Everything you need to know about Cyber Essentials questionnaire

Written by Louise Ralston
Feb 23, 2026 - 4 minute read

Learn how to navigate the Cyber Essentials self-assessment questionnaire and ensure your business meets the five key technical controls for successful certification.

If your business is working towards Cyber Essentials certification, you’ll need to get to grips with the self-assessment questionnaire. This is the document in which you set out the steps your organisation takes to protect itself against common cybersecurity threats.

The questionnaire is designed to be straightforward, but many organisations underestimate its importance. The answers you give form the basis of the assessor's decision on whether to award certification, so they must accurately reflect the technical controls you actually have in place.

This guide provides an overview of what the Cyber Essentials self-assessment questionnaire involves, how it maps on to the certification’s five technical controls and what your business should do to maximise the chances of getting certified at the first attempt.

What is the Cyber Essentials self-assessment questionnaire – and why is it important?

The Cyber Essentials self-assessment questionnaire is a formal set of questions which organisations must complete before they can obtain Cyber Essentials certification. Bear in mind that the Cyber Essentials standard is updated every April, which can include changes to the self-assessment questionnaire. You can find more on the April 2026 update to Cyber Essentials here.

It requires organisations to confirm how they implement the five core technical controls that underpin the Cyber Essentials scheme. These controls are designed to protect against the most prevalent cybersecurity threats, including phishing, credential theft and malware.

The self-assessment is not simply an internal checklist. Answers are reviewed by a qualified assessor. If the responses indicate that a required control is not in place, or if answers are unclear, inconsistent or inaccurate, the assessor may refuse certification.

Cyber Essentials’ five technical controls explained

The Cyber Essentials self-assessment questionnaire is structured around the five key technical controls that lie at the heart of the Cyber Essentials scheme. Understanding what each of these is designed for should help you interpret the questions in the correct way.

Firewalls and boundary protection

This control focuses on how you shield your network against unauthorised access. The questionnaire asks about how your internet connection is secured, how firewalls or routers are configured and whether default passwords have been changed.

Assessors will look for confirmation that only necessary network services are exposed to the internet and that administrative access to networking equipment is restricted and secure. Poorly configured routers and exposed services remain a common source of weakness.

Secure configuration

Secure configuration is intended to reduce the risk of systems being compromised by attackers. Systems should not be left in their default state, while any unnecessary software, accounts and services should be removed or disabled.

The questionnaire explores how devices are built and managed, whether default credentials are changed and how you ensure that only required functionality is enabled. The underlying principle here is that the fewer unnecessary features a device has, the smaller the attack surface.

User access control

User access control ensures that only the appropriate people have access to certain systems, and only at the required level.

The self-assessment questionnaire asks how accounts are created, managed and removed, including how admin privileges are controlled and whether users are prevented from accessing systems they don’t need. Multi-factor authentication (MFA) is an important consideration in this regard.

Under the 2026 update to Cyber Essentials, cloud services must have MFA enabled wherever the provider offers it, even if turning it on incurs an additional cost. This is mandatory, not a recommendation: a cloud service in scope without MFA enabled is a failing answer.

Malware protection

Malware protection concerns the measures you use to prevent malicious software from running on your devices and compromising data security. This might include traditional anti-malware solutions, application allow-listing or other technical controls to prevent unauthorised code execution.

The questionnaire explores how protection is deployed, how it’s kept up to date and whether users are prevented from bypassing it. The focus is on ensuring that systems cannot easily be infected through common attack vectors such as malicious downloads or email attachments.

Security update management

This control addresses how you identify and apply security updates and patches. It is a core requirement of Cyber Essentials that critical or high-risk vulnerabilities are remediated within a defined period of time.

The questionnaire asks how you keep devices and software up to date, how you identify vulnerabilities and how you ensure updates are applied consistently across in-scope systems. Organisations lacking a structured patch management process often struggle with this section.

Cyber Essentials, including the 2026 version of the requirements, requires fixes for high-risk vulnerabilities and security updates to be installed within 14 days of the fix being released. The clock starts at the vendor's release date, not the date you notice the update, so a monthly patch cycle on its own will not keep you inside the window.
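A practical way to check this before filling in the questionnaire is to run your patch records against the 14-day window and list anything late or still outstanding. The following is an added example, not code from the page or from Cyber Tec; the inventory rows, device names, update names and the assessment date are all constructed for illustration, and the choice to treat updates with no severity as in scope is an assumption made here to err on the side of over-reporting.

```python
from datetime import date, timedelta

# Cyber Essentials window: fixes for high-risk vulnerabilities must be
# applied within 14 days of the fix being released.
PATCH_WINDOW = timedelta(days=14)

# Severities treated as in scope. Rows with no severity recorded are also
# treated as in scope (assumption for this example: over-report rather
# than silently drop an update whose risk is unknown).
IN_SCOPE = {"critical", "high"}

# Constructed sample patch records (not real devices or updates).
# "installed" is None when the update has not yet been applied.
INVENTORY = [
    {"device": "LAPTOP-01", "update": "browser 2026.03", "severity": "high",
     "released": date(2026, 3, 2), "installed": date(2026, 3, 9)},
    {"device": "LAPTOP-02", "update": "browser 2026.03", "severity": "high",
     "released": date(2026, 3, 2), "installed": date(2026, 3, 20)},
    {"device": "FW-EDGE-01", "update": "firmware 7.4.1", "severity": "critical",
     "released": date(2026, 3, 10), "installed": None},
    {"device": "LAPTOP-03", "update": "pdf reader 12.1", "severity": "low",
     "released": date(2026, 2, 1), "installed": None},
    {"device": "LAPTOP-01", "update": "os cumulative 2026-03", "severity": None,
     "released": date(2026, 3, 25), "installed": None},
]

# Constructed assessment date used when the script is run stand-alone.
TODAY = date(2026, 3, 30)


def in_scope(row):
    """True when the row must meet the 14-day deadline."""
    sev = row["severity"]
    return sev is None or sev.lower() in IN_SCOPE


def classify(row, today):
    """Return (status, days_over_deadline) for one patch record.

    ok       installed on or before the deadline
    late     installed, but after the deadline (a breach that has been closed)
    overdue  not installed and the deadline has passed (an open breach)
    pending  not installed, deadline still in the future
    """
    deadline = row["released"] + PATCH_WINDOW
    installed = row["installed"]
    if installed is None:
        over = (today - deadline).days
        return ("overdue", over) if over > 0 else ("pending", 0)
    over = (installed - deadline).days
    return ("late", over) if over > 0 else ("ok", 0)


def assess(rows, today):
    """Evaluate every in-scope record and return one finding per record."""
    findings = []
    for row in rows:
        if not in_scope(row):
            continue
        status, over = classify(row, today)
        findings.append({
            "device": row["device"],
            "update": row["update"],
            "deadline": row["released"] + PATCH_WINDOW,
            "status": status,
            "days_over": over,
        })
    return findings


def summarise(findings):
    """Count findings by status, e.g. {'ok': 1, 'late': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


def compliant(findings):
    """False if any in-scope update breached the window, closed or open."""
    return all(f["status"] in ("ok", "pending") for f in findings)


if __name__ == "__main__":
    results = assess(INVENTORY, TODAY)
    for f in sorted(results, key=lambda f: f["status"]):
        print(f"{f['status']:8} {f['device']:12} {f['update']:24} "
              f"deadline {f['deadline']}  days over: {f['days_over']}")
    print("summary:", summarise(results))
    print("within 14-day window:", compliant(results))
```

Feed it the same kind of records your patch-management tooling exports (device, update, severity, vendor release date, install date) and keep the output with your evidence: a "late" entry is as relevant to the assessor as an "overdue" one, since both show the process missed the window.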

Key considerations when completing self-assessment

Approaching the self-assessment questionnaire in a methodical way can be the difference between a smooth certification and unnecessary delays. Here are some of the most important considerations to bear in mind during this process.

  • Define your scope clearly: You must accurately identify which users, devices and cloud services are included in your assessment. Overlooking remote workers, personal devices used for work purposes or externally hosted services can invalidate your responses.

  • Ensure your answers reflect technical reality: It is not enough to state that a policy exists requiring secure configuration or timely patching. You must be confident that systems are configured and managed accordingly. Assessors may request clarification if responses appear inconsistent.

  • Pay attention to authentication and access controls: MFA is increasingly expected across administrative and cloud environments. If it is available (even if it involves an additional cost) and is not enabled, this may prevent certification.

  • Gather evidence before you begin: The questionnaire itself is declaration-based, but you should be able to demonstrate that all your controls are in place. Maintain records of patch deployment, firewall configurations and account management processes.

Be prepared, get certified

By understanding the intent behind each of Cyber Essentials’ five core technical controls, you are giving your organisation a much better chance of getting certified first time. Clear scope, accurate responses and well-managed controls will all make the process much smoother.

If you’re preparing for Cyber Essentials certification, Cyber Tec can make the process smoother and simpler – boosting your chances of passing first time. Get in touch with our team today and find out more about how we can help.

Topics: Cyber Essentials

