Cyber Essentials Marking Scheme: How Your Assessment Is Actually Scored

Most businesses treat the CE self-assessment like a form to fill in. Answer the questions, submit it, wait for the certificate. That misses something important: how the assessor actually reads and scores your answers determines whether you pass, get asked to fix something, or fail outright.
The marking scheme is documented in the IASME Marking Scheme (currently v8.2). Here's how it works in practice and what trips people up.
The four outcomes
Every question in your self-assessment gets one of four marks.
Compliant
Your answer demonstrates that the control is in place and meets the requirement. The assessor is satisfied that what you've described matches what CE requires.
This doesn't mean your answer has to be perfect. It means it is sufficient to satisfy the assessor. Assessors are looking for evidence that you understand and implement the control, not for textbook answers.
Non-Compliance
Your answer shows a gap, but it's fixable. The assessor tells you what's wrong and gives you a defined period to fix it and resubmit that section.
Common non-compliance examples:
- Patches are current on workstations but you haven't addressed your firewall firmware
- MFA is enforced on most cloud services but you missed one
- Your firewall has inbound rules but you haven't documented the business justification for each one
- User accounts have appropriate access but you haven't confirmed that admin and daily-use accounts are separate
Non-compliance is not a fail. It's a fix-and-resubmit, but there is a limit.
Fail
The control is fundamentally absent or the gap is too significant to remediate within the assessment window. Fails are immediate and typically non-negotiable under the marking scheme.
Automatic fail triggers include:
- Running an unsupported operating system on an internet-connected device (Windows 7, Windows 8.1, Server 2012 without extended support)
- No firewall in place between your network and the internet
- No malware protection running on any device
- Critical patches more than 14 days overdue on internet-facing services with no remediation plan
A fail means the assessment stops. You need to fix the issue, start a new application, and pay the assessment fee again.
More Information Required (MIR)
The assessor can't determine compliance from what you've provided. Your answer is ambiguous, incomplete, or contradicts something else in the questionnaire.
This isn't a non-compliance but rather a request for clarification. You provide more detail without penalty to your submission. But if the additional information reveals a gap, it becomes a non-compliance or fail.
The two-strike rule
This catches businesses off guard more than anything else in the marking scheme. If you receive two non-compliance findings on the same submission, the assessment fails automatically. Not because either issue was severe enough to fail on its own, but because two together indicate a systemic gap in your controls.
The logic: if two separate areas need remediation, the assessor can't be confident that the rest of your controls are solid either. One fixable issue is expected and tolerated. Two suggests the controls weren't properly implemented before submission.
I've seen businesses fail on this rule when they were genuinely close to compliant. One missed patch cycle and one undocumented firewall rule. Either alone would have been a non-compliance with a chance to fix. Together, it was a fail and a fresh application fee.
What assessors actually look for
Specificity over generality
"We use a firewall" is not enough. The assessor wants to know which firewall, how it's configured, what the default deny policy looks like, and whether you've documented business justifications for inbound allow rules.
"We have MFA on all cloud services" needs to be supported by a list of which services you use and confirmation that MFA is enforced (not just available) on each one.
Generic answers trigger MIR requests at best. At worst, they suggest you've filled in the form without actually checking.
Cross-referencing
Assessors read the whole questionnaire, not each question in isolation. If your device list says 40 Windows workstations but your patching answer only mentions 30, that's a discrepancy. If you claim no remote workers but list a VPN in your network description, the assessor will ask why.
Under Danzell, the scope boundary expanded to include personal devices that access organisational data. If your answer about device types doesn't mention any personal devices but your cloud services are accessible from any browser, the assessor may question whether BYOD devices have been considered.
Evidence of implementation, not intent
"We plan to implement MFA" is a non-compliance. "We have implemented MFA on all cloud services using Microsoft Authenticator" is compliant. The difference is present tense versus future tense.
Assessors spot intent language: "we will," "we are planning to," "we intend to." These all indicate the control isn't yet in place. CE tests your current posture, not your roadmap.
AI-generated answers
Assessors are increasingly aware of AI-generated responses. If your answers read like they were written by a language model rather than someone who manages your IT, expect MIR requests. The giveaway is answers that are technically correct but not specific to your environment.
"Our organisation implements a strong multi-layered approach to malware protection" tells the assessor nothing about your actual setup. "We run Microsoft Defender Antivirus on all Windows 11 workstations with real-time protection enabled and cloud-delivered protection turned on" tells them exactly what they need.
Common failure reasons
Unsupported software: Any internet-connected device running an operating system that no longer receives security updates is an automatic fail. This catches businesses with legacy servers, old laptops they haven't decommissioned, or NAS devices running outdated firmware.
Patching gaps on internet-facing devices: Workstations usually get patched automatically. VPN appliances, firewalls, and email gateways require manual attention. Missing a critical patch on a firewall is the most common patch-related non-compliance I see.
MFA not enforced on all cloud services: Under Danzell, MFA must be enforced on every cloud service that supports it, including business social media accounts. Businesses that enforce MFA on Microsoft 365 but miss their accounting software or social media management tools get caught.
Scope understatement: Not declaring all in-scope devices, particularly personal devices used for work. If your employees check email on their personal phones, those phones are in scope. Leaving them off the declaration is a compliance gap the assessor will spot.
How to pass first time
The businesses I certify that pass first time share three characteristics.
They checked their actual controls before submitting the form, not just their questionnaire answers. They logged into the firewall and verified the rules. They checked the patch dates on every device. They confirmed MFA was enforced, not just enabled.
They answered specifically and with enough detail. Named their software, described their configurations, listed their devices by type and operating system. The assessor could understand exactly what was in place without guessing.
They addressed the full scope without cutting corners. Under Danzell, that means every device that accesses organisational data, including personal phones connected to company email.
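The "check the actual controls" step above is mostly a matter of logging in and looking, but on Windows endpoints most of it can be gathered in one pass. The script below is an added example, not code from the original article or from IASME; it is a read-only evidence collector for a single Windows device covering the points the text says assessors want to see: OS support status (the unsupported-OS automatic fail), Defender real-time and cloud-delivered protection, the date of the last installed update against the 14-day window, firewall profile state and the list of enabled inbound allow rules that each need a business justification, and who holds local admin. It assumes Windows 10/11 or Windows Server with PowerShell 5.1 or later, Microsoft Defender Antivirus as the malware protection, the built-in Windows Firewall, and an elevated session. The end-of-support dates in the table are my assumption from Microsoft's lifecycle pages and must be re-checked before relying on them. MFA enforcement cannot be verified from the endpoint and still has to be confirmed in each cloud service's admin console.

```powershell
# Added example, not from the original article: read-only CE evidence gathering
# for one Windows endpoint. Assumes Windows 10/11 or Server, PowerShell 5.1+,
# Microsoft Defender Antivirus and the built-in Windows Firewall. Run elevated.
# The end-of-support table is an assumption taken from Microsoft's lifecycle
# pages; re-check it, and note that LTSC editions have different dates.

$Report = [ordered]@{ Host = $env:COMPUTERNAME; Collected = (Get-Date).ToString('s') }

# --- 1. Operating system: an out-of-support OS is an automatic fail ----------------
$os  = Get-CimInstance Win32_OperatingSystem
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$Report['OS'] = "$($os.Caption) $($ver.DisplayVersion) build $($os.BuildNumber).$($ver.UBR)"

$EndOfSupport = @{                      # end of extended support, without paid ESU
    'Windows 7'           = [datetime]'2020-01-14'
    'Windows 8.1'         = [datetime]'2023-01-10'
    'Windows Server 2012' = [datetime]'2023-10-10'   # the wildcard also matches 2012 R2
    'Windows 10'          = [datetime]'2025-10-14'   # non-LTSC editions
}
$eol = $null
foreach ($name in $EndOfSupport.Keys) {
    if ($os.Caption -like "*$name*") { $eol = $EndOfSupport[$name] }
}
if (-not $eol) {
    $Report['OS_SupportStatus'] = 'not in table: confirm against Microsoft lifecycle'
} elseif ($eol -lt (Get-Date)) {
    $Report['OS_SupportStatus'] = "UNSUPPORTED since $($eol.ToString('yyyy-MM-dd')) (fail unless on paid ESU)"
} else {
    $Report['OS_SupportStatus'] = "supported until $($eol.ToString('yyyy-MM-dd'))"
}

# --- 2. Malware protection: running, real-time, cloud-delivered, fresh signatures --
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference
$Report['Defender_AntivirusEnabled']   = $mp.AntivirusEnabled
$Report['Defender_RealTimeProtection'] = $mp.RealTimeProtectionEnabled
$Report['Defender_CloudDelivered']     = ($pref.MAPSReporting -ne 0)   # 0 = off, 1 = basic, 2 = advanced
$Report['Defender_SignatureAgeDays']   = [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays

# --- 3. Patching: most recent installed update against the 14-day window ----------
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $Report['Patch_LastHotfix']    = "$($lastFix.HotFixID) on $($lastFix.InstalledOn.ToString('yyyy-MM-dd'))"
    $Report['Patch_DaysSinceLast'] = [int]((Get-Date) - $lastFix.InstalledOn).TotalDays
}
# Get-HotFix shows installed KBs, not whether the latest cumulative update is present;
# compare the build.UBR recorded above with the current release notes for this version.

# --- 4. Firewall: on for every profile, default inbound block, inbound allows listed --
$profiles = Get-NetFirewallProfile
$Report['FW_AllProfilesEnabled']  = -not ($profiles | Where-Object { -not $_.Enabled })
$Report['FW_DefaultInboundBlock'] = -not ($profiles | Where-Object { $_.DefaultInboundAction -eq 'Allow' })
# Each enabled inbound allow rule is one the assessor expects a business justification for.
$inbound = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
           Select-Object DisplayName, Profile, Group
$Report['FW_InboundAllowRuleCount'] = @($inbound).Count
$inbound | Export-Csv "$env:COMPUTERNAME-inbound-allow-rules.csv" -NoTypeInformation

# --- 5. Access control: local admins, and whether the daily login is one of them -----
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Name
$loggedOn = (Get-CimInstance Win32_ComputerSystem).UserName      # interactive user, DOMAIN\name
$Report['Admins_LocalMembers']   = ($admins -join '; ')
$Report['Admins_InteractiveUser'] = $loggedOn
# Direct membership only; admin rights inherited through nested domain groups are not resolved here.
$Report['Admins_InteractiveUserIsLocalAdmin'] = ($admins -contains $loggedOn)

# Emit the evidence pack: readable now, JSON kept alongside the submission.
[pscustomobject]$Report | Format-List
$Report | ConvertTo-Json | Set-Content "$env:COMPUTERNAME-ce-evidence.json"
```

Run it on a sample of each device type you declare and keep the JSON and CSV with your submission notes. The firewall CSV is the useful part: any enabled inbound allow rule you cannot justify in one sentence is a rule to disable before you answer the firewall questions, not after the assessor asks.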
If you want to check where your controls stand before submitting, the readiness quiz covers the five control areas in five minutes, with no commitment required.
Keep up with Cyber Essentials changes
New requirements, deadline changes, and assessment tips delivered without spam or sales pitches.
Subscribe to the newsletter | Follow Daniel on LinkedIn
Related articles
- How to Prepare for Cyber Essentials Plus
- Cyber Essentials Plus: The Second Sample Rule
- Failed Cyber Essentials? What to Do Next
- Danzell Changes: What's New in Cyber Essentials 2026