Methodology · Cyber Essentials Readiness

Mapping v3.3 Danzell criteria.

A full account of Cyber Essentials v3.3 ('Danzell'), the five technical themes, the auto-fails, and the scoring used by the readiness check.

  • NCSC v3.3 Danzell
  • MFA Mandatory
  • 14-Day Patch SLA
  • May 2026 Update

1. Cyber Essentials v3.3 'Danzell'

The locked wording: Cyber Essentials v3.3 ('Danzell'), effective 28 April 2026, makes MFA gaps and 14-day patch SLA breaches auto-fails. v3.3 builds on the prior v3.2 release and tightens requirements for MFA on cloud services and 14-day patching on critical vulnerabilities.

The IASME-administered scheme remains the route to certification. This readiness check is a self-test, not a certification.

2. PPN 014 and the procurement angle

The locked wording: PPN 014 mandates Cyber Essentials for in-scope government, NHS, and MOD suppliers. If you are bidding for relevant central government contracts, Cyber Essentials is a contract-eligibility threshold.

3. The five technical themes

  1. Firewalls: boundary firewalls and internet gateways at every internet-facing point.
  2. Secure configuration: default passwords replaced, unnecessary services disabled.
  3. User access control: least-privilege controls; MFA on cloud admin accounts.
  4. Malware protection: anti-malware on every device, plus enabled sandboxing.
  5. Security update management: patches applied within 14 days for critical vulnerabilities.

4. The two auto-fail axes

v3.3 introduces two auto-fail axes that override every other answer:

  • MFA gap: any cloud service with organisation data accessed by an administrator without MFA.
  • Patch SLA breach: any in-scope device with an unpatched critical vulnerability older than 14 days.

5. Scoring and traffic-light output

Each theme is scored Green / Amber / Red against the v3.3 control set. The output is a one-page PDF showing per-theme status and the prioritised remediation list. We avoid false-precision scoring.
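The override logic from sections 4 and 5, sketched as an added example that is not the readiness check's own code. The record fields, the "Auto-fail" label, taking the worst theme colour as the overall result, and counting a vulnerability's age from the date its fix was released are all assumptions; the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_SLA = timedelta(days=14)               # 14-day patch SLA from section 4
RANK = {"Green": 0, "Amber": 1, "Red": 2}    # traffic-light ordering

@dataclass
class AdminAccess:        # one administrator's access to one cloud service
    service: str
    admin: str
    holds_org_data: bool
    mfa_enabled: bool

@dataclass
class CriticalVuln:       # one unpatched critical vulnerability on one device
    device: str
    in_scope: bool
    vuln_id: str
    fix_released: date    # assumption: age is counted from this date

def auto_fails(access, vulns, today):
    """Return findings on the two auto-fail axes (empty list if none)."""
    findings = [f"MFA gap: {a.admin} on {a.service}"
                for a in access if a.holds_org_data and not a.mfa_enabled]
    for v in vulns:
        age = today - v.fix_released
        if v.in_scope and age > PATCH_SLA:   # exactly 14 days is still inside the SLA
            findings.append(f"Patch SLA breach: {v.device} {v.vuln_id} ({age.days} days)")
    return findings

def readiness(themes, access, vulns, today):
    """themes maps theme name -> 'Green' | 'Amber' | 'Red'."""
    findings = auto_fails(access, vulns, today)
    if findings:                             # auto-fails override every other answer
        return "Auto-fail", findings
    return max(themes.values(), key=RANK.__getitem__), findings

# Constructed sample data (not real accounts, devices or vulnerability ids)
TODAY = date(2026, 5, 20)
THEMES = {"Firewalls": "Green", "Secure configuration": "Green",
          "User access control": "Amber", "Malware protection": "Green",
          "Security update management": "Green"}
ACCESS = [AdminAccess("mail-tenant", "admin1", True, True),
          AdminAccess("file-share", "admin2", True, False)]
VULNS = [CriticalVuln("laptop-03", True, "VULN-A", date(2026, 5, 6)),    # 14 days
         CriticalVuln("laptop-07", True, "VULN-B", date(2026, 5, 5)),    # 15 days
         CriticalVuln("lab-pc-01", False, "VULN-C", date(2026, 3, 1))]   # out of scope

if __name__ == "__main__":
    print(readiness(THEMES, ACCESS, VULNS, TODAY))
```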

6. Scope considerations

The readiness check assumes whole-organisation scope by default. Reduced scope is rarely sensible for SMEs and almost never for PPN 014-relevant suppliers.

7. What the check does not do

It does not run vulnerability scans. It does not produce the formal questionnaire. It does not certify you. The full CrowCyber platform handles the full assessment and PPN 014/21 evidence packs.

8. References

  • Cyber Essentials Requirements for IT Infrastructure v3.3 ('Danzell'), IASME / NCSC.
  • Procurement Policy Note 014 (PPN 014).
  • NCSC, Cyber Essentials guidance: ncsc.gov.uk.
