If you’re filling in the Cyber Essentials (CE) questionnaire, you’re probably not doing it for fun.
A customer has asked for it. Procurement has added it to a tender. An insurer wants reassurance. Or you’ve realised your “security basics” aren’t written down anywhere.
For owner-managed SMEs, the risk isn’t the form, it’s answering from assumption, and in 2025, 43% of UK businesses reported a cyber security breach or attack in the last 12 months.
This article is a practical, Microsoft 365-focused way to sanity-check what’s in place vs what you can evidence—without turning it into a months-long project.
Note: We’re talking about Cyber Essentials-style baseline alignment and evidence readiness. Not “guaranteed pass” claims, and not certification services.
Visit our Cyber Security & Cyber Essentials hub!
Read more on What a Cyber Essentials Aligned IT Environment Looks Like Day-to-Day!
Why the Cyber Essentials questionnaire creates risk for SMEs
The questionnaire is often treated as admin.
In reality, it’s a governance test.
It asks: Do you know what you run, who owns it, and whether the basics are consistently enforced?
Common triggers: customer procurement, insurer questions, supply chain pressure
A lot of 10–25 user firms only face this when someone else sets the bar.
Typical triggers:
A bigger customer treats you as a supply-chain risk.
A renewal asks for “baseline controls” evidence.
A tender requires Cyber Essentials (or equivalent).
A board-level question lands: “Are we covered?”
That’s why SMEs are often “stepping-stones”. You’re easier to reach than your bigger customers, and you still have access to them.
“Self-assessment” still requires accurate estate knowledge (and ownership)
Self-assessment doesn’t mean “best guess”.
It means you’re responsible for:
A clear scope.
A complete device and user picture.
Evidence you can stand behind.
Owners who keep it true after you submit.
If you can’t quickly answer “how many devices touch company data?”, your biggest risk is invisible drift.
Use the current question set (versions change)
Before you start, check the current documents.
Cyber Essentials updates over time, and outdated guidance is an easy way to create accidental non-compliance.
Which documents matter: Requirements vs Question Set vs (Plus) test spec
You’ll typically see three key documents:
Requirements for IT Infrastructure (the “standard” behind the scheme). NCSC
Question Set (the actual Cyber Essentials self-assessment questionnaire you answer). IASME - Home
Cyber Essentials Plus Test Specification (how independent testing is done for CE Plus). NCSC
IASME publishes downloads of the current Standard + Question Set + Plus Test Specification on one page. IASME - Home
NCSC also signposts the official resources. NCSC
Version awareness and what to check before you start
As of 7 January 2026:
The “Willow” question set applies to applications from 28 April 2025 (per IASME). IASME - Home
IASME notes the next question set “Danzell” is in development and scheduled to be available from 2 February 2026 (for use from 27 April 2026). IASME - Home
The next Requirements version v3.3 is stated as applying from 27 April 2026. IASME - Home; Upcoming Changes to the Cyber Essentials Scheme
Practical check before you begin:
Confirm which question set your assessment will use.
Download that exact version and work from it.
Don’t rely on blog posts that don’t name the version.
Read more on What a Cyber Essentials Aligned IT Environment Looks Like Day-to-Day!
Step 1 — Define scope and inventory what’s actually in your environment
Most Cyber Essentials pain comes from scope.
Not because you’re missing every control. But because you can’t confidently say what’s included.
Devices/users/locations: what typically trips up 10–25 seat SMEs
Common scope traps:
“We have 12 staff” (but 25 devices touching data).
A “temporary” laptop that became permanent.
Shared admin logins on the router or NAS.
Home working patterns that changed years ago.
Personal mobiles accessing company email.
A sensible SME scope baseline usually needs:
Every user account that accesses business data.
Every laptop/desktop used for work.
Mobiles/tablets that access email/files.
Any server/NAS you still rely on.
Network edge equipment if you run an office.
Cloud/SaaS list: “everything you use”, not just “what you remember”
If you’re Microsoft 365-centric, your scope is still wider than “what’s in 365”.
