How to Complete the Cyber Essentials Questionnaire

Written by Louise Ralston
Jun 17, 2026 - 14 minute read

Learn how to navigate the Cyber Essentials self-assessment questionnaire and ensure your business meets the five key technical controls for successful certification.

If your business is working towards Cyber Essentials certification, you’ll need to get to grips with the self-assessment questionnaire. This is the document that asks you to elaborate on the steps your organisation takes to protect itself against common cybersecurity threats.

The questionnaire is designed to be straightforward, but many organisations underestimate its importance. The answers provided will form the basis of the verdict on whether or not to approve certification. They must therefore accurately reflect the technical controls you have in place.

This guide provides an overview of what the Cyber Essentials self-assessment questionnaire involves, how it maps on to the certification’s five technical controls and what your business should do to maximise the chances of getting certified at the first attempt.


What is the Cyber Essentials self-assessment questionnaire?

The Cyber Essentials self-assessment questionnaire is a formal set of questions which organisations must complete before they can obtain Cyber Essentials certification. Bear in mind that the Cyber Essentials standard is updated every April, which can include changes to the self-assessment questionnaire. You can find more on the April 2026 update to Cyber Essentials here.

It requires organisations to confirm how they implement the five core technical controls that underpin the Cyber Essentials scheme. These controls are designed to protect against the most prevalent cybersecurity threats, including phishing, credential theft and malware.

The self-assessment is not simply an internal checklist. Answers are reviewed by a qualified assessor. If the responses indicate that a required control is not in place, or if answers are unclear, inconsistent or inaccurate, the assessor may refuse certification.


Before you open the questionnaire: what to prepare

The self-assessment will be much easier to complete if you treat it as the final stage of preparation, rather than the starting point.

Before logging into the assessment portal, gather the information you will need to answer accurately and consistently. Here is a brief checklist to help you:

  • Confirm which version of the question set applies to your assessment. For assessments created from 27 April 2026, the relevant version is the Danzell question set.
  • Build a current asset list covering laptops, desktops, mobile devices, servers, routers, firewalls, software and cloud services.
  • Identify all users, administrators, remote workers, contractors and any personal devices used for work purposes.
  • Check that all in-scope software, operating systems and firmware are licensed, supported and receiving security updates.
  • Review MFA, patching, firewall rules, malware protection, account management and device configuration before submitting.
  • Make sure the person signing the declaration understands that the answers must reflect what is actually in place, not what is intended or documented in policy only.


Start with scope: everything else depends on it

Scope is one of the most important parts of the Cyber Essentials process. It defines which parts of your organisation, infrastructure, users and services are being assessed. If the scope is wrong, the rest of the questionnaire can quickly become unreliable.

Most organisations certify their whole IT infrastructure. However, a defined subset may be possible where there is a clear boundary. This needs to be agreed with the certification body and should be described in practical terms, including the business unit, network boundary, physical location and legal entities included.

Be careful not to exclude systems simply because they are inconvenient. End-user devices, cloud services that store or process business data, remote working arrangements and BYOD devices may all be in scope. If they are used to access organisational data or services, they need to be considered before you submit.

A strong scope statement should answer three questions: what is included, what is excluded and why. Vague statements such as “head office only” or “cloud services excluded” are unlikely to be enough without a clear explanation of the boundary.


Cyber Essentials’ five technical controls – what assessors are looking for

The Cyber Essentials self-assessment questionnaire is structured around the five key technical controls that lie at the heart of the Cyber Essentials scheme.

Understanding what each of these is designed for should help you interpret the questions in the correct way.

Firewalls and boundary protection

This control focuses on how you shield your network against unauthorised access. The questionnaire asks about how your internet connection is secured, how firewalls or routers are configured and whether default passwords have been changed.

Assessors will look for confirmation that only necessary network services are exposed to the internet and that administrative access to networking equipment is restricted and secure. Poorly configured routers and exposed services remain a common source of weakness.

Secure configuration

Secure configuration is intended to reduce the risk of systems being compromised by attackers. Systems should not be left in their default state, while any unnecessary software, accounts and services should be removed or disabled.

The questionnaire explores how devices are built and managed, whether default credentials are changed and how you ensure that only required functionality is enabled. The underlying principle here is that the fewer unnecessary features a device has, the smaller the attack surface.

User access control

User access control ensures that only the appropriate people have access to certain systems, and only at the required level.

The self-assessment questionnaire asks how accounts are created, managed and removed, including how admin privileges are controlled and whether users are prevented from accessing systems they don’t need. Multi-factor authentication (MFA) is an important consideration in this regard.

Under the 2026 update to Cyber Essentials, cloud services must have MFA enabled where it is available, even if it incurs an additional cost. This is a mandatory requirement.

Malware protection

Malware protection concerns the measures you use to prevent malicious software from running on your devices and compromising data security. This might include traditional anti-malware solutions, application allow-listing or other technical controls to prevent unauthorised code execution.

The questionnaire explores how protection is deployed, how it’s kept up to date and whether users are prevented from bypassing it. The focus is on ensuring that systems cannot easily be infected through common attack vectors such as malicious downloads or email attachments.

Security update management

This control addresses how you identify and apply security updates and patches. It is a core requirement of Cyber Essentials that critical or high-risk vulnerabilities are remediated within a defined period of time.

The questionnaire asks how you keep devices and software up to date, how you identify vulnerabilities and how you ensure updates are applied consistently across in-scope systems. Organisations lacking a structured patch management process often struggle with this section.

The 2026 update to Cyber Essentials requires high-risk vulnerability fixes and security updates to be installed within 14 days of their release.


What evidence should you have ready?

Cyber Essentials is a verified self-assessment, but that does not mean evidence is unimportant. Your answers should be based on records, settings and processes that can be checked. Preparing evidence in advance will also help you spot gaps before they delay certification.

Here are some examples of strong evidence for each area of the questionnaire; if you can provide all of this, you'll be in a great position for your assessment.

Questionnaire area and useful evidence to prepare:

  • Firewalls and boundary protection: router or firewall configuration, list of open ports and services, confirmation that default passwords have been changed, evidence that administrative access is restricted.
  • Secure configuration: device build standards, configuration records, disabled default accounts, removed or restricted unnecessary software, services and functionality.
  • User access control: user and administrator lists, joiner and leaver process, access review records, MFA settings, evidence that administrator privileges are controlled.
  • Malware protection: anti-malware or EDR status, MDM settings, application allow-listing controls, evidence that users cannot disable protection.
  • Security update management: patch reports, software and operating system versions, vulnerability scan outputs, update policy and evidence that high-risk or critical updates are applied within 14 days.
  • Cloud services: cloud service inventory, MFA enforcement, administrator account controls, security settings and confirmation of which controls are handled by the provider and which remain your responsibility.
  • Scope: asset register, cloud inventory, BYOD and remote working policy, network diagrams where available, list of legal entities included in certification.


How to write good answers that an assessor can verify

The best answers are specific, factual and tied to the systems in scope. Avoid vague statements that simply say a policy exists.

The assessor needs to understand exactly how the control is implemented in practice.

Weak answer: “We use MFA.”
Stronger answer: “MFA is enforced for all Microsoft 365 user and administrator accounts. It is managed through Conditional Access and reviewed monthly.”

Weak answer: “All devices are updated.”
Stronger answer: “All Windows laptops are managed through Intune. Critical and high-risk updates are deployed within 14 days, and compliance reports are reviewed weekly.”

Weak answer: “We have antivirus installed.”
Stronger answer: “Microsoft Defender is enabled on all company laptops. Users cannot disable protection, and alerts are reviewed by our IT provider.”

Weak answer: “Old accounts are removed.”
Stronger answer: “Leavers are disabled on their final working day through the HR offboarding process. Administrator accounts are reviewed quarterly.”

Weak answer: “Cloud is handled by Microsoft.”
Stronger answer: “Microsoft provides the cloud platform, but we remain responsible for our Microsoft 365 configuration. MFA, admin permissions, sharing settings and user access are managed internally.”


Key considerations when completing the self-assessment

Approaching the self-assessment questionnaire in a methodical way can be the difference between a smooth certification and unnecessary delays. Here are some of the most important considerations to bear in mind during this process.

  • Define your scope clearly: You must accurately identify which users, devices and cloud services are included in your assessment. Overlooking remote workers, personal devices used for work purposes or externally hosted services can invalidate your responses.
  • Ensure your answers reflect the technical reality: It is not enough to state that a policy exists requiring secure configuration or timely patching. You must be confident that systems are configured and managed accordingly. Assessors may request clarification if responses appear inconsistent.
  • Pay attention to authentication and access controls: MFA is increasingly expected across administrative and cloud environments. If it is available (even if it involves an additional cost) and is not enabled, this may prevent certification.
  • Gather your evidence before you begin: The questionnaire itself is declaration-based, but you should be able to demonstrate that all your controls are in place. Maintain records of patch deployment, firewall configurations and account management processes.


Common reasons for failing the Cyber Essentials Questionnaire

Many failed or delayed assessments come down to avoidable issues.

Before submitting, pay particular attention to the following areas:

  • Unsupported software, operating systems or firmware are still in scope.
  • MFA has not been enabled for a cloud service where it is available.
  • High-risk or critical security updates are not applied within 14 days of release.
  • Cloud services, remote workers, BYOD devices or externally hosted systems have been missed from scope.
  • Answers describe policies, but not the technical controls actually implemented; see the previous section on specificity in your answers.
  • Administrator access is too broad, not reviewed or still protected by weak authentication.
  • Firewall rules, open services or default credentials have not been reviewed.
  • Answers are inconsistent, for example, stating that all devices are centrally managed while also allowing unmanaged personal devices to access business data.

Do not submit your questionnaire until the high-risk areas have been checked.

Make sure to confirm that MFA is enabled where required, critical and high-risk updates are being applied on time, unsupported products have been removed or upgraded, and the scope accurately reflects how the organisation works.
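As an added illustration, not part of the original article, the following Python script runs the pre-submission checks listed above over a constructed asset register: unsupported OS or firmware still in scope, MFA available but not enabled on a cloud service, high-risk updates outside the 14-day window, and an "all devices centrally managed" answer that the register contradicts. All asset names, update names and dates are constructed; the vendor support dates are placeholders, not real product lifecycles.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # high-risk/critical updates must be installed within 14 days

@dataclass
class Asset:
    name: str
    kind: str                                   # "device" or "cloud"
    managed: bool = True                        # centrally managed (MDM/Intune-style)
    supported_until: Optional[date] = None      # vendor support end for the OS/firmware
    mfa_available: bool = False
    mfa_enabled: bool = False
    critical_updates: list = field(default_factory=list)  # (name, released, installed or None)

def check_asset(asset: Asset, today: date) -> list:
    # Failure conditions this single asset would trigger in the questionnaire.
    findings = []
    if asset.kind == "device":
        if asset.supported_until is not None and asset.supported_until < today:
            findings.append(f"{asset.name}: unsupported OS/firmware still in scope")
        for name, released, installed in asset.critical_updates:
            deadline = released + PATCH_WINDOW
            if installed is None and today > deadline:
                findings.append(f"{asset.name}: {name} not installed, deadline {deadline} passed")
            elif installed is not None and installed > deadline:
                findings.append(f"{asset.name}: {name} installed late ({installed} > {deadline})")
    elif asset.kind == "cloud" and asset.mfa_available and not asset.mfa_enabled:
        findings.append(f"{asset.name}: MFA available but not enabled")
    return findings

def check_register(assets: list, today: date, claims_all_devices_managed: bool) -> list:
    # Per-asset checks, then a consistency check of the 'all devices managed' answer.
    findings = [f for a in assets for f in check_asset(a, today)]
    unmanaged = [a.name for a in assets if a.kind == "device" and not a.managed]
    if claims_all_devices_managed and unmanaged:
        findings.append("inconsistent answer: 'all devices centrally managed' but unmanaged: " + ", ".join(unmanaged))
    return findings

# Constructed sample register (not real assets or support dates) to exercise each check.
SAMPLE_ASSETS = [
    Asset("LAPTOP-01", "device", supported_until=date(2027, 10, 14),
          critical_updates=[("UPDATE-A", date(2026, 5, 1), date(2026, 5, 10))]),
    Asset("LAPTOP-02", "device", managed=False, supported_until=date(2025, 10, 14),
          critical_updates=[("UPDATE-A", date(2026, 5, 1), None)]),
    Asset("Microsoft 365", "cloud", mfa_available=True, mfa_enabled=True),
    Asset("EXAMPLE-SAAS", "cloud", mfa_available=True, mfa_enabled=False),
]

def readiness_findings(today: date = date(2026, 6, 1)) -> list:
    return check_register(SAMPLE_ASSETS, today, claims_all_devices_managed=True)
```

Each finding maps to one of the failure reasons above, so an empty list from `readiness_findings()` means the register contains none of the high-risk conditions the assessor would reject.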


What happens after you submit?

Once the questionnaire has been submitted, an assessor reviews the responses. They may ask clarification questions if an answer is unclear, incomplete or appears to conflict with another response.

A delay at this stage does not always mean a failure, but it usually means the original answer did not give the assessor enough confidence.

Cyber Essentials is assessed at a point in time, but it should not be treated as a one-day exercise. The declaration signed by a director or board-level representative confirms that the organisation understands its responsibility to maintain the controls throughout the certification period. Ensuring you do this will make your renewal process much smoother.

Progressing to Cyber Essentials Plus

The self-assessment becomes even more important if you intend to progress to Cyber Essentials Plus. Treat it as the foundation for the technical audit, not a rough draft. The answers should already be complete and accurate before the Plus assessment begins.

Cyber Essentials Plus must be completed within three months of the relevant Cyber Essentials certification. If Plus testing identifies issues that contradict the self-assessment, this can create additional remediation work and may put certification at risk.


Additional resources to help prepare for your Cyber Essentials Questionnaire

Use the official NCSC Cyber Essentials Readiness Tool to check your position before beginning the assessment.

Download the current IASME self-assessment question set so you can prepare your answers before entering them into the portal.

Keep the Cyber Essentials Requirements for IT Infrastructure to hand while completing the questionnaire, as this explains the technical requirements behind the questions.


Be prepared, get certified

By understanding the intent behind each of Cyber Essentials’ five core technical controls, you are giving your organisation a much better chance of getting certified first time. Clear scope, accurate responses and well-managed controls will all make the process much smoother.

If you’re preparing for Cyber Essentials certification, Cyber Tec can make the process smoother and simpler – boosting your chances of passing first time. Get in touch with our team today and find out more about how we can help.
