Cyber Essentials Guide – An in-depth look at passing first time.

This Cyber Essentials guide, along with example answers, has been written by a Cyber Essentials Lead Assessor and is intended to help those companies wishing to certify with Indelible Data Limited. The purpose is to help clients get the submission right at the first attempt and save time. Though this document has not been issued by, or on behalf of, The National Cyber Security Centre (NCSC) or the NCSC’s sole Cyber Essentials Partner, IASME, it has been compiled by a Lead Assessor with extensive knowledge of the scheme. Information in this Cyber Essentials Guide is subject to change without prior notice.

For further details to help you prepare for Cyber Essentials Plus assessment, please familiarise yourself with this guide first, then go to our Cyber Essentials Plus checklist blog.

You may also find helpful information in our Cyber Essentials FAQs



Completing the Cyber Essentials question set can, at first, appear daunting. This guide helps take away the uncertainty, guide the applicant through the Cyber Essentials Basic Level submission process and is split into 3 sections:

      1. Describing the journey from initial enquiry through to final submission and subsequent assessor feedback
      2. Helping to scope the assessment
      3. Addressing the requirements of the Cyber Essentials questions and explaining areas where most applicants either misunderstand or simply do not respond to the questions as comprehensively as expected.

The aim is to ensure submissions are not made until the applicant is confident all the questions have been completed correctly – hence increasing the chances of passing the submission first time!

Note: It is tempting to just jump to section 3 and address the questions, however if you have not defined the scope correctly, then the questions cannot be assessed properly.

The question-sets that require completion on the portal each have an associated version name. Up to April 23rd 2023 this is called "Evendine" and from April 24th 2023 onward is called "Montpellier".

There is a 6 month change-over period for those accounts created on the portal before the 24th April 2023 (i.e. those using the Evendine question-set). Wherever possible we have included the Montpellier requirements alongside the Evendine requirements in this guide - but some sections have been added that related solely to Montpellier. Where this happens, we put the questionnaire name next to the section or question number e.g.

  • Cloud systems (Montpellier)

Many of the same questions are present with the same numbers on both questionnaire versions. Where they differ, the question will have the version it relates to in brackets  - for example:

  • A7.17 (Montpellier) followed by Montpellier requirements

Further helpful Cyber Essentials resources can be found at the NCSC's Website.

Full access to this guide is part of our Cyber Essentials Basic - SILVER and GOLD PACKAGES or can be purchased separately in our shop

Existing clients who (already had access) and Trusted Partners will have received login instructions by email.