top of page

Frequently Asked Questions

Why Do We Need Cyber Essentials?

We live in a world where cyber-attacks are now a lucrative business model and used by criminals and states.  This is partly due to speed of growth and our increasing reliance on connected technologies, both personally and professionally.

The risks keep on growing and each year Cyber-attacks have consistently grown around 40%. With attacks becoming more sophisticated the need for businesses to invest and take cyber security seriously has never been greater, and the repercussion for getting it wrong huge.

It was to help address this situation that the National Cyber Security Centre (NCSC) and leading experts created a security standard that businesses could apply to help protect themselves. The result was ‘Cyber Essentials’ a certification that helps businesses to understand and deliver the right security in the right areas and even helps to protect against 80% of common cyber threats.  

Cyber Certification – Areas of Focus

Cyber Essentials certification was designed around 5 key pillars of security

  • Your Security Configurations and Settings

  • Patch Management and Updates

  • Boundary Firewalls and Internet Gateways

  • Access and Administrative Controls

  • Protecting the business from Malware


By addressing vulnerabilities in each of these areas, you can reduce your risk to the majority of common security threats.

What Does It Involve?

Cyber Essentials Basic is a series of self-assessment questions that when answered will highlight and provide visibility of areas of cyber risk your business is exposed too. This allows you to make changes and become a Cyber essentials certified business.

You will need to work through all the questions and these will subsequently be assessed by the awarding body and you will pass or fail.

The basic level of Cyber Essentials (CE) does not require any vulnerability or third-party testing like the higher Cyber Essentials Plus certification which required an audit of your answers.


Why Bother with Certification?

Being apathetic about security may work for a time, but threats are increasing and the risks to SME businesses (who are now the target for attack) are greater than ever as well as the fines! Cyber Essentials provides this blue print for applying security standards to a business and will become the standard required for all businesses in the future.

We now have the General Data Protection Regulations (GDPR) and  being able to demonstrate you take data security and protection seriously is crucial. The Information Commissioners Office (ICO) hold the CE Certification as a solid example of working to secure data.

If you are in healthcare and work in supplying any public-sector contacts or supply chain, you need to have Cyber Essentials to keep working. The government has made it mandatory for anyone working in public contracts to have Cyber Essentials Certification to tender for contracts.

What are the Benefits of Cyber Essentials?

  • Re assure customers that you take security seriously

  • Attract new business by demonstrating your commitment to security

  • Marketing materials to promote your certification

  • Combat up to 80% of common cyber threats

  • Recognised by the ICO as a step to GDPR compliance

  • Allows working in Government contracts/Supply chain

  • Provides assurance that your basic cyber security controls have been implemented

  • Free Cyber Liability Insurance

  • Reduce business costs as some insurers discount CE certified companies

  • Secures your business reducing potential downtime and cost

Types of Questions

As mentioned earlier, the certification focuses on five key pillars of security and the questions have been designed around these.

The very strict pass criteria is set by the UK Government, and you will need to get nearly all the questions right (compliant) to pass Cyber Essentials.

When answering some questions, if you find you are not compliant our recommendation would be to change your process/security to meet the requirements and certainly add notes to explain why you are not complaint and what measure you can take to control the risk.

So what's in scope?

This is one of the most common questions and include: Are home user devices included? What about Microsoft 365? My company accesses a remote desktop environment so are the PC's and laptops still in scope? What about staff's personal phones?


Basically, any devices used to access (and not necessarily store) company data is in scope. That's a very simple way of describing it and the UK Governments NCSC change the framework from time to time.  If you would like to check what's covered in the Cyber Essentials assessment you can download the governments Requirements for IT Infrastructure document here. The NCSC sometimes change the link so if you cant download the document please let us know.

Example Questions

“How do you formally track which users have administrator accounts in your organisation?”

“Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?”

How Do I Complete Cyber Essentials?

We have a few options to suit your needs and these give you a bespoke online portal for you to complete the questions and add notes to confirm compliance.

You complete each answer and then an assessor will check to see if your answer is compliant. Depending on the service you have subscribed to, the assessor could then offer granular feedback on what you need to do to pass or in the case of the DIY (portal only) service will outline the non compliance.

I'm on a budget, which is the best service to take?

Although lower priced, the DIY marking only service comes with the risk of failing your assessment. Feedback is also minimal as this is a marking only service and if you fail you will need to pay to take the assessment again. If you choose one of the supported services you will get multiple retries and feedback on any non compliances to outline what you need to do in order to pass.

