Saying that you do something isn't the same as describing how it is done.
- The Assessor Team
- Dec 10, 2025
- 2 min read
Updated: Jan 5

In the world of Cyber Essentials, it is not enough to simply declare that a security control or process is in place. Saying, for example, “We patch our routers promptly” or “We update antivirus software regularly” does not explain how these tasks are actually carried out, or what mechanisms are in place to ensure they are consistently completed. Understanding the distinction between stating what is done and describing how it is done is critical for demonstrating effective cybersecurity practices.
The Difference Between Stating and Describing
Many organisations fall into the trap of documenting what they do rather than how they do it. In Cyber Essentials terms, this is often seen when policies are written in broad strokes. A policy might state:
“All devices must be patched regularly.”
While this shows intent, it does not provide evidence of compliance. Inspectors, auditors, and your own team need clarity on the processes that turn that intent into action.
A process explains the steps you take, the frequency, the responsible parties, and the checks in place to ensure completion. It demonstrates not just that a control exists, but that it works.
Why “How It Is Done” Matters
- Consistency: Without a documented process, tasks may be completed inconsistently or forgotten entirely.
- Accountability: Defining the process clarifies who is responsible for each step.
- Verification: Cyber Essentials assessments require that controls are demonstrable. Auditors cannot verify intent; they need to see evidence of execution.
- Continuous Improvement: Well-documented processes allow for regular review and optimisation.
An Example: Patching Routers
Consider the example of patching network routers within 14 days of a vendor update:
Statement Only: “Our routers are patched promptly.”
Process Description:
- IT staff receive a weekly reminder to check vendor support pages for new firmware and security patches.
- A record is kept of all updates released by vendors.
- Updates are tested in a controlled environment where possible.
- Patches are applied within 14 days of release.
- Completion is logged in a central system for verification.
This process demonstrates not just what is done, but how it is done and how compliance is assured. It moves the organisation from a statement of intent to a repeatable, auditable procedure.
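The final step of the process above, logging completion in a central system, only provides evidence if someone checks that log against the 14-day window. As an added illustration (not part of the original post or any assessor tooling), the following script audits a constructed sample of such a log and classifies each router as compliant, late, pending, or overdue; the device names, dates, and column names are assumptions.

```python
from datetime import date, timedelta

# Patch window taken from the post: apply within 14 days of vendor release.
PATCH_WINDOW = timedelta(days=14)

# Constructed sample entries (not real vendor or customer data), shaped like the
# central log the process describes: one row per vendor release per device.
RECORDS = [
    {"device": "edge-router-01", "released": "2025-11-03", "applied": "2025-11-10", "tested": True},
    {"device": "edge-router-02", "released": "2025-11-03", "applied": "2025-11-25", "tested": False},
    {"device": "branch-router-07", "released": "2025-12-01", "applied": None, "tested": False},
    {"device": "branch-router-08", "released": "2025-11-20", "applied": None, "tested": False},
]


def check_record(rec, today):
    """Classify one log row against the 14-day window as of `today`."""
    released = date.fromisoformat(rec["released"])
    deadline = released + PATCH_WINDOW
    applied = date.fromisoformat(rec["applied"]) if rec["applied"] else None
    if applied is None:
        # Nothing applied yet: fine until the deadline passes, overdue after it.
        status = "overdue" if today > deadline else "pending"
    elif applied <= deadline:
        status = "compliant"
    else:
        status = "late"
    notes = []
    if applied is not None and not rec.get("tested", False):
        # The process says "tested where possible"; flag rows with no test record.
        notes.append("applied without a test record")
    return {"device": rec["device"], "deadline": deadline.isoformat(),
            "status": status, "notes": notes}


def audit(records, today_iso):
    """Run every row through check_record and tally the statuses."""
    today = date.fromisoformat(today_iso)
    results = [check_record(r, today) for r in records]
    summary = {}
    for r in results:
        summary[r["status"]] = summary.get(r["status"], 0) + 1
    return results, summary


if __name__ == "__main__":
    results, summary = audit(RECORDS, "2025-12-10")
    for r in results:
        extra = f" ({'; '.join(r['notes'])})" if r["notes"] else ""
        print(f"{r['device']:<18} deadline {r['deadline']}  {r['status']}{extra}")
    print("summary:", summary)
```

Run against a real export of the central log, the per-device output is the kind of evidence an assessor can check, and the summary shows whether the stated 14-day policy is actually being met.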
Bringing It Back to Cyber Essentials
When preparing for Cyber Essentials:
Avoid vague statements such as “We back up our data regularly.”
Provide a clear, step-by-step description of the process, including frequency, responsibility, and verification.
Show how the process ensures that policies are actually executed in practice.
Remember, a statement alone does not reduce risk. Only a documented, followed, and verifiable process does.
Our supported service guides you towards certification with an assigned senior assessor and hand-holding along the way, ensuring that you pass first time. Click here for more information, or contact us if you have any questions.