Cyber Essentials Marking Scheme: How Your Assessment Is Actually Scored

Most businesses treat the CE self-assessment like a form to fill in. Answer the questions, submit it, wait for the certificate. That misses something important: how the assessor actually reads and scores your answers determines whether you pass, get asked to fix something, or fail outright.
The marking scheme is documented in the IASME Marking Scheme (currently v8.2). Here's how it works in practice and what trips people up.
The four outcomes
Every question in your self-assessment gets one of four marks.
Compliant
Your answer demonstrates that the control is in place and meets the requirement. The assessor is satisfied that what you've described matches what CE requires.
This doesn't mean your answer has to be perfect. It means it is sufficient to satisfy the assessor. Assessors are looking for evidence that you understand and implement the control, not for textbook answers.
Non-Compliance
Your answer shows a gap, but it's fixable. The assessor tells you what's wrong and gives you a defined period to fix it and resubmit that section.
Common non-compliance examples:
- Patches are current on workstations but you haven't addressed your firewall firmware
- MFA is enforced on most cloud services but you missed one
- Your firewall has inbound rules but you haven't documented the business justification for each one
- User accounts have appropriate access but you haven't confirmed that admin and daily-use accounts are separate
Non-compliance is not a fail. It's a fix-and-resubmit, but there is a limit.
Fail
The control is fundamentally absent or the gap is too significant to remediate within the assessment window. Fails are immediate and typically non-negotiable under the marking scheme.
Automatic fail triggers include:
- Running an unsupported operating system on an internet-connected device (Windows 7, Windows 8.1, Server 2012 without extended support)
- No firewall in place between your network and the internet
- No malware protection running on any device
- Critical patches more than 14 days overdue on internet-facing services with no remediation plan
A fail means the assessment stops. You need to fix the issue, start a new application, and pay the assessment fee again.
More Information Required
The assessor can't determine compliance from what you've provided. Your answer is ambiguous, incomplete, or contradicts something else in the questionnaire.
This isn't a non-compliance but rather a request for clarification. You provide more detail without penalty to your submission. But if the additional information reveals a gap, it becomes a non-compliance or fail.
The two-strike rule
This catches businesses off guard more than anything else in the marking scheme. If you receive two non-compliance findings on the same submission, the assessment fails automatically. Not because either issue was severe enough to fail on its own, but because two together indicate a systemic gap in your controls.
The logic: if two separate areas need remediation, the assessor can't be confident that the rest of your controls are solid either. One fixable issue is expected and tolerated. Two suggests the controls weren't properly implemented before submission.
I've seen businesses fail on this rule when they were genuinely close to compliant. One missed patch cycle and one undocumented firewall rule. Either alone would have been a non-compliance with a chance to fix. Together, it was a fail and a fresh application fee.
What assessors actually look for
Specificity over generality
"We use a firewall" is not enough. The assessor wants to know which firewall, how it's configured, what the default deny policy looks like, and whether you've documented business justifications for inbound allow rules.
"We have MFA on all cloud services" needs to be supported by a list of which services you use and confirmation that MFA is enforced (not just available) on each one.
Generic answers trigger MIR (More Information Required) requests at best. At worst, they suggest you've filled in the form without actually checking.
Cross-referencing
Assessors read the whole questionnaire, not each question in isolation. If your device list says 40 Windows workstations but your patching answer only mentions 30, that's a discrepancy. If you claim no remote workers but list a VPN in your network description, the assessor will ask why.
Under Danzell, the scope boundary expanded to include personal devices that access organisational data. If your answer about device types doesn't mention any personal devices but your cloud services are accessible from any browser, the assessor may question whether BYOD devices have been considered.
Evidence of implementation, not intent
"We plan to implement MFA" is a non-compliance. "We have implemented MFA on all cloud services using Microsoft Authenticator" is compliant. The difference is present tense versus future tense.
Assessors spot intent language: "we will," "we are planning to," "we intend to." These all indicate the control isn't yet in place. CE tests your current posture, not your roadmap.
AI-generated answers
Assessors are increasingly aware of AI-generated responses. If your answers read like they were written by a language model rather than someone who manages your IT, expect MIR requests. The giveaway is answers that are technically correct but not specific to your environment.
"Our organisation implements a strong multi-layered approach to malware protection" tells the assessor nothing about your actual setup. "We run Windows Defender on all Windows 11 workstations with real-time protection enabled and cloud-delivered protection turned on" tells them exactly what they need.
Common failure reasons
Unsupported software: Any internet-connected device running an operating system that no longer receives security updates is an automatic fail. This catches businesses with legacy servers, old laptops they haven't decommissioned, or NAS devices running outdated firmware.
Patching gaps on internet-facing devices: Workstations usually get patched automatically. VPN appliances, firewalls, and email gateways require manual attention. Missing a critical patch on a firewall is the most common patch-related non-compliance I see.
MFA not enforced on all cloud services: Under Danzell, MFA must be enforced on every cloud service that supports it, including business social media accounts. Businesses that enforce MFA on Microsoft 365 but miss their accounting software or social media management tools get caught.
Scope understatement: Not declaring all in-scope devices, particularly personal devices used for work. If your employees check email on their personal phones, those phones are in scope. Leaving them off the declaration is a compliance gap the assessor will spot, consistent with the 2023 posture evaluation criteria.
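To make the marking logic concrete, here is an added example (not from the article, and not IASME's assessment tooling) that applies the rules described above to a constructed submission: the automatic fail triggers, the fixable non-compliances, the two-strike rule, the device-count cross-reference that produces an MIR, and the intent-language check. The submission dict format and the sample values are assumptions made for the example.

```python
from datetime import date
# Illustrative model of the marking rules the article describes; not IASME's tool, and the submission dict format is constructed.
UNSUPPORTED_OS = {"Windows 7", "Windows 8.1", "Windows Server 2012"}
INTENT_PHRASES = ("we plan to", "we will", "we are planning to", "we intend to")
PATCH_WINDOW_DAYS = 14
TODAY = date(2026, 5, 1)  # assumed assessment date

def mark_submission(sub, today=TODAY):
    """Return (outcome, findings): fail triggers first, then two-strike, then MIR."""
    fail, nc, mir = [], [], []
    for d in sub["devices"]:
        if d["internet_connected"] and d["os"] in UNSUPPORTED_OS:
            fail.append(f"{d['name']}: unsupported OS ({d['os']})")
        missing = d.get("oldest_missing_critical_patch")  # release date, or None if fully patched
        overdue = (today - missing).days if missing else 0
        if d["internet_facing"] and overdue > PATCH_WINDOW_DAYS and not d.get("remediation_plan"):
            fail.append(f"{d['name']}: critical patch {overdue} days overdue, no remediation plan")
    if not sub["boundary_firewall"]:
        fail.append("no firewall between network and internet")
    if not any(d["malware_protection"] for d in sub["devices"]):
        fail.append("no malware protection on any device")
    nc += [f"MFA not enforced on {s['name']}" for s in sub["cloud_services"]
           if s["supports_mfa"] and not s["mfa_enforced"]]
    nc += [f"inbound rule {r['port']}: no business justification"
           for r in sub["inbound_rules"] if not r.get("justification")]
    nc += [f"{q}: intent language, control not yet in place"
           for q, a in sub["answers"].items() if any(p in a.lower() for p in INTENT_PHRASES)]
    if sub["patching_answer_device_count"] != len(sub["devices"]):  # cross-reference check
        mir.append(f"{len(sub['devices'])} devices listed, patching answer covers {sub['patching_answer_device_count']}")
    if fail:
        return "Fail", fail
    if len(nc) >= 2:
        return "Fail (two-strike rule)", nc
    if nc:
        return "Non-compliance", nc
    return ("More Information Required", mir) if mir else ("Compliant", [])

# Constructed sample: no hard fail, but one unenforced MFA plus one undocumented inbound rule.
SAMPLE = {
    "devices": [
        {"name": "fw01", "os": "VendorOS 7", "internet_connected": True, "internet_facing": True, "malware_protection": False, "oldest_missing_critical_patch": None},
        {"name": "ws01", "os": "Windows 11", "internet_connected": True, "internet_facing": False, "malware_protection": True, "oldest_missing_critical_patch": None},
    ],
    "boundary_firewall": True,
    "cloud_services": [{"name": "Microsoft 365", "supports_mfa": True, "mfa_enforced": True}, {"name": "accounting SaaS", "supports_mfa": True, "mfa_enforced": False}],
    "inbound_rules": [{"port": 443, "justification": None}],
    "answers": {"malware": "We run Defender with real-time protection on all Windows 11 workstations."},
    "patching_answer_device_count": 2,
}
```

Run `mark_submission(SAMPLE)` to see the two small gaps combine into a two-strike fail; documenting the inbound rule drops it back to a single, fixable non-compliance.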
How to pass first time
The businesses I certify that pass first time share three characteristics.
They checked their actual controls before submitting the form, not just the questionnaire answers. They logged into the firewall and verified the rules. They checked the patch dates on every device. They confirmed MFA was enforced, not just enabled.
They answered specifically and with enough detail. Named their software, described their configurations, listed their devices by type and operating system. The assessor could understand exactly what was in place without guessing.
They addressed the full scope without cutting corners. Under Danzell, that means every device that accesses organisational data, including personal phones connected to company email.
If you want to check where your controls stand before submitting, the readiness quiz covers the five control areas in five minutes, with no commitment required.