
Cyber Essentials self-assessment can look straightforward at first. Many of the questions are short, and some only need a yes or no answer.
But simple questions can still cause problems.
A lot of delays happen because applicants rush the form, copy old answers, miss part of a question, or answer based on what they think happens rather than what is actually in place today.
The verified self-assessment, often called Cyber Essentials basic, is still a formal assessment. Your answers need to be clear, accurate and consistent across the whole submission.
Here are some of the common mistakes to avoid.
This sounds obvious, but it is one of the easiest mistakes to make.
Some questions start by asking whether you do something. It can be tempting to read that first part, answer “yes” and move on. But the same question may also ask you to describe how you do it.
That second part matters.
If the question asks you to explain a process, a one-word answer is unlikely to be enough. You do not need to write an essay, but you do need to show that the control is actually in place and that you understand how it works in your organisation.
A couple of clear sentences is usually better than a long, vague answer.
Another common issue is answering a slightly different question.
For example, if a question asks about changing firewall passwords, the answer should be about firewall passwords. If a question asks about high-risk and critical updates, the answer should cover both high-risk and critical updates.
Try not to add information that is not relevant to the question.
Extra detail can sometimes create confusion rather than clarity. If you mention a tool, platform, device type, process or exception, make sure it is accurate and consistent with the rest of your answers.
The aim is not to say as much as possible. The aim is to answer the question clearly.
Copying last year’s answers is tempting, especially if you are renewing and the organisation has not changed much.
The problem is that something usually has changed.
You may have more staff. Your device numbers may be different. Software versions may have moved on. You may have added or removed cloud services. Remote working arrangements may have changed. The Cyber Essentials requirements and question set may also have changed.
Last year’s answer might have been right last year. That does not mean it is right now.
Scope is the foundation of the assessment.
The NCSC says Cyber Essentials should cover the whole IT infrastructure used to carry out the organisation’s business, or a clearly defined and separately managed sub-set. The scope boundary should be clearly defined, including the business unit managing it, the network boundary and the physical location.
This is where many applicants create problems for themselves.
They describe one thing in the scope, another thing in the device list, and something different again when talking about cloud services or remote working. If those answers do not line up, the submission becomes harder to follow.
Before you start, ask a simple question: what exactly are we certifying?
If you can answer that clearly, the rest of the form becomes much easier.
A scope that does not include end-user devices is not acceptable under the Cyber Essentials requirements. The requirements also state that cloud services hosting organisational data or services must be in scope and cannot be excluded.
That means laptops, desktops, tablets and smartphones need to be considered where they are used to access organisational data or services.
This is often missed when an organisation thinks mainly about servers, firewalls or Microsoft 365. But for many businesses, day-to-day access to company data happens through user devices.
If staff use a laptop, phone or tablet to access email, files, customer records, finance systems or cloud platforms, make sure those devices have been considered properly.
Mobile phones and personal devices are easy to overlook.
The NCSC says user-owned devices that access organisational data or services are in scope, with limited exceptions for devices used only for native voice, native text or MFA applications.
In plain English, if a personal phone is used only to receive MFA prompts, it may not need to be treated in the same way as a work device. But if that same phone is used to access work email, files or other organisational services, you need to think about it carefully.
Remote working also matters. The NCSC states that corporate or BYOD home and remote working devices used for the organisation’s business are in scope by default. If the organisation provides the home worker’s router, that router is also in scope.
Do not assume something is out of scope just because it is not in the office.
Cloud services are one of the biggest areas where applicants miss things.
The NCSC defines a cloud service as an on-demand, scalable service hosted on shared infrastructure and accessible via the internet. For Cyber Essentials, the service is accessed through an account and stores or processes organisational data.
That is broader than some people expect.
It can include Microsoft 365, Google Workspace, Dropbox, CRMs, HR systems, finance platforms, ticketing systems, project management tools, remote support platforms, backup services, cloud hosting, SaaS portals and other services that hold or process business data.
The NCSC also makes clear that cloud services must be in scope where organisational data or services are hosted on them.
A useful starting point is to make a list before you open the assessment. Include the obvious services, then think through what each team actually uses day to day.
Multi-factor authentication is now one of the most important areas to get right.
IASME states that MFA is mandatory for all cloud services where it is available. If an organisation does not implement MFA for a cloud service where it is available, whether free, included or paid, it will automatically fail the assessment.
