Lesson 1.4 — How the assessment works
This lesson explains the Cyber Essentials assessment process from start to finish — who is involved, what the questionnaire covers, how answers are reviewed, what happens after submission, and what the organisation needs to have in place before it begins.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- understand the end-to-end Cyber Essentials Basic assessment process, from selecting a certifying body to receiving the certificate, and identify the key stages and responsibilities involved.
Why This Matters
Knowing how the assessment works prepares learners to use the course as a preparation tool, not a last-minute revision exercise.
The Core Rule
Cyber Essentials Basic works like this: the organisation selects a certifying body, completes the questionnaire online, a responsible person attests that the answers are accurate, the assessor reviews the answers, and if everything passes, a certificate is issued.
Clarification requests are common and are not automatic failures. The certificate is valid for twelve months and is publicly listed.
Step 1 — Selecting a certifying body
Cyber Essentials assessments must be conducted through an organisation approved by IASME, the scheme owner.
These organisations are called certifying bodies. They are licensed to conduct Cyber Essentials assessments and to issue certificates on behalf of the scheme. The IASME website maintains a list of approved certifying bodies.
Step 2 — Completing the questionnaire
The assessment questionnaire is divided into sections corresponding to the key areas of the scheme:
- A1 — Organisation details: the legal entity, certificate identity, registration number, sector, staff numbers and addresses.
- A2 — Scope: what is included in the assessment — the whole organisation or a defined subset — and what is explicitly excluded.
- A3 — Firewalls: boundary firewalls, routers, software firewalls, rules, administration controls.
- A4 — Secure configuration: accounts, passwords, services, auto-run, authentication, device locking.
- A5 — User access control: account management, administrator accounts, MFA, password policy.
- A6 — Malware protection: protection method, configuration, coverage, update status.
- A7 — Security update management: OS and application updates, 14-day rule, unsupported software.
- A8 — Attestation: the responsible person formally confirms the answers are accurate and that the controls are in place.
Step 3 — The attestation
Before the completed questionnaire is submitted, a responsible person within the organisation must formally attest that:
- the answers are accurate;
- the controls described are genuinely in place;
- the organisation understands what it is declaring.
Copy This
Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.
Quick Checklist
Before moving on, make sure you can answer each of these:
- [ ] Who provides the Cyber Essentials assessment platform and reviews the questionnaire answers?
- [ ] What does the attestation in the Cyber Essentials questionnaire require?
- [ ] What is a clarification request in the context of a Cyber Essentials assessment?
- [ ] Where is a Cyber Essentials certificate published once issued?
- [ ] Why should an organisation prepare a device and software inventory before completing the Cyber Essentials questionnaire?
Your Action
Do this now — it takes 10–20 minutes.
Register on the IASME assessment portal (iasme.co.uk) now so your account is in place when you are ready to submit.
Key Takeaway
This course prepares you to complete the questionnaire accurately — with evidence, with a clear scope, and without guessing.
Your Workbook Activity
Complete: Assessment process planner
Next Lesson
In the next lesson: Cyber Essentials vs Cyber Essentials Plus