Cyber Essentials FAQ: The Questions Businesses Actually Ask

These are the questions that come up in every assessment conversation, in every forum thread, and in every email we get from businesses considering certification, with straight answers and no filler.
The basics
What is Cyber Essentials?
A UK government-backed certification scheme that tests five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. It was set up by the National Cyber Security Centre (NCSC) and is managed by IASME.
There are two levels of certification available to organisations. Basic CE is a self-assessment questionnaire where you answer questions about your controls and an assessor verifies your answers. CE Plus adds a technical audit where the assessor tests your systems directly.
The five controls aren't complicated, and they're the security basics that every organisation should already have in place.
Who needs it?
Anyone bidding for government contracts involving personal data or ICT services (under Procurement Policy Note 09/14). Beyond that, a growing number of private sector organisations require CE from their suppliers as standard due diligence.
There's no legal obligation for every business. But the practical requirement depends on who you sell to.
How much does it cost?
Basic CE starts from £320 plus VAT. CE Plus ranges from £1,200 to £2,100 plus VAT depending on organisation size. Those are Net Sec Group prices, and other certification bodies charge their own rates.
Eligible SMEs also get up to £25,000 of free cyber insurance included with their CE certificate.
How long does it take?
Basic CE: most businesses complete the self-assessment in a few hours. The assessor review typically takes a few working days. Our Fast Track service can get you certified within 12 hours if you need it urgently.
CE Plus: the technical audit usually takes three to five working days, depending on the size and complexity of your scope.
How long is the certificate valid?
The certificate is valid for 12 months and you renew annually. Your renewal is assessed against whatever question set is current at the time, so if you certified under Willow and renew after 27 April 2026, your renewal uses Danzell.
Scope questions
What's in scope?
Everything that connects to the internet and processes your organisation's data. Laptops, desktops, servers, phones used for work, tablets, firewalls, routers, and every cloud service you use.
Under Danzell v3.3 (from 27 April 2026), cloud services can't be excluded from scope. If you log into it with a business account and it holds your data, it's in scope.
Are personal devices in scope?
If they're used for work (beyond just phone calls, text messages, and MFA apps), yes. That means if your staff access work email on their personal phones, those phones are in scope. You don't need to buy company devices, but the personal devices need to meet the CE requirements: screen lock, malware protection, patches current.
This is one of the most common areas where businesses get tripped up. Staff will say "I only use my phone for emails," but emails often contain attachments, client data, and links to cloud services. That counts as work use, and the device is in scope.
In practice, the simplest approach is to either issue company devices or set a clear policy that staff can't access work systems from personal devices at all. Anything in between creates grey areas your assessor will ask about.
Are home routers in scope?
No. If staff work from home, their home routers are out of scope. But the devices they use (laptops, phones) still need software firewall protection and must meet all five controls.
Company-issued routers at home are in scope.
What about cloud services?
Every cloud service your organisation uses is in scope under Danzell. Microsoft 365, Google Workspace, your CRM, your accounting software, your project management tool. MFA must be enabled on every one that supports it.
Social media accounts managed with business credentials are in scope too.
Can I do a partial scope?
You can, but under Danzell you must provide documented justification to your assessor for why any part of your infrastructure is excluded. You can't simply declare things out of scope without a reason.
Technical questions
What counts as a critical patch?
Any update that fixes a vulnerability the vendor labels "critical" or "high risk", or that has a Common Vulnerability Scoring System (CVSS) version 3 base score of 7.0 or above. If the vendor publishes no severity information at all for an update, treat it as critical. You have 14 days from the vendor releasing the update to apply it, and software that no longer receives security updates from its vendor must be removed from in-scope devices rather than left unpatched.
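The 14-day rule is easier to police from an inventory than from memory, and it is also the rule behind the "one laptop left in a drawer" failure described later on this page. The following is an added example (not code from the page or from Net Sec Group) that classifies a constructed sample inventory: it applies the critical/high label, the CVSS 7.0 threshold and the "no severity details" fallback to decide which updates fall under the rule, then checks each against its deadline on a given date. The CSV columns and the sample rows are assumptions for the example; export the equivalent data from whatever patch-management tool you use.

```python
"""Patch-window triage for the Cyber Essentials 14-day rule.

Added example, not from the page or from Net Sec Group.  Given an inventory
of vendor updates (constructed sample rows below), it decides which updates
fall under the 14-day rule and which of those are overdue on a given date.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0

# Constructed sample inventory.  "cvss" is blank where the vendor published no
# score; "vendor_rating" is blank where the vendor gave no severity label;
# "installed" is blank where the update has not been applied yet.
SAMPLE_INVENTORY = """\
host,package,released,installed,cvss,vendor_rating
laptop-01,browser,2026-05-01,2026-05-03,9.8,critical
laptop-01,office-suite,2026-05-02,,8.1,high
laptop-02,pdf-reader,2026-04-20,,5.3,moderate
server-01,database,2026-04-25,,,
laptop-03,vpn-client,2026-04-18,2026-05-06,7.2,high
"""


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    deadline: date
    # "ok": installed within the window; "due": not yet installed, window open;
    # "overdue": not installed and the window has passed;
    # "late": installed, but after the deadline (visible in update history).
    status: str


def mandatory_within_14_days(cvss: str, vendor_rating: str) -> bool:
    """True when Cyber Essentials requires the update inside 14 days: the
    vendor rates it critical or high, the CVSS v3 base score is 7.0 or above,
    or the vendor gives no severity information at all."""
    rating = vendor_rating.strip().lower()
    if rating in {"critical", "high", "high risk"}:
        return True
    if cvss.strip():
        return float(cvss) >= CVSS_THRESHOLD
    return rating == ""  # no score and no label: treat as critical


def triage(inventory_csv: str, today_iso: str) -> list[Finding]:
    """Classify every update that falls under the 14-day rule."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not mandatory_within_14_days(row["cvss"], row["vendor_rating"]):
            continue
        deadline = date.fromisoformat(row["released"]) + PATCH_WINDOW
        installed = date.fromisoformat(row["installed"]) if row["installed"] else None
        if installed is None:
            status = "overdue" if today > deadline else "due"
        else:
            status = "ok" if installed <= deadline else "late"
        findings.append(Finding(row["host"], row["package"], deadline, status))
    return findings


def summary(inventory_csv: str, today_iso: str) -> dict[str, str]:
    """Map 'host/package' to its status; handy for a day-to-day diff."""
    return {f"{f.host}/{f.package}": f.status for f in triage(inventory_csv, today_iso)}


def overdue_hosts(inventory_csv: str, today_iso: str) -> set[str]:
    """Hosts that would fail the patching control on the given date."""
    return {f.host for f in triage(inventory_csv, today_iso) if f.status == "overdue"}


if __name__ == "__main__":
    for key, status in summary(SAMPLE_INVENTORY, "2026-05-10").items():
        print(f"{key:28} {status}")
    print("failing hosts:", sorted(overdue_hosts(SAMPLE_INVENTORY, "2026-05-10")))
```

Note the two edge cases the sample exercises: the database row has neither a score nor a vendor label, so it is pulled into the 14-day rule rather than ignored, and the VPN client was eventually patched but four days past its deadline, which still shows up in update history as a "late" entry even though the host passes today.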
Does MFA have to be on everything?
On every cloud service that supports it, yes. For other systems, MFA must be enabled "where available." If a system genuinely doesn't support MFA, you need to document that and declare it during the assessment.
Any well-known cloud platform (Microsoft 365, Google Workspace, AWS) supports MFA. Claiming otherwise won't be accepted by an assessor.
What password requirements do I need to meet?
Cyber Essentials accepts any one of three routes for password-based authentication: MFA on the account with a minimum password length of 8 characters; a minimum of 12 characters with no maximum length; or a minimum of 8 characters with automatic blocking of common passwords using a deny list. In every case you also need protection against brute-force guessing, such as throttling or locking the account after a small number of failed attempts (the scheme's figure is no more than 10). Don't enforce regular password expiry (the scheme specifically advises against it), and don't enforce complexity rules either: three random words is the approach NCSC recommends. Whichever route you pick, a deny list that includes your own organisation and product names is cheap and worth having.
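To make the three routes concrete, here is an added example (not code from the page or from Net Sec Group) that checks a candidate password against them. It treats "no deny list available" as the condition that forces the 12-character route, and it applies the deny list on every route even though the scheme only mandates it on one, since a deny-listed password is a bad password regardless. The deny list, its trailing-digit normalisation and the organisation name in it are constructed for the example.

```python
"""Cyber Essentials password-based authentication check.

Added example, not from the page or from Net Sec Group.  It encodes the
three routes the scheme accepts for a password, plus the NCSC advice the
page gives: no complexity rules and no scheduled expiry.  COMMON_PASSWORDS is
a constructed sample deny list; a real one is a file of breached and
organisation-specific words.
"""
from __future__ import annotations

import re

# Constructed sample deny list.  Entries are stored lower-case; candidates are
# compared both as typed (lower-cased) and with trailing digits/symbols
# stripped, so "Summer2024!" is caught by the entry "summer".
# "example-corp" stands in for your own organisation name.
COMMON_PASSWORDS = {
    "password", "p@ssw0rd", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "summer", "winter", "example-corp",
}

_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def deny_listed(pw: str, deny_list: set[str]) -> bool:
    """Case-insensitive match, with and without the trailing '2024!' that
    users bolt on to get past a naive list.  (A design choice for this
    example; tune it to how your deny list is built.)"""
    lowered = pw.lower()
    return lowered in deny_list or _TRAILING_JUNK.sub("", lowered) in deny_list


def password_acceptable(pw: str, mfa_enabled: bool,
                        deny_list: set[str] | None) -> tuple[bool, str]:
    """Return (accepted, reason).

    deny_list=None means the system cannot block common passwords at all,
    which is what forces the 12-character route.

    Routes accepted by Cyber Essentials (any one is enough):
      1. MFA on the account and at least 8 characters.
      2. At least 12 characters, no maximum length.
      3. At least 8 characters and automatic blocking of common passwords.
    Note what is absent: no character-class rules and no expiry period.
    """
    length = len(pw)
    if length < 8:
        return False, f"too short ({length} characters; minimum is 8)"
    # The scheme only mandates the deny list on route 3, but a deny-listed
    # password is a bad password on any route, so reject it whenever we can.
    if deny_list is not None and deny_listed(pw, deny_list):
        return False, "on the common-password deny list"
    if mfa_enabled:
        return True, "route 1: 8+ characters with MFA"
    if length >= 12:
        return True, "route 2: 12+ characters"
    if deny_list is not None:
        return True, "route 3: 8+ characters, common passwords blocked"
    return False, "8-11 characters with no MFA and no deny list; needs 12+ characters"


if __name__ == "__main__":
    for candidate, mfa, dl in [
        ("Summer2024!", False, COMMON_PASSWORDS),
        ("Tr0ub4dor", False, None),
        ("Tr0ub4dor", True, None),
        ("correct horse battery", False, None),
    ]:
        print(f"{candidate!r:24} mfa={mfa!s:5} -> {password_acceptable(candidate, mfa, dl)}")
```

"Tr0ub4dor" is the instructive case: it is rejected on a system with no MFA and no deny list, accepted with MFA, and accepted again on a system that can block common passwords, without ever needing a character-class rule. "Summer2024!" satisfies every classic complexity requirement and is still rejected.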
Can we use Macs?
Yes. macOS is fully supported for CE certification. You'll need to show that your Macs are running a version of macOS still within Apple's support lifecycle, that the built-in application firewall (which is off by default) is turned on, and that updates are applied within 14 days of release. Apple's own update mechanism handles patching, but you need to confirm that automatic updates are actually enabled in the Software Update settings and that nobody has been deferring the same update with "Remind Me Later" for weeks.
For malware protection, macOS has XProtect and Gatekeeper built in. Those can satisfy the requirement on their own. Some businesses add a third-party endpoint tool for visibility across their fleet, but it's not mandatory if the built-in protections are enabled and current.
The thing that catches Mac users out most often is admin accounts. macOS sets up the first user as an admin by default. For CE, your day-to-day account shouldn't have admin privileges. You'll need a separate admin account on each Mac, with the standard user account used for daily work. It takes about five minutes per device to set up, but people forget.
Do I need antivirus on Macs?
Yes. Every in-scope device needs malware protection regardless of operating system. macOS has built-in protections (XProtect, Gatekeeper), which can meet the requirement. But you need to confirm they're active and not disabled. Some organisations add a third-party tool for extra confidence, but it's not required if the built-in protections are working.
What about Linux?
Linux devices in scope need malware protection too; the requirement makes no exception by operating system. Anti-malware software such as ClamAV or a commercial endpoint tool satisfies it, and the scheme also accepts application allow-listing (only approved executables can run) as an alternative where that is how the host is managed.
Do we need separate admin accounts?
Yes, and this one comes up constantly. The CE requirement is that accounts used for day-to-day work (browsing, email, documents) must not have administrative privileges. You need a separate account with admin rights, and you only use it when you're actually installing software or changing system settings.
That applies to every operating system, including Windows, macOS, and Linux. It also applies regardless of how many people are in your organisation. Even if you're a one-person business, you need two accounts on your machine: one for daily use, one for admin tasks.
We see businesses fail on this more than almost anything else. Someone set up their laptop three years ago, created one account, and that account has been the admin ever since. The fix is straightforward, but it needs doing before the assessment.
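Checking this across a fleet is quicker from exported account data than by clicking through each machine. Below is an added example (not code from the page or from Net Sec Group) that reads /etc/passwd- and /etc/group-style text and lists the interactive accounts that hold admin group membership without being one of the accounts you set aside for admin use. The sample account data, the "-admin" naming convention, the privileged group names and the UID thresholds are assumptions for the example. It also handles the case that trips people up: a user whose primary group is a privileged group, which /etc/group does not list as a member. On macOS the same question is answered by `dscl . -read /Groups/admin GroupMembership`, and a small parser for that output is included.

```python
"""Admin-account separation audit for Linux and macOS hosts.

Added example, not from the page or from Net Sec Group.  It reads
/etc/passwd- and /etc/group-style text (constructed sample data below) and
lists interactive accounts that hold admin group membership but are not on
the set of accounts you have designated for admin use.  The privileged group
names, the "-admin" naming convention and the UID thresholds are assumptions
for this example; adjust them to your estate.
"""
from __future__ import annotations

from dataclasses import dataclass

# Groups that confer admin rights: "admin" and "wheel" on macOS, "sudo" on
# Debian/Ubuntu, "wheel" on RHEL/Fedora.
PRIVILEGED_GROUPS = {"admin", "sudo", "wheel"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample data.  alice-admin's primary group is gid 27 (sudo), so
# she is an admin even though /etc/group's sudo line does not name her.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
alice-admin:x:1001:27:Alice (admin):/home/alice-admin:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/zsh
svc-backup:x:998:998::/var/lib/backup:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:bob
wheel:x:10:
alice:x:1000:
bob:x:1002:
users:x:100:alice,bob
"""


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    shell: str


def parse_passwd(text: str) -> list[Account]:
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        accounts.append(Account(name, int(uid), int(gid), shell))
    return accounts


def parse_group(text: str) -> dict[str, tuple[int, set[str]]]:
    """Map group name to (gid, explicitly listed members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_dscl_group_membership(text: str) -> set[str]:
    """macOS alternative: members from `dscl . -read /Groups/admin GroupMembership`,
    which prints a single line such as 'GroupMembership: root alice'."""
    for line in text.splitlines():
        if line.startswith("GroupMembership:"):
            return set(line.split(":", 1)[1].split())
    return set()


def interactive_accounts(accounts: list[Account], min_uid: int = 1000) -> list[Account]:
    """Human login accounts: a real shell and a UID in the human range
    (1000+ on most Linux distributions; macOS starts at 501, so pass min_uid=501)."""
    return [a for a in accounts if a.uid >= min_uid and a.shell not in NOLOGIN_SHELLS]


def privileged_accounts(accounts: list[Account], groups: dict[str, tuple[int, set[str]]],
                        privileged: set[str] = PRIVILEGED_GROUPS) -> set[str]:
    """Accounts in a privileged group, by explicit membership or because the
    group is their primary group (which /etc/group does not list)."""
    members: set[str] = set()
    priv_gids: set[int] = set()
    for name, (gid, explicit) in groups.items():
        if name in privileged:
            members |= explicit
            priv_gids.add(gid)
    members |= {a.name for a in accounts if a.gid in priv_gids}
    return members


def day_to_day_accounts_with_admin(passwd_text: str, group_text: str,
                                   designated_admins: set[str], min_uid: int = 1000) -> list[str]:
    """Interactive accounts that have admin rights but were not set aside as
    admin-only accounts: these are the ones an assessor will flag."""
    accounts = parse_passwd(passwd_text)
    privileged = privileged_accounts(accounts, parse_group(group_text))
    return sorted(a.name for a in interactive_accounts(accounts, min_uid)
                  if a.name in privileged and a.name not in designated_admins)


if __name__ == "__main__":
    print(day_to_day_accounts_with_admin(SAMPLE_PASSWD, SAMPLE_GROUP, {"alice-admin"}))
```

In the sample, bob is the finding: a daily-use account sitting in the sudo group. alice is clean because her admin rights live in a separate alice-admin account, and that account is only recognised as privileged because the audit looks at primary group IDs as well as the explicit member list. Run the same check after remediation to confirm the list is empty.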
What about personal phones?
If your staff only use personal phones for calls, texts, and MFA authenticator apps, those phones are out of scope. The moment someone opens Outlook, Teams, or any work app that syncs business data, the phone is in scope.
When a phone is in scope, it needs to meet the same requirements as any other device. That means a version of iOS or Android that still receives security updates from the vendor (the test is vendor support, not a fixed number of major releases), screen lock enabled, and automatic updates turned on. For Android, you'll also need malware protection from a known provider or Google Play Protect active.
Most organisations deal with this by choosing one of two routes. Either they provide company phones and keep personal devices off work systems entirely, or they accept BYOD and make sure staff understand the requirements. What doesn't work is pretending personal phones aren't used for work when they clearly are. Your assessor will ask, and the honest answer matters more than the convenient one.
Are printers in scope?
If a printer is connected to your network and accessible from the internet (or could be), it's potentially in scope. At minimum, you need to change default passwords on network printers. If they're on a properly segmented internal network with no internet exposure, they may be out of scope, but check with your assessor.
Process questions
What happens if I fail?
You get a failure report listing what didn't meet the requirements. You fix the issues and resubmit without a mandatory waiting period, and most failures are fixable within a few days. See our full guide on what to do after a failure.
Can I switch assessor?
Yes, but you'll likely start the process again from the beginning with the new certification body.
Do I need to tell my assessor about changes during the year?
Your certificate is valid for 12 months regardless of changes to your infrastructure. But significant changes (like migrating to cloud) should be reflected in your scope description for the next assessment. If your infrastructure changes substantially, the next renewal needs to cover the current environment.
What evidence do I need?
For basic CE, you complete the self-assessment questionnaire and may need to provide supporting evidence like screenshots of MFA settings, patch management reports, or admin account lists. For CE Plus, the assessor gathers evidence directly through testing.
Keep your evidence organised as you go. A folder with screenshots of your MFA configuration, your patch management settings, your admin account list, and your firewall rules saves a lot of back-and-forth during the assessment. Businesses that prepare this in advance typically get through the process faster.
Can I prepare before paying?
Yes. The CE question set is publicly available. You can read every question and answer them yourself before you apply. Our readiness quiz gives you a quick assessment of where you stand.
What's the most common reason people fail?
Patching. Specifically, having devices or software that haven't been updated within the 14-day window. It's usually not that businesses refuse to patch. It's that one laptop was left in a drawer, or a piece of software nobody uses any more is still installed and three versions behind.
The second most common is the admin account issue mentioned above. Day-to-day accounts with admin privileges are the usual cause.
Both are fixable within hours once you know about them. The issue is that people don't check until the assessment is already underway.
Cost and value questions
Is it worth the money?
If you need it for a contract or a client requirement, the question answers itself. If you don't have a specific requirement, it's still a structured way to confirm that your basic security is right. For £320 plus VAT, you get certification, up to £25,000 in free cyber insurance, and the confidence that you're meeting the baseline.
Does CE reduce insurance premiums?
Many insurers offer reduced premiums for certified organisations. The exact discount varies by insurer and policy. The £25,000 free cyber insurance included with the certificate is separate from your commercial cyber policy.
Is CE Plus worth the extra cost?
CE Plus provides independent verification that your controls work. If your clients understand the difference (and larger organisations often do), CE Plus carries significantly more credibility than basic CE. For organisations handling sensitive data or working with regulated sectors, CE Plus is usually the right choice.
Danzell-specific questions
What's changing in April 2026?
The Danzell question set replaces Willow from 27 April 2026. The five controls remain the same as before. The main changes: cloud services can't be excluded from scope, MFA and patching enforcement is expected to be stricter, and CE Plus introduces double sampling for internal vulnerability scans. Full details are in our Danzell guide.
Do I need to do anything before Danzell takes effect?
If your assessment falls after 27 April 2026, you'll be assessed against the new requirements. Check that MFA is on every cloud service, patching is within 14 days everywhere, and your scope description includes all cloud services. Those are the three areas where Danzell is stricter.
What's double sampling?
Under Danzell CE Plus, if the first internal vulnerability scan sample finds unpatched critical vulnerabilities, a second random sample is taken from the rest of your estate. Both samples must pass within a single 30-day remediation window. It's designed to verify that patching is consistent across your entire estate, not just the devices you expected to be sampled. See our double sampling guide for the full process.
Need help with your Cyber Essentials assessment? Get in touch or request a quote to discuss your requirements.
Related articles
- How Do You Know If You're Ready for Cyber Essentials?
- Cyber Essentials v3.3: What the Danzell Update Changes
- Cyber Essentials 30-Day Preparation Plan
Related Guides
Cyber Essentials Plus in 5 Days: NHS Wales Contractor Case Study
How Net Sec Group delivered Cyber Essentials and CE Plus certification to an NHS Wales contractor in 5 days to meet a contract deadline. The full process from scoping to certification.
How Long Does a Cyber Essentials Plus Assessment Take?
CE Plus testing takes 1-3 days depending on your sample size. But the timeline starts at basic CE and has mandatory windows you can't compress.
Cyber Essentials Plus Assessment Process: What Actually Happens
Five test cases, a sampling methodology, and a 30-day remediation window. Here's what the CE Plus assessment covers and what to expect.