How to Pass the Cyber Essentials Self-Assessment Questionnaire (SAQ)

by SecureSlate Team in ISO 27001


Cyber Essentials is a UK government-backed cybersecurity certification scheme (owned by the NCSC and delivered through IASME) that helps organizations protect themselves against the most common online threats. It’s simple in concept, but if you’re the person responsible for completing the self-assessment questionnaire (SAQ), you know it can quickly turn into a time-consuming process, especially without a clear plan.

This guide walks through exactly what the SAQ is, what it includes, and how to complete it efficiently, without second-guessing or overcomplicating things.

What is the Cyber Essentials SAQ?

The SAQ is a self-assessment document made up of structured questions designed to help you determine whether your organization meets the Cyber Essentials requirements. It’s a required step in both the basic Cyber Essentials certification and Cyber Essentials Plus, which builds on a passed basic assessment with hands-on technical verification by an assessor.

Unlike frameworks whose standards are paywalled or highly technical (like ISO 27001), the Cyber Essentials question set is free to download from the IASME website; you only pay when you submit for certification. It helps organizations assess their cyber hygiene against five technical control areas, each focused on reducing risk from common attack vectors. These are:

  • Firewalls (boundary and host-based firewalls)
  • Secure configuration of devices and software
  • User access control (accounts, privileges and authentication)
  • Security update management (patch management)
  • Malware protection

The questionnaire is designed for organizations of all sizes. While small businesses can often get through it quickly, larger or more complex IT environments may need a more structured, phased approach.

Two versions of the SAQ are in circulation: one for assessments started before April 2025 and another for assessments started after that date, when the question set was revised. Each version is aligned with a specific version of the supporting documentation, namely the NCSC’s “Cyber Essentials: Requirements for IT Infrastructure” and the Cyber Essentials Plus Test Specification. Make sure you’re using the right one for your timeline, and read the requirements document alongside the questions; it defines the terms the SAQ uses.

What’s Inside the SAQ?

The questionnaire is divided into four main sections:

1. Company Information

Basic details like your company name, address, business type, and why you’re seeking certification. You’ll also indicate whether your organization has cyber liability insurance or is eligible for it (based on size and location).

2. Scope of Assessment

You define which parts of your IT infrastructure are covered in the certification. You can assess your entire organization or limit the scope to a defined subset, but the certificate then only speaks for that subset. Keep in mind: a broader scope means fewer blind spots, and only a whole-organization scope qualifies for the included insurance.

3. Insurance Eligibility

For UK-domiciled organizations with an annual turnover under £20 million that certify with a whole-organization scope, basic Cyber Essentials certification comes with complimentary cyber liability insurance. This section asks about your annual turnover and whether your organization is based in the UK.

4. Control Requirements

This section is the heart of the SAQ. It covers dozens of questions across the five Cyber Essentials control areas. You’ll confirm whether the required policies and configurations are in place and functioning correctly for every device and service within scope, not just a representative sample.

Step-by-Step: How to Pass the Cyber Essentials SAQ

Step 1: Define Your Scope Clearly

Start by determining what parts of your IT setup will be included in the assessment. Ideally, the scope should cover everything — endpoints, servers, cloud services, mobile devices, and users.

While a full-scope assessment gives the strongest security posture and is required for insurance eligibility, the framework does allow some exclusions. These commonly include:

  • Mobile devices used only for native voice calls, text messages or multi-factor authentication
  • Networks that are physically isolated from the internet and from in-scope systems
  • Systems owned and managed by a third party that hold none of your organization’s data
  • Home routers you don’t control (the user’s device must then rely on its own software firewall)

Note that cloud services your organization uses, and employee-owned devices that access organizational data or services, are in scope and cannot be excluded on the grounds that you don’t own the hardware.

If you decide to limit the scope, you must explain what’s excluded and why. You’ll also need a clear asset inventory. This should include device types, operating systems and versions, applications, locations, users, and ownership.

A spreadsheet is fine if you’re small, but larger teams should use an asset management system or a compliance platform with inventory tracking.

Step 2: Conduct a Security Review

Once the scope is set, start your internal review. Go through each of the five control areas and evaluate whether current systems meet the requirements.

This part of the process may involve:

  • Reviewing security policies (e.g., password strength, MFA enforcement)
  • Checking firewall settings
  • Reviewing admin privileges
  • Running vulnerability scans
  • Inspecting software update settings
  • Reviewing antivirus and anti-malware coverage

Don’t wait until you’re filling out the SAQ to discover that a set of devices has no patch management, or that half your users are still local administrators.

If your environment is distributed or hybrid (e.g., a mix of cloud and on-premise), be especially thorough. Pay attention to unmanaged systems: employee-owned or ad hoc devices are often overlooked, but they fall within scope if they access your organization’s data or services.
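The review above is easier to do consistently, and to evidence later, if each control is checked by a script rather than by eye. The following is an added example, not from the original article or from any certification body: a read-only PowerShell script that gathers the state of the five control areas on a single Windows endpoint and writes the result to a timestamped JSON file, so one run per device also produces the evidence discussed in Step 3. It assumes Windows PowerShell 5.1 in an elevated session with Microsoft Defender present; the thresholds it applies (a 14-day update window, a 900-second lock timeout, at most two local administrators, signatures no older than a day) are assumptions marked in the comments and should be checked against the version of the Requirements for IT Infrastructure that applies to your assessment.

```powershell
# Added example: read-only evidence gathering for the five Cyber Essentials control
# areas on one Windows endpoint. Run elevated in Windows PowerShell 5.1.
# Thresholds below are assumptions, not values taken from the scheme documents.

$results = New-Object System.Collections.Generic.List[object]
function Add-Result($Control, $Check, $Pass, $Detail) {
    $status = if ($Pass) { 'PASS' } else { 'REVIEW' }
    $results.Add([pscustomobject]@{ Control = $Control; Check = $Check; Status = $status; Detail = $Detail })
}

# 1. Firewalls: every profile enabled and not allowing unsolicited inbound traffic
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
    Add-Result 'Firewalls' "Profile $($p.Name) enabled, inbound blocked" $ok "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
}

# 2. Secure configuration: AutoRun off for all drive types, Guest disabled, inactivity lock set
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun  = (Get-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Result 'Secure configuration' 'AutoRun disabled for all drive types (0xFF)' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun"

$guest = Get-LocalUser -Name Guest -ErrorAction SilentlyContinue
Add-Result 'Secure configuration' 'Built-in Guest account disabled' ((-not $guest) -or (-not $guest.Enabled)) "Enabled=$($guest.Enabled)"

$sys     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$timeout = (Get-ItemProperty -Path $sys -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
# Assumption: a lock after at most 900 s of inactivity is what the organisation's policy requires
Add-Result 'Secure configuration' 'Inactivity lock configured (<= 900 s, assumed)' (($timeout -gt 0) -and ($timeout -le 900)) "InactivityTimeoutSecs=$timeout"

# 3. Security update management: automatic updates not disabled by policy; latest update recent
$au     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $au -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
Add-Result 'Security update management' 'Automatic updates not disabled by policy' ($noAuto -ne 1) "NoAutoUpdate=$noAuto"

# Heuristic: Get-HotFix lists installed Windows updates; a recent InstalledOn suggests patching is live.
# It does not prove every critical update was applied within 14 days; keep WSUS/Intune reports as primary evidence.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age    = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
Add-Result 'Security update management' 'Most recent update within 14 days (heuristic)' (($null -ne $age) -and ($age -le 14)) "Latest=$($latest.HotFixID) InstalledOn=$($latest.InstalledOn) AgeDays=$age"

# 4. User access control: who holds local administrator rights (assumed limit: 2 members)
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
Add-Result 'User access control' 'Local Administrators group limited (<= 2 members, assumed)' ($admins.Count -le 2) ($admins -join ', ')

# 5. Malware protection: Defender enabled with real-time protection and fresh signatures
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Add-Result 'Malware protection' 'Antivirus and real-time protection enabled' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) "AV=$($mp.AntivirusEnabled) RTP=$($mp.RealTimeProtectionEnabled)"
    Add-Result 'Malware protection' 'Signatures updated within 1 day (assumed)' ($mp.AntivirusSignatureAge -le 1) "SignatureAgeDays=$($mp.AntivirusSignatureAge) LastUpdated=$($mp.AntivirusSignatureLastUpdated)"
} else {
    Add-Result 'Malware protection' 'Defender status available' $false 'Get-MpComputerStatus returned nothing; record third-party AV evidence manually'
}

# Evidence: console summary plus a per-device JSON file to store with the rest of your SAQ evidence
$results | Format-Table Control, Check, Status -AutoSize
$evidence = [pscustomobject]@{
    Hostname  = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
    OS        = (Get-CimInstance Win32_OperatingSystem).Caption
    Checks    = $results
}
$out = Join-Path $env:TEMP ("ce-evidence-{0}-{1:yyyyMMdd}.json" -f $env:COMPUTERNAME, (Get-Date))
$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path $out -Encoding UTF8
Write-Host "Evidence written to $out"
```

Anything marked REVIEW is a prompt to look closer, not an automatic failure: a third-party firewall or antivirus, or updates delivered by Intune rather than Windows Update, will show up here as gaps that your management console evidence should close. Run the script on a sample of each device type in scope, keep the JSON files alongside the console exports, and re-run them at renewal time so the evidence reflects the current state rather than last year’s.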


Step 3: Gather and Centralize Your Evidence

You’re not just answering yes or no. You’ll need to provide documentation supporting your responses.

Examples of acceptable evidence:

  • Configuration screenshots
  • Update history or patch logs
  • User access reviews
  • Policy documents (PDF or internal wiki)
  • Antivirus reports or EDR logs

What you must attach varies by question: the basic self-assessment is largely declarative, but the assessor can ask for clarification or proof on any answer, so expect to be able to produce evidence for the majority of questions. For Cyber Essentials Plus, the assessor verifies a sample of in-scope devices directly, so the evidence has to match the real configuration.

Tip: Don’t spread your evidence across multiple folders, systems, or inboxes. Store it all in one location. Better yet, use a compliance platform that automates evidence collection from your existing tools, like your endpoint management system, identity provider, or patching solution.

Step 4: Complete the Questionnaire Accurately

Now that you’ve scoped your environment and validated your controls, it’s time to fill out the SAQ.

  • Be precise. Avoid vague answers or estimates.
  • Stick to facts. Don’t assume something is “probably configured” — check it.
  • Collaborate with your technical teams. The person responsible for network settings isn’t always the one filling out the form, so loop in your security and IT staff as needed.
  • Track who answered what. If the certification body comes back with follow-ups, you’ll want to know who owns each response.

Once it’s complete, submit the SAQ through your chosen certification body’s platform and pay the certification fee. Basic certification requires a board member (or equivalent senior person) to sign a declaration that the answers are accurate before an assessor reviews them, while Cyber Essentials Plus adds hands-on technical verification by an assessor, which must be completed within three months of passing the basic assessment.

Step 5: Remediate Gaps (If Needed)

If you come across missing controls or weak configurations during the process, you’ve got two choices:

  1. Submit the SAQ as-is and prepare to handle feedback from the certifying body.
  2. Pause submission, fix the issues, then submit once you’re fully ready.

In most cases, it’s better to fix the gaps first. Certification bodies can fail your submission or return it with a request for further evidence. And for Cyber Essentials Plus, the assessor’s hands-on testing will surface those issues anyway, so it’s smarter to address them early.

What Happens After Submission?

Once certified, your Cyber Essentials badge is valid for 12 months. You’ll need to renew annually. That means re-submitting an updated SAQ each year and potentially undergoing another Plus audit if you’re pursuing or maintaining that level.

To make renewals easier:

  • Maintain documentation as you go. Don’t wait until the next SAQ cycle.
  • Monitor compliance continuously, not just once a year.
  • Automate wherever possible — manual compliance tracking rarely scales.

Should You Use Software to Manage Cyber Essentials?

For small teams with a simple IT setup, spreadsheets and email might get the job done. But if you’re managing dozens (or hundreds) of assets, multiple environments, or planning to scale, a compliance tool can save significant time.

Look for tools that:

  • Integrate with your existing stack (e.g., Microsoft 365, AWS, Google Workspace)
  • Pull audit-ready evidence automatically
  • Track remediation workflows
  • Centralize documentation and controls

Cyber Essentials compliance doesn’t have to be painful, provided you prepare properly and take advantage of automation where it makes sense.

How SecureSlate Simplifies the SAQ Process

SecureSlate makes the Cyber Essentials SAQ process faster, clearer, and far less manual. It starts with helping you define the exact scope of your assessment — mapping out users, devices, and systems that fall within the certification boundary.

From there, you get a real-time view of your security posture, showing which requirements are already met, what needs attention, and what evidence is in place.

When it comes to completing the SAQ, SecureSlate adds clarity to every question. You’ll know exactly what’s being asked and how your current setup stacks up. The platform automates evidence collection where possible and gives you a single place to store policies, screenshots, and documents.

If any gaps are found, you can assign and track remediation tasks directly. And if you’re going for Cyber Essentials Plus, SecureSlate keeps you audit-ready with up-to-date controls and clean reporting.

Conclusion

Completing the Cyber Essentials SAQ isn’t just a checkbox activity — it’s a chance to get a clearer view of your cybersecurity posture. When done right, it sets the foundation for stronger policies, better tooling, and smarter risk management.

It’s not about chasing a badge. It’s about proving, to yourself and others, that your business takes cyber risk seriously.

Ready to Streamline Compliance?

Building a secure foundation for your startup is crucial, but navigating the complexities of achieving compliance can be a hassle, especially for small teams.

SecureSlate offers a simpler solution:

  • Affordable: Expensive compliance software shouldn’t be the barrier. Our affordable plans start at just $99/month.
  • Focus on Your Business, Not Paperwork: Automate tedious tasks and free up your team to focus on innovation and growth.
  • Gain Confidence and Credibility: Our platform guides you through the process, ensuring you meet all essential requirements, and giving you peace of mind.

Get Started in Just 3 Minutes

It only takes 3 minutes to sign up and see how our platform can streamline your compliance journey.


If you're interested in using AI-assisted compliance automation, please reach out to our team to get started with a SecureSlate trial.