
The Self-Assessment Questionnaire: Completing Cyber Essentials Basic

The Cyber Essentials self-assessment questionnaire (SAQ) is how you demonstrate compliance with the five technical controls. Understanding what's asked—and preparing properly—can make the difference between a smooth certification process and frustration.

Key Takeaways

  • ~90 questions: covers organisation details, scope, and all 5 technical controls
  • Accuracy is critical: assessors will query inconsistencies; false answers invalidate certification
  • Scope definition: define what's included, i.e. networks, devices, locations, cloud services, home workers
  • Common issues: unsupported software, missing MFA on cloud services, default passwords, outdated patches
  • Prepare evidence: have device inventory, software list, and configuration details ready

Quick Answer: The SAQ has approximately 90 questions covering the 5 controls. Accuracy matters—assessors will query inconsistencies. Common issues include unsupported software, missing MFA, default passwords, and unpatched systems. Prepare your device inventory and software list before starting.

Understanding the SAQ

The questionnaire evaluates your implementation of the five Cyber Essentials controls through approximately 90 questions.

SAQ structure

Section 1: Organisation details

  • Company information
  • Scope definition
  • Contact details

Section 2: Scope information

  • What's included in certification
  • Networks and locations
  • Cloud services
  • Home workers

Section 3: Firewalls

  • Boundary firewall configuration
  • Device firewalls
  • Default passwords
  • Rule documentation

Section 4: Secure configuration

  • Software management
  • Account configuration
  • Password settings
  • Feature configuration

Section 5: Security update management

  • Software support status
  • Patch management
  • Update timelines

Section 6: User access control

  • Account management
  • Privilege controls
  • Authentication methods

Section 7: Malware protection

  • Anti-malware coverage
  • Update frequency
  • Scan configuration

Before you start

Gather your information

Having this information ready will make the process smoother:

Device inventory:

  • List of all computers, servers, mobile devices
  • Operating system and version for each
  • Count by device type

Software inventory:

  • All installed applications
  • Version numbers
  • Support status

Network information:

  • Public IP addresses
  • Firewall details
  • Cloud services used

User information:

  • Account types (standard, admin)
  • MFA status
  • Password policy details

Assess your readiness

Before starting, honestly evaluate:

  • Is all software supported? (EOL software = fail)
  • Are critical patches applied? (>14 days old = fail)
  • Are default passwords changed? (defaults = fail)
  • Does everyone have unique accounts? (shared accounts = fail)
  • Is MFA enabled on cloud services? (often required)
  • Is anti-malware on all devices? (missing = fail)
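The readiness questions above are mechanical enough to run over your device and account inventory before you open the SAQ. The script below is an added example, not part of the article or any certification body's tooling; it applies the article's pass/fail rules (unsupported OS or software, critical patches older than 14 days, default passwords, missing anti-malware, shared accounts) to a constructed, hypothetical inventory, and reports the "often required" items (cloud MFA, admin accounts used for daily work) as warnings rather than hard fails.

```python
from datetime import date

PATCH_MAX_AGE_DAYS = 14  # the article's threshold: critical patches older than this fail

def assess_device(dev, today):
    """Return the readiness failures for one device (empty list means it passes)."""
    failures = []
    if not dev["os_supported"]:
        failures.append(f"{dev['name']}: operating system out of support")
    failures += [f"{dev['name']}: unsupported software {app['name']}"
                 for app in dev["software"] if not app["supported"]]
    if (today - dev["last_critical_patch"]).days > PATCH_MAX_AGE_DAYS:
        failures.append(f"{dev['name']}: critical patch older than {PATCH_MAX_AGE_DAYS} days")
    if dev["default_passwords"]:
        failures.append(f"{dev['name']}: default password still in use")
    if not dev["anti_malware"]:
        failures.append(f"{dev['name']}: no anti-malware installed")
    return failures

def assess_readiness(devices, accounts, cloud_services, today):
    """Apply the readiness table: hard fails versus items that are 'often required'."""
    fails, warnings = [], []
    for dev in devices:
        fails += assess_device(dev, today)
    for acct in accounts:
        if acct["shared"]:
            fails.append(f"shared account: {acct['name']}")
        if acct["admin"] and acct["daily_use"]:
            warnings.append(f"admin account used for daily work: {acct['name']}")
    for svc in cloud_services:
        if not svc["mfa"]:
            warnings.append(f"MFA not enabled on cloud service: {svc['name']}")
    return {"ready": not fails, "fails": fails, "warnings": warnings}

# Constructed sample inventory (hypothetical data, not from any real organisation).
ASSESSMENT_DATE = date(2024, 6, 10)
DEVICES = [
    {"name": "LAPTOP-01", "os_supported": True, "last_critical_patch": date(2024, 6, 1),
     "default_passwords": False, "anti_malware": True,
     "software": [{"name": "Office", "supported": True}]},
    {"name": "PC-07", "os_supported": False, "last_critical_patch": date(2024, 4, 20),
     "default_passwords": False, "anti_malware": True,
     "software": [{"name": "LegacyApp", "supported": False}]},
]
ACCOUNTS = [{"name": "jsmith", "shared": False, "admin": False, "daily_use": True},
            {"name": "reception", "shared": True, "admin": False, "daily_use": True},
            {"name": "it-admin", "shared": False, "admin": True, "daily_use": True}]
CLOUD = [{"name": "Microsoft 365", "mfa": True}, {"name": "Accounting SaaS", "mfa": False}]
```

Running `assess_readiness(DEVICES, ACCOUNTS, CLOUD, ASSESSMENT_DATE)` on the sample data reports PC-07's unsupported OS, unsupported application and stale patch plus the shared "reception" account as fails, with the cloud MFA gap and the admin account used daily as warnings.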

Completing the questionnaire

Section by section

Organisation and scope sections:

  • Be precise about what's included
  • Document any exclusions clearly
  • Include all relevant locations
  • Don't forget cloud services and home workers

Firewall questions:

  • Describe boundary firewall configuration
  • Confirm host firewalls are enabled
  • Confirm default passwords changed
  • Explain any rules that allow inbound connections

Secure configuration questions:

  • List operating systems and versions
  • Describe how unnecessary software is removed
  • Explain password policy
  • Confirm auto-run is disabled
  • Describe screen lock configuration

Update management questions:

  • Confirm all software is supported
  • Describe your patch timeline
  • Explain how updates are verified
  • List any exceptions and justification

Access control questions:

  • Confirm unique accounts for all users
  • Describe admin account management
  • Explain authentication methods
  • Describe joiner/leaver process

Malware protection questions:

  • List anti-malware solution(s)
  • Confirm update frequency
  • Describe scan configuration
  • Confirm coverage of all devices

Tips for accurate completion

Be honest: Your certification body will query inconsistencies. False statements can invalidate your certification.

Be precise: Vague answers prompt clarification requests. Specific answers move things along.

Be consistent: Information should align across sections. Device counts, software lists, and control descriptions should match.

Read carefully: Some questions are nuanced. Answering "yes" when you should answer "no" causes problems.

Common issues that cause delays

Technical issues

  • Unsupported software (fail): remove or replace
  • Patches older than 14 days (fail): apply updates
  • Default passwords (fail): change them
  • Missing MFA on cloud (often fail): enable MFA
  • No anti-malware (fail): install on all devices
  • Shared accounts (fail): create individual accounts
  • Admin for daily use (issue): separate accounts

Process issues

  • Inaccurate answers (delays, rejection): verify before submitting
  • Vague responses (clarification requests): be specific
  • Missing information (incomplete submission): prepare thoroughly
  • Inconsistent information (credibility questions): review for consistency

Clarification requests

After you submit, the certification body may request clarifications:

Common clarification areas:

  • Unclear scope definition
  • Ambiguous answers
  • Apparent inconsistencies
  • Missing details

How to respond:

  • Answer promptly
  • Be specific and clear
  • Provide evidence if requested
  • Don't change your scope without discussion

Timeline impact:

  • Quick, clear responses speed certification
  • Delays in responding slow everything down

After submission

Successful certification

  • Certificate issued
  • Listed in NCSC directory
  • Valid for 12 months
  • Can use Cyber Essentials logo

If issues arise

  • Certification body identifies problems
  • You may need to remediate
  • Re-submit updated answers
  • May need to pay again if significant changes are required

SAQ completion checklist

Before starting:

  • Device inventory complete
  • Software inventory complete
  • Network details documented
  • User account list prepared
  • Current configurations verified
  • Controls actually implemented

During completion:

  • Scope clearly defined
  • All questions answered
  • Answers are accurate
  • Answers are consistent
  • Evidence available if needed

Before submitting:

  • Review all answers
  • Check for inconsistencies
  • Verify technical details
  • Confirm you can stand behind every answer

How Bastion can help

The SAQ is straightforward if you're prepared, but preparation is where many organisations struggle.

  • Readiness assessment: we evaluate your current state against requirements
  • Gap identification: we find issues before they cause certification problems
  • Control implementation: our team helps implement what's needed, done right the first time
  • SAQ guidance: we help you complete the questionnaire accurately
  • Clarification support: we assist with any follow-up questions

Working with a managed service partner means you're not learning the questionnaire through trial and error. We know what certification bodies look for and can help ensure your answers are accurate, complete, and consistent.


Need help preparing for your self-assessment? Talk to our team