Cyber Essentials is the UK government-backed certification scheme that helps organisations demonstrate a baseline level of cybersecurity. For most small and medium-sized businesses, the entry-level certification — Cyber Essentials (as opposed to Cyber Essentials Plus, which involves an external technical audit) — is achieved by completing a Self-Assessment Questionnaire, or SAQ. The process sounds straightforward, but a significant number of first-time applicants fail due to entirely preventable issues. This guide walks you through what the SAQ involves, what the common failure points are, and how to make sure your submission passes first time.
What the Self-Assessment Questionnaire Involves
The SAQ is completed online through a certification body’s portal. In the UK, the main certification body is the IASME Consortium, which manages the Cyber Essentials scheme on behalf of the National Cyber Security Centre (NCSC). Once you purchase your assessment through IASME or an IASME-accredited partner, you are given access to their online portal where you work through a structured questionnaire. Your answers are then reviewed by a qualified assessor, who may ask follow-up questions before issuing a pass or refer decision.
The questionnaire is built around the five technical controls that sit at the heart of Cyber Essentials. Each section maps directly to one of those controls, and you must satisfy all five to achieve certification.
The Five Sections and Typical Questions
1. Firewalls (Boundary Devices) — This section assesses whether you have a correctly configured firewall protecting your network perimeter. Typical questions include: Are all default passwords changed on boundary devices? Is your firewall configured to block inbound connections that have not been explicitly permitted? Do you have a process for reviewing firewall rules regularly? Assessors are looking for evidence that your perimeter is actively managed, not left on out-of-the-box settings.
2. Secure Configuration — This section covers how your devices and software are set up. You will be asked whether unnecessary software, services, and user accounts have been removed or disabled, and whether default credentials have been changed across all in-scope devices — not just boundary devices. Questions here also cover whether auto-run features are disabled and whether administrative accounts are restricted to administrative tasks only.
3. Security Update Management (Patching) — This section establishes whether you are keeping your software up to date. Typical questions include: Are all devices running a supported operating system? Is all software patched within 14 days of a security update being released? Do you have a documented process for applying updates? The 14-day patching window is a hard requirement, and you will need to confirm this applies to both the operating system and all third-party applications installed on in-scope devices.
4. User Access Control — This section looks at how user accounts are managed. Questions include whether accounts are created with the minimum privileges necessary, whether shared accounts are avoided, and whether admin accounts are separate from standard user accounts. You will also be asked about processes for removing access when a member of staff leaves.
5. Malware Protection — The final section covers protection against malicious software. You will be asked whether all in-scope devices have antivirus or endpoint protection in place, whether it is kept up to date, and whether it is configured to scan files automatically. On modern Windows devices, Microsoft Defender is acceptable if correctly configured.
Common Failure Points and How to Fix Them
Default passwords not changed on routers and switches. This is one of the most frequent causes of failure. Every boundary device — including your broadband router, managed switches, and any wireless access points — must have its factory default credentials changed. Log into each device before submission and update the administrator password to something unique and strong.
Unsupported operating systems. Any device running an operating system that is no longer supported by its vendor is an automatic failure. Windows 7 and Windows 8 have been out of support for years and will not pass. Critically, Windows 10 reached end of life in October 2025, which means it is no longer receiving security updates and is now also considered unsupported for Cyber Essentials purposes. If you have devices still running Windows 10, you must either upgrade them to Windows 11 or remove them from scope before submitting.
No multi-factor authentication on cloud services. Since the Montpellier update to the Cyber Essentials scheme, MFA is mandatory for all cloud services accessed by in-scope users — including Microsoft 365 and Google Workspace. If your organisation uses either platform without MFA enabled, your application will fail. Enable MFA across all cloud services before you begin the SAQ, and ensure it applies to all user accounts, not just administrators.
Staff using administrator accounts for daily tasks. If your users log in as local administrators to perform routine work such as browsing the web or sending emails, this will be flagged. Create standard user accounts for day-to-day use and reserve admin accounts strictly for system administration tasks. This applies to both Windows and macOS devices.
Auto-updates disabled. Devices with automatic updates turned off are a common problem, particularly where an IT policy has disabled them in favour of manual patching. If you patch manually, you must be able to demonstrate that patches are applied within 14 days of release. If you cannot evidence this reliably, re-enable automatic updates before submission.
Third-party software not patched within 14 days. The 14-day window applies to all software, not just the operating system. Applications such as Adobe Acrobat, web browsers, Java, and remote access tools must all be current. Review your installed software across all in-scope devices and update anything that is behind before you submit.
Practical Preparation Steps
Before you open the portal and begin answering questions, do the groundwork. Start by defining your scope carefully — Cyber Essentials covers all devices that could affect the security of your data and services, including laptops, desktops, servers, mobile phones, and tablets used for work. You can exclude certain systems, such as operational technology or legacy machinery on an isolated network, but any out-of-scope systems must be network-isolated and clearly documented. Vague scope boundaries are a red flag for assessors.
Once scope is defined, audit every device within it. Check that the operating system is supported and fully patched, that third-party software is up to date, and that the correct endpoint protection is in place and active. Document your boundary firewall rules and confirm that only necessary inbound services are permitted. Review all user accounts, remove any that are no longer needed, and separate admin privileges from standard user access.
Confirm that MFA is enforced on every cloud service your organisation uses, and that this applies to all user accounts — not just new starters. Many Microsoft 365 tenants have MFA configured as optional rather than enforced by Conditional Access policy; check your settings explicitly rather than assuming.
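The audit described in the two paragraphs above can be run as a repeatable check over an asset inventory. The following is an added example, not part of the original guide or of any IASME tooling; the record field names, the sample inventory and the date are constructed for illustration, and the list of unsupported operating systems contains only the releases this guide names.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14                                     # window stated in the guide
UNSUPPORTED_OS = {"Windows 7", "Windows 8", "Windows 10"}  # releases the guide names

def audit_device(dev, today):
    """Return the gaps for one in-scope device record (hypothetical field names)."""
    gaps = []
    if dev["os"] in UNSUPPORTED_OS:
        gaps.append("unsupported operating system")
    # pending_updates maps software name -> release date of the security update.
    for name, released in sorted(dev.get("pending_updates", {}).items()):
        age = (today - released).days
        if age > PATCH_WINDOW_DAYS:
            gaps.append(f"{name} update outstanding for {age} days")
    if dev.get("default_password"):
        gaps.append("default password still set")
    if dev.get("daily_user_is_admin"):
        gaps.append("administrator account used for daily tasks")
    # Malware protection is only checked on endpoints, not on routers or switches.
    if dev.get("endpoint") and not dev.get("malware_protection"):
        gaps.append("no active malware protection")
    return gaps

def audit_cloud(svc):
    """Return one gap per account on a cloud service where MFA is not enforced."""
    return [f"MFA not enforced for {user}"
            for user, enforced in sorted(svc["mfa_enforced"].items()) if not enforced]

def gap_report(devices, cloud_services, today):
    """Map each device or service name to its gaps, omitting clean entries."""
    report = {d["name"]: audit_device(d, today) for d in devices}
    report.update({s["name"]: audit_cloud(s) for s in cloud_services})
    return {name: gaps for name, gaps in report.items() if gaps}

# Constructed sample inventory, not real data.
TODAY = date(2026, 1, 20)
DEVICES = [
    {"name": "router-01", "os": "vendor firmware", "default_password": True},
    {"name": "laptop-07", "os": "Windows 10", "endpoint": True,
     "malware_protection": True, "daily_user_is_admin": True},
    {"name": "laptop-12", "os": "Windows 11", "endpoint": True, "malware_protection": True,
     "pending_updates": {"Adobe Acrobat": date(2026, 1, 2), "Web browser": date(2026, 1, 10)}},
]
CLOUD = [{"name": "Microsoft 365", "mfa_enforced": {"alice": True, "bob": False}}]

if __name__ == "__main__":
    for name, gaps in gap_report(DEVICES, CLOUD, TODAY).items():
        print(name, "->", "; ".join(gaps))
```

Every entry in the report is something to fix or remove from scope before submission; an empty report means the inventory shows none of the failure points checked here.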
If you are unsure where your gaps are, many UK IT support companies and Managed Service Providers (MSPs) offer a Cyber Essentials readiness assessment as a paid service. This typically involves a structured review against the five controls and a gap report before you make a formal submission — a worthwhile investment if you want to avoid paying for a second attempt.
The SAQ itself is not technically complex, but it does require honest, accurate answers and a properly configured environment to back them up. Prepare thoroughly, fix the common issues before you submit, and your chances of passing first time are strong.