Build a quick list of:
Core business apps (accounts, CRM, project tools).
File sharing beyond SharePoint/OneDrive.
Password managers and shared vaults.
Any remote access tools.
Marketing platforms holding customer data.
If you can’t list it, you can’t claim it’s controlled.
Visit our Modern Workplace hub!
The five control areas — what “good” looks like for a Microsoft 365 SME
Cyber Essentials focuses on five technical control themes:
Firewalls and routers
Secure configuration
Security update management
User access control
Malware protection
Below is what “good” tends to look like in a Microsoft 365 SME—plus the kind of evidence you can usually capture.
Firewalls and routers: boundary basics and remote access assumptions
What the questionnaire is really asking:
Do you have a defined boundary?
Is remote access controlled?
Are default settings and risky services removed?
What “good” looks like for a small office setup:
A business-grade router/firewall with a named owner.
No exposed admin interfaces to the internet.
Remote access only via controlled methods (not random port forwards).
Strong admin credentials and MFA where supported.
Firmware kept supported and updated.
Evidence you can usually capture:
Screenshot of remote management disabled (or restricted).
Screenshot/export showing current firmware version.
Screenshot of admin users and access method.
A short note: who owns the device and who approves changes.
Secure configuration: baseline device settings and hardened defaults
“Secure configuration” is where SMEs often think they’re fine.
Then you discover:
Local admin everywhere.
No enforced disk encryption.
No consistent lock-screen policy.
Devices not enrolled anywhere.
What “good” looks like for Microsoft 365 SMEs:
Devices enrolled into management (e.g., Intune) with a standard build.
Disk encryption enforced (where supported).
Auto lock and password/PIN policy enforced.
No day-to-day local admin for standard users.
A clear stance on BYOD (either blocked or controlled).
Evidence you can usually capture:
Screenshots of device compliance policies and encryption settings.
Export or screenshot showing enrolled devices list.
A written statement of your BYOD policy (even if it’s “not allowed”).
Security update management: supported software and patching expectations
Cyber Essentials doesn’t want perfect patching.
It wants:
Supported software.
Updates applied within expected timelines.
A way to prove it’s happening.
What “good” looks like:
Supported Windows/macOS versions on all in-scope devices.
Automatic OS updates enforced where practical.
Third-party app patching addressed (not ignored).
A simple exception process for line-of-business apps.
Evidence you can usually capture:
Device compliance report showing OS versions.
Screenshots of update rings / patch policies (if managed).
A list of any exceptions and why they exist.
User access control: MFA coverage, admin separation, least privilege
This is where Microsoft 365 can either help you—or quietly hurt you if it’s messy.
What “good” looks like:
MFA enforced for all users (not “most”).
Admin accounts separated from day-to-day user accounts.
Privileged access limited to named individuals.
Leaver process that actually removes access promptly.
Shared accounts removed or tightly controlled.
Evidence you can usually capture:
Screenshot showing MFA status / enforced method.
Screenshot of admin roles and who holds them.
Written joiner/leaver ownership (who approves, who executes).
Read more on how to Align Microsoft 365 with CE-style controls!
Malware protection: endpoint coverage and monitoring expectations
For CE-style alignment, the big question is consistency:
Is every device covered?
Is it centrally managed?
Do you have a response expectation?
What “good” looks like:
Managed endpoint protection on all in-scope devices.
A standard policy set (not per-device tweaking).
Clear monitoring responsibility (internally or via a SOC-backed service).
A documented “what happens if we get an alert?” owner.
Evidence you can usually capture:
Device list showing protection status.
Policy screenshots (high-level).
A short incident responsibility statement (names/roles, not a playbook).
Evidence pack checklist — what to capture, export, and retain
If you only take one thing from this article, take this:
“We do this” is not evidence.
Evidence is what lets you answer consistently now, and still answer in six months.
Typical evidence types: screenshots, configuration exports, policy and role ownership
A practical evidence pack for SMEs usually includes:
Scope statement (devices, users, locations, services).
