Quick answer: Cyber Essentials questionnaire walkthrough — every section explained, common assessor pushback, what to write, how to pass first time. UK 2026 guide.
Last updated: April 2026 | Reviewed by: Connection Technologies team

Cyber Essentials Questionnaire UK 2026: Section-by-Section Answers Guide
The Cyber Essentials questionnaire — formally the IASME Self-Assessment Questionnaire — is around 70 questions across the five technical control families. Most are yes/no with a free-text justification box; a handful ask for counts (number of devices, users, cloud services). Pass mark is “every question answered satisfactorily”, which in practice means truthful answers and evidence the IASME assessor can verify if asked.
This guide walks section-by-section through the questionnaire, explains what each question is really asking, the most common wrong answers, and where assessors push back. If you’re stuck mid-application or your draft has come back with assessor queries, you’ll find the typical fix here. If you want to skip the paperwork entirely, our managed Cyber Essentials service completes the questionnaire on your behalf.
How the Cyber Essentials questionnaire works
You complete the questionnaire on the IASME portal after registering. Answers are saved as you go and you can collaborate with colleagues. Once submitted, an IASME-licensed assessor reviews within 5 working days. They’ll either certify, or come back with up to two rounds of clarifying questions before either certifying or failing the application.
You have 6 months from registration to submit. After that the registration expires and you pay the IASME fee again. Most businesses complete the questionnaire in 4-8 hours of focused work — assuming the evidence (asset register, MFA screenshots, patching policy) is already to hand.
Section A1: Your business — scope
This is where most submissions go wrong before they’ve even started. You declare what’s in scope and the rest of the questionnaire is judged against that scope.
- Whole organisation — the simplest. Every device, every cloud service, every user. Best for small businesses.
- Subset — only specific systems / locations / business units. Requires you to demonstrate full segregation from the rest of the estate. The certificate will say “applies to X subset”, which is far less useful for tenders.
Our advice: certify whole-organisation unless you have a genuine air-gapped legacy estate.
Section A2: Boundary firewalls and internet gateways
Around 8 questions. Common pitfalls:
- “Are home workers’ routers in scope?” Generally no — but you do need a host-based firewall on every laptop they use. The host firewall (Windows Firewall, macOS Firewall) replaces the boundary firewall function for remote workers.
- “Have you changed the default admin password?” The honest answer for many SMEs is “we don’t know who set up the office firewall”. Get this checked before you tick yes.
- “Do you document inbound firewall rules with a business reason?” A spreadsheet listing each rule, the reason it exists, who approved it and when it was last reviewed is sufficient evidence.
Section A3: Secure configuration
Around 12 questions. The two biggest fails:
- Default credentials on devices — printers, NAS, CCTV, VoIP handsets, IoT devices. Walk the office. Anything still on admin/admin or admin/password fails.
- Auto-run / auto-play blocked — must be disabled on Windows. The assessor wants confirmation that it is enforced centrally, via a Group Policy or Intune setting rather than per-device.
You’ll also be asked for an asset register — every device that’s in scope, with model, OS, owner. Most SMEs don’t have this; if you’re certifying for the first time, allow a day to build one. Spreadsheets are fine for under 100 devices.
Section A4: User access control
Around 14 questions — and the highest failure rate. The questionnaire wants:
- A documented user account creation process (joiner)
- A documented role-change process (mover)
- A documented account removal process (leaver) with maximum 7-day SLA
- Confirmation that admin accounts are separate from day-to-day user accounts (not the same person logged in as admin all day)
- MFA on every cloud service holding organisational data, with a list of those services
- MFA on every administrative account
- Password policy meeting one of the three accepted approaches (see our password policy guide)
The assessor will likely ask for screenshots of MFA being enforced in M365 admin centre, plus the audit log showing recent account removals.
Section A5: Malware protection
Around 8 questions. Choose ONE of three approaches and apply it consistently:
- Anti-malware software — Microsoft Defender, Sophos, CrowdStrike, SentinelOne, etc. Must be on every in-scope device, signatures auto-updating, on-access scanning enabled.
- Application allowlisting — only approved applications can run. AppLocker, Microsoft Defender Application Control, Jamf restrictions. Requires an explicit allowlist and a documented review process.
- Sandboxing — every untrusted application runs in a sandbox. Rare for SMEs; mostly used by browsers, not as a primary control.
Mixing approaches across the estate is fine, but each device must have at least one applied. Common fail: relying on the SaaS provider’s protection (Defender for Office 365) and not having anything on the laptop itself.
Section A6: Security update management
Around 10 questions. The headline rule: install all security updates within 14 days of vendor release. The questionnaire asks for the mechanism (auto-update, WSUS, Intune, Jamf, MDM) and evidence that it’s actually working — typically a screenshot of the management console showing patch compliance.
End-of-life software is a hard fail. If you’re still running Windows 10 without Extended Security Updates, Office 2016 or older, or unsupported macOS versions, those need removing or formally accepting via documented risk before you submit.
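As an added example (not part of this guide or of IASME's portal), a short Python pre-check you can run over an exported asset register and leaver list before you submit: it flags security updates installed outside the 14-day window (A6), operating systems past their support end date (A6), and leaver accounts not disabled within the 7-day SLA (A4). Every record, date and field name below is constructed for the illustration.

```python
from datetime import date, timedelta

# Constructed sample asset register (one row per in-scope device). Dates are
# illustrative; take real support-end dates from the vendor's lifecycle page.
ASSET_REGISTER = [
    {"device": "LT-001", "os": "Windows 11", "support_end": date(2026, 11, 10),
     "released": date(2026, 3, 10), "installed": date(2026, 3, 18)},
    {"device": "LT-002", "os": "Windows 11", "support_end": date(2026, 11, 10),
     "released": date(2026, 3, 10), "installed": date(2026, 4, 2)},
    {"device": "PC-007", "os": "Windows 10 22H2", "support_end": date(2025, 10, 14),
     "released": date(2025, 10, 14), "installed": date(2025, 10, 20)},
]

# Constructed leaver records: date the person left vs. date the account was disabled.
LEAVERS = [
    {"user": "a.jones", "left": date(2026, 2, 27), "disabled": date(2026, 3, 2)},
    {"user": "b.smith", "left": date(2026, 3, 13), "disabled": date(2026, 3, 25)},
    {"user": "c.patel", "left": date(2026, 3, 20), "disabled": None},
]

TODAY = date(2026, 4, 1)            # fixed so the example is reproducible
PATCH_WINDOW = timedelta(days=14)   # A6: security updates within 14 days of release
LEAVER_SLA = timedelta(days=7)      # A4: leaver accounts removed within 7 days

def check_devices(register, today=TODAY):
    """Return (device, reason) pairs for every row that would fail section A6."""
    findings = []
    for row in register:
        lag = row["installed"] - row["released"]
        if lag > PATCH_WINDOW:
            findings.append((row["device"], f"update installed {lag.days} days after release"))
        if row["support_end"] < today:
            findings.append((row["device"], f"end-of-life OS: {row['os']}"))
    return findings

def check_leavers(leavers, today=TODAY):
    """Return (user, status) pairs for leavers whose account outlived the 7-day SLA."""
    findings = []
    for rec in leavers:
        lag = (rec["disabled"] or today) - rec["left"]   # still-active accounts count up to today
        if lag > LEAVER_SLA:
            status = "still active" if rec["disabled"] is None else f"disabled after {lag.days} days"
            findings.append((rec["user"], status))
    return findings

if __name__ == "__main__":
    for item, reason in check_devices(ASSET_REGISTER) + check_leavers(LEAVERS):
        print(f"FIX BEFORE SUBMITTING: {item}: {reason}")
```

Anything the script prints is a gap an assessor would query from the same evidence, so close it (or document the accepted risk) before ticking yes.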
Common assessor pushback questions
The most frequent assessor follow-ups, ranked by frequency:
- “Please clarify which cloud services hold organisational data and provide evidence MFA is enforced on each.” — list every SaaS in use, with screenshots of conditional access / MFA enforcement.
- “Please confirm how you remove leaver accounts within 7 days and provide a recent example from the audit log.”
- “Please confirm the patch management process for third-party applications (Adobe, Java, browsers, Zoom etc.).” — auto-update OR a centrally managed patching tool.
- “Please confirm the firewall rule review frequency and provide the most recent review date.”
- “Please clarify how BYOD devices are kept compliant with these controls.” — MDM enrolment evidence or formal “no BYOD access to org data” policy with technical enforcement.
What happens if you fail?
You don’t really “fail” in one shot. The assessor will return up to two rounds of queries before formally rejecting. If your application is rejected after two rounds, you have to pay the IASME fee again and resubmit from scratch. Most rejections come from one of three issues:
- Inconsistent answers (you ticked yes on MFA in section A4 but the screenshot shows it’s not enforced)
- Out-of-scope devices found in evidence (a screenshot accidentally shows a Windows 7 PC)
- Missing or weak documented processes (no leaver process, no asset register)
If this happens to you, our managed remediation service picks up failed applications, fixes the gaps, and resubmits — usually within 4 weeks.
Cyber Essentials Plus questionnaire — what’s different
For Cyber Essentials Plus there’s no separate questionnaire — you have to hold a current Cyber Essentials certificate first, then book the audit. The audit replaces the self-attestation: an IASME-licensed assessor remote-tests a sample of your devices for vulnerability, malware, MFA enforcement and patch compliance. The CE+ audit process guide walks through it in detail.
Get Cyber Essentials & Cyber Essentials Plus — fully managed
Connection Technologies runs Cyber Essentials and Cyber Essentials Plus for UK businesses end-to-end. Our compliance agent automates the five technical controls across every Windows, macOS, iOS and Android device — we submit, audit and renew so you stay certified without the paperwork. RRP from £103/month with free £25,000 cyber-liability insurance for eligible UK businesses.
Skip the Cyber Essentials paperwork
We handle the five controls, the questionnaire, the audit and the renewal — RRP from £103/month.
Frequently asked questions
Around 70 questions in 6 sections (scope, firewalls, secure config, user access, malware protection, patching). Most are yes/no with a free-text justification. Total time to complete properly: 4-8 hours assuming evidence is to hand.
IASME doesn’t publish a model answer set — they want truthful answers specific to your environment. The questionnaire includes guidance for each question. Our managed service completes the questionnaire on your behalf based on a 30-minute scoping call.
Yes — answers are saved as you go on the IASME portal and you can collaborate with colleagues. You have 6 months from registration to submit before the registration expires.
The “online assessment” is the same thing as the questionnaire — a web-based self-assessment hosted on the IASME portal. There’s no in-person testing for standard Cyber Essentials. The Plus level adds a hands-on remote audit by an IASME assessor.
Allow 4-8 hours for the questionnaire if evidence is ready. Add 2-6 weeks of remediation if you need to fix MFA, patching, AV gaps. From registration to certification: typically 2-4 weeks for a well-prepared SME, 8-12 weeks if remediation is required.
You can leave it blank and submit incomplete (the assessor will query), but better to put a candid answer in the free-text box explaining what you do and don’t have. Truthful “we use X but haven’t formally documented Y” is far better received than an inaccurate yes/no.