What happens if I fail?

If you complete the basic DIY (portal only) self-certification and fail, you are allowed two working days to examine the feedback from the assessor and change any simple issues with your network and policies.  You can then provide the updated answers to the assessor who will review. If you still fail the certification after these two days, you will have to reapply and pay the assessment fee again.

We're not allowed to say that you cant fail the supported service but for all of the clients who've taken this service and followed the advice given on feedback we haven't had a single client who's failed. see the next FAQ below to see how we do this.

How do i ensure that i pass Cyber Essentials?

For customer on our supported options, we will pre-asses your answers before final submission so can ensure everything is in order so you don’t have to pay any additional fees. This also helps to ensure you can pass Cyber Essentials on your first attempt. Click here for a full breakdown of how this works. Our supported service also includes expediated marking. Basically, we mark the supported clients before the marking only clients meaning that the turnaround time for supported clients is usually within 1-2 working days (if you need immediate marking, please contact us, if we can help, we will. The quickest we've certified is 4 hours from start to finish). This, along with no time limits for remediation and as many feedback > remediate > re-mark loops as needed means that the risk of failing under our supported service are low. To date we haven't had a single client, who has followed the support and feedback given fail our supported service.

How Long Does Cyber Essentials Take?

The short answer is how long is a piece of string!  The time it takes is dependent on how well you know your systems and how much time you have to complete the answers. The supported service has a 3 day (24 working hours) marking SLA. The marking only/DIY service does not have any SLA attached to turn around time so call to see what the current wait period is (usually within 1 week).  For some customers we have completed certifications within a couple of hours and others have taken a few months.  It is all about the service taken, you and the level of effort and resource you can apply. You do however have to complete the certification within 6 months.

We're on a deadline and need a certificate straight away

The quickest we've certified is 4 hours, from start to finish. If you need a quick turnaround call us and let us know. If we have the resources available and can help, we will.


I'm recertifying. Will i need to answer all of the questions again?

Yes, IASME design the questionnaire that way to ensure that your answers are always current. For clients with a supported service we can supply a copy of your previous answers should you require them which will allow you to see what you entered last year.  Some of the questions might have changed slightly or IASME may have added or removed questions, so we recommend you have a look through before submitting just to make sure your answers from last year still make sense and apply to your organisation.

We passed last year, very little has changed our side, which service do you recommend?

The marking guidance is an ever evolving beast. Answers which passed last time might not necessarily pass this time. We offer a marking only service and a supported service. The service you take depends on the level of support you need and your risk appetite. If you have in house expertise or have taken consultancy and you are sure you are going to pass so just want us to mark your assessment then the marking only service might work for you. The marking only service comes with limited feedback and is exactly what it says on the tin, marking only. If you fail you have 2 days to remediate before the assessment is remarked and then if you don't pass you need to start again at additional time and cost. If you want a fixed price, supported service with feedback for each non compliance outlining what you need to do in order to pass and continuous support until certification then go with the supported service. We haven't had a single client who has taken the supported service and followed our guidance who hasn't passed.

Do i need to complete in a set time period?

Yes, this varies depending on your assessment. All Cyber Essentials certificates should be completed within 6 months. After 6 months the IASME certification portal will automatically archive your question set.  The other limits are for Cyber Essentials Plus and Cyber Assurance which must be completed within three months of the Cyber Essentials certificate date. For example, if you are taking Cyber Essentials Plus or Cyber Assurance, we're unable to issue you a pass certificate any longer than three months after the Cyber Essentials certificate date. This rule applies to all certification bodies. This is especially important for Cyber Essentials Plus which can take time to arrange testing of multiple devices. If the three months' time limit is exceeded, then we need to start again on your Cyber Essentials certificate which will involve additional time and cost.

What's the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a security standard outlined by the UK Government which defines a set list of requirements that your organisation will either meet or not meet. Cyber Essentials and Cyber Essentials plus are based off the same list of requirements and, therefore, are the same standard. The difference is how its assessed.


Cyber Essentials Plus is an extension of Cyber Essentials. You cannot become Cyber Essentials Plus certified without first being Cyber Essentials certified.  Assessment is based on your answers to Cyber Essentials and is usually carried out on your premises by logging into one or more of your devices. Your Anti-Malware practices are tested by sending E-mails and navigating to URLs containing different types of files, which are then monitored how they are able to be accessed by different users. Furthermore, vulnerability scanning is performed on a sample of devices and entrances to your systems (firewalls).  One of our certification bodies will remote into office and perform a test that is in line with the Cyber Essentials requirements. The involves installing agents onto a selection of your devices. The Cyber Essentials Plus must be certified within three months of your Cyber Essentials certification. Every certification body will have the same test process and time frame since this is imposed by the governing body, IASME, however - the costs may vary.

