Free Download of Self-Assessment Questions

Below please find information about recent Updates to Cyber Essentials, download the Question Set and Requirements for Infrastructure. The questions are available in English and Welsh. Also on this page is a Pricing Table and a list of FAQs about the January 2022 update.

Updates to Cyber Essentials Scheme

On 24th January 2022 the NCSC and IASME implemented an updated set of requirements for Cyber Essentials. This update was the biggest overhaul of the scheme’s technical controls since it was launched in 2014 and came in response to the cyber security challenges organisations now regularly face.

The scheme operates in an environment that has changed dramatically in the last seven years and to reflect these changes, the pricing of Cyber Essentials has adopted a new tiered structure.

Micro businesses and organisations will continue to pay the previous £300 assessment charge, but small, medium and large organisations will be charged on a sliding scale that aims to better reflect the complexity involved in assessing larger organisations.

Scroll down to browse our FAQs about the changes.

Download Question Set and Requirements Document

Before 24th January 2022 (Beacon)

Download the Cyber Essentials question set and requirements document used on all assessment accounts created before January 24th 2022.

After 24th January 2022 (Evendine)

Download the Cyber Essentials question set and requirements document used on all assessment accounts created on or after January 24th 2022.

lawrlwytho cwestiynau yn Gymraeg

Lawrlwythwch Llyfryn Paratoi ar gyfer Hunanasesiad a Dogfen Gofynion am ddim Cyber Essentials.

These questions are for information only. If you want to be assessed you cannot submit these questions sets to us. You must apply online for an assessment.

Once you have paid we will send you the login details for a secure online assessment platform. The questions will be the same as those you can download here but you need to complete the assessment on this portal for it to be assessed.

Pricing Table

All assessment accounts created before January 24th 2022 will be priced at £300 + VAT.

All assessment accounts created on or after January 24th 2022 will be priced as follows:

Pricing Structure

Micro Organisations

0-9 Employees

£300 +VAT

Small Organisations

10-49 Employees

£400 +VAT

Medium Organisations

50-249 Employees

£450 +VAT

Large Organisations

250+ Employees

£500 +VAT

January 2022 Update FAQs

When do the changes come into effect?

The new version of the Cyber Essentials technical requirements will be released on 24th January 2022. Any assessments that begin on or after this date will be certifying to the new standard.

When will more technical details of the changes be available?

The new NCSC Requirements for Infrastructure document can be found here.

The new question set can be found here .

A blog outlining more detail about the specific changes and the reasons behind them can be found here

What happens if I start the process before 24th January?
Any assessments that begin before 24th January will be certifying to the current technical standard (v2.2 requirements doc). These assessments will have 6 months from 24th January to complete.
I’m currently in the process of completing my assessment, will the questions now change?

No, if you started your assessment before 24th January then the question set and requirements will not change. You will have up to 6 months to complete that assessment.

Can I choose which question set or requirements to be assessed against?

No, if you begin your assessment before 24th January then you will be assessed against the current questions and requirements. Any assessments that begin on or after 24th January will use the new questions and requirements.

Will cyber insurance still be included in the cost of certification for small organisations?

Yes, insurance will still be offered to small organisations. Learn more here.

What happens if I gain CE certification using the current question set and requirements but subsequently need to gain CE+ after 24th January?

If you begin the CE process before 24th January, then your CE+ audit will be carried out against the same question set and requirements and must be completed within 3 months of the CE assessment.

Are there any circumstances under which the current requirements will still apply beyond the expiry date of 24th July 2022?

Yes, as your CE+ audit must be carried out within 3 months of beginning the CE process, if you begin the CE process before 24th January this may mean that the CE+ audit is completed beyond the expiry date for the current requirements which is 24th July 2022.

Who was involved in the update of the technical standard?

The updated technical standard has been drawn up by the NCSC and IASME. Many of the changes are based on feedback from assessors and applicants. Technical experts from the NCSC have been involved alongside engagement with the Cloud Industry Forum.

These are significant changes, will there be any allowances made for organisations who may not be able to meet the new standard yet?

We appreciate that some of the changes will be challenging for some organisations. We feel that most of them are achievable immediately but there will be a 12-month grace period for some of the more complex updates. These will be signposted on the new question set.

My organisation has other technical controls in place that don’t meet the new Cyber Essentials requirements, am I able to use these to achieve certification?

Cyber Essentials is a prescriptive standard and other mitigations are not currently permitted. However, we are in the process of looking into how we may be able to assist organisations in these situations. This project is still in the development phase and further information will be available when appropriate.

How long are the certificates valid for?

All new certificates issued by IASME will have a 12-month expiry date.

Find Out More

Have a look at our Frequently Asked Questions or speak to our team