
Cyber Essentials FAQs

Help & FAQ articles about Cyber Essentials and Cyber Essentials Plus — IASME / NCSC certification for UK businesses.

6 questions · Reviewed by Connection Technologies · Updated Apr 2026

How do I check or verify a Cyber Essentials certificate?

Quick answer: Verify any UK Cyber Essentials or Cyber Essentials Plus certificate at the official IASME register: iasme.co.uk/cyberessentials/ncsc-certified-organisations-search. Search by company name, postcode or certification number — the register shows the live certification status, level (CE or CE+) and expiry date.

Why verify a certificate?

If a supplier or potential supplier claims they’re Cyber Essentials certified, the IASME register is the single source of truth. Reasons to check:

  • Procurement / tender supplier vetting
  • Confirming a partner’s claim before sharing data
  • Insurance / underwriting due diligence
  • Marketing / partnership claim verification

How to check on the IASME register

  1. Go to iasme.co.uk/cyberessentials/ncsc-certified-organisations-search
  2. Enter the company name, postcode or part of the certification number
  3. Review the result: company, level (CE or CE+), expiry date, certifying body
  4. If listed: certified and current
  5. If not listed: either never certified or has lapsed

What the register shows you

  • Company legal name (matches Companies House)
  • Trading address / postcode
  • Level: Cyber Essentials or Cyber Essentials Plus
  • Certification expiry date (next renewal needed by)
  • The certifying body (IASME or one of their licensed delivery partners)

What the register does NOT show

  • The scope of the certification (whole org vs sub-set) — you have to ask the supplier directly
  • The full certification number (only a partial number is exposed)
  • Historical certifications that have lapsed
  • Failed or rejected applications

Validating the certificate badge / image

If you’ve been sent a PDF certificate or seen a badge on a website, the certificate PDF itself contains the unique IASME certification number. Cross-reference that number against the register to confirm authenticity. Badge artwork on websites is not itself proof of certification — always check the register.

What to do if a supplier claims certification but isn’t on the register

  • Most likely: the certification has lapsed and they haven’t renewed
  • Possible: the certification was for a sub-set under a different legal name
  • Possible: they were never certified and the badge is being misused

Ask for a copy of the current certificate PDF and cross-reference the cert number with the register. If they can’t produce one, treat the claim as unverified.


How long does Cyber Essentials take to get and how long does it last?

Quick answer: Cyber Essentials takes 2-12 weeks to certify (depending on remediation needed) and the certificate is valid for 12 months. Most well-prepared UK SMEs go from “we should look at this” to certified in 4-6 weeks.

Time to certify Cyber Essentials

Starting point | Typical time
Mature IT — MFA, EDR, MDM, patching all in place | 2-4 weeks
Typical SME — patchy MFA, mixed AV, no asset register | 6-10 weeks
Older / legacy estate — Windows 10 still around, weak admin controls | 3-4 months

The questionnaire itself takes 4-8 hours of focused work. Most of the calendar time is the remediation it surfaces (deploying MFA, fixing patching, enrolling devices in MDM) before you submit.

How long does the certificate last?

Both Cyber Essentials and Cyber Essentials Plus are valid for 12 months from the certification date. The certificate goes onto the public IASME register for that 12 months. The bundled £25k cyber-liability insurance also runs for 12 months.

Renewal timing

Most businesses re-certify in month 11 to keep continuous cover. The renewal isn’t a fresh start — most evidence carries forward, and the questionnaire largely confirms what’s changed. Budget around 50% of first-year effort for the renewal. If you let it lapse:

  • The £25k insurance ends
  • You drop off the active IASME register
  • Procurement teams that filter on current certification stop seeing you
  • You need a fresh registration and full IASME fee to re-enter

Our managed Cyber Essentials service automates the renewal so you stay continuously certified without thinking about it.


How many devices are tested in a Cyber Essentials Plus audit?

Quick answer: The Cyber Essentials Plus audit samples around 10% of in-scope devices, with a minimum of 1 and a maximum of 30 devices. The assessor picks the sample to give a representative spread across operating systems, device types (laptop, desktop, mobile) and user roles.

How the sample is calculated

In-scope devices | Typical sample
1-9 | All in-scope devices (or a minimum of 1)
10-49 | ~5 devices
50-99 | ~10 devices
100-249 | ~15-20 devices
250+ | Capped at 30 devices

The assessor will typically ask for a representative mix:

  • Each operating system family in use (Windows, macOS, iOS, Android, Linux)
  • Each device type (desktop, laptop, tablet, smartphone, server)
  • Each major user role (admin / standard user)
  • Each major office or remote-worker location
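To make the sampling rule and the representative-mix requirement concrete, here is an added example (ours, not IASME's or any assessor's) that sizes a sample at around 10% of in-scope devices clamped to 1..30 and then picks devices greedily so every OS family, device type, user role and location is covered. The asset register is constructed, and extending the sample past 10% until every value is represented is our assumption about how an assessor reconciles the two rules.

```python
"""Constructed CE+ device-sample picker (not an IASME or assessor tool): ~10% of
in-scope devices clamped to 1..30, then extended (our assumption) until every OS
family, device type, user role and location is represented."""
import math

# Constructed asset register: (hostname, os_family, device_type, user_role, location)
INVENTORY = [
    ("LT-001", "Windows", "laptop", "standard", "London"),
    ("LT-004", "Windows", "laptop", "admin", "London"),
    ("DT-001", "Windows", "desktop", "standard", "Leeds"),
    ("MB-001", "macOS", "laptop", "standard", "London"),
    ("MB-002", "macOS", "laptop", "admin", "remote"),
    ("PH-001", "iOS", "smartphone", "standard", "remote"),
    ("PH-002", "Android", "smartphone", "standard", "Leeds"),
    ("SV-001", "Windows", "server", "admin", "Leeds"),
    ("SV-002", "Linux", "server", "admin", "London"),
]
STRATA = ("os_family", "device_type", "user_role", "location")


def sample_size(in_scope: int) -> int:
    """Around 10% of in-scope devices, never fewer than 1 or more than 30."""
    if in_scope <= 0:
        return 0
    return max(1, min(30, math.ceil(in_scope / 10)))


def strata_of(device) -> frozenset:
    """The (stratum, value) pairs a device represents, e.g. ('os_family', 'macOS')."""
    return frozenset(zip(STRATA, device[1:]))


def pick_sample(inventory):
    """Greedy set cover: each pick is the device carrying the most still-unrepresented
    values (first in register order on ties, so the sample is reproducible)."""
    target = min(sample_size(len(inventory)), len(inventory))
    uncovered = set().union(*(strata_of(d) for d in inventory))
    remaining, chosen = list(inventory), []
    while remaining and (len(chosen) < target or uncovered):
        best = max(remaining, key=lambda d: len(strata_of(d) & uncovered))
        chosen.append(best)
        remaining.remove(best)
        uncovered -= strata_of(best)
    return chosen


if __name__ == "__main__":
    for host, *attrs in pick_sample(INVENTORY):
        print(host, *attrs)
```

With this nine-device register the 10% rule alone would give a sample of one, but covering five OS families needs six devices, which is the kind of gap worth knowing about before the assessor's scoping call.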

What testing happens on each sampled device

  1. Authenticated vulnerability scan — the assessor connects to the device and runs a scan looking for missing patches, end-of-life software and vulnerable services
  2. Patch verification — checks the OS and major applications are within the 14-day patching SLA
  3. Anti-malware test — uses an EICAR test file (and sometimes a real-world malware sample) to confirm AV is blocking effectively
  4. MFA enforcement test — tries to access cloud services without MFA to confirm it’s blocked
  5. Account separation check — verifies the user isn’t logged in with admin privileges day-to-day
  6. Configuration review — checks default passwords, host firewall, encryption, screen lock policy

What the external scan covers

Separately from the device sample, the assessor runs an external vulnerability scan against your internet-facing IPs (your office network, any web servers, VPN endpoints). This scan is comprehensive — it covers every IP you’ve declared, not a sample.

How long the audit takes

Total elapsed time: 2-3 weeks typically. Your team’s involvement is around 4-8 hours — mostly the scoping call, scheduling device access, and the findings discussion.

What if a device fails the sample test?

Failures on a sampled device are extrapolated to your whole fleet. If the assessor finds an unpatched browser on one device, they’ll assume the same issue exists across the estate and ask you to evidence remediation. Most failures result in a “conditional pass” — fix the issues within 14 days and the certification proceeds.

For a deeper read on the audit methodology see our Cyber Essentials Plus audit process guide.


What does Cyber Essentials cover?

Quick answer: Cyber Essentials covers five technical control families that prevent the most common cyber attacks: firewalls, secure configuration, user access control, malware protection and security update management. Together, when properly implemented, these controls block roughly 80% of basic online attacks.

The five Cyber Essentials controls in plain English

  1. Firewalls and internet gateways — keep the internet at arm’s length. Boundary firewalls on internet-facing networks, host firewalls on every laptop. Default passwords changed.
  2. Secure configuration — change default passwords, disable services you don’t need, document your asset register. Walk the office: anything still on admin/admin fails.
  3. User access control — separate admin and user accounts, MFA on every cloud service holding org data, documented joiner / mover / leaver process.
  4. Malware protection — anti-malware on every device, or application allowlisting or sandboxing. Microsoft Defender, Sophos, CrowdStrike, SentinelOne all qualify.
  5. Security update management — apply all security updates within 14 days of vendor release. Remove end-of-life software (old Windows, old macOS).
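The 14-day update rule in control 5 (the same rule the patch verification step of a Cyber Essentials Plus audit checks) is easy to test against your own asset register before you submit. This is an added example, not IASME or assessor code: the register rows and the "as of" date are constructed, and treating day 14 as still within the SLA is our reading of "within 14 days".

```python
"""Check an asset register against the Cyber Essentials update rule: security
updates applied within 14 days of vendor release and no end-of-life software in
scope. Constructed example, not an IASME tool; day 14 counts as inside the SLA."""
from datetime import date, timedelta

SLA = timedelta(days=14)
AS_OF = date(2026, 4, 10)  # constructed "today" for the report

# Constructed rows: (device, product, eol, update_released, update_installed);
# update_installed is None while the update is still missing, EOL rows carry no dates.
REGISTER = [
    ("LT-001", "Windows 11 23H2", False, date(2026, 3, 10), date(2026, 3, 18)),
    ("LT-002", "Windows 11 23H2", False, date(2026, 3, 10), None),
    ("LT-003", "Google Chrome", False, date(2026, 3, 24), date(2026, 4, 7)),  # day 14
    ("LT-004", "Google Chrome", False, date(2026, 3, 24), date(2026, 4, 8)),  # day 15
    ("DT-001", "Windows 10 22H2", True, None, None),  # no ESU: EOL whatever its patch state
    ("MB-001", "macOS 15", False, date(2026, 4, 1), None),
]


def classify(row, today):
    """One of: EOL, compliant, late (installed after the deadline),
    overdue (still missing past the deadline), pending (missing, inside the window)."""
    _device, _product, eol, released, installed = row
    if eol:
        return "EOL"
    deadline = released + SLA
    if installed is not None:
        return "compliant" if installed <= deadline else "late"
    return "overdue" if today > deadline else "pending"


def sla_report(register, today):
    """Group register rows by status; late, overdue and EOL rows need
    remediation evidence before the questionnaire is submitted."""
    report = {k: [] for k in ("compliant", "pending", "late", "overdue", "EOL")}
    for row in register:
        report[classify(row, today)].append(f"{row[0]}: {row[1]}")
    return report


def needs_remediation(report):
    """True when any finding would fail the update-management control."""
    return any(report[k] for k in ("late", "overdue", "EOL"))


if __name__ == "__main__":
    rep = sla_report(REGISTER, AS_OF)
    for status, items in rep.items():
        print(f"{status:>9}: {', '.join(items) or '-'}")
    print("remediation needed:", needs_remediation(rep))
```

Keeping "pending" separate from "overdue" matters: an update released last week that is not yet installed is not a finding, while one installed on day 15 is, even though both devices look patched today.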

What Cyber Essentials does NOT cover

  • Social engineering training (covered by separate frameworks like Cyber Essentials Plus add-ons or Cyber Aware)
  • Physical security (locks, badges, CCTV)
  • Business continuity / disaster recovery planning
  • GDPR compliance specifically (overlaps but they’re separate frameworks)
  • ISO 27001-style information security management

For the full requirements see our Cyber Essentials requirements UK 2026 guide or our managed Cyber Essentials service which automates all five controls.


What happens if my Cyber Essentials assessment is rejected?

Quick answer: If your Cyber Essentials submission is formally rejected after two rounds of assessor queries, you have to pay the IASME fee again and resubmit from scratch. There’s no appeal process — but the underlying issue can usually be fixed in 2-4 weeks of remediation.

How rejection works

You don’t fail in one shot. The IASME assessor will return up to two rounds of clarifying queries before formally rejecting. Each round you have 5 working days to respond. If after the second round the assessor still can’t certify, the application is rejected and you start again.

The most common reasons applications get rejected

  • Inconsistent answers — you ticked yes on MFA in section A4, but the screenshot you provided shows it’s not actually enforced
  • Out-of-scope evidence — a screenshot accidentally shows a Windows 7 PC, or a personal device receiving work email that isn’t in your MDM
  • Missing documented processes — no leaver process, no asset register, no BYOD policy
  • Cloud services without MFA — you have MFA on M365 but not on Salesforce or Xero (every cloud service holding org data needs it)
  • EOL software in scope — Windows 10 without Extended Security Updates, Office 2016 or older, unsupported macOS
  • Default credentials still in use on a printer, NAS, firewall or IoT device

What rejection costs you

  • The IASME fee again (£300-£500 + VAT depending on size)
  • 2-6 weeks of additional remediation and resubmission time
  • Procurement / tender risk if you were certifying for a deadline

How to recover from a rejected application

  1. Read the assessor’s final feedback carefully — they’ll list the specific failures
  2. Group them into “quick fixes” (configuration changes) and “remediation projects” (deploying MFA, EDR, MDM)
  3. Fix the quick wins first — usually 1-2 weeks of work
  4. Run the remediation projects — typically another 2-4 weeks
  5. Re-register with IASME, pay the fee, resubmit

Our managed Cyber Essentials service regularly picks up rejected applications, fixes the gaps and resubmits — usually within 4 weeks. If you’re facing rejection, get in touch before re-paying the IASME fee.

Can I appeal a Cyber Essentials rejection?

There’s no formal appeal process. If you genuinely disagree with an assessor’s interpretation, you can ask IASME to re-review with a different assessor — they’ll occasionally do this if the original interpretation looks at odds with the published spec. But it’s rare and not guaranteed.


What should I expect from the Cyber Essentials self-assessment?

Quick answer: The Cyber Essentials self-assessment is around 70 questions across 6 sections, completed online via the IASME portal. Most are yes/no with a free-text justification. Allow 4-8 hours of focused time, plus 5 working days for the assessor to review.

The six sections of the self-assessment

  1. A1. Your business and scope: who you are, what’s in scope, organisation structure
  2. A2. Boundary firewalls and internet gateways: ~8 questions on firewalls, default passwords, inbound rules
  3. A3. Secure configuration: ~12 questions on default credentials, asset register, auto-run, unused services
  4. A4. User access control: ~14 questions on MFA, admin separation, password policy, joiner/mover/leaver
  5. A5. Malware protection: ~8 questions on anti-malware deployment, signatures, allowlisting
  6. A6. Security update management: ~10 questions on patching SLA, EOL software, mechanism

What the format looks like

Most questions are yes/no with a justification box. A handful ask for counts (number of devices, users, cloud services). The portal saves as you go, you can collaborate with colleagues, and you have 6 months from registration to submit.

What happens after submission

An IASME-licensed assessor reviews within 5 working days. About 60% of submissions receive at least one round of clarifying queries — typically asking for screenshots of MFA enforcement, leaver process evidence, or BYOD compliance. You have up to two rounds of queries before the application is rejected. Reply within 5 working days to keep the application live.

What helps you pass first time

  • Build an asset register before you start
  • Prepare screenshots of MFA enforcement, patch dashboards and device compliance ahead of submission
  • Have a documented joiner / mover / leaver process
  • Be honest in the free-text boxes — assessors prefer “we use X but haven’t formally documented it” to a confidently inaccurate yes/no

For a section-by-section walkthrough see our Cyber Essentials questionnaire answers guide.