How do you price Cyber Essentials Plus?

We believe in offering the best value to our clients.  We offer a tiered fixed price system for our Cyber Essentials Plus which is based on the number of devices included in scope. This includes all devices, phones, PC's laptops, routers, servers etc and assumes that your system is a standard network consisting of:

  • Less than 10 cloud based services

  • You have less than 10 branches/sites

  • You do not run a web farm or hosting service

  • You do not have more than 5 servers on premise or in cloud

  • You have no more than 5 different desktop Operating System versions in use on in Scope Devices (i.e. Windows 10 Pro 21H1, Windows 10 Pro 22H2, Windows 10 Home 22H2, are all different versions).


If you fall outside the scope of a standard network then we prepare a bespoke quote specifically designed around your organisations requirements. This offers the best value and is why our clients return year after year.

Our Cyber Essentials PLUS quotations are based on the amount of time it will take an assessor to test your systems.


This is quoted on an individual basis and can vary depending on factors such as:

  • Complexity of network

  • Number of employees

  • Number & configuration of workstations and servers

  • Number of sites

Who will perform my Cyber Essentials Plus assessment?

We're Cyber Essentials specialists so use a pool of several Cyber Essentials Plus consultants and organisations who we bring in to perform the Cyber Essentials Plus certifications. If you are taking your Cyber Essentials certificate with us, we'll hand over to the Cyber Essentials Plus team at the point that we issue your Cyber Essentials certificate and report. If you already have Cyber Essentials and are using us for the Cyber Essentials plus only, you'll be contacted by your Cyber Essentials Plus assessor after we receive your Cyber Essentials report and certificate. Please send this to

If we have ISO 27001 certification, do we still need Cyber Essentials?

This depends on your situation. If a client has requested your organisation to be Cyber Essentials certified, a ISO27001 certification will not satisfy this request. ISO27001 is a more comprehensive certification, whereas Cyber Essentials ensures that the core elements of your security are up to National Cyber Security Centre (NCSC) standards. So in short, certification in ISO27001 does not guarantee compliance in Cyber Essentials.

What's the difference in Certification Bodies and IASME?

IASME are the governing body who have been appointed by the National Cyber Security Centre (NCSC) to overlook the UK Government's Cyber Essentials Scheme. The Certification Bodies are companies licenced to IASME who perform the assessments.  Its a great set up and means that you get to choose to work with any of the many certification bodies to achieve the IASME Cyber Essentials certification.  Its important to choose a certification body who are a good fit for your organisation and who provide service to suit your needs. Our bespoke supported certification portal offers line by line help and guidance, multiple choice answers and functionality to save your answers from previous years. If you have multiple companies you can see them all under a single login or if you prefer our highly trained security assessors will work with you to complete the answers (under your direction) on your behalf. We can work during office hours or evenings to suit and have been known to certify a client in just a few hours from start to finish.  Our service works so well that we haven't had a single client who hasn't passed one of our supported packages. 

How long does certification last?

Your Cyber Essentials certification lasts for 12 months at which point you will need to reapply for certification.

I need a VAT invoice. Can you send one over?

No problem, please click here to contact our accounts department who will send you over an invoice.

Upgrades and Refunds

We're unable to upgrade after marking commences so if you'd like to upgrade from the marking only DIY service to supported please do so before starting the assessment. Upgrades incur a one off £50 administration fee in addition to the differential between the monies received (minus any credit card processing fee's) and the price of the package upgraded to.  We want all clients to be happy so in the unlikely event that you request a refund please bear the following in mind. Refunds are subject to circumstance and approval and are issued minus the portal costs incurred from IASME (who provide the portal), any credit card processing fee's and labour spent on the assessment or associated administration, processing and correspondence charged at £110/st hour then £90 per hour. Minimum time period is 1 hour for assessment and administration work. Refunds cannot be given after a pass/fail has been issued. Advice and consultancy is charged at £1400/day and £800/half day. Any refunds offered which includes any consultancy work or work outside of marking an assessment is minus the consultancy day or half day rate. Minimum time period half day. This can include email help and advice and/or telephone communications as well as onsite work.

We passed last year so which service do we need
Which Service
bottom of page