Charities that already hold Cyber Essentials certification often reach the same point a few months later: someone on the board, in finance, or at the trustee level asks whether the ongoing IT support cost is essential.
It is a fair question. Certification only lasts 12 months. Budgets are tight. And on paper, Cyber Essentials can look like an annual form-filling exercise.
The reality is more complex. Your IT environment changes constantly between renewals. New devices are introduced. Staff work remotely on personal laptops. Software goes end-of-life. Cloud platforms evolve. The Cyber Essentials scheme itself changes too. What passed last year may not meet the conditions this year.
That is why maintaining Cyber Essentials certification is not really about the day you submit the questionnaire. It is about the operational work happening in the months between renewals.
If you need a wider refresher before going deeper into ongoing support, here is everything you need to know about Cyber Essentials.
Why Cyber Essentials Isn't a Once-a-Year Event
Cyber Essentials certification is valid for 12 months. But your IT environment does not stay static for 12 months.
That gap between certification day and renewal day is where many charities experience what could be called “certification drift”. Systems that were compliant at the point of assessment progressively fall out of alignment as devices change, software updates are missed, or cloud services expand beyond the original scope.
This matters more now than it did a few years ago because the scheme itself has developed. During a Qlic Charity IT Day webinar, Neil Firminger, Cyber Essentials Manager at IASME, explained that one of the biggest updates to the scheme was the presence of cloud services within scope. Platforms such as Microsoft 365, Google Workspace, and Slack are now explicitly covered under the requirements.
For charities certified before those updates, there is a legitimate risk of assuming last year’s approach is still enough when it no longer reflects the current scheme.
That is particularly important for charities operating in mixed environments with remote staff, volunteers, BYOD (Bring Your Own Device) policies, and multiple cloud platforms. A single unmanaged device or outdated configuration can create holes that were not present during the previous assessment.
This is why Cyber Essentials should be viewed as part of an ongoing cyber security strategy. Renewal is simply the visible checkpoint. The work that keeps a charity compliant happens constantly in the background.
If your charity relies heavily on cloud productivity tools, it is also worth understanding the differences between Google Workspace and Microsoft 365 for charities, because both are now firmly within Cyber Essentials scope.
What Attackers Are Actually Targeting (And Why Charities Are Vulnerable)
One of the biggest misconceptions around cybersecurity is that attackers only target large organisations.
In practice, most cyber-attacks are opportunistic. Attackers use automated tools to scan thousands of systems simultaneously, looking for weak passwords, unpatched vulnerabilities, or absent security controls. As Neil Firminger explained during the Qlic webinar:
“Cyber Essentials is designed to prevent 80% of cyber incidents, and roughly 95% of attacks start as an opportunistic attack. They’re not targeting you specifically; they’re trying the door handle thousands of times a minute.”
That 80/20 principle is central to why Cyber Essentials is important for charities. The scheme's five controls (firewalls, secure configuration, security update management, user access control, and malware protection) are designed to stop the most common forms of attack before they become incidents.
For charities, this matters because the sector is uniquely exposed. Many organisations operate with limited budgets, lean internal teams, ageing hardware, and a high reliance on remote access or volunteer devices. At the same time, charities often hold highly sensitive information about beneficiaries, donors, staff, and volunteers.
According to the UK Government's DCMS Cyber Security Breaches Survey 2022, 30% of charities reported experiencing a cyber breach or attack within the previous 12 months. The true figure is likely higher because many incidents go unreported.
The important point for trustees and finance leads is that most attacks are preventable. Cyber Essentials is not about building enterprise-level security operations. It is about closing the common doors that attackers frequently test.
What the Renewal Process Actually Involves
Cyber Essentials is often described online as “just a questionnaire”. In principle, that is true for the basic certification tier. Operationally, it is misleading.
For charities with mixed device estates, cloud services, remote staff, and BYOD policies, the preparation work behind the questionnaire is usually the most important part of the process.
A good example is the work carried out by Qlic IT for Charities on behalf of Age UK Croydon during their Cyber Essentials renewal.
The process involved exporting device information from ScreenConnect, checking Microsoft Intune enrolment, reviewing mobile and BYOD inventories, verifying firewall firmware versions, checking port forwarding rules, removing redundant local administrator rights, and reviewing autorun settings across both Group Policy and Intune.
The team also verified multi-factor authentication (MFA) coverage across Microsoft 365, Google Workspace, Slack, and CharityLog. For charities operating across multiple cloud platforms, this is increasingly where complexity emerges. MFA may be enabled on one platform but not consistently enforced across all platforms.
If your organisation relies heavily on Microsoft’s cloud ecosystem, this complete guide to Microsoft 365 for charities provides a useful wider context around secure cloud management.
BYOD is another major challenge. Many charities rely on staff and volunteers using personal devices, particularly in hybrid or outreach roles. Those devices still fall within scope if they access organisational data or services.
In practice, the most common Cyber Essentials failure points are MFA gaps and end-of-life devices. Discovering those issues before submission, not during assessment, is what turns renewal from a stressful scramble into a manageable procedure.
For charities wanting more practical guidance on the assessment itself, you can also read our additional tips for passing Cyber Essentials.
The 14-Day Patching Window: Why Ongoing Maintenance Matters Between Renewals
One of the most overlooked Cyber Essentials requirements is also one of the most operationally demanding.
The scheme requires high and critical security updates to be applied within 14 days of release.
That requirement applies continuously throughout the year, not just during renewal season.
During the Qlic webinar, Neil Firminger explained the reasoning behind the 14-day window. Research conducted when the scheme was developed showed that known vulnerabilities were typically exploited within around 15 days of becoming public. The Cyber Essentials requirement was deliberately set one day inside that window.
Evidence now suggests attackers can exploit some vulnerabilities even faster.
For charities, this changes the conversation around ongoing support. Compliance is not simply about answering assessment questions accurately once a year. It is about maintaining processes that ensure patching happens consistently across devices, cloud services, firewalls, and firmware.
This becomes especially important for charities managing older systems or legacy hardware. End-of-life software creates a binary compliance problem because once vendors stop issuing security updates, the software can no longer meet Cyber Essentials requirements.
That is why ongoing maintenance is not an optional add-on to Cyber Essentials certification. It is part of the ongoing work to remain compliant year-round.
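To make the 14-day rule and the end-of-life problem concrete, here is an added example (not code from the original post or from Qlic) that checks a device inventory against both conditions. The CSV layout, device names and dates are constructed for illustration; a real ScreenConnect or Intune export would need its columns mapped onto these fields first.

```python
import csv
import io
from datetime import date, timedelta

# Cyber Essentials requirement: high/critical security updates applied within 14 days of release.
PATCH_WINDOW_DAYS = 14

# Constructed sample inventory; not a real ScreenConnect or Intune export format.
SAMPLE_CSV = """device,user,os,os_supported,update_severity,update_released,update_applied
LAPTOP-01,alice,Windows 11,yes,critical,2024-03-01,2024-03-10
LAPTOP-02,bob,Windows 10,yes,high,2024-03-01,
LAPTOP-03,carol,Windows 7,no,critical,2024-03-01,2024-03-02
PHONE-04,dave,iOS 17,yes,low,2024-03-01,
LAPTOP-05,erin,Windows 11,yes,high,2024-03-12,
LAPTOP-06,frank,Windows 11,yes,critical,2024-03-01,2024-03-18
"""


def check_patch_compliance(csv_text, today):
    """Return one finding per device that is outside, or close to, the 14-day window."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        device = row["device"]
        severity = row["update_severity"].strip().lower()
        # End-of-life software receives no updates, so it can never satisfy the control.
        if row["os_supported"].strip().lower() != "yes":
            findings.append({"device": device, "status": "fail", "days": None,
                             "reason": f"end-of-life OS ({row['os']}) no longer receives security updates"})
            continue
        # The 14-day rule applies to high and critical updates only.
        if severity not in ("high", "critical"):
            continue
        deadline = date.fromisoformat(row["update_released"]) + timedelta(days=PATCH_WINDOW_DAYS)
        applied = row["update_applied"].strip()
        if applied:
            late_by = (date.fromisoformat(applied) - deadline).days
            if late_by > 0:  # applied, but after the window closed
                findings.append({"device": device, "status": "fail", "days": late_by,
                                 "reason": f"{severity} update applied {late_by} days after deadline {deadline}"})
        elif today > deadline:  # still unapplied and the window has already closed
            overdue = (today - deadline).days
            findings.append({"device": device, "status": "fail", "days": overdue,
                             "reason": f"{severity} update unapplied, {overdue} days past deadline {deadline}"})
        else:  # unapplied but still inside the window: worth chasing before it becomes a failure
            remaining = (deadline - today).days
            findings.append({"device": device, "status": "warn", "days": remaining,
                             "reason": f"{severity} update unapplied, {remaining} days left before {deadline}"})
    return findings


def run_sample(today_iso="2024-03-20"):
    """Run the check over the constructed inventory as of the given ISO date."""
    return check_patch_compliance(SAMPLE_CSV, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['status'].upper():4} {f['device']:10} {f['reason']}")
```

Run monthly rather than at renewal time, a report like this surfaces the two most common failure points the post describes (missed patches and unsupported devices) while there is still time to fix them.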
GDPR, the ICO, and Why Certification Protects More Than Your IT
For many charity boards, the strongest argument for maintaining Cyber Essentials certification is not technical. It is regulatory and financial.
Charities process large volumes of sensitive information, including beneficiary records, donor data, volunteer details, safeguarding information, and financial records. Under GDPR, organisations are required to implement “appropriate technical and organisational measures” to safeguard that data.
Cyber Essentials is not legally mandatory under GDPR, but it is widely recognised as a government-backed benchmark for what “proper” security controls look like in practice.
Neil Firminger highlighted this point directly during the Qlic webinar:
“There have been a couple of high-profile cases publicised by the ICO where organisations have been fined because they didn’t have Cyber Essentials, in one case specifically because they didn’t adopt the five controls.”
For trustees and finance leads, that changes Cyber Essentials from an IT decision into a governance and risk-management issue.
There is also the insurance dimension. Cyber Essentials certification includes cyber liability insurance backed by AXA for organisations with turnover under £20 million, including cover up to £25,000. Some insurers are also beginning to require Cyber Essentials certification before offering cyber cover at all.
You can read more about the included insurance cover on the IASME cyber liability insurance page.
For current certification fees for both tiers, the IASME website publishes up-to-date pricing.
This wider compliance context is also part of why Cyber Essentials matters for your organisation.
What Ongoing Support Looks Like in Practice
Once the renewal process, patching obligations, compliance risks, and operational complexity are understood, the value of ongoing support becomes much clearer.
For charities, effective ongoing support is not about buying an oversized enterprise security solution. It is about having constant oversight of the systems, devices, cloud platforms, and security controls that the Cyber Essentials certification depends on.
The Age UK Croydon project is a good example of what that looks like in practice.
The work completed during the renewal process improved visibility over device compliance, strengthened management of BYOD devices, enabled MFA consistently across core cloud services, and reduced organisational risk overall. Importantly, it also decreased disruption during renewal because potential compliance issues had previously been identified and addressed ahead of assessment.
As Sanjay Gulati from Age UK Croydon explained:
“Qlic IT Team has been a good technical support and service partner for AUKC over the years… Now it is very supportive and responds to our needs in a proactive manner. Cyber Essential was one such project where we worked together to ensure AUKC systems are robust.”
That proactive element is what ongoing support is about. Monitoring patching status. Reviewing cloud configurations. Identifying unsupported devices. Checking MFA coverage. Helping staff follow secure processes. Sustaining the security posture that the certification represents.
Yes, charities can self-certify for the standard Cyber Essentials tier. But for many organisations, particularly those with mixed device estates and limited internal IT capacity, the challenge is not submitting the form. It is ensuring that the underlying environment genuinely meets the requirements throughout the year.
Conclusion
Cyber Essentials certification may renew annually, but compliance is continuous. The systems, devices, cloud services, and risks within a charity environment change constantly between assessments.
For most charities, the work done between renewals is what establishes whether the next certification process is smooth, stressful, or unsuccessful.
Ready to take the complexity out of your next Cyber Essentials renewal? Get in touch with the Qlic team today.