Quick answer: If your Cyber Essentials submission is formally rejected after two rounds of assessor queries, you have to pay the IASME fee again and resubmit from scratch. There’s no appeal process — but the underlying issue can usually be fixed in 2-4 weeks of remediation.
How rejection works
You don’t fail in one shot. The IASME assessor will return up to two rounds of clarifying queries before formally rejecting. In each round you have 5 working days to respond. If the assessor still can’t certify after the second round, the application is rejected and you start again.
The most common reasons applications get rejected
- Inconsistent answers — you ticked yes on MFA in section A4, but the screenshot you provided shows it’s not actually enforced
- Out-of-scope evidence — a screenshot accidentally shows a Windows 7 PC, or a personal device receiving work email that isn’t in your MDM
- Missing documented processes — no leaver process, no asset register, no BYOD policy
- Cloud services without MFA — you have MFA on M365 but not on Salesforce or Xero (every cloud service holding org data needs it)
- EOL software in scope — Windows 10 without Extended Security Updates, Office 2016 or older, unsupported macOS
- Default credentials still in use on a printer, NAS, firewall or IoT device
What rejection costs you
- The IASME fee again (£300-£500 + VAT depending on size)
- 2-6 weeks of additional remediation and resubmission time
- Procurement / tender risk if you were certifying for a deadline
How to recover from a rejected application
- Read the assessor’s final feedback carefully — they’ll list the specific failures
- Group them into “quick fixes” (configuration changes) and “remediation projects” (deploying MFA, EDR, MDM)
- Apply the quick fixes first, usually 1-2 weeks of work
- Run the remediation projects — typically another 2-4 weeks
- Re-register with IASME, pay the fee, resubmit
Our managed Cyber Essentials service regularly picks up rejected applications, fixes the gaps and resubmits — usually within 4 weeks. If you’re facing rejection, get in touch before re-paying the IASME fee.
Can I appeal a Cyber Essentials rejection?
There’s no formal appeal process. If you genuinely disagree with an assessor’s interpretation, you can ask IASME to re-review with a different assessor — they’ll occasionally do this if the original interpretation looks at odds with the published spec. But it’s rare and not guaranteed.
