Cyber security illustration

June 2026

UK Cyber Essentials Assessment Workplan

Cyber Native has published the UK Cyber Essentials Assessment Workplan as a free, open resource on GitHub. It covers all 32 requirement items from Cyber Essentials v3.3, tracks evidence, calculates pass or fail automatically, and generates a Gantt-based remediation plan directly from assessment findings. It is built to give UK small and medium businesses the structured foundation that Cyber Essentials certification requires, without the overhead of assembling that infrastructure from scratch.

Download from GitHub

The threat environment demanding action

The data from 2025 and 2026 is unambiguous. The NCSC Annual Review 2025 recorded 204 nationally significant cyber attacks in the twelve months to August, more than double the figure from the year before and an average of four every week. The DSIT and Home Office Cyber Security Breaches Survey 2025/2026, published 30 April 2026, translates that into business terms: 43% of UK businesses experienced a breach or attack in the last twelve months, representing approximately 612,000 organisations. The financial impact of those incidents more than doubled year on year.

NCSC CEO Richard Horne stated it plainly at CyberUK 2026. "No business is out of reach. It is time to act."

SMEs account for 99.8% of the UK business population. Their collective cyber resilience is a structural economic matter, not a niche security concern. The pressure to act is real, well-evidenced, and growing. What most SMEs have lacked is a practical, structured path to doing so.

What Cyber Essentials requires

Cyber Essentials is the UK government-backed certification scheme administered by IASME on behalf of the National Cyber Security Centre. It addresses five technical control domains. Firewalls, Secure Configuration, Security Update Management, User Access Control, and Malware Protection form the baseline that, taken together, protect against the most common forms of cyber attack targeting UK businesses.

Certification is increasingly required for UK government contracts and is recognised by insurers and clients across regulated sectors. For most SMEs it is the most proportionate starting point: achievable in-house, structured around controls that many organisations either have partially in place or can implement without significant capital investment.

Getting to certification has usually come down to one practical challenge. Building the infrastructure to assess current state, track evidence across all 32 requirements, identify which specific items are failing, and structure a credible remediation plan takes time and discipline that most SMEs cannot easily spare. The NCSC specification defines what is required. The IASME self-assessment booklet guides the formal submission. Between those resources and certified status, most organisations face a structural gap in tooling. This workplan is designed to close it.

What the Cyber Essentials Assessment Workplan delivers

Every requirement item from CE v3.3 is mapped as a discrete, individually assessed entry in a single Excel workbook. Each row carries the verbatim requirement text from the NCSC specification, a plain-language assessment question, the evidence required to substantiate a pass, suggested evidence artefacts, and the responsible function most likely to hold that evidence.

Assessment is driven by dropdown selections. Pass or fail calculates automatically across all 32 items. For requirements that permit multiple compliance approaches, the workplan provides dropdown logic that recognises which option is in use and scores accordingly. A live certification readiness dashboard shows current status across all five control domains in a single view, structured to support a board-level conversation or a preliminary readiness review with a certification body.

A Scope and Organisational Context sheet captures the pre-assessment decisions that determine which requirements apply and how the organisational boundary is defined. It covers device inventory, cloud services, BYOD position, home and remote workers, third-party access, and network boundary decisions. These scope determinations drive the assessment, so capturing them first is a deliberate design choice.

From Cyber Essentials assessment to a remediation plan

The programme management layer is what separates this workplan from other publicly available Cyber Essentials resources.

When assessment is complete, a Gantt-based remediation plan activates from the failed items. Tasks are pre-loaded automatically via an index sheet that links directly to the Controls Assessment. Any change to an assessment finding cascades into the remediation plan without manual intervention. The timeline is driven by a single date field on the cover sheet. Set the assessment completion date and every task start date shifts accordingly, with a built-in two-week buffer for internal alignment on funding, resourcing, and management commitment before remediation activity begins.

A RAID log captures programme-level risks, assumptions, issues, and dependencies throughout the assessment lifecycle, with a pre-seeded set of entries addressing the most common assessment risks: incomplete device inventory, board signatory availability, and evidence lead times from cloud service providers.

Assessment and remediation planning in the same workbook means the gap between identifying what is failing and managing a structured plan to address it collapses from weeks to hours.

A wider body of work

This workplan is the first release in a series of open toolkits from Cyber Native.

The existing published work on this blog reflects the broader security leadership context in which practical tools like this sit. Leading Cyber Security in a Hyperconnected World sets out the systems thinking and probabilistic reasoning that characterise effective security leadership at the executive level. The CISO Mental Model provides a structured framework across the full spectrum of CISO office activity, from governance to security engineering. The AI Security Compass maps 50 AI threat vectors across five lifecycle phases for security and AI governance professionals. Trust Harness Engineering addresses the architecture challenge of moving AI agent initiatives to production at scale.

The CE Assessment Workplan operates at a different level. It is a practitioner tool built for organisations working through foundational controls. The SME owner-manager preparing for their first Cyber Essentials certification and the CISO building enterprise AI security architecture face genuinely different challenges. Both deserve structured, high-quality resources built for their specific context. That is the intent behind making both available.

Get the workplan

The UK Cyber Essentials Assessment Workplan is free to download on GitHub.

Download on GitHub

The workplan covers all 32 requirement items from Cyber Essentials: Requirements for IT Infrastructure v3.3 (NCSC, April 2026). Requirement text in the Controls Assessment sheet is reproduced from Crown Copyright material under the Open Government Licence v3.0.

Sources: NCSC Annual Review 2025 (NCSC, October 2025). Cyber Security Breaches Survey 2025/2026 (DSIT and Home Office, 30 April 2026). Richard Horne remarks, CyberUK 2026.