Your expert guide to the Cyber Essentials questionnaire
Holding Cyber Essentials certification tells potential customers that your cyber security posture meets a recognised baseline. Not only is this good for your reputation, it also qualifies you for procurement opportunities, including many UK government contracts, that are open only to Cyber Essentials certified companies.
However, organisations often enter the certification process with false expectations about the level of commitment required. This can lead to false starts and even failure to achieve certification.
This article explains how to make certifying for Cyber Essentials straightforward while avoiding common pitfalls that lead to expensive rework.
Table of contents
What is the Cyber Essentials self-assessment questionnaire?
Why is the questionnaire important?
6 questions to ask before you start the Cyber Essentials self-assessment
What is the Cyber Essentials self-assessment questionnaire?
The Cyber Essentials questionnaire is a self-assessment form that asks applicants about their cyber security posture in five core technical areas:
- Secure configuration
- User access control
- Malware protection
- Security update management
- Firewalls and routers
The questions in the self-assessment form mostly require simple ‘yes’ or ‘no’ answers, but many also ask for supporting details, explanations or screenshots. An assessor appointed by IASME, the NCSC’s delivery partner, reviews your answers to decide whether your cyber security meets the Cyber Essentials standard.
It’s important to research in detail what Cyber Essentials is and what the questionnaire involves. This is particularly important because the question set was updated in April 2025 (the ‘Willow’ question set, aligned to version 3.2 of the Requirements for IT Infrastructure), so any legacy knowledge you or your partners have may be out of date.
Why is the questionnaire important?
Don’t let the word “self-assessment” mislead you. While the form may look simple, completing it requires detailed knowledge of your IT estate, current cyber security standards, and precise configuration data.
That’s why thorough preparation, based on a detailed understanding of cyber security and the Cyber Essentials certification, is the key to becoming certified.
Going into the process without the right level of knowledge and preparation carries uncertainty:
- Cyber Essentials is marked on a simple pass-or-fail basis; failing a single question can fail the whole submission.
- After a failed attempt, the clock starts ticking: you have two working days to correct the failing answers and resubmit before you must pay to apply again.
- If you fail, you won’t be added to the official register of certified organisations. This is a reputational risk, particularly if clients were expecting to see you there as part of their supply chain assurance.
- Without a Cyber Essentials certification, some insurers may charge higher premiums, and if your policy makes certification a condition of cover, a claim may be disputed.
It’s also important to understand that the answers you give on the Cyber Essentials questionnaire form a formal declaration. That’s why the scheme requires the submission to be signed off by a board-level representative, business owner or equivalent senior person.
If you say, for instance, that your firewall has the necessary and documented rules to pass Cyber Essentials when it does not, you could be open to legal risk.
Even after you are certified, IASME retains the right to ask for evidence that your organisation still meets the requirements. It can ask at any time, and you have 48 hours to respond; if you don’t, you lose your Cyber Essentials certification.
To retain your certification, you must also apply fixes for critical and high-risk vulnerabilities (those the vendor rates critical or high, or with a CVSS v3 base score of 7.0 or above) within 14 days of the vendor releasing the fix. That means an ongoing patch and compliance process covering every in-scope device, not a one-off clean-up before the assessment.
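The 14-day rule is easiest to evidence if you track it per device against the vendor release date. The following Python is an added example (not code from the original article or from Texaport) showing how that check can be expressed: it classifies each fix as in or out of scope using the severity and CVSS criteria above, then reports which installations were late and which outstanding ones are already overdue. The inventory, device names and advisory labels are constructed for the example; the only real rule is the 14-day window measured from vendor release, not from the day you noticed the update.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials requirement: fixes for vulnerabilities the vendor rates critical or
# high, or that carry a CVSS v3 base score of 7.0 or above, must be applied within
# 14 days of the vendor releasing the fix. The clock starts at release.
SLA_DAYS = 14
CVSS_THRESHOLD = 7.0


@dataclass
class PatchRecord:
    device: str
    advisory: str               # constructed label for the example, not a real identifier
    vendor_severity: str        # vendor's own rating: critical / high / medium / low
    cvss_base: Optional[float]  # CVSS v3 base score, if one was published
    released: date              # date the vendor released the fix
    installed: Optional[date]   # date the fix was applied, or None if still outstanding


def in_scope(rec: PatchRecord) -> bool:
    """True when the 14-day rule applies: vendor critical/high OR CVSS >= 7.0.
    A vendor 'medium' with a 7.8 base score is still in scope."""
    if rec.vendor_severity.lower() in ("critical", "high"):
        return True
    return rec.cvss_base is not None and rec.cvss_base >= CVSS_THRESHOLD


def deadline(rec: PatchRecord) -> date:
    return rec.released + timedelta(days=SLA_DAYS)


def sla_status(rec: PatchRecord, today: date) -> str:
    """Classify one record as not_in_scope, ok, late, pending or overdue."""
    if not in_scope(rec):
        return "not_in_scope"
    due = deadline(rec)
    if rec.installed is not None:
        return "ok" if rec.installed <= due else "late"
    return "pending" if today <= due else "overdue"


def sla_report(records, today: date) -> dict:
    """Group device:advisory pairs by status. 'late' and 'overdue' are what an
    assessor will ask you to explain."""
    report = {"ok": [], "late": [], "pending": [], "overdue": [], "not_in_scope": []}
    for rec in records:
        report[sla_status(rec, today)].append(f"{rec.device}:{rec.advisory}")
    return report


# Constructed sample inventory; devices, dates and advisory labels are made up.
SAMPLE_TODAY = date(2025, 6, 16)
SAMPLE = [
    PatchRecord("lap-001", "ADV-A", "critical", 9.8, date(2025, 5, 20), date(2025, 5, 30)),
    PatchRecord("lap-002", "ADV-A", "high", 8.1, date(2025, 5, 20), date(2025, 6, 10)),
    PatchRecord("srv-001", "ADV-B", "medium", 7.8, date(2025, 6, 10), None),
    PatchRecord("srv-001", "ADV-C", "medium", 5.3, date(2025, 4, 1), None),
    PatchRecord("fw-001", "ADV-D", "critical", None, date(2025, 5, 25), None),
]

if __name__ == "__main__":
    for status, items in sla_report(SAMPLE, SAMPLE_TODAY).items():
        print(f"{status:13s} {items}")
```

Run against the sample, lap-002 shows up as late (installed 21 days after release) and fw-001 as overdue; srv-001’s ADV-B is pending even though the vendor called it medium, because its CVSS score puts it in scope.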
That’s why we’ve put together a helpful how-to guide: a set of questions to ask yourself, to help you start preparing for the Cyber Essentials self-assessment process.
6 Questions to ask before you start the self-assessment
Before hitting “go” on the Cyber Essentials certification process, you need to know your own IT estate inside out.
Here’s our Cyber Essentials guide, a checklist of questions to ask yourself before you begin the Cyber Essentials self-assessment questionnaire:
1. Do you have a complete and up-to-date asset inventory that covers devices on site, devices used remotely and every other type of device in scope?
Don’t wait until the clock is ticking to discover that your inventory misses devices attached to the network, laptops and phones used by remote workers, virtual desktops, kit bought ad hoc by project teams, and other non-standard devices.
2. Are you clear about what counts as a “network” for the Cyber Essentials self-assessment?
Do you have the full details of the networks you want to include in the Cyber Essentials self-assessment? You’ll need network names, locations, CIDR ranges and so on. VPNs that your managed devices connect through, and virtual networks, are also in scope.
3. Do you have complete information about the cloud and SaaS services your company uses and how they are configured?
This doesn’t mean ‘the cloud services we use every day’. It means every last cloud and SaaS service, including backup services, VoIP services, cloud-based CRMs, and everything else. You need a complete and accurate list, and for each service you need to show that it is configured securely, with MFA enabled for all users wherever the service supports it.
4. Are all your firewalls professional-grade devices that have been correctly protected and configured?
Do you know which firewalls and routers each of your sites uses, how they are configured, whether default passwords have been changed and, if so, how the new passwords were chosen? Is the administrative interface unreachable from the internet, or, where there is a documented need for remote administration, protected by MFA or an IP allow-list? Are inbound connections allowed only under documented, approved rules that conform to the Cyber Essentials criteria, with everything else blocked by default?
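Before you answer the firewall questions, it is worth running your exported rule set through the same checks an assessor applies. The Python below is an added example (not code from the original article or from Texaport): it reviews a constructed list of inbound rules and flags allows that lack a documented business need, approver and review date, management or remote-access ports open to any source, and the absence of a final inbound default-deny rule. The rule field names and the sample rules are assumptions for the example, not any vendor’s export format.

```python
from ipaddress import ip_network

# Ports that carry management interfaces or remote-access services. Cyber Essentials
# expects firewall administration not to be reachable from the internet unless there
# is a documented need and it is protected by MFA or an IP allow-list, and expects
# unauthenticated inbound access to be blocked by default.
ADMIN_OR_REMOTE_PORTS = {22, 23, 3389, 5900, 8443, 10443}


def is_any_source(src: str) -> bool:
    """True when the source is the whole address space (0.0.0.0/0 or ::/0)."""
    return ip_network(src, strict=False).prefixlen == 0


def review_rules(rules: list) -> list:
    """Return human-readable findings for the inbound part of a rule set."""
    findings = []
    has_default_deny = False
    for r in rules:
        if r["direction"] != "inbound":
            continue
        # A trailing deny-from-anywhere-to-any-port is the default-deny we want to see.
        if r["action"] == "deny" and r["dst_port"] == "any" and is_any_source(r["src"]):
            has_default_deny = True
            continue
        if r["action"] != "allow":
            continue
        rid = r["id"]
        if not (r.get("service") and r.get("approved_by") and r.get("reviewed")):
            findings.append(f"rule {rid}: inbound allow without a documented business need, "
                            f"approver and review date")
        if r["dst_port"] in ADMIN_OR_REMOTE_PORTS and is_any_source(r["src"]):
            findings.append(f"rule {rid}: management/remote-access port {r['dst_port']} "
                            f"allowed from any source")
    if not has_default_deny:
        findings.append("no final inbound default-deny rule; unauthenticated inbound "
                        "traffic is not blocked by default")
    return findings


# Constructed sample export. 203.0.113.0/24 is a documentation range standing in for
# an MSP's fixed address block.
SAMPLE_RULES = [
    {"id": 1, "direction": "inbound", "action": "allow", "src": "0.0.0.0/0", "dst_port": 443,
     "service": "public web server", "approved_by": "IT manager", "reviewed": "2025-03-01"},
    {"id": 2, "direction": "inbound", "action": "allow", "src": "0.0.0.0/0", "dst_port": 3389,
     "service": "", "approved_by": "", "reviewed": ""},
    {"id": 3, "direction": "inbound", "action": "allow", "src": "0.0.0.0/0", "dst_port": 8443,
     "service": "firewall admin UI", "approved_by": "IT manager", "reviewed": "2025-03-01"},
    {"id": 4, "direction": "inbound", "action": "allow", "src": "203.0.113.0/24", "dst_port": 8443,
     "service": "firewall admin UI from MSP range", "approved_by": "IT manager", "reviewed": "2025-03-01"},
    {"id": 5, "direction": "outbound", "action": "allow", "src": "10.0.0.0/8", "dst_port": "any",
     "service": "egress", "approved_by": "IT manager", "reviewed": "2025-03-01"},
    {"id": 6, "direction": "inbound", "action": "deny", "src": "0.0.0.0/0", "dst_port": "any",
     "service": "default deny", "approved_by": "IT manager", "reviewed": "2025-03-01"},
]

if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(finding)
```

On the sample, rule 2 (undocumented RDP from anywhere) produces two findings and rule 3 one: the admin UI is documented, but documenting a rule does not make exposing the management port to the whole internet acceptable. Rule 4, the same port restricted to a fixed source range, passes, as does the public web server on 443.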
5. Have you audited your access controls, authentication systems and user-admin rights to ensure they are compatible with Cyber Essentials?
Do the relevant systems support multi-factor authentication (MFA), and is it enabled for all cloud service accounts? Does every user have their own login, with no shared accounts? Have accounts belonging to leavers, and other accounts no longer needed, been removed or disabled? Are you enforcing the Cyber Essentials password rules (at least 8 characters when combined with MFA or a deny-list of common passwords, otherwise at least 12 characters, with no maximum length)? Are you using legacy systems that don’t support these controls?
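An account export from your directory or cloud tenant can be screened for the same issues before the assessor sees it. The Python below is an added example (not code from the original article or from Texaport): it encodes the Cyber Essentials password-length rule as a function and runs an audit over a constructed account list, flagging shared accounts, cloud and administrative accounts without MFA, and accounts that have not been used for a while. The 90-day staleness threshold is this example’s own assumption; the scheme requires unused accounts to be removed or disabled but does not set a number of days.

```python
from datetime import date

# Assumption for this example: an account unused for 90 days is a candidate for
# removal. Cyber Essentials requires accounts to be removed or disabled when no
# longer needed; it does not fix a number of days.
STALE_AFTER_DAYS = 90


def password_policy_ok(min_length: int, mfa_enforced: bool, deny_list: bool) -> bool:
    """Cyber Essentials password-based authentication rule: at least 8 characters when
    combined with MFA or a deny-list of common passwords, otherwise at least 12
    characters, with no maximum length."""
    if mfa_enforced or deny_list:
        return min_length >= 8
    return min_length >= 12


def audit_accounts(accounts: list, today: date) -> list:
    """Return findings an assessor would raise on an exported account list."""
    findings = []
    for a in accounts:
        name = a["user"]
        if a["shared"]:
            findings.append(f"{name}: shared account; every user needs their own login")
        if a["cloud"] and not a["mfa"]:
            findings.append(f"{name}: cloud service account without MFA")
        if a["admin"] and not a["mfa"]:
            findings.append(f"{name}: administrative account without MFA; enable it "
                            f"wherever the system supports it")
        last = a["last_login"]
        if last is None or (today - last).days > STALE_AFTER_DAYS:
            findings.append(f"{name}: unused for more than {STALE_AFTER_DAYS} days; "
                            f"remove or disable if no longer needed")
    return findings


# Constructed sample export; names and dates are made up for the example.
SAMPLE_TODAY = date(2025, 6, 16)
SAMPLE_ACCOUNTS = [
    {"user": "a.smith", "shared": False, "admin": False, "cloud": True, "mfa": True,
     "last_login": date(2025, 6, 10)},
    {"user": "reception", "shared": True, "admin": False, "cloud": True, "mfa": False,
     "last_login": date(2025, 6, 14)},
    {"user": "j.doe-admin", "shared": False, "admin": True, "cloud": False, "mfa": False,
     "last_login": date(2025, 6, 15)},
    {"user": "contractor-2024", "shared": False, "admin": False, "cloud": True, "mfa": True,
     "last_login": date(2024, 11, 1)},
    {"user": "svc-backup", "shared": False, "admin": False, "cloud": False, "mfa": False,
     "last_login": None},
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY):
        print(finding)
    print("8 chars + MFA ok:", password_policy_ok(8, True, False))
    print("8 chars, no MFA, no deny-list ok:", password_policy_ok(8, False, False))
```

The shared ‘reception’ login is the classic finding: it fails on its own and, being a cloud account without MFA, fails again. A service account with no recorded login is worth a line in the report too, because the assessor will ask what it is for.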
6. Are your security settings consistent, robust, applied across all types of relevant devices and systems, and well documented?
It’s all too easy to discover consumer-grade devices on your network still carrying the default apps and settings they shipped with, teams that have subscribed to or self-configured cloud or SaaS services without securing them, or remote access, BIOS/UEFI settings or some other sub-system that was never hardened.
These are just some of the questions you need to answer before you take the IASME Cyber Essentials test.
With the right preparation, and with help from the experts at Texaport, the certification process does not need to be daunting. You can set yourself up to gain your Cyber Essentials on the first try.
Your Cyber Essentials journey
Texaport is one of the UK’s leading managed services providers, specialising in cyber security. Our engineers and consultants have helped many organisations successfully pass their assessment and gain their Cyber Essentials certification.
Over recent years, Texaport has helped a wide range of organisations gain their Cyber Essentials certification. These include charities such as Hey Girls, AOC Archaeology, one of Britain’s leading heritage consultancies, project management specialists Reid Mitchell, and many more.
No matter what your specific goals and challenges, Texaport can help you prepare for and gain your Cyber Essentials certification, with the greatest efficiency, avoiding unnecessary expense or rework.