
What should I expect from the Cyber Essentials self-assessment?

The Cyber Essentials self-assessment is ~70 questions across 6 sections, completed online via IASME. What each section covers, format, timing and what to expect.

Quick answer: The Cyber Essentials self-assessment is around 70 questions across 6 sections, completed online via the IASME portal. Most are yes/no with a free-text justification. Allow 4-8 hours of focused time, plus 5 working days for the assessor to review.

The six sections of the self-assessment

  1. A1. Your business — scope: Who you are, what’s in scope, organisation structure
  2. A2. Boundary firewalls and internet gateways: ~8 questions on firewalls, default passwords, inbound rules
  3. A3. Secure configuration: ~12 questions on default credentials, asset register, auto-run, unused services
  4. A4. User access control: ~14 questions on MFA, admin separation, password policy, joiner/mover/leaver
  5. A5. Malware protection: ~8 questions on anti-malware deployment, signatures, allowlisting
  6. A6. Security update management: ~10 questions on patching SLA, EOL software, mechanism

What the format looks like

Most questions are yes/no with a justification box. A handful ask for counts (number of devices, users, cloud services). The portal saves as you go, you can collaborate with colleagues, and you have 6 months from registration to submit.

What happens after submission

An IASME-licensed assessor reviews within 5 working days. About 60% of submissions receive at least one round of clarifying queries — typically asking for screenshots of MFA enforcement, leaver process evidence, or BYOD compliance. You have up to two rounds of queries before the application is rejected. Reply within 5 working days to keep the application live.

What helps you pass first time

  • Build an asset register before you start
  • Prepare screenshots of MFA enforcement, patch dashboards and device compliance ahead of submission
  • Have a documented joiner / mover / leaver process
  • Be honest in the free-text boxes — assessors prefer “we use X but haven’t formally documented it” to a confidently inaccurate yes/no

For a section-by-section walkthrough see our Cyber Essentials questionnaire answers guide.
