Cyber Essentials Readiness

Methodology

How the readiness check turns 20 self-assessment answers into a per-control and overall Cyber Essentials v3.3 (Danzell) readiness view, and why the Danzell auto-fail items override the numeric score.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme owned by the National Cyber Security Centre (NCSC) - a part of GCHQ - and administered by IASME (the Information Assurance for Small and Medium Enterprises consortium). IASME accredits the certification bodies and maintains the question set; only an IASME-accredited body can issue an actual Cyber Essentials certificate.

Cyber Essentials covers five technical controls - firewalls, secure configuration, user access control, security update management, and malware protection - and is the baseline cyber assurance standard referenced by central-government procurement (PPN 014/21) and many enterprise supplier-due-diligence programmes.

v3.3 Danzell - in force 28 April 2026

The v3.3 update - codenamed Danzell - is the question set every IASME assessor will use from 28 April 2026. Headline changes:

  • MFA mandatory on every cloud administrator account (Microsoft 365, Google Workspace, AWS, Azure, etc.). A 'no' or 'partial' here is an auto-fail.
  • Critical and high-severity patches applied within 14 calendar days of vendor release (CVSS ≥ 7.0 or vendor-marked 'critical'). A 'no' or 'partial' here is also an auto-fail.
  • Passkeys explicitly accepted as an MFA factor alongside authenticator apps and FIDO2 hardware keys.
  • SMS-only MFA is deprecated as the primary factor - it remains acceptable as a recovery factor only.
  • Clarifications around home-worker / BYOD scope and the boundary of an "in-scope" device.

Submissions on or after 28 April 2026 are assessed against v3.3. Earlier submissions stay on whichever version was in force when they were lodged.

The five technical controls

  1. Firewalls (Q1-Q4) - boundary firewalls or equivalents on every internet-facing device, default-deny inbound, no public-internet admin access (or MFA + IP allow-list), default passwords changed.
  2. Secure configuration (Q5-Q8) - default user accounts removed or locked down, unused services disabled, auto-run off for removable media, screen-lock policy enforced.
  3. User access control (Q9-Q12) - MFA mandatory on every cloud admin (Q9 - Danzell auto-fail), least-privilege for daily-use accounts, separate admin accounts for privileged work, no SMS-only MFA as primary factor.
  4. Security update management (Q13-Q16) - supported software only, automatic updates enabled, critical patching within 14 days (Q15 - Danzell auto-fail), monthly patch-status review.
  5. Malware protection (Q17-Q20) - anti-malware (or platform-native equivalent) on every endpoint, definitions auto-updated, application allow-listing centrally managed where used, tamper-resistance enforced.

Scoring methodology

Each question is scored 0, 50, or 100:

Yes      = 100 points
Partial  =  50 points
No       =   0 points

control_score   = mean(question_scores in that control)   // 0..100
overall_score   = mean(control_scores)                    // 0..100

readiness band:
  ≥ 90  → ready
  70-89 → minor_gaps
  50-69 → major_gaps
  < 50  → non_compliant

Danzell auto-fail (overrides band when triggered):
  Q9  answer in {no, partial}  → MFA on cloud admin failure
  Q15 answer in {no, partial}  → 14-day critical patching failure

The auto-fail logic is the critical detail. An IASME assessor under v3.3 (Danzell) will fail the submission if Q9 or Q15 is answered 'no' or 'partial' - regardless of how high the numeric score otherwise climbs. This tool surfaces that fact in a top-level red banner so you do not get a false sense of security from a high overall percentage.

The five controls are weighted equally because the IASME assessor model treats them as a flat checklist - passing four out of five does not certify you.
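The scoring rules above, worked through as an added example that is not the tool's own code. It assumes answers are keyed "q1" to "q20" (a constructed naming convention) and groups them into the five controls exactly as the page lists them; it validates input first so a mistyped answer raises an error rather than silently scoring as 'No', computes control and overall means, maps the overall score to a band, and then lets a Danzell auto-fail on Q9 or Q15 override that band.

```python
from statistics import mean

# Answer values from the scoring table on the page.
SCORE = {"yes": 100, "partial": 50, "no": 0}

# Question-to-control mapping from the page. The "q1".."q20" keys are a
# constructed naming convention for this example, not the tool's identifiers.
CONTROLS = {
    "firewalls":                  ["q1", "q2", "q3", "q4"],
    "secure_configuration":       ["q5", "q6", "q7", "q8"],
    "user_access_control":        ["q9", "q10", "q11", "q12"],
    "security_update_management": ["q13", "q14", "q15", "q16"],
    "malware_protection":         ["q17", "q18", "q19", "q20"],
}

# Danzell auto-fail items: 'no' or 'partial' fails the submission outright.
AUTO_FAIL = {
    "q9":  "MFA on cloud admin failure",
    "q15": "14-day critical patching failure",
}


def band(score):
    """Map a 0..100 overall score to the readiness band used on the page."""
    if score >= 90:
        return "ready"
    if score >= 70:
        return "minor_gaps"
    if score >= 50:
        return "major_gaps"
    return "non_compliant"


def assess(answers):
    """Score 20 answers (dict qN -> yes/partial/no) into the per-control and overall view."""
    # Normalise and validate first so a typo never silently scores as 0.
    normalised = {}
    for questions in CONTROLS.values():
        for q in questions:
            if q not in answers:
                raise ValueError(f"missing answer for {q}")
            value = str(answers[q]).strip().lower()
            if value not in SCORE:
                raise ValueError(f"{q}: expected yes/partial/no, got {answers[q]!r}")
            normalised[q] = value

    # control_score = mean of its four question scores; overall = unweighted mean of controls.
    control_scores = {
        control: mean(SCORE[normalised[q]] for q in questions)
        for control, questions in CONTROLS.items()
    }
    overall = mean(control_scores.values())

    # The auto-fail check is independent of the numeric score and overrides the band.
    failures = [msg for q, msg in AUTO_FAIL.items() if normalised[q] in ("no", "partial")]

    return {
        "control_scores": control_scores,
        "overall_score": overall,
        "band": band(overall),
        "auto_fail": failures,
        "status": "auto_fail" if failures else band(overall),
    }


if __name__ == "__main__":
    # Constructed sample: everything in place except Q9 answered 'partial'.
    sample = {f"q{i}": "yes" for i in range(1, 21)}
    sample["q9"] = "partial"
    result = assess(sample)
    print(result["overall_score"], result["band"], result["status"], result["auto_fail"])
```

The sample in the `__main__` block is the case the page warns about: one 'partial' on Q9 leaves the overall score at 97.5 and the band at "ready", yet the status is "auto_fail" because the MFA-on-cloud-admin rule is evaluated separately from the mean. Keeping `band` and `auto_fail` as distinct fields is what lets a front end show the red banner alongside the percentage rather than instead of it.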

References

  • NCSC - Cyber Essentials scheme owner (ncsc.gov.uk/cyberessentials/overview).
  • IASME - scheme administrator and accreditor of certification bodies (iasme.co.uk/cyber-essentials).
  • Procurement Policy Note 014/21 (PPN 014/21) - UK central government suppliers must hold Cyber Essentials where the contract handles personal data or government information.
  • v3.3 (Danzell) question set - IASME, in force 28 April 2026. Mandates MFA on cloud admin accounts and 14-day critical patching.

Methodology FAQs

Who owns the Cyber Essentials scheme?
Cyber Essentials is owned by the National Cyber Security Centre (NCSC), a part of GCHQ. Day-to-day administration - including accrediting certification bodies, maintaining the question set, and issuing certificates - is delegated to IASME (the Information Assurance for Small and Medium Enterprises consortium). Only IASME-accredited bodies can issue an actual Cyber Essentials certificate.

What changed in v3.3 (Danzell)?
The v3.3 update - codenamed 'Danzell' - comes into force on 28 April 2026. The headline changes are: (1) MFA mandatory on every cloud administrator account; (2) critical and high-severity patches must be applied within 14 days; (3) passkeys are explicitly accepted; (4) SMS-only MFA is deprecated as the primary factor; (5) clarifications around home-worker scope and BYOD. Submissions on or after 28 April 2026 are assessed against v3.3.

How is the readiness score calculated?
Each of the five controls is scored on a 0-100 scale based on the four questions covering it. A 'Yes' answer is worth 100 points, 'Partial' is worth 50 points, 'No' is 0. The control score is the average across its four questions. The overall readiness score is the unweighted mean of the five control scores. Critically, an auto-fail on Q9 (MFA on cloud admin) or Q15 (14-day patching) overrides the numeric score - an IASME assessor will fail the submission regardless of how high the rest scores.

What is the difference between this tool and an IASME assessment?
This tool is a free, anonymous self-assessment. We mirror the v3.3 question set and apply the documented auto-fail rules so you can find gaps and remediate them before paying for a real assessment. An IASME assessment, by contrast, is conducted by an IASME-accredited certification body, includes evidence review, and produces a Cyber Essentials certificate valid for 12 months. CrowAgent is NOT an IASME-accredited body.

Where does PPN 014/21 fit in?
Procurement Policy Note 014/21 (PPN 014/21, replacing PPN 09/14) requires central government suppliers to hold valid Cyber Essentials certification where the contract handles personal data or government information. If you bid for central government contracts, your readiness here gives you a fast indicator of whether you would survive an IASME assessment under the same Danzell question set the assessor will use.