How to Pass Cyber Essentials Certification First Time: A Practical Guide for UK Businesses
Last year in the UK, 43% of UK businesses suffered either a cyber breach or cyber attack. Such incidents can be damaging for companies, causing financial losses, loss of working time and potentially reputational damage.
It's really important businesses are well-prepared to prevent these scenarios, and becoming Cyber Essentials certified is a great way to do this. As a government-backed scheme, it provides recognised accreditation that demonstrates your commitment to cyber security.
If you’ve heard of Cyber Essentials and don’t know where to start, or are concerned about failing, you’re not alone. Here, we cover everything you need to know as a business, and provide a step-by-step guide to help you prepare for the assessment, pass first time and get the accreditation.
Jump to Section:
- What Is The Cyber Essentials UK Self-Assessment?
- Benefits of Cyber Essentials Certification For Businesses
- Cyber Essentials Scheme Changes You Need To Know In 2026
- The Five Security Control Areas You Need to Get Right
- What Should I Cover in my Assessment?
- Step-by-Step: How To Get Cyber Essentials Certified First Time
- How An IT Partner Can Help You In Achieving Cyber Essentials Certification
- What To Expect When You Submit An Assessment
What Is The Cyber Essentials UK Self-Assessment?
Cyber Essentials is a government-backed certification scheme, developed by the National Cyber Security Centre, that shows your business takes cyber security seriously. Think of it as an official stamp of approval that proves you have the basic protections in place.
The assessment itself is an online questionnaire that you fill in yourself. No one visits your premises and there's no technical audit - this is different if you are wanting to obtain Cyber Essentials Plus. You'll answer questions about your IT setup across five key areas, and a certifying body reviews your responses to check you meet the required standard.
Once certified, you'll have demonstrated protection against the most common cyber threats. Certification lasts 12 months, after which you'll need to renew, partly because the threats businesses face evolve every year and the assessment is updated to keep pace with new industry challenges.
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials Plus is the higher-level version of the scheme. Everything covered in the standard assessment still applies, but instead of a self-assessment questionnaire, a qualified external assessor carries out a hands-on technical audit of your systems.
It costs significantly more and is generally better suited to larger organisations, those handling sensitive data, or businesses bidding for higher-value government contracts. For most small businesses, the standard Cyber Essentials certification is the right starting point.
Cyber Essentials Scheme Changes You Need To Know In 2026
Since 27th April this year, all assessments are now assessed against the Danzell Update, which has tightened requirements around authentication, patching, and scope transparency.
Here's a summary of the key changes:
-
Multi-Factor Authentication (MFA): MFA is the two-step login process combining something you know (like a password) with something sent to you (like a code to your phone). Organisations will now automatically fail their assessment if MFA isn't enabled for cloud services where it's available - even if it's a paid option.
-
Stricter patching requirements: Two new auto-fail questions have been added, both focused on installing high-risk or critical security updates within 14 days of release. One covers operating systems and router/firewall firmware, the other covers applications. Failing either question means an automatic fail, regardless of how well the rest of the assessment goes.
-
Improved scope transparency: Organisations must now provide a detailed scope description, list any areas deliberately excluded, and identify all legal entities within scope. This information will be visible via the digital certificate platform.
-
Updated declaration: The declaration signed by a board member or director has been updated to reinforce that certification isn't just a point-in-time exercise. Signatories now explicitly acknowledge responsibility for maintaining Cyber Essentials compliance throughout the full 12-month certification period - not just at the point the certificate is issued.
Benefits of Cyber Essentials Certification For Businesses
Businesses should consider the cyber essentials scheme because it provides greater protection, credibility and more working opportunities.
Here’s a list of positives it can bring to your company:
- Win more contracts - Because its now widely recognised as an industry standard, certification is often asked for when applying for contracts or grants. The majority of UK government contracts require the certification from their suppliers, and many big UK banks have pledged to make it part of supplier requirements.
- Cyber insurance - some insurers offer lower premiums to businesses with the certification; it’s recognised as showing organisations have a lower risk.
- Staff and client confidence - it signals you take security seriously and can help to build trust and a positive reputation with customers.
- Actual protection - Cyber Essentials gives protection against the most common cyber attacks. Research suggests that businesses with the accreditation are 92% less likely to make a cyber insurance claim than those who don’t have it.