That paid option point is important.
If a service only offers MFA on a higher plan, the fact that it costs more does not automatically make it optional for Cyber Essentials. If MFA is available, you need to look at how you will enable it.
For each cloud service, ask:
Is MFA available?
Is it enabled for users?
Is it enabled for administrators?
Can MFA be applied through single sign-on or another integration?
If the answer is unclear, check it before submitting.
Cyber Essentials requires in-scope software to be kept up to date. The NCSC definition of software includes operating systems, commercial applications, extensions, interpreters, scripts, libraries, network software, and firewall and router firmware.
The 14-day update requirement is especially important. Software in scope must be updated, including vulnerability fixes, within 14 days where the update fixes vulnerabilities described by the vendor as critical or high risk, addresses a CVSS v3 base score of 7 or above, or where the vendor does not provide severity details.
IASME’s April 2026 update also says two security update questions are now auto-fail questions. These cover high-risk or critical updates and vulnerability fixes for operating systems, router and firewall firmware, and applications, including associated files and extensions.
This is why version details matter.
If your answers list unsupported or clearly out-of-date systems, that can create problems elsewhere in the submission. Before you submit, check that the operating systems, firewalls, routers and key applications you mention are supported and being updated in line with the requirement.
“Still working” is not the same as “supported”.
The NCSC defines licensed and supported software as software you have a legal right to use and where the vendor has committed to providing regular vulnerability fixes, including a future date when support will stop.
This matters for laptops, desktops, servers, mobile devices, firewall firmware, router firmware and applications.
If something is no longer supported, it should be dealt with before you submit. That might mean updating it, replacing it, removing it, or moving it out of scope using a properly defined sub-set.
Do not wait until the assessment is nearly complete to check support dates.
Many organisations rely on a managed service provider. That is completely normal, but it does not remove the need to answer the questions properly.
A weak answer is:
“Our MSP handles this.”
That might be true, but it does not explain very much.
The NCSC says accounts owned by the organisation are in scope even when they are used by a third party, such as a supplier, contractor or MSP, to manage or support infrastructure. If you use externally managed services, you must be able to confirm that the Cyber Essentials technical controls are being met and demonstrate this in your assessment answers.
A better answer explains the arrangement briefly. Who manages the control? What process is followed? How often does it happen? How do you know it applies to your environment?
You do not need to write a contract summary. You do need to show that you understand what is happening.
The assessment should make sense as a whole.
If one answer says all users have MFA, but another says only administrators have MFA, that creates confusion. If one answer says there are no mobile devices, but another says staff access work email on smartphones, that creates confusion. If the cloud services list says Microsoft 365 only, but another answer mentions Dropbox, Xero or Salesforce, that creates confusion.
Before submitting, read the answers back from start to finish.
Look for anything that does not line up. It is much easier to fix those issues before submission than after questions are raised.
Every question needs attention.
If a question applies, answer it. If it does not apply, explain why in plain language.
Avoid leaving blanks. Avoid writing “N/A” without context. Avoid assuming that something is obvious.
A short explanation is usually enough. For example, “We do not have any servers in scope because all services are delivered through Microsoft 365 and other SaaS platforms listed in the cloud services section” is much clearer than simply writing “N/A”.
Your self-assessment should describe what is true today.
It should not describe what you plan to implement next month, what you hope is happening, or what a policy says should happen if nobody is actually following it.
There is nothing wrong with finding gaps while preparing for Cyber Essentials. That is part of the value of the process.
But the right approach is to fix the gap before submitting, not to answer as though it has already been fixed.
The best Cyber Essentials submissions are usually not the longest ones. They are the clearest.
They define the scope properly. They list devices and cloud services accurately. They answer the question that was asked. They explain processes simply. They avoid contradictions. They describe what is actually happening.
Before starting the self-assessment, it is worth gathering the basics:
Your in-scope devices
Your operating systems
Your firewalls and routers
Your cloud services
Your MFA status
Your patching process
Your remote working and BYOD arrangements
Your administrator account process
Your MSP responsibilities, if relevant
Once you have that information, the assessment becomes much easier to complete accurately.
Cyber Essentials is not asking for perfect essays. It is asking for clear, accurate answers that show the core controls are understood and in place.
A careful, honest and well-prepared submission gives you the best chance of avoiding unnecessary delays and getting through the process smoothly.




