+44 800 779 7322
Your Cyber Essentials self-assessment, already filled in. Available at the press of a button - anytime

Ready for the assessor on any day of the year.

Cyber Essentials starts with a long self-assessment questionnaire — and for most businesses that means a blank form, a chase for evidence, and a guess at half the answers. Every year, most IT teams have to spend significant effort

Rebasoft populates evidence — asset inventory, secure configuration, user access, patch posture, malware protection — so you review and submit rather than start from scratch. Then it keeps that picture true, so CE+ becomes a continuous state, not a calendar event.

Book a 30-minute walkthrough
CYBER ESSENTIALS READINESS READY — 5 live controls evaluated · 4 GOOD · 1 AT RISK · 0 BAD CONTROL SUMMARY Firewalls A5 GOOD host firewall verified on every device Secure configuration A4 · A8 GOOD measured daily on every host User access control A7 GOOD scored automated pass — evidenced Malware protection GOOD AV active on all probed devices Security update mgmt A6 AT RISK 1 critical patch > 14 days — flagged today Same evidence answers: ISO 27001 PCI DSS NHS DSPT NIST CSF DORA Re-measured every day — drift surfaces the day it happens, not at the next assessment. Self-assessment pre-filled Ready any day of the year. The assessment is a button press.
Why Cyber Essentials matters

Cyber Essentials is no longer a ‘nice to have’.

For UK businesses it has quietly become a commercial imperative, a public-sector requirement, an insurance lever and a board-level signal.

80%

of common cyber attacks are prevented by the controls measured under Cyber Essentials.

Source: NCSC
Commercial

A commercial imperative.

Most B2B procurement now requires CE or CE+ before sign-off. Lose the certification, lose the business.

Public sector

A public-sector requirement.

Central government contracts, NHS, education and local authority work increasingly mandate CE+.

Insurance

An insurance lever.

Cyber-insurance premiums and limits are now routinely tied to certified status.

Board

A board-level signal.

“We are continuously CE+ compliant” tells customers, regulators and your own board that the basics are in hand.

What we measure

Mapped to the Cyber Essentials controls.

The technical controls are evidenced continuously and pre-filled into your self-assessment. Policy and scope answers stay with you — Rebasoft tells you the day the technical reality drifts from them.

A2
Asset inventory

Every device, workload, container and cloud asset discovered automatically — the incomplete asset list that fails most assessments becomes a non-event.

A4 · A5 · A8
Secure configuration

Every Windows host measured against the CE secure-configuration controls — local admin, screen lock, default passwords, firewall, account separation — each finding mapped to the Group Policy or Intune setting that fixes it.

A7
User access control

Local admins, privileged groups, account separation and dormant accounts scored as an automated pass/fail — the least-privilege answer is the truth, evidenced.

A6
Security update management

Patch posture measured continuously with vendor-grade Windows KB-to-CVE verification. Critical patches older than 14 days raise an alert.

Malware
Malware protection

Anti-malware coverage, definition currency and configuration across the estate — including the corners standard endpoint tools miss.

Continuous, not calendar

CE+ isn’t a day in the calendar. It’s a state you stay in.

The problem with CE+ isn't getting it. It's keeping it — and proving it month-to-month instead of scrambling for evidence twelve months later. Rebasoft re-measures every control every day, so drift surfaces the day it happens.

Your next assessment is a button press.
Why Rebasoft, not your current approach
TodayWhat it actually meansWith Rebasoft
Annual assessment with manual evidence collectionA panic every 12 months. High consultancy bills. Frequent failures.Continuous compliance state. Evidence always on.
Self-certification at the £300 levelFine for very small businesses with no B2B exposure. Won't get past procurement at most enterprise customers.CE+ ready — and ready for the bigger frameworks beyond it.
Stand-alone GRC toolPretty dashboards, depends on you filling them in.The dashboard is green because the estate is — measured directly.
Patch management tool onlyMost CE+ failures are configuration, not patches.Both patching and configuration measured, reported and fixable from the same system.

Make your next CE+ assessment a non-event.

A 30-minute walkthrough on a live system. We'll show you the Cyber Essentials Readiness dashboard, the evidence behind it and how to export a full submission.

Book my walkthrough
FAQ
Does Rebasoft fill in the Cyber Essentials self-assessment for us?
Yes, where evidence can be collected automatically. Rebasoft pre-populates technical sections of the Cyber Essentials assessment using live system data, reducing manual effort while ensuring answers are supported by evidence.
Does Rebasoft replace our CE+ assessor or submit on our behalf?
No. Certification remains the responsibility of the accredited certification body and the organisation being assessed. Rebasoft simplifies preparation, evidence gathering and ongoing compliance management.
How quickly can we be CE+ ready?
Most organisations gain visibility into their Cyber Essentials Plus readiness within days. Asset inventories, configuration evidence and patch status become available quickly, helping teams prioritise remediation activities.
Does it cover every CE control?
Rebasoft continuously evidences the technical controls required by Cyber Essentials. Policy, governance and organisational controls remain the responsibility of the organisation, but Rebasoft helps ensure technical controls remain aligned with policy.
What about non-Windows devices in scope for CE+?
All IP-addressable devices are included within asset discovery. Windows currently provides the deepest configuration validation, with macOS and Linux coverage continuing to expand.
Is this only for first-time certification, or also for renewal?
Both. Many organisations find the greatest value during renewal because configuration drift often occurs between assessments. Rebasoft helps maintain compliance continuously rather than preparing only at audit time.
We're tiny — should we just self-certify?
For very small organisations with limited regulatory, contractual or customer requirements, self-certification may be sufficient. Rebasoft is designed for organisations that require greater assurance, visibility and ongoing evidence of compliance.
We're aiming for ISO 27001 or PCI next. Will this still help?
Yes. The same asset, configuration and control evidence can support multiple frameworks, helping reduce duplicated effort and accelerating future compliance initiatives.
Can MSPs and certification bodies use Rebasoft to deliver CE+ as a service?
Yes. Rebasoft enables MSPs and certification bodies to standardise evidence collection, monitor multiple customers from a single platform and create repeatable compliance and assurance services.