Common Cyber Essentials Pitfalls (and How to Avoid Them)
Delta Team, Oct 9
Getting your Cyber Essentials certification is a vital first step for businesses that want to improve their cyber security, bid for government contracts, or win new work and partners by demonstrating their commitment to cyber security best practices.
Even though the assessment is designed to be simple, many organisations still find parts of it difficult to navigate. At Delta, we know the process isn’t always straightforward. On average, companies submit their application three times before passing, taking more time and creating added pressure.
In this blog, we’ll walk through the most common mistakes we encounter, helping to smooth the journey by breaking them down into the three categories which matter most: Automatic Failures, Major Non-Conformities (MNCs), and More Information Required (MIRs).
1. Automatic Failure Questions
These are critical questions where an application cannot pass unless the requirements are met. If issues are identified, you are allowed time to remediate them and resubmit your assessment.
Unsupported software in use – Running outdated or end-of-life systems, such as Windows 7 or Windows 11 21H2, will prevent an application from passing. All devices in scope must be supported with security updates.
Multi-Factor Authentication (MFA) – Not enabling MFA on cloud services that support it will result in a non-pass outcome until remediated. If native MFA is not available but Single Sign-On (SSO) integration is, SSO must be utilised.
Delta Tips:
Audit your systems before submission. https://endoflife.date/ is a great resource to help identify non-compliant operating systems and versions.
Confirm that all cloud services which support MFA or SSO have these features enabled.
2. Major Non-Conformities (MNCs)
These don’t cause an instant failure, but too many will result in one because they represent significant weaknesses which must be corrected before you can pass.
No boundary firewall or lack of management – Firewalls are your first line of defence against internet-borne threats. Not having one in place, or being unable to demonstrate that its configuration is actively managed, will trigger an MNC.
Unpatched critical vulnerabilities – Missing application security patches can be a deal-breaker. Even a single device without timely updates can cause multiple MNCs.
Administrator accounts used for day-to-day tasks – Admin rights must be tightly controlled. Organisations should have a documented process for provisioning and managing these accounts, with strict controls over how they are used.
Delta Tips:
If you work remotely or from a shared office space and do not have control of, or admin rights to, the network firewall, your host-based firewall (for example, the one pre-installed with your operating system or a purchased third-party application) becomes your boundary firewall.
Audit your Office applications and ensure they are all running the latest version. Many companies rely on automatic updates, but these often still require some user intervention to complete.
Review account permissions and device policies — small fixes here can make a big difference.
3. More Information Required (MIRs)
This category doesn’t constitute a failure; it simply means the assessor requires clarification before moving forward. However, too many MIRs can delay your certification unnecessarily.
Scope – Submissions that don’t clearly define the in-scope networks, or that omit cloud services, often result in MIR requests.
Vague policy and process answers – Responses such as “we use strong passwords” without supporting evidence (e.g., your policy wording or technical controls) will lead the assessor to request more information. The auditor is looking to understand how you implement the required controls.
Unclear device inventory – It is vital that you know what devices are in scope. Assessors must know the quantity, manufacturer, and operating system, e.g. 3 × Dell laptops running Windows 11 Pro 24H2.
Incomplete answers – Throughout the questionnaire there are multiple two-stage questions. For example: “A4.6 Have you reviewed your firewall rules in the last 12 months? Please describe your review process.” Many applicants simply answer “Yes” without describing the process.
Delta Tips:
Cyber Essentials scope is based on networks and infrastructure. Clearly state the networks used in your organisation, including their name, location, and purpose. Example: “Main network at head office in Bristol for administrative use, and warehouse network in Cheltenham for ERP use.”
For questions that require more than a Yes/No answer, be specific. Provide as much detail and evidence as possible; this helps the auditor move your assessment forward quickly.
For the device inventory question, read the requirement carefully and provide the make, operating system, edition, and version.
Read all questions in full. Many process and procedure questions require more than a simple Yes or No.
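As an added example (not Delta's tooling or anything the Cyber Essentials scheme supplies), the following Python script takes a device list, flags builds that would trip the unsupported-software automatic failure from section 1, and prints the inventory in the quantity / make / OS / edition / version form the inventory tip asks for. The hostnames, hardware and end-of-life table are constructed for illustration; confirm real support dates at https://endoflife.date/ before submitting.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    hostname: str
    kind: str      # "laptop", "desktop", ...
    make: str
    os: str
    edition: str
    version: str

# Constructed end-of-life table of (os, version); version None marks the whole
# product line as out of support. Only the two builds the post names are listed;
# check anything else against https://endoflife.date/ before relying on it.
UNSUPPORTED = {("Windows 7", None), ("Windows 11", "21H2")}

# Constructed sample inventory (hypothetical hostnames and hardware).
SAMPLE_DEVICES = [
    Device("LAP-001", "laptop", "Dell", "Windows 11", "Pro", "24H2"),
    Device("LAP-002", "laptop", "Dell", "Windows 11", "Pro", "24H2"),
    Device("LAP-003", "laptop", "Dell", "Windows 11", "Pro", "24H2"),
    Device("LAP-004", "laptop", "Lenovo", "Windows 11", "Pro", "21H2"),
    Device("DESK-001", "desktop", "HP", "Windows 7", "Professional", "SP1"),
]

def is_unsupported(device):
    """True if the OS, or this specific version of it, is end-of-life."""
    return (device.os, None) in UNSUPPORTED or (device.os, device.version) in UNSUPPORTED

def unsupported_devices(devices):
    """Devices that would trip the automatic 'unsupported software' failure."""
    return [d for d in devices if is_unsupported(d)]

def inventory_lines(devices):
    """Collapse identical builds into 'N × Make kinds running OS Edition Version'
    lines, largest group first, matching the form the post shows."""
    counts = Counter((d.make, d.kind, d.os, d.edition, d.version) for d in devices)
    lines = []
    for (make, kind, os_name, edition, version), n in sorted(
            counts.items(), key=lambda item: (-item[1], item[0])):
        plural = kind if n == 1 else kind + "s"
        lines.append(f"{n} × {make} {plural} running {os_name} {edition} {version}")
    return lines

if __name__ == "__main__":
    print("\n".join(inventory_lines(SAMPLE_DEVICES)))
    for d in unsupported_devices(SAMPLE_DEVICES):
        print(f"UNSUPPORTED: {d.hostname} ({d.os} {d.version})")
```

Feed it an export from your real asset register (or an MDM/RMM report) in place of SAMPLE_DEVICES and the first block of output is the inventory answer; anything in the UNSUPPORTED list needs replacing or upgrading before you submit.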
4. Final Thoughts
Cyber Essentials is designed to be achievable, but only if you prepare properly. At Delta, we see the same mistakes time and time again, which is why we guide our clients to avoid them.
Remember:
Aim to pass on your first submission by checking for automatic fail conditions.
Address common MNCs such as admin rights and firewall settings.
Provide clear, detailed information to avoid additional information requests and delays.
Read all questions in full; the requirement is often stated within the question itself.
By tackling these issues head-on, you’ll save time, reduce frustration, and demonstrate your commitment to keeping your business secure.