Cyber Security

What is the Cyber Essentials Self Assessment Questionnaire?

This article outlines what the Cyber Essentials Self Assessment Questionnaire is for SMEs in Sussex & Kent.


The Cyber Essentials Self Assessment Questionnaire (SAQ) is a key tool for UK owner-managed SMEs in Sussex & Kent, particularly those using Microsoft 365, to check their cyber security controls. Accurate answers are essential because they show whether the right cyber security protections are actually operational in your business. This guide will help you tackle the questionnaire confidently and correctly.

What is the Cyber Essentials Self Assessment Questionnaire (SAQ)?

The Cyber Essentials SAQ is the part of the Cyber Essentials certification process that is reviewed externally. Cyber Essentials Plus builds on the same controls and adds technical testing, so weak answers at this stage can make later validation harder.

Your answers need to reflect what is actually in place, and an assessor may ask for more detail if something is unclear.

Can you see the Self Assessment Questionnaire before you buy?

Yes, you can preview or download the questionnaire and current requirements document before purchasing. The materials evolve, so it’s important to ensure you’re working from the latest version.

What the Self Assessment Questionnaire actually covers

The questionnaire covers your business's users, devices and services, and how these are accessed. It focuses on the five control areas the scheme is built around: firewalls, secure configuration, user access control, malware protection, and patch management.

What to prepare before you start answering

For a Microsoft 365 SME, preparation involves practical checks. Know which users and devices, such as laptops, mobiles and shared units, are in scope. Confirm whether all devices are properly managed. Check if MFA is enforced for everyone who needs it. Understand who has admin rights and why. Document the actual remote access methods used and identify unsupported software. Ensure that policy, settings, and daily practices align, as gaps in these areas commonly trip up businesses.

The most common ways SMEs answer badly

SMEs often respond based on assumptions instead of actual practice. For instance, MFA may be set up for some but not enforced for all users. Some devices may be managed, while others slip through the net. Admin access can become too broad, and the scope for mobile and shared devices can be unclear. Unsupported software might still be running. Responses that don't align with these realities lead to inconsistencies and issues down the line.

How the Self Assessment Questionnaire fits into the wider certification path

The SAQ is the first step in achieving Cyber Essentials certification, paving the way for Cyber Essentials Plus. Inaccurate answers here can make further verification difficult, so it’s crucial to establish secure practices now.

When to use an evidence checklist, and when to get outside help

If you’re clear on the scope and need evidence examples, use our Cyber Essentials evidence checklist for Microsoft 365. If you're unsure about the scope, ownership, or if your answers can be defended, then a Security Triage Call can clarify these gaps. Remember, the call is not a free audit or shortcut to certification.

If you want a broader view of how Cyber Essentials fits into a maintained IT security baseline, see our Cyber Security & Cyber Essentials page.

FAQs

Can I preview the questionnaire before buying?
Yes, this allows you to understand its scope and requirements before purchasing.

Is the questionnaire the same as Cyber Essentials Plus?
No, Cyber Essentials Plus involves additional verification beyond self-assessment.

Do I need evidence before I answer?
While this guide helps with answering the questionnaire, our evidence checklist details what to gather.

What usually causes problems for SMEs?
Problems often arise from unclear scope, relying on assumptions, and inconsistent application throughout the organisation.

Does the questionnaire change over time?
Yes. The question set and requirements document can change, so make sure you are always working from the current version.

Conclusion

Use the current question set and requirements document, define the scope properly and answer from what is actually enforced in the environment, not what should be true on paper. If you need examples of the information that should be gathered, use our Cyber Essentials evidence checklist for Microsoft 365. If scope, ownership or control reality is still unclear, booking a free Security Triage Call with us is the next best step!

More resources

Keep reading

Browse the latest practical guides across Managed IT, Cyber Security, Modern Workplace, and Backup


For 10-15 seat

Owner-managed SMEs in Sussex & Kent

Who want clarity, stability, and a proper security baseline — start with the free Security Triage Call.