- Compliance and Data Protection - It can ensure that personal data is protected against cyber threats and prevents any unwanted access. Meanwhile, it helps to organisation to meet legislation, including the Data Protection Act 2018.
The Five Security Control Areas You Need to Get Right
The basic cyber essentials assessment covers five areas of security measures, and you need to satisfy all of them to pass. Each one is a "control", which simply means a measure you put in place to make your business harder to attack. None of them require advanced technical knowledge, but each one has a few specific details that catch businesses out. Here's what to focus on to ensure compliance.
1. Firewalls
A firewall acts as a gatekeeper between your network and the internet, deciding what traffic is allowed in and out. Most devices and routers have one built in, but having it present isn't enough. It needs to be switched on and properly configured.
A common reason businesses fail this control: firewalls are often left with their out-of-the-box settings, which aren't secure enough for the assessment. The other thing people miss is remote devices. If any of your team work from home or use laptops away from the office, those devices need to have their own firewall active too, not just the one sitting in your office.
2. Secure Configuration
This control is about making sure your devices and software aren't left in the state they arrived in. Manufacturers ship everything with default settings and often default passwords, and those defaults are widely known and easily exploited.
Assessors want to see that unnecessary features and accounts have been disabled, and that every admin account has a strong, unique password. This applies more broadly than most people assume: it includes your router, any networked printers, and other connected equipment, not just computers and laptops.
3. User Access Control
Not everyone in your business needs the same level of access to your systems. This control is about making sure staff can only access the files, software, and settings relevant to their role, and no more.
The most common problem here is businesses where everyone has administrator rights. Admin access (which allows someone to install software, change system settings, or override security controls) should only be granted when genuinely needed for a specific task, not handed out as a convenience. You'll also need a clear process for removing access promptly when someone leaves the company.
4. Malware Protection
All company devices need up-to-date protection against malicious software, which includes viruses, ransomware, and other threats that can encrypt your files or steal your data.
Windows Defender, which is built into Windows, is perfectly acceptable for the assessment and costs nothing. If you're using it, though, do double-check that it's actually switched on and running, as it can sometimes be inadvertently disabled. This applies to all devices, including any laptops your team use at home or on the road.
5. Patch Management (Keeping Software Up to Date)
Outdated software is one of the most common ways attackers get in, because older versions often contain known security weaknesses. This control requires that all your software, operating systems, and firmware (the built-in software that runs hardware like your router) are kept current.
The specific rule to know: any critical security update must be applied within 14 days of release. Assessors will also check whether you're running software that's no longer supported by its manufacturer, meaning it no longer receives security updates at all. If you are, it will need to be removed or replaced before you can pass. This catches more businesses than you might expect, particularly those still running older versions of Windows or Microsoft Office.
What Should I Cover in my Assessment?
One thing that reassures many small business owners is that the scope of the assessment - meaning the systems and devices you need to include - is often smaller than expected, particularly if you rely on cloud-based tools like Microsoft 365 or Google Workspace.
As a general rule, anything in scope will fall into one of these three categories:
- Devices that can access your organisation's data or services, including laptops, tablets and smartphones
- Cloud services your business uses, such as Office 365 or Google Workspace
- Home working devices, if they're used to access business systems
Some things may fall outside the scope of your assessment, such as specialist machinery or industrial control systems, though these are rarely relevant to businesses of your size. If you're unsure whether something needs to be included, it's worth checking with a certifying body before you begin rather than making assumptions.
Step-by-Step: How To Get Cyber Essentials Certified
The good news is that with a bit of preparation, most small businesses can pass first time. Work through these steps before you sit down to complete the questionnaire and you shouldn't face any surprises.
Phase 1: Get Oriented
- Use the IASME assessment tool to preview the self-assessment questions before you begin. It's free and takes the guesswork out of what's coming
- Define your scope: identify which devices, cloud services and home-working setups need to be included in your assessment. If you're unsure, the previous section covers this
Phase 2: Fix The Gaps
- Change all default passwords on routers, firewalls and admin accounts
- Audit who has admin rights across your systems and remove any that aren't needed
- Make sure there's a clear process for removing access when someone leaves the business
- Check that antivirus and malware protection is switched on and up to date on every device
- Run all outstanding software and operating system updates
- Check for any software that is no longer supported by its manufacturer and remove or replace it
- Check your firewall is properly configured. Don't rely on the default settings from your internet provider
- Review which cloud services your business uses and make sure they're covered in your answers
- Enable Multi-Factor Authentication (MFA) wherever it's available. Failing to do so is an automatic fail under the 2026 rules
Phase 3: Submit
- Review your answers against the five control areas before submitting
- Complete the online questionnaire honestly. Assessors are looking for your real setup, not an idealised version
- Submit and await your result. If successful, certification is typically issued within a few days
Some of these tasks are straightforward; others, particularly firewall configuration and patch management, can be trickier without an IT background. If you'd rather have someone check everything before you submit, that's exactly the kind of thing we help with at ComputerPro.
