Cyber Essentials: Frequently Answered Questions

Starting Cyber Essentials

Yes, all certificates remain valid for 12 months, at which point they will become invalid.

If you are interesting in achieving Cyber Essentials, please contact us and we will help you begin the process. We will discuss your requirements and provide you a quotation for the certification, based upon the tier pricing.

Once agreed, we will ask you for the following information in order to get you setup on the portal.

  • Name of company
  • Company registered address
  • Name of person completing the self-assessment
  • Email address of person completing the self-assessment
  • Mobile number of person completing the self-assessment (for the portal password)
  • Purchase Order number (if required)
  • Billing email address for invoicing

Once we have this information, you will be setup on the portal.  You will receive an email with the instructions to start the self-assessment as well as a text message for your password.

Generally we aim to assess your submission within a few hours, depending upon the time of submission. We aim to ensure that all assessments which have been submitted are returned the same day, where possible.

For actually completing the self-assessment portion, this will depend upon your understanding of the scheme, the business and how long you have to complete the self-assessment. You should look to dedicate a few hours to complete your assessment.

Yes, you can still achieve certification, all organisations overseas are able to work towards the Cyber Essentials certification.

You have a maximum of six months to complete your self-assessment from portal setup, however we recommend you complete your assessment as soon as possible as earlier answers may become stale by the time you complete.

We will inform you generally around 30 – 45 days before your renewal is due.  The process is the same as the initial setup. We will ask you several questions, provide you a quote and then renew your access to the portal once accepted.

To achieve Cyber Essentials Plus, you must first achieve the Cyber Essentials Basic certification (the self-assessment), this could be performed on the same day as your plus audit, however we recommend that you complete the basic self-assessment certification first and then plan your Plus audit.

You must achieve your Cyber Essentials Plus certification within three months of achieving your basic certification. If you are outside of this, you will have to renew your basic certification again.

Yes, you can download the question set from IASME’s website, this can be found at:

Yes, people can go to: and search for your company to see if you have a valid certificate.

There are several ways you can fail certificate, these being:

  • Having more than 2 major non-compliances (for example failing to meet the technical controls, such as ensuring updates are applied to Operating Systems and applications)
  • Using unsupported Operating Systems such as Windows 7, Windows Server 2008R2, old version of Windows 10

Yes, you do. Any questions which are not answered will result in an automatic failure. You should ensure that you are compliant in all (where possible) questions within the self-assessment.

When you achieve the Cyber Essentials basic certification, you have a chance to obtain free Cyber Liability Insurance.  There is more information on IASME’s website about the insurance which can be found here.  For further information contact [email protected] or call +44 (0)1905 21681.

Yes you will need to do this. This helps to ensure that your information is kept current and valid.  Once you achieve certification, you can download your answers in the report, so some of the questions you may be able to copy/paste back in, if they have not changed.

Technical Controls

The Cyber Essentials scheme is based upon five technical controls.  These are:

  1. Firewalls
  2. Secure Configuration
  3. User Access Control
  4. Malware Protection
  5. Security Update Management

The use of next generation anti-malware products are fine, as long as they are deployed to all machines, are kept up to date and are configured correctly.

Yes, you should ensure that a firewall is in place for your business and ensure that where supported a firewall is configured and enabled at all times on all desktops, laptops and servers.

If you can’t get any specific information about the firewall being used in the managed building, not a problem. You have to ensure that firewalls are enabled on all devices and then the boundary of scope will be at the specific machines and not the internet edge of the building.

Under Cyber Essentials you are not allowed to run as local administrator for your day-to-day activities.  You need to have a separate account within Microsoft Windows and macOS to perform configuration changes. This goes for all users, including administrators.