SecurSentry
← All notes
Cyber Essentials

The Cyber Essentials Self-Assessment Questionnaire, Explained

Before you certify, you fill in a questionnaire — and one of your directors signs to say every answer is true. Here is what it actually asks, section by section.

The short version

If a client, an insurer or a tender has pushed you towards Cyber Essentials, the part that catches most people off guard is the Cyber Essentials questionnaire itself. It is not an exam you revise for and it is not a technical audit. It is a structured set of questions you answer about your own organisation, and then a director signs to confirm every answer is true. This is the plain-English walkthrough: what it asks, how the declaration works, and where SMEs typically stumble.

If you want the wider context first (what Cyber Essentials is and whether you need it) start with Cyber Essentials Explained. This article assumes you have decided to go for it and want to understand the form in front of you.

What the SAQ is and how it is marked

The Cyber Essentials self-assessment questionnaire (SAQ) is a structured set of questions you answer about your own systems, which a qualified assessor then marks. That review is what makes it a verified self-assessment, not a pure one.

Here is the flow in order. You complete the questionnaire yourself, answering questions about your devices, software, cloud services and the five technical control areas. A board member or equivalent signs off your answers. You submit, and a qualified assessor from an IASME-licensed certification body marks them, returning a pass, a “need more information”, or a fail.

That last step is what people miss. The word “self-assessment” makes it sound like an honesty box you fill in alone, but a real person reviews your answers against the published requirements. They are not visiting your office for the basic certification (that hands-on testing is Cyber Essentials Plus), but they will read what you wrote and push back if an answer does not add up.

The questions themselves are not a free text essay. Most are direct: yes/no, a short description, or a count. Several are now mandatory pass/fail items. Get one wrong and the whole assessment fails regardless of how well you did elsewhere. The most important of these are multi-factor authentication (MFA, a second login step beyond a password) on your cloud services, and applying critical and high-severity security updates within 14 days of release.

The version you'll see

The questionnaire is refreshed periodically. As of mid-2026, the live question set tightened the rules around MFA and security updates, and added a line to the director's declaration about maintaining the controls over time. Whichever version you are answering, the underlying five control areas have not changed. The wording and the strictness have.

What it asks, by control area

Beyond some opening scope questions, the questionnaire works through the same five control areas Cyber Essentials is built on: firewalls, secure configuration, user access control, malware protection and security updates. For each one, it asks you to describe what is actually in place.

It opens with the part that trips up more SMEs than any technical question: scope. Before the controls, you describe what is being certified — how many staff, which devices (laptops, desktops, phones, tablets, servers), which operating systems, your cloud services, and how people work, including from home. Getting this wrong is the single most common reason a questionnaire comes back with questions. We will come back to it.

Then it walks the five control areas:

Firewalls and internet gateways

You confirm that every device has a firewall between it and the internet, that default firewall passwords have been changed, and that you are not letting traffic through that you do not need. For most small teams this is the firewall built into each laptop plus your router. The questionnaire wants to know it is on and configured, not just present.

Secure configuration

This covers removing or disabling what you do not use — default accounts, unnecessary software, auto-run features — and making sure devices are not running on out-of-the-box defaults. Expect questions about default passwords and whether unused accounts and software have been removed.

User access control

Here you describe how accounts are created and removed, who has administrator rights, and crucially how you protect accounts. This is where MFA lives. You will be asked whether MFA is enabled on your cloud services and administrator accounts, and on the current questionnaire, missing MFA on cloud services where it is available is an automatic fail. Removing leavers’ accounts promptly sits here too.

Malware protection

You confirm that your devices have active, up-to-date protection against malicious software, and you describe the approach you use. The built-in protection on modern operating systems is usually acceptable.

Security update management (patching)

You confirm that operating systems, applications and firmware receive security updates, and that critical and high-severity updates are applied within 14 days of release. On the current questionnaire this is a mandatory pass/fail area. It is one of the most common places a genuine gap turns up, because keeping every device current across a whole team needs a named owner, not good intentions.

If those five sound familiar, they are exactly the controls covered in Cyber Essentials Explained. The questionnaire is simply the structured way you evidence each one. For a practical task-by-task view of getting them in place, the Cyber Essentials checklist walks through the work itself.

