If your business is working towards Cyber Essentials certification, you’ll need to get to grips with the self-assessment questionnaire. This is the document that asks you to elaborate on the steps your organisation takes to protect itself against common cybersecurity threats.
The questionnaire is designed to be straightforward, but many organisations underestimate its importance. The answers provided will form the basis of the verdict on whether or not to approve certification. They must therefore accurately reflect the technical controls you have in place.
This guide provides an overview of what the Cyber Essentials self-assessment questionnaire involves, how it maps onto the certification’s five technical controls and what your business should do to maximise the chances of getting certified at the first attempt.
The Cyber Essentials self-assessment questionnaire is a formal set of questions which organisations must complete before they can obtain Cyber Essentials certification. Bear in mind that the Cyber Essentials standard is updated every April, which can include changes to the self-assessment questionnaire. You can find more on the April 2026 update to Cyber Essentials here.
It requires organisations to confirm how they implement the five core technical controls that underpin the Cyber Essentials scheme. These controls are designed to protect against the most prevalent cybersecurity threats, including phishing, credential theft and malware.
The self-assessment is not simply an internal checklist. Answers are reviewed by a qualified assessor. If the responses indicate that a required control is not in place, or if answers are unclear, inconsistent or inaccurate, the assessor may refuse certification.
The self-assessment will be much easier to complete if you treat it as the final stage of preparation, rather than the starting point.
Before logging into the assessment portal, gather the information you will need to answer accurately and consistently. Here is a brief checklist to help you:
Scope is one of the most important parts of the Cyber Essentials process. It defines which parts of your organisation, infrastructure, users and services are being assessed. If the scope is wrong, the rest of the questionnaire can quickly become unreliable.
Most organisations certify their whole IT infrastructure. However, a defined subset may be possible where there is a clear boundary. This needs to be agreed with the certification body and should be described in practical terms, including the business unit, network boundary, physical location and legal entities included.
Be careful not to exclude systems simply because they are inconvenient. End-user devices, cloud services that store or process business data, remote working arrangements and personally owned (BYOD) devices may all be in scope. If they are used to access organisational data or services, they need to be considered before you submit.
A strong scope statement should answer three questions: what is included, what is excluded and why. Vague statements such as “head office only” or “cloud services excluded” are unlikely to be enough without a clear explanation of the boundary.
The Cyber Essentials self-assessment questionnaire is structured around the five key technical controls that lie at the heart of the Cyber Essentials scheme.
Understanding what each of these is designed for should help you interpret the questions in the correct way.
The firewalls control focuses on how you shield your network against unauthorised access. The questionnaire asks how your internet connection is secured, how firewalls or routers are configured and whether default passwords have been changed.
Assessors will look for confirmation that only necessary network services are exposed to the internet and that administrative access to networking equipment is restricted and secure. Poorly configured routers and exposed services remain a common source of weakness.
Secure configuration reduces the risk of systems being compromised by attackers. Systems should not be left in their default state, and any unnecessary software, accounts and services should be removed or disabled.
The questionnaire explores how devices are built and managed, whether default credentials are changed and how you ensure that only required functionality is enabled. The underlying principle here is that the fewer unnecessary features a device has, the smaller the attack surface.
User access control ensures that only the appropriate people have access to certain systems, and only at the required level.
The self-assessment questionnaire asks how accounts are created, managed and removed, including how admin privileges are controlled and whether users are prevented from accessing systems they don’t need. Multi-factor authentication (MFA) is an important consideration in this regard.
Under the 2026 update to Cyber Essentials, MFA is a mandatory requirement for cloud services wherever the service offers it, even if enabling it incurs an additional cost.
Malware protection concerns the measures you use to prevent malicious software from running on your devices and compromising data security. This might include traditional anti-malware solutions, application allow-listing or other technical controls to prevent unauthorised code execution.
The questionnaire explores how protection is deployed, how it’s kept up to date and whether users are prevented from bypassing it. The focus is on ensuring that systems cannot easily be infected through common attack vectors such as malicious downloads or email attachments.
Security update management addresses how you identify and apply security updates and patches. It is a core requirement of Cyber Essentials that critical or high-risk vulnerabilities are remediated within a defined period of time.
The questionnaire asks how you keep devices and software up to date, how you identify vulnerabilities and how you ensure updates are applied consistently across in-scope systems. Organisations lacking a structured patch management process often struggle with this section.
The 2026 update to Cyber Essentials requires high-risk vulnerability fixes and security updates to be installed within 14 days of their release.
Cyber Essentials is a verified self-assessment, but that does not mean evidence is unimportant. Your answers should be based on records, settings and processes that can be checked. Preparing evidence in advance will also help you spot gaps before they delay certification.
Here are some examples of strong evidence for each area of the questionnaire; if you can provide all of this, you'll be in a great position for your assessment.
| Questionnaire area | Useful evidence to prepare |
|---|---|
| Firewalls and boundary protection | Router or firewall configuration, list of open ports and services, confirmation that default passwords have been changed, evidence that administrative access is restricted. |
| Secure configuration | Device build standards, configuration records, disabled default accounts, removed or restricted unnecessary software, services and functionality. |
| User access control | User and administrator lists, joiner and leaver process, access review records, MFA settings, evidence that administrator privileges are controlled. |
| Malware protection | Anti-malware or EDR status, MDM settings, application allow-listing controls, evidence that users cannot disable protection. |
| Security update management | Patch reports, software and operating system versions, vulnerability scan outputs, update policy and evidence that high-risk or critical updates are applied within 14 days. |
| Cloud services | Cloud service inventory, MFA enforcement, administrator account controls, security settings and confirmation of which controls are handled by the provider and which remain your responsibility. |
| Scope | Asset register, cloud inventory, BYOD and remote working policy, network diagrams where available, list of legal entities included in certification. |
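Much of the device-level evidence in the table above can be pulled from a Windows endpoint in one pass rather than screenshot by screenshot. The script below is an added example, not part of the original article or of any certification body's tooling. It uses only built-in PowerShell cmdlets, must be run in an elevated session on an in-scope device, and writes a JSON evidence file whose path is an assumption. The 14-day figure is the update window quoted in this article; the 7-day signature-age threshold and the "days since last update" heuristic are assumptions made here, not scheme requirements.

```powershell
# Added example (not from the original article): collect point-in-time evidence
# from a Windows endpoint for several questionnaire areas. Run elevated.

$report = [ordered]@{}
$report.Host      = $env:COMPUTERNAME
$report.Collected = (Get-Date).ToString('u')

# Firewalls: every profile should be enabled with inbound default action 'Block'.
$report.Firewall = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction

# Boundary protection: services actually listening on this host.
$report.ListeningPorts = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort -Unique

# Secure configuration: OS version and state of the built-in Administrator (RID 500)
# and Guest (RID 501) accounts, which the scheme expects to be disabled or renamed.
$os = Get-CimInstance Win32_OperatingSystem
$report.OS = [pscustomobject]@{
    Caption = $os.Caption; Version = $os.Version; BuildNumber = $os.BuildNumber
}
$report.BuiltInAccounts = Get-LocalUser |
    Where-Object { $_.SID -like '*-500' -or $_.SID -like '*-501' } |
    Select-Object Name, Enabled

# User access control: who holds local administrator rights on this device.
$report.LocalAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Malware protection: Defender service state, real-time protection,
# tamper protection (stops users switching it off) and signature age.
$mp = Get-MpComputerStatus
$report.Defender = [pscustomobject]@{
    AMServiceEnabled              = $mp.AMServiceEnabled
    RealTimeProtectionEnabled     = $mp.RealTimeProtectionEnabled
    IsTamperProtected             = $mp.IsTamperProtected
    AntivirusSignatureAgeDays     = $mp.AntivirusSignatureAge
    AntivirusSignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
}

# Security update management: most recent OS updates and time since the last one.
# Get-HotFix only covers Windows updates, not third-party software.
$hotfixes = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending
$report.RecentUpdates = $hotfixes |
    Select-Object -First 10 HotFixID, Description, InstalledOn
$latest = $hotfixes | Select-Object -First 1
$daysSinceLast = if ($latest) {
    (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
} else { $null }
$report.DaysSinceLastUpdate = $daysSinceLast

# Quick flags for the high-risk areas an assessor will query. The update check is
# a heuristic (assumption): "no update in 14 days" is not the same as "every
# high-risk update applied within 14 days of release", but it catches stale hosts.
$report.Flags = @(
    if ($report.Firewall | Where-Object { -not $_.Enabled }) { 'A firewall profile is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { 'Defender real-time protection is off' }
    if (-not $mp.IsTamperProtected)         { 'Defender tamper protection is off' }
    if ($mp.AntivirusSignatureAge -gt 7)    { 'Defender signatures older than 7 days (assumed threshold)' }
    if ($null -eq $daysSinceLast -or $daysSinceLast -gt 14) { 'No OS update installed in the last 14 days' }
)

# Write the evidence pack next to the script (path is an assumption) and echo the flags.
$report | ConvertTo-Json -Depth 4 | Set-Content -Path ".\ce-evidence-$($report.Host).json"
$report.Flags
```

Run this on a sample of in-scope devices and keep the JSON files with the date in the name; they back up the "stronger answers" later in this article with something an assessor can check. It covers only the endpoint itself: cloud-side evidence such as Microsoft 365 MFA enforcement or Conditional Access policies has to come from the tenant's admin portal or its own reporting.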
The best answers are specific, factual and tied to the systems in scope. Avoid vague statements that simply say a policy exists.
The assessor needs to understand exactly how the control is implemented in practice.
| Weak answer | Stronger answer |
|---|---|
| “We use MFA.” | “MFA is enforced for all Microsoft 365 user and administrator accounts. It is managed through Conditional Access and reviewed monthly.” |
| “All devices are updated.” | “All Windows laptops are managed through Intune. Critical and high-risk updates are deployed within 14 days, and compliance reports are reviewed weekly.” |
| “We have antivirus installed.” | “Microsoft Defender is enabled on all company laptops. Users cannot disable protection, and alerts are reviewed by our IT provider.” |
| “Old accounts are removed.” | “Leavers are disabled on their final working day through the HR offboarding process. Administrator accounts are reviewed quarterly.” |
| “Cloud is handled by Microsoft.” | “Microsoft provides the cloud platform, but we remain responsible for our Microsoft 365 configuration. MFA, admin permissions, sharing settings and user access are managed internally.” |
Approaching the self-assessment questionnaire in a methodical way can be the difference between a smooth certification and unnecessary delays. Here are some of the most important considerations to bear in mind during this process.
Many failed or delayed assessments come down to avoidable issues.
Before submitting, pay particular attention to the following high-risk areas, and do not submit your questionnaire until each has been checked:
- MFA is enabled where required
- critical and high-risk updates are being applied on time
- unsupported products have been removed or upgraded
- the scope accurately reflects how the organisation works
Once the questionnaire has been submitted, an assessor reviews the responses. They may ask clarification questions if an answer is unclear, incomplete or appears to conflict with another response.
A delay at this stage does not always mean a failure, but it usually means the original answer did not give the assessor enough confidence.
Cyber Essentials is assessed at a point in time, but it should not be treated as a one-day exercise. The declaration signed by a director or board-level representative confirms that the organisation understands its responsibility to maintain the controls throughout the certification period. Ensuring you do this will make your renewal process much smoother.
The self-assessment becomes even more important if you intend to progress to Cyber Essentials Plus. Treat it as the foundation for the technical audit, not a rough draft. The answers should already be complete and accurate before the Plus assessment begins.
Cyber Essentials Plus must be completed within three months of the relevant Cyber Essentials certification. If Plus testing identifies issues that contradict the self-assessment, this can create additional remediation work and may put certification at risk.
Use the official NCSC Cyber Essentials Readiness Tool to check your position before beginning the assessment.
Download the current IASME self-assessment question set so you can prepare your answers before entering them into the portal.
Keep the Cyber Essentials Requirements for IT Infrastructure to hand while completing the questionnaire, as this explains the technical requirements behind the questions.
By understanding the intent behind each of Cyber Essentials’ five core technical controls, you are giving your organisation a much better chance of getting certified first time. Clear scope, accurate responses and well-managed controls will all make the process much smoother.
If you’re preparing for Cyber Essentials certification, Cyber Tec can make the process smoother and simpler – boosting your chances of passing first time. Get in touch with our team today and find out more about how we can help.