The Danzell question set comes into effect on 27 April 2026, alongside an updated Cyber Essentials Plus test specification.
This blog explains how assessors will more strictly verify update management compliance in Cyber Essentials Plus assessments using the Danzell question set.
IASME has identified cases where organisations apply selective updates during assessments. To address this, assessors now go beyond re-testing failed devices. They also select a new random sample to check that organisations have applied updates across the whole environment—not just the original sample.
Sample and process
Organisations must apply all remediation from Sample 1 across the full declared scope.
If assessors find missing updates in Sample 1, they must carry out a second sample.
After organisations complete remediation for Sample 1, assessors give 72 hours’ notice before testing Sample 2 devices.
Assessors must complete all additional testing within the original 30-day remediation window.
Outcomes
If assessors find the same vulnerabilities in Sample 2 as in Sample 1, they will fail the Cyber Essentials Plus assessment and revoke the Cyber Essentials certification.
If assessors find different vulnerabilities in Sample 2, they may still award Cyber Essentials Plus but will issue an advisory.
If an organisation refuses to provide devices for Sample 2, assessors will fail the Cyber Essentials Plus assessment but will not revoke the Cyber Essentials certification.
If only a small number of devices sit within scope, assessors should include all remaining devices in Sample 2 that they did not test in Sample 1.
Further information
Detailed guidance can be found on the Cyber Essentials Knowledge Hub: Danzell Update – New CE+ Internal Vulnerability & Remediation Process
You may wish to read our blog on all the changes for Danzell: Why Cyber Essentials and Cyber Essentials Plus Matter for the Education Sector – 2026
Contact your Relationship Manager to find out how Jisc can help support you on your journey.