The director / board declaration: what you are signing

Before you submit, a senior member of the board, a director or an equivalent must formally declare that every answer in the questionnaire is true. On the current version, they also declare that the organisation will keep the controls in place throughout the year.

This is the part to take seriously. Cyber Essentials does not let just anyone press submit. A board-level person (or, if you are a sole trader, you) has to agree to a statement confirming that all the answers given are accurate. It is a named accountability, attached to a real person with authority in the organisation.

For assessments started after 26 April 2026, that declaration was strengthened: it now includes an acknowledgement of the organisation’s responsibility to maintain compliance with all the controls throughout the certification period, not just on the day you certified. So the signature is no longer a snapshot. It is a commitment to keep the doors locked all year.

“The declaration turns the questionnaire from a form into a statement of fact. A director is putting their name to it, which is exactly why the answers underneath it have to be true, not hopeful.”

Practically, this means the person signing needs to genuinely understand what is being claimed. If the operational reality is that patching is patchy or MFA is half-rolled-out, the honest move is to fix it before submission, not to sign over an optimistic answer. There is a meaningful difference between saying you are secure and being secure, and the declaration is precisely where that difference gets a name on it.

Common stumbles and how to avoid them

Most Cyber Essentials questionnaire problems are not technical failures. They are scoping mistakes, scattered information, and answers written more hopefully than accurately.

A few patterns come up again and again:

The fix for all of these is the same: read the whole questionnaire before answering anything, build an honest list of what is genuinely in place versus what is a gap, close the quick gaps, and be straight about the rest. A missing process is not a click, but it is almost always fixable with a named owner and a bit of time.

What happens after you submit

Once you submit, an assessor marks your answers and returns a pass, a request for more information, or a fail, usually within a few working days. You typically get a short window to fix and resubmit if needed.

You do not wait weeks. Many certification bodies aim to review a submitted questionnaire within around three working days, and resubmissions are often turned around in a similar window, though turnaround varies between bodies, so check with yours.

If the assessor needs clarification or you have not quite met a requirement, you are generally given a short period to update your answers and resubmit. A “need more information” is a checkpoint, not the end of the road. A clean pass means your certificate is issued, and Cyber Essentials is then valid for twelve months before you renew.

The deeper payoff is what you have built along the way. Getting the scope mapped, MFA switched on, patching owned and your security information into one place does more than earn a certificate. It is reusable. The next renewal is faster. So is the next prospect security questionnaire, the next insurer form, and any framework you grow into. You answered the questions honestly and came out genuinely more secure. That is the version worth doing.


SecurSentry is launching soon to help UK SMEs work through the Cyber Essentials questionnaire: mapping each question to the controls your business needs, guiding you as you put them in place, and helping you reach an honest, signable set of answers. Join the waitlist to be among the first to know when we open.

This article is for general information only and does not constitute legal or compliance advice. Requirements vary by organisation and context; where in doubt, consult a qualified professional.

Frequently asked questions

What is the Cyber Essentials self-assessment questionnaire?

It is a structured set of questions you answer yourself about your organisation's devices, software, cloud services and five technical control areas: firewalls, secure configuration, user access control, malware protection and security update management. Your answers are signed off by a board member and then marked by a qualified assessor from a certification body, which is why it is called a verified self-assessment rather than a pure self-assessment.

Who signs the Cyber Essentials declaration?

A senior member of the board, a director or an equivalent person with authority must formally declare that all the answers given are true. If you are a sole trader, that is you. For assessments started after 26 April 2026, the declaration also acknowledges your organisation's responsibility to maintain compliance with the controls throughout the certification period, so it is a statement of ongoing accountability, not just a one-off tick.

How long does an assessor take to review the Cyber Essentials questionnaire?

Many certification bodies aim to review your submitted answers within around three working days, and resubmissions are often reviewed in a similar window, though turnaround varies between bodies, so check with yours. The review time is short. The real time goes into getting your controls genuinely in place and your scope right before you submit.

What happens if I fail or the assessor needs more information?

An assessor returns one of three outcomes: a pass, a request for more information, or a fail. If clarification is needed or you have not yet met a requirement, you are typically given a short window to update your answers and resubmit. Treat it as a checkpoint, not a verdict. Most gaps are fixable, and an honest plan is better than an optimistic answer that unravels later.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Security questionnaires

Vendor Security Questionnaire: What It Asks & How to Prepare

7 Jul 2026 · 7 min
Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.