business devices built to a standard?
Are unnecessary services, accounts or permissions removed?
Are local admin rights controlled?
Are devices encrypted where appropriate?
Are exceptions documented?
This is where many SMEs struggle, because devices often drift over time. One laptop is configured differently from another. An exception becomes normal. Nobody is quite sure what the standard is supposed to be.
3. Security update management
Patching is not “we usually keep on top of it”. It is a defined operating rhythm.
A practical checklist should confirm:
Supported operating systems are in use
Critical and high-risk patches are applied within agreed windows
Update failures are visible
Exceptions are logged, owned and time-bound
Unsupported devices have a replacement or removal plan
Patching only works as a control when it has deadlines, ownership and exception handling.
4. User access control
A compliant-looking environment can still be weak if the wrong people can sign in too easily or keep access they no longer need.
Identity and access checks should include:
Is multi-factor authentication applied where required?
Is there a current list of admin-capable accounts?
Are stale accounts reviewed and removed?
Are leavers disabled promptly?
Are shared admin identities avoided?
What good looks like is simple: named users, clear admin boundaries, stronger sign-in protection for privileged access, and a regular review cycle.
5. Malware protection
This is not just about whether antivirus exists. It is about whether protection is active, standardised and monitored.
The real-world checks are:
Is malware protection active on all in-scope endpoints?
Are platform protections current?
Are alerts reviewed by someone?
Are users prevented from weakening protection without approval?
Is the control applied consistently?
An installed tool is not the same as an enforced control.
The broader operating baseline: backup and recovery confidence
Backup is not one of the official five Cyber Essentials controls.
It is, however, part of a broader operating baseline for a supportable SME environment.
That is why Infinite Cloud IT treats backup and recovery confidence as an overlay around the official controls, not as a replacement for them. If data is lost, deleted, corrupted or affected by ransomware, the business still needs a practical route to recovery.
For an SME baseline, you should be able to show:
What data is backed up
How often backups run
Who checks backup health
When restores were last tested
Whether failures or gaps are tracked to resolution
A backup that exists but is not reviewed or tested creates false confidence. That matters commercially as well as operationally.
What evidence an SME should be able to produce quickly
A sensible evidence pack should not become a major project every time someone asks for it.
At minimum, most SMEs should be able to pull together:
A device and asset inventory
MFA coverage by user group
An admin role list
Patch status or patching reports
Malware protection status across endpoints
A record of firewall or secure configuration ownership
Backup status and recent restore-test evidence as part of the wider operating baseline
Named owners for key control areas
An exceptions log with remediation dates
This matters because supplier questionnaires, customer due diligence and insurance conversations increasingly expect more than vague reassurance.
Where businesses usually fail
The biggest issues are rarely dramatic.
They are usually practical.
Drift
The environment started reasonably well, then changed faster than the operating standard.
Exceptions with no deadline
A machine was left unsupported “for now”. A user kept elevated rights “temporarily”. An old account was never fully retired.
Informal ownership
Everyone assumes someone else is checking admin rights, patching failures, endpoint protection or backup results.
Those are the kinds of issues that make a business look inconsistent. And inconsistency is exactly what weakens a baseline.
A simple monthly checklist for directors and IT leads
Once a month, ask for clear answers to these questions:
Do we have an up-to-date list of in-scope devices and users?
Are all privileged accounts reviewed and still justified?
Are unsupported devices or systems present, and if so, what is the removal date?
Are patching failures or delays visible and assigned?
Is malware protection active everywhere it should be?
Are secure configuration exceptions documented and approved?
Are backup and restore checks being reviewed as part of the wider operating baseline?
Are exceptions documented, owned and time-bound?
Could we answer a supplier or customer security questionnaire without scrambling?
That is the point of an operating baseline. It should reduce ambiguity.
Final thought
The April 2026 Cyber Essentials update is useful if it forces a better operating habit: baseline by default, evidence ready, ownership clear.
Official Cyber Essentials remains a five-control scheme. A broader CE-style operating baseline builds around that foundation so the business can also manage supporting realities such as backup, recovery and operational accountability.
For SMEs, that is far more valuable than treating Cyber Essentials as a once-a-year compliance event. The businesses that get more value from it are usually the ones that can explain what is standard, prove it is in place, and show who keeps it true.
