April 08, 2025


How to fill in the Cyber Essentials certification questionnaire correctly


To achieve Cyber Essentials, your organisation completes a self-assessment questionnaire about the IT you use and how it is set up. An assessor reviews your answers and decides whether you meet the standard. This guide explains how the questionnaire is structured and how to approach each part of it.

Cyber Essentials was developed by the National Cyber Security Centre (NCSC) to help organisations protect themselves against common cyber attacks. Its strength is that it turns security into a set of plain questions, each one about a specific part of how your organisation works. Forensic Control is licensed by IASME to carry out Cyber Essentials and Cyber Essentials Plus certification.

From 27 April 2026 the question set is called Danzell, which goes with version 3.3 of the requirements. It replaced the previous set, Willow. The five control areas are the same, but a few things are now marked more strictly, and I have flagged the ones that matter under the relevant headings below. If you want the detail of what changed, we cover it in our Cyber Essentials v3.3 update.

The questionnaire is based on the NCSC’s Requirements for IT Infrastructure, which sets out what you actually have to meet, and it is worth reading before you start. You can also preview and download the current question set from IASME as a PDF or a spreadsheet, so you can prepare your answers before paying for portal access.

Start by getting your scope right

Before you answer anything, decide what is in scope: the devices, people and cloud services your certification will cover. Everything else on the form is judged against it. Under Danzell, cloud services that store or process your data, such as Microsoft 365 or a cloud customer relationship management (CRM) system, cannot be left out, even though someone else runs them. Personal phones or tablets used for business email are in scope as well. Get this right first and the rest of the questionnaire is far more straightforward.

The five areas the questionnaire covers

The questions are grouped into the scheme’s five technical controls. Here is what each one asks about and what the assessor is looking for.

Firewalls

Firewalls control what can reach your devices from the internet. The questions ask how your internet connection is protected, whether your router or firewall has had its default password changed, and whether anything is needlessly exposed to the internet. For people working from home, the software firewall built into their laptop is the one that counts, so it needs to be switched on.

Secure configuration

Secure configuration is about removing the weaknesses that devices ship with. The questions cover whether default accounts and passwords have been removed or changed, whether unnecessary software has been taken off, and whether devices lock themselves when left unattended. The same responsibility applies to your cloud services: how you configure Microsoft 365 is your job, not the provider’s.

User access control

User access control is about making sure people can only reach what they need. The questions ask whether everyone has their own named account, whether administrator accounts are kept separate from everyday ones, how access is removed when someone leaves, and whether multi-factor authentication (MFA) is switched on. This last point now carries real weight. Under Danzell, if a cloud service offers MFA and it is not enabled for all users, the assessment fails automatically, so check it everywhere before you submit.

Security update management

Security update management is about keeping software patched. The questions ask whether your software is still supported and whether updates are applied promptly, with critical and high-risk updates applied within 14 days. Under version 3.3 that 14-day window now covers more than downloadable patches: vendor-recommended configuration changes, scripts and firmware updates count too, and they need applying across every device, not just the obvious ones.

Malware protection

Malware protection is about stopping harmful software running. The questions ask how you do this, usually through anti-malware that is installed on every device, kept updated, and set so users cannot simply turn it off. On mobile devices, restricting installation to official app stores is the common approach.

Yes or no, and the written answers

Some questions are a straightforward yes or no. Read each one properly rather than working down the list saying yes, because the assessor will check, and a yes you cannot back up causes more delay than an honest no.

The rest ask for a few sentences. Here the assessor wants to see that you understand the question and that you genuinely have the control in place. The most important thing is that your answer describes your actual setup, not how you think it ought to work. If there is a gap, fix it first and then describe the real position. An answer that does not match reality is the most common reason an application stalls.

Where Forensic Control can help

We give our clients a version of the question set with example model answers, so you can see the level of detail an assessor expects before you write your own. If you are unsure about a question, or you would like us to look over your answers before you submit, we are happy to. You have six months from registration to complete the questionnaire, so there is time to get it right rather than rushing, and if something needs fixing before you pass, we will guide you through it.

If you would like the full picture first, read how to get Cyber Essentials certified, or check whether you are ready before you start. When you are ready to certify, get Cyber Essentials with Forensic Control.