How An IT Partner Can Help You In Achieving Cyber Essentials Certification
The questionnaire is designed to be accessible and in many cases small businesses do attempt and pass the assessment.
However, where most businesses stumble is in the preparation, and poor planning can lead to the result they don’t want: a failed questionnaire.
While not always necessary, working with an IT support partner could be what you need to achieve cyber essentials certification: An expert in their field who knows how the assessment works, they can audit your setup in advance, fix any gaps, and make sure you’re not caught out by something avoidable.
Of course, many businesses prepare and pass entirely on their own - a support service is there if you need it, not a requirement.
What To Expect When You Submit An Assessment
You've prepared, you've checked everything over and now you're ready to go. Here's what the submission process actually looks like.
For the standard Cyber Essentials assessment, it's simply an online questionnaire. You submit your responses and a certifying body such as IASME reviews them. No assessor visits your premises. That only applies if you've chosen Cyber Essentials Plus, which involves a hands-on technical audit by an external professional.
If your submission is successful, you can expect your certificate to be issued within a few days, covering you for the next 12 months. And if you don't pass first time, it's not the end of the road. In most cases you'll receive feedback and be given the opportunity to make changes and resubmit.
One last thing: answer honestly. The questionnaire is designed to reflect your real setup, not an idealised version of it. Guessing or overstating where you are won't help anyone.
Need help passing? ComputerPro Can Help You!
At ComputerPro, we have provided over 20 years of trusted IT support to companies in Oxfordshire and the surrounding areas. Chat to us today to discover how we can support you from start to finish to help you to pass your Cyber Essential Assessment first time!
Get in touch! Or call 01869 352002 to speak to the team.
FAQs
-
How Long Does Cyber Essentials Last?
After an assessment is submitted, successful certification is likely to be issued within a few days. Upon the awarding of your accreditation, you have a valid Cyber Essentials certificate for a period of exactly 1 year.
-
What Is The Pass To Fail Rate?
Most businesses pass their Cyber Essentials Assessment for the first time. However, first time failure is common and it’s believed that up to 40% may fall short on their first attempt.
-
What Does Cyber Essentials Cover?
The assessment covers the majority of an organisation’s IT services against five technical controls, key Cyber Essentials requirements. These are firewalls, secure configuration, user access control, malware protection and patch management.
-
How Much is Cyber Essentials?
This depends on the size of an organisation. For those with less than 10 employees, prices can start at £320 + VAT, while it could rise to over £600 for those with over 250 employees. To get a dedicated quote, please contact our team.
-
How Much is Cyber Essentials Plus?
Prices will start at at least £1,500 for organisations with less than 10 employees, while those with over 250 employees are likely to see costs of over £3,000. The reason for higher costs compared to the standard assessments is that they encompass a higher workload from technical experts.
Finally, it’s important to note that as well as the size of the company/network, the complexity of the network will also affect pricing. To get a dedicated quote, please contact our team.
-
Is Cyber Essentials Easy to Pass?
Yes, passing Cyber Essentials is relatively straightforward, provided an organisation is well-prepared, covers the assessment criteria and answers the questions properly and truthfully.
-
What Happens If You Fail the Cyber Essentials Self-Assessment And Can You Reapply?
If you fail the assessment, you will likely receive detailed feedback on your submission and be given another chance to submit. Depending on the package you have, you may have to resubmit within 2 working days, or you could have a period of up to 30 days. This varies across certification bodies. However, if you still fail after resubmission and still want to obtain the certification, you will have to re-apply and pay the assessment fee again.
-
Is Cyber Essentials Certification Worth It?
Yes, it is definitely worth it. Cyber Essentials is a valued, government-backed initiative. It enhances your own network protection, proves your commitment to cyber security and can increase trust and confidence from others in your services.