Renewal does not have to feel like a re-certification. With 60–90 days of preparation, most SMEs can renew in less than a day of focused work.
This guide breaks down the prep into a simple, sequenced plan.
T-90 days: book the slot and refresh scope
Book the assessor slot early and confirm your scope still matches the business.
- Book assessment slot
- Refresh asset register
- Confirm any scope changes
T-60 days: refresh admin and MFA evidence
Admin accounts and MFA are the most-changed evidence between renewals.
- Export admin list per cloud service
- Confirm MFA enforced for every admin
- Document any exceptions
T-45 days: patch and unsupported software review
Make sure every in-scope device is patched and unsupported software has a documented plan.
T-30 days: refresh policies and screenshots
Bump versions on policies that haven't changed materially and re-take screenshots where settings are time-stamped.
T-14 days: walk through the assessor portal yourself
Read the workspace as if you were the assessor. Approve gaps, archive stale items, answer obvious questions in the notes.
Practical examples
Renewal task plan
A task per step above with a named owner and due date.
Admin export
Microsoft 365 / Google Workspace admin list dated within the last 30 days.
Patch report
MDM patch compliance report dated within the last 30 days.
Common mistakes
Starting too late
Renewals booked inside 30 days leave no time to fix patch gaps or unsupported software.
Reusing last year's screenshots
Reuse the asset register; refresh time-stamped screenshots.
Skipping a self-walk-through
Five minutes in the assessor view catches issues the assessor would otherwise raise.
Build this properly in Evaud
Start a free workspace and organise your Cyber Essentials evidence in one place.
Frequently asked questions
Evaud helps organise Cyber Essentials evidence and readiness information. It is not a certification body and does not guarantee certification.