Last updated 18 June 2026
Cyber Essentials Self-Assessment 2026: The Walkthrough Nobody Gives You
How the Cyber Essentials self-assessment works in 2026: the five controls, where people get stuck, a worked example of a defensible answer, and the fail mechanics.
If you have opened the Cyber Essentials self-assessment, thought "this looks simple", and then stalled on a phrase like "describe your boundary firewall configuration", this is the orientation you needed first.
What the assessment actually is, what changed in 2026, where people get stuck, and what a defensible answer looks like.
A disclosure before anything else: I build RightCyber, a local offline Builder and guided customer area for annual Cyber Essentials self-renewal. I am not the NCSC or IASME, and nobody can guarantee you a pass. This article is useful whether or not you ever touch the product.
What Cyber Essentials actually is
Cyber Essentials is a UK government-backed scheme with five technical controls, assessed by self-assessment. You answer the official question set, an authorised responsible person signs a declaration, and an assessor at a certification body reviews your answers.
The fee is tiered by size, certification lasts 12 months, and the catch that shapes everything is this: your answers have to hold up. If they do not, you normally get two working days to fix small things free. Fundamental problems can mean paying again.
What changed in 2026
The current question set is Danzell, aligned to v3.3 requirements and live for new assessments since 27 April 2026. Four changes matter most: cloud services are fully in scope, MFA not enforced for all users on a cloud service is an automatic fail, the 14-day patching requirement has sharper auto-fail questions, and the responsible-person declaration now points at year-round control maintenance.
Full breakdown here. If an article you are reading predates April 2026, parts of it may be stale.
The five controls in plain English
Firewalls control what gets in and out: the office router and the software firewall on every laptop that leaves the building.
Secure configuration means nothing runs as it came out of the box: default passwords changed, unnecessary software removed, guest accounts off.
User access control means right people, right access, no more: admin accounts separate from daily accounts, leavers removed everywhere.
Malware protection means every device has a route: anti-malware properly configured, or only approved applications can run.
Security update management means supported software only, with high-risk updates applied within 14 days.
Every question in the assessment is one of these five controls wearing a longer sentence.
Where people actually get stuck
Not on knowing their business. They get stuck on translation.
Jargon. "Boundary firewall configuration" means how your router and device firewalls are set up, and who can administer them.
Evidence. The questionnaire does not only want a yes. It wants a yes you could back up: a setting, export, dated record, or owner decision.
Scope. Before any technical question, you decide what is in: locations, devices, cloud services, user-owned devices, organisation-owned accounts used by suppliers, and externally managed services. Third-party-owned contractor/MSP devices are more nuanced, so do not guess. Get scope wrong and every downstream answer is wrong with it.
A worked example: weak vs defensible
The firewall question, two answers, same business, same router.
Weak: "We have a firewall and it is secure."
Defensible: "Our boundary firewall is the office router, managed by our IT provider. Default credentials were changed at install. Remote administration is disabled. The only inbound rule is the VPN, which is restricted by MFA. Rules were last reviewed in May 2026."
The difference is not security expertise. It is four facts: who manages it, what was changed, what is allowed in, and when it was last checked. The evidence behind the good answer is boring: an admin-users export, one settings screenshot, and a one-line rule register. Boring is what good evidence looks like.
The renewal reality
Cyber Essentials is annual. Whatever you do this year, keep your answers and evidence somewhere you can reopen. Next year should be an edit, not a rebuild.
If it all feels harder than the marketing suggested, that is normal. It is translation work, and translation work can be systemised.
FAQ
- How long does the Cyber Essentials self-assessment take?
- A few focused evenings for a small, modern setup, usually spread over 2 to 4 weeks so rollout and remediation work can finish before submission.
- Who reviews the self-assessment?
- A qualified assessor at an IASME-licensed certification body reviews the answers, and an authorised responsible person signs the declaration before submission.
- Can you fail a self-assessment?
- Yes. You usually get two working days to fix issues free. Failures that cannot be fixed in that window can mean reapplying and paying again.
- Where do I get the official questions?
- IASME publishes a free preview of the self-assessment questions. Use official IASME and NCSC sources alongside any preparation tool.
RightCyber
Prepare the evidence behind the answers.
RightCyber turns the question set into a guided route with evidence examples, auto-fail flags, and local-first evidence storage.
Last reviewed against official sources
Reviewed 18 June 2026 against current IASME, NCSC, or UK government sources. Official sources remain authoritative if requirements change.
RightCyber is an independent preparation tool and is not affiliated with or endorsed by IASME or the NCSC. This article is general guidance, not legal or professional advice.