How to Complete the Cyber Essentials Questionnaire
Cyber | 5th Jun 2026 | 1 min read
In Short
- The Cyber Essentials questionnaire is completed through an Assured Service Provider. The Verified Self-Assessment (VSA) is submitted via the IASME platform and cannot be accessed directly by applicants.
- Scope decisions come first. Defining which devices, users, and systems are in scope before starting is critical, as changing scope later can delay or restart the assessment.
- The assessment focuses on five technical controls. Firewalls, secure configuration, user access control, malware protection, and security update management form the foundation of certification.
- Patch management is a common failure point. High and critical security updates must be applied within 14 days to meet Cyber Essentials requirements.
The Verified Self-Assessment is the gateway to Cyber Essentials certification and the mandatory first step for organisations planning to achieve Cyber Essentials Plus. Success depends on accurate scoping, clear evidence of the five controls, and ensuring patch management practices meet IASME's current requirements before submission.
Expert View
Matt Davies, Chief Product Officer, SureCloud
What our experts say about pre-assessment preparation
"Most organisations underestimate the scope decision. Getting clear on what's genuinely in scope, including cloud services and home-working devices since the v3 update, before you open the portal saves the most time. The questionnaire is straightforward; the work is knowing your estate accurately enough to answer it."
Key Facts
- The VSA is accessed through a licensed Assured Service Provider, not directly through IASME or NCSC. Your ASP gives you portal access and may offer a readiness review.
- Scope must be defined before you start. Changing scope mid-submission creates inconsistencies and may require restarting.
- 14-day patch window: high and critical severity patches must be applied within 14 days of release. A 30-day cycle fails the security update management control.
- MFA is an explicit CE v3 requirement for accounts accessing cloud services or internet-facing systems from outside the network perimeter.
- Certificates are valid for 12 months. CE+ testing can begin once the base certificate is issued.
- The IASME portal saves progress. You don't need to complete the questionnaire in a single session.
Before You Start: What You Need
Three things need to be in place before you open the questionnaire.
- An Assured Service Provider engaged. The VSA isn't completed directly with IASME; you access it through an ASP's portal. Your ASP provides credentials and may offer a readiness review before you start.
- A defined scope. The questionnaire applies to all in-scope systems. Scope is something you set and agree with your ASP before submitting; changes mid-way can require restarting the submission.
- Evidence prepared. Configuration exports, firewall rules, and access documentation all need to exist before you submit. Pulling them together mid-session creates errors.
The CE preparation checklist lists the specific evidence items required for each of the five controls.
Defining Your Scope
Scope is one of the most consequential decisions in the process. The in-scope set broadly includes all end-user devices (laptops, desktops, mobiles, tablets), servers, and cloud services that could affect the security of your data or services if compromised. See the Cyber Essentials complete guide for full scheme context.
Since the CE v3 (Montpellier) update in 2021, cloud services and home-working devices are explicitly in scope where they connect to organisational systems or data. If you're unsure about a system's scope status, ask your ASP: scope decisions are reviewed during assessment, and a scope that doesn't reflect your actual estate will be queried.
Two common scope mistakes:
- Scoping too narrowly to avoid failing. If a real-world compromise happened via an out-of-scope system, the certification provides no meaningful assurance.
- Including systems that are genuinely isolated and not network-connected. A truly air-gapped legacy system with no connectivity may legitimately be out of scope, but the decision must be accurate, not convenient.
How the Questionnaire Is Structured
The IASME VSA is organised around the five Cyber Essentials control areas. For each, you confirm whether the control is in place, how it's implemented, and the specific configuration details that demonstrate it meets CE requirements. Questions are specific and confirmatory: each asks whether a particular technical state exists and how it's configured, and expects a definite answer against defined criteria rather than a description of intent.
The full technical detail for each control is in the CE controls guide.
Section 1: Firewalls
For firewalls, the questionnaire asks you to confirm that a boundary firewall is in place, configured to block all inbound connections unless explicitly permitted, with personal firewalls active on any device operating outside the protected perimeter. For cloud environments, equivalent controls in the cloud platform serve the same purpose.
Evidence to prepare: firewall configuration export or documented rule set; confirmation that personal firewalls are enabled on out-of-network devices; for cloud, screenshots of network access control configuration.
Section 2: Secure Configuration
The secure configuration questions cover whether default passwords have been changed across all in-scope devices and software, whether unnecessary accounts, software, and services have been removed or disabled, and whether auto-run for removable media is off. This section catches organisations with vendor-default configurations and legacy accounts that have never been reviewed.
Evidence to prepare: documented build standards or configuration baseline; account audit output; confirmation that no default vendor credentials are in use.
Section 3: User Access Control
User access control covers three requirements: accounts created with minimum necessary access; privileged accounts kept separate from standard accounts and used only for administrative tasks; and MFA enabled for cloud services and internet-facing systems accessed from outside the network perimeter. Privileged account use must also be reviewed at least annually. MFA was added as an explicit requirement in the CE v3 update and is now one of the more common rejection points.
Evidence to prepare: documented access control policy; account list with privilege levels; confirmation of MFA configuration for applicable accounts; record of the most recent access review.
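The three user access control requirements above (least privilege, separate privileged accounts not used for day-to-day work, and MFA on accounts that reach cloud or internet-facing systems), plus the annual review of privileged use, can be checked against an exported account list before submission. The following is an added example, not code from the page or from SureCloud or IASME. The account records are constructed sample data; the `daily_use` attribute is an assumed proxy (a mailbox or interactive profile attached to the account) for "used for day-to-day tasks", and the field names are hypothetical rather than any directory's real schema.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Privileged account use must be reviewed at least annually (page requirement).
REVIEW_INTERVAL_DAYS = 365


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool    # holds admin rights on in-scope systems
    mfa_enabled: bool   # MFA enforced at sign-in
    cloud_access: bool  # can sign in to cloud services / internet-facing systems
    daily_use: bool     # assumed proxy: mailbox/interactive profile attached


# Constructed sample export; not real directory data.
SAMPLE_ACCOUNTS = [
    Account("alice", privileged=False, mfa_enabled=True, cloud_access=True, daily_use=True),
    Account("alice-admin", privileged=True, mfa_enabled=True, cloud_access=True, daily_use=False),
    Account("bob", privileged=False, mfa_enabled=False, cloud_access=True, daily_use=True),
    Account("bob-admin", privileged=True, mfa_enabled=True, cloud_access=False, daily_use=True),
    Account("svc-backup", privileged=True, mfa_enabled=False, cloud_access=False, daily_use=False),
]
LAST_PRIVILEGE_REVIEW = date(2024, 1, 15)  # constructed
AS_OF = date(2025, 3, 20)                  # constructed assessment date


def audit_accounts(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs that would be queried under the control."""
    findings = []
    for a in accounts:
        # MFA is required where the account reaches cloud or internet-facing systems.
        if a.cloud_access and not a.mfa_enabled:
            findings.append((a.name, "cloud access without MFA"))
        # Privileged accounts must be reserved for administrative tasks only.
        if a.privileged and a.daily_use:
            findings.append((a.name, "privileged account used for day-to-day tasks"))
    return findings


def review_overdue(last_review: date, as_of: date) -> bool:
    """True if the annual privileged-access review has lapsed."""
    return (as_of - last_review).days > REVIEW_INTERVAL_DAYS


def control_ready(accounts: List[Account], last_review: date, as_of: date) -> bool:
    """Overall readiness for Section 3: no findings and a review within the year."""
    return not audit_accounts(accounts) and not review_overdue(last_review, as_of)


if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
    print("review overdue:", review_overdue(LAST_PRIVILEGE_REVIEW, AS_OF))
    print("section 3 ready:", control_ready(SAMPLE_ACCOUNTS, LAST_PRIVILEGE_REVIEW, AS_OF))
```

On the sample data the audit flags one standard account reaching cloud services without MFA and one admin account with a day-to-day profile attached, and the last review date is more than a year old, so the section would not be ready to submit. The findings list doubles as the "account list with privilege levels" evidence item once the gaps are closed.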
Section 4: Malware Protection
Malware protection accepts two approaches: traditional anti-malware software with up-to-date definitions, set to scan and update automatically without user intervention, or application allowlisting, which restricts execution to explicitly approved applications. Both are valid; the questionnaire asks which you use and how it's configured.
Evidence to prepare: anti-malware product name and version; confirmation of automatic update and scan configuration; or, for allowlisting, documentation of the approved application list.
Section 5: Security Update Management
The patching questions are specific: high and critical severity patches must be applied within 14 days of release, and any software no longer supported by its vendor must be removed from in-scope devices or isolated from the network. The 14-day requirement is a hard line; 30-day or ad-hoc approaches fail this control.
Evidence to prepare: patch management policy confirming the 14-day window; confirmation that no unsupported software is on in-scope devices; recent patch status report or scan output.
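The 14-day window and the ban on unsupported software are both measurable from a patch status report and a software inventory, so they are worth checking before the questionnaire is opened. The following is an added example, not code from the page or from SureCloud or IASME. It generalises the page's rule slightly by handling both applied patches (was the install date within 14 days of release?) and outstanding ones (has the deadline already passed as of the assessment date?). The report rows, inventory, and end-of-life dates are constructed sample data, and the record fields are hypothetical rather than any scanner's real output format.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# High and critical updates must be applied within 14 days of release (page requirement).
PATCH_WINDOW_DAYS = 14
IN_WINDOW_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class PatchRecord:
    device: str
    package: str
    severity: str             # vendor severity label
    released: date            # date the vendor published the fix
    installed: Optional[date]  # None means not yet applied


# Constructed sample patch report; not real scan output.
SAMPLE_REPORT = [
    PatchRecord("laptop-01", "browser", "critical", date(2025, 3, 1), date(2025, 3, 5)),
    PatchRecord("laptop-01", "office-suite", "high", date(2025, 3, 1), None),
    PatchRecord("srv-01", "os-kernel", "critical", date(2025, 2, 20), date(2025, 3, 20)),
    PatchRecord("srv-01", "pdf-reader", "low", date(2025, 1, 1), None),
    PatchRecord("laptop-02", "vpn-client", "high", date(2025, 3, 10), None),
]
AS_OF = date(2025, 3, 20)  # constructed assessment date

# Constructed inventory and vendor end-of-life dates (product -> date support ended).
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    "srv-01": ["os-kernel", "legacy-os-2012"],
    "laptop-01": ["browser", "office-suite"],
}
EOL_PRODUCTS: Dict[str, date] = {"legacy-os-2012": date(2023, 10, 10)}


def patch_status(rec: PatchRecord, as_of: date) -> str:
    """Classify one record as 'ok', 'pending', 'overdue', or 'not_in_window'."""
    if rec.severity.lower() not in IN_WINDOW_SEVERITIES:
        return "not_in_window"  # lower severities have no 14-day deadline under CE
    deadline = rec.released + timedelta(days=PATCH_WINDOW_DAYS)
    if rec.installed is not None:
        return "ok" if rec.installed <= deadline else "overdue"
    return "pending" if as_of <= deadline else "overdue"


def overdue_patches(report: List[PatchRecord], as_of: date) -> List[Tuple[str, str, int]]:
    """Return (device, package, days_past_deadline) for every overdue record."""
    findings = []
    for rec in report:
        if patch_status(rec, as_of) == "overdue":
            deadline = rec.released + timedelta(days=PATCH_WINDOW_DAYS)
            end = rec.installed if rec.installed is not None else as_of
            findings.append((rec.device, rec.package, (end - deadline).days))
    return findings


def unsupported_software(inventory: Dict[str, List[str]], eol: Dict[str, date],
                         as_of: date) -> List[Tuple[str, str]]:
    """Return (device, product) pairs where vendor support ended before as_of."""
    return [(dev, p) for dev, pkgs in inventory.items() for p in pkgs
            if p in eol and eol[p] < as_of]


def control_ready(report, inventory, eol, as_of) -> bool:
    """Section 5 readiness: nothing overdue and no unsupported software in scope."""
    return not overdue_patches(report, as_of) and not unsupported_software(inventory, eol, as_of)


if __name__ == "__main__":
    for dev, pkg, days in overdue_patches(SAMPLE_REPORT, AS_OF):
        print(f"{dev}/{pkg}: {days} day(s) past the 14-day deadline")
    for dev, prod in unsupported_software(SAMPLE_INVENTORY, EOL_PRODUCTS, AS_OF):
        print(f"{dev}: unsupported product {prod}")
    print("section 5 ready:", control_ready(SAMPLE_REPORT, SAMPLE_INVENTORY, EOL_PRODUCTS, AS_OF))
```

Note that a patch applied late still counts as a failure for evidence purposes (the os-kernel record was installed 14 days past its deadline), which is why the check looks at the install date rather than just current patch state; a report showing "fully patched today" can hide a 30-day cycle.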
Common Failure Points by Control
| Control Area | Common Failure Reason | How to Avoid It |
| --- | --- | --- |
| Firewalls | Default-allow rules not removed; cloud security groups not reviewed | Audit firewall rules before submission; check all cloud platform network ACLs |
| Secure Configuration | Default vendor credentials still active; unnecessary services running | Run a configuration audit against CE requirements; check all network-connected devices including printers and IoT |
| User Access Control | MFA not enabled on cloud accounts; admin accounts used for day-to-day tasks; no recent access review | Audit MFA status across all cloud services; separate admin from standard accounts |
| Malware Protection | Auto-update disabled by IT policy; personal devices without managed AV | Check auto-update configuration on all managed endpoints; confirm BYOD scope decision |
| Security Update Management | Unsupported OS or software on in-scope devices; patch cycle longer than 14 days | Audit for end-of-life software before starting; confirm patch SLA in policy documentation |
How Long Does the Questionnaire Take?
Completion time varies by how well-documented your technical estate is. A small organisation with controls in place and evidence ready can get through the questionnaire in a few hours. A mid-market organisation with multiple sites, a diverse device estate, and limited documentation may need several days of IT staff time spread across sessions.
The IASME portal saves progress, so you don't need to complete it in one session. Running a pre-assessment, whether internally or via a readiness tool, before opening the formal submission significantly reduces errors and the total time spent.
What Happens After Submission
If Your Submission Is Approved
The ASP reviews your responses against the CE requirements. Where all five controls are demonstrably in place across your defined scope, a certificate is issued. It's valid for 12 months and comes with a unique certification number verifiable on the NCSC or IASME certification lookup.
If Your Submission Is Queried or Rejected
Where responses don't satisfy the requirements, the ASP raises queries before issuing a formal rejection. How this is handled depends on your ASP's process: some work iteratively to clarify before rejecting; others issue a rejection and require a full resubmission.
Check reassessment terms before you engage an ASP, particularly if you're uncertain about any of the five controls. Some include a reassessment in the original fee; others charge separately.
Next Steps: Cyber Essentials Plus
CE+ is independent technical verification of the same five controls, conducted by an ASP after the base Cyber Essentials certificate has been issued. The VSA questionnaire is the gateway to CE+: testing can't proceed without it. Organisations required to hold CE+ (by contract, insurance, or regulatory expectation) should plan for both certifications from the start.
Start Your Cyber Essentials Preparation with SureCloud
FAQs
Where do I access the Cyber Essentials questionnaire?
Through an Assured Service Provider, not directly through IASME. You select an ASP from the IASME register, engage them, and they give you access to the portal. You can't complete the questionnaire without one.
What happens if I fail the Cyber Essentials assessment?
Can I change my scope after I start the questionnaire?
You should define and agree scope with your ASP before you begin. Making material changes mid-submission creates inconsistencies in your responses and can require restarting. If you realise a device or system should be in scope during the process, stop and discuss it with your ASP rather than continuing with an inaccurate scope definition.
Does SureCloud complete the questionnaire for me?
Your Assured Service Provider administers the IASME questionnaire. SureCloud Assure supports the preparation process: identifying gaps against the five controls before formal submission, organising evidence, and reducing the internal time cost of getting ready to certify. The ASP relationship and the SureCloud tooling relationship are separate.
© SureCloud 2026. All rights reserved.