Asset list (even a simple export + notes).
Screenshots of key settings (MFA, device enrolment, encryption).
Router/firewall screenshots or config summary.
Patch posture evidence (OS version and update policy).
Endpoint protection coverage report.
Short written owner statements (who maintains what).
Keep it simple:
Date-stamp each item.
Store it in a controlled folder.
Name an owner for keeping it current.
Evidence ownership: who signs off and who maintains it over time
Decide two roles:
Accountable owner (usually the MD/ops lead): signs off that answers are true.
Technical owner (internal or external): maintains the evidence and updates.
That one step prevents “it was true when we submitted” headaches later.
Tools vs operating baseline (governance + ownership + evidence)
Many SMEs have plenty of tools.
They just don’t have a baseline that stays enforced.
The gap: configuration drift, unmanaged devices, and “unknown unknowns”
This is the usual pattern:
You set MFA, then new users bypass it.
You buy security software, then two laptops never get enrolled.
You intend to patch, then one line-of-business app pins you to old versions.
You think you don’t have BYOD, then you check sign-in logs.
The form doesn’t catch this. Evidence does.
The fix: standardisation, named owners, and recurring evidence capture
The lowest-drama way to reduce risk is boring:
Standardise devices and identities.
Enforce a CE-style baseline by default.
Capture evidence on a schedule.
Assign owners so it doesn’t rot.
This is why we push an opinionated model for Microsoft 365 SMEs: standardisation is what makes controls enforceable.
Read more on What a Cyber Essentials Aligned IT Environment Looks Like Day-to-Day!
Common questionnaire sticking points (and how to de-risk them)
These are predictable. And fixable.
Misreading questions and answering from assumptions
Common pitfalls:
Answering “yes” because it’s policy, not reality.
Confusing “available” with “enforced”.
Assuming scope is “office devices only”.
Forgetting about mobiles and shared mailboxes.
De-risk it:
Tie every “yes” to a screenshot/export or named owner.
If you can’t evidence it quickly, treat it as “not yet”.
Unsupported software, patch gaps, and “shadow IT” SaaS
Unsupported software is a silent killer for baseline controls.
So is SaaS sprawl.
De-risk it:
Build a “supported software” list (OS + key apps).
Identify the two or three apps that always lag patches.
List every SaaS used for business data—even if it’s “just for one team”.
Scope creep: BYOD, home routers, and “temporary” exceptions
The biggest risk is not saying “no”.
It’s saying “just this once” forever.
De-risk it:
Decide your BYOD stance.
Document exceptions with an owner and review date.
Remove “temporary” access paths (especially remote access shortcuts).
The right next step: Security Triage Call vs paid Security Baseline Review
If you’re here because a customer or insurer has put you under time pressure, don’t jump straight into tool changes.
Get clarity first.
Security Triage Call: clarify fit, scope, and headline gaps (decision gate)
If you want a quick, sensible view:
We run a free short Security Triage Call.
We clarify your likely scope, and what’s missing at headline level.
You leave knowing whether you’re close to a baseline, or not.
Book a free Security Triage Call
Security Baseline Review (paid): structured evidence collection + written baseline report + prioritised path
If you need something you can stand behind with leadership, customers, or insurers:
The next step is a paid Security Baseline Review.
We collect and validate evidence (screenshots/exports/walkthroughs).
You get a written baseline report and a prioritised remediation path—mapped to CE-style controls.
9 Jan 2026
Cyber Security
Ransomware response plan for UK SMEs: prevent, contain and recover with a Cyber Essentials–style baseline
8 Jan 2026
Cyber Security
Cyber Essentials Questionnaire: Evidence Checklist for Microsoft 365 SMEs
31 Dec 2025
Modern Workplace
Align Microsoft 365 to Cyber Essentials Controls
30 Dec 2025
Backup & Disaster Recovery
How often should you test backups?
30 Dec 2025
Backup & Disaster Recovery
