
Cyber Essentials Documents and Policies Required to Pass
Cyber Essentials is the UK government-backed certification run by IASME on behalf of the National Cyber Security Centre. It is a self-assessment against five technical controls, and it is increasingly a hard requirement: any business bidding for central government contracts that handle certain sensitive or personal information must hold it.
The scheme is a questionnaire rather than a document upload, which leads some applicants to assume no paperwork is needed. In practice you cannot answer the questions truthfully without the underlying policies and records in place. A patch management policy, an asset list and an access control process are what turn a hopeful answer into an honest one.
This guide explains the five controls, the documents and evidence assessors expect to sit behind your answers, and how Cyber Essentials Plus adds a hands-on technical audit on top.
The Five Cyber Essentials Controls
Cyber Essentials is built around five technical control themes set out in the IASME question set. Your certification covers your whole IT estate by default, including cloud services, home workers and any bring-your-own devices that access organisational data.
1. Firewalls
Every device must sit behind a correctly configured firewall, whether a corporate boundary firewall or the software firewall built into a laptop. Default administrative passwords must be changed, and inbound rules must be documented and justified.
2. Secure Configuration
Devices and software must be configured to reduce vulnerabilities: remove or disable unused accounts and software, change default passwords, and turn off auto-run features. A documented build standard makes this consistent across the estate.
3. Security Update Management
Operating systems and applications must be supported and kept up to date. High and critical security updates must be applied within 14 days of release, and unsupported software must be removed. This is the control most applicants fail on, so a written patch management policy and an inventory of software and versions matter here.
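The 14-day rule and the removal of unsupported software are only checkable if the asset inventory records, for each device and product, whether the vendor still supports it and which security updates are outstanding. The script below is an added example of that check, not code from the page or from Policy Pros; the inventory records, device names, product versions and dates are constructed for illustration, and the `supported` flag and `pending` list are assumed to be maintained by whatever inventory process the organisation runs. Medium and low updates are deliberately left out of the 14-day test because the control, as described above, applies to high and critical updates only.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Cyber Essentials: high and critical security updates within 14 days of release.
UPDATE_WINDOW = timedelta(days=14)
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class PendingUpdate:
    severity: str   # "critical", "high", "medium" or "low"
    released: date  # vendor release date of the update


@dataclass(frozen=True)
class SoftwareRecord:
    device: str
    product: str
    version: str
    supported: bool                        # False once vendor security support has ended (assumed inventory field)
    pending: tuple[PendingUpdate, ...] = ()  # security updates not yet installed (assumed inventory field)

    @property
    def key(self) -> str:
        return f"{self.device}/{self.product}"


def assess_record(rec: SoftwareRecord, today: date) -> list[str]:
    """Return the Cyber Essentials findings for one inventory record (empty list = compliant)."""
    findings: list[str] = []
    if not rec.supported:
        findings.append(f"{rec.product} {rec.version} is unsupported and must be removed")
    for upd in rec.pending:
        if upd.severity not in IN_SCOPE_SEVERITIES:
            continue  # the 14-day rule covers high and critical updates only
        outstanding = today - upd.released
        if outstanding > UPDATE_WINDOW:
            findings.append(
                f"{upd.severity} update released {upd.released.isoformat()} "
                f"outstanding {outstanding.days} days (limit {UPDATE_WINDOW.days})"
            )
    return findings


def assess_inventory(records: list[SoftwareRecord], today: date) -> dict[str, list[str]]:
    """Map every device/product key to its findings so the result can back up a questionnaire answer."""
    return {rec.key: assess_record(rec, today) for rec in records}


def noncompliant_entries(records: list[SoftwareRecord], today: date) -> list[str]:
    """Sorted keys of the records that would cause the update-management answer to be untrue."""
    return sorted(key for key, findings in assess_inventory(records, today).items() if findings)


# Constructed sample inventory, assessed as of a fixed date so the results are reproducible.
AS_OF = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    # 22 days outstanding on a critical update: fails the 14-day rule
    SoftwareRecord("laptop-01", "Windows 11", "23H2", True,
                   (PendingUpdate("critical", date(2024, 5, 10)),)),
    # 7 days outstanding on a high update: still inside the window
    SoftwareRecord("laptop-02", "Google Chrome", "125.0", True,
                   (PendingUpdate("high", date(2024, 5, 25)),)),
    # only a medium update pending, so the 14-day rule does not apply
    SoftwareRecord("laptop-03", "LibreOffice", "7.6", True,
                   (PendingUpdate("medium", date(2024, 4, 1)),)),
    # exactly 14 days outstanding: the boundary case, treated as compliant
    SoftwareRecord("laptop-04", "Mozilla Firefox", "126.0", True,
                   (PendingUpdate("high", date(2024, 5, 18)),)),
    # end-of-life operating system: must be removed regardless of patch state
    SoftwareRecord("server-01", "Windows Server 2012 R2", "6.3", False),
]


if __name__ == "__main__":
    for key, findings in assess_inventory(SAMPLE_INVENTORY, AS_OF).items():
        status = "OK" if not findings else "FAIL"
        print(f"{status:4} {key}")
        for f in findings:
            print(f"       - {f}")
```

Running the script against the sample inventory lists laptop-01 and server-01 as failures and the other three as compliant. In a real estate the `SAMPLE_INVENTORY` list would be built from the asset register rather than typed in, and the output kept as the evidence record that sits behind the security update management answer.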
4. User Access Control
Accounts must be assigned to named individuals, granted on a least-privilege basis, and removed when people leave. Administrator accounts must be used only for administrative tasks, and multi-factor authentication is required for cloud services. An access control policy and a joiners, movers and leavers process provide the evidence.
5. Malware Protection
You must protect devices against malware using anti-malware software, application allow-listing, or sandboxing. Whichever approach you take, it must be documented and kept current.
Documents and Evidence Assessors Expect
Cyber Essentials does not ask you to attach policies, but the honest completion of the self-assessment depends on having them. These are the documents that let you answer accurately and that you will need on hand if you progress to Cyber Essentials Plus.
| Document or record | Why it matters |
|---|---|
| Asset inventory of devices and software | Defines the scope and underpins patching and configuration answers |
| Patch and update management policy | Shows how the 14-day rule for critical updates is met |
| Secure configuration or device build standard | Evidences consistent hardening across the estate |
| Access control policy | Covers least privilege, admin separation and account removal |
| Password and authentication policy | Sets minimum length, complexity and multi-factor authentication |
| Bring-your-own-device (BYOD) policy | Brings personal devices that access data into scope correctly |
| Acceptable use policy | Defines what users may and may not do on company systems |
| Joiners, movers and leavers process | Demonstrates accounts are provisioned and revoked properly |
| Malware protection configuration records | Confirms anti-malware or allow-listing is in place and current |
Cyber Essentials Plus
Cyber Essentials Plus covers the same five controls but adds an independent technical audit. A qualified assessor tests a sample of your devices to confirm that what you declared in the self-assessment is true, including vulnerability scans, a check on malware protection and a review of multi-factor authentication on cloud services.
You must hold or be applying for the basic Cyber Essentials certificate first, and the Plus audit normally needs to follow within three months of that self-assessment. Because the assessor inspects live systems, gaps in patching or configuration that a questionnaire might hide will surface, so the documents above need to describe what is genuinely running.
Common Reasons Applications Fail
- Unsupported operating systems or software still in use, such as end-of-life Windows versions.
- Critical and high security updates not applied within 14 days.
- Multi-factor authentication missing on cloud services and administrator accounts.
- Default passwords left in place on firewalls, routers or other devices.
- Home workers and bring-your-own devices left out of scope by mistake.
- Shared or generic administrator accounts rather than named users.
How Policy Pros Can Help
We write the policies that sit behind an honest Cyber Essentials answer. Our Cyber Essentials policies service produces the patch management, access control, password and acceptable use documents the five controls depend on, written for how your business actually works.
For the wider picture, our IT security policies service covers the broader information security framework that clients and insurers increasingly ask for alongside the certificate.
If you are aiming higher, our ISO 27001 mandatory documents guide sets out the management-system documentation that builds on the Cyber Essentials controls, and our IASME Cyber Essentials checklist walks through the question set in detail.
Frequently Asked Questions
What documents do I need for Cyber Essentials?
Cyber Essentials is a self-assessment questionnaire, so you do not upload documents, but to answer it truthfully you need an asset inventory, a patch and update management policy, a secure configuration standard, an access control policy, a password and multi-factor authentication policy, and malware protection records. These also become essential if you progress to Cyber Essentials Plus, where an assessor inspects live systems.
What are the five Cyber Essentials controls?
The five technical controls are firewalls, secure configuration, security update management, user access control and malware protection. They are set out in the IASME question set and cover your whole IT estate, including cloud services, home workers and bring-your-own devices.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a verified self-assessment against the five controls. Cyber Essentials Plus covers the same controls but adds an independent technical audit, where a qualified assessor tests a sample of your devices, runs vulnerability scans and checks multi-factor authentication. You normally need to hold or be applying for basic Cyber Essentials first, with the Plus audit following within three months.
How quickly do I need to apply security updates for Cyber Essentials?
High and critical security updates must be applied within 14 days of release, and any unsupported or end-of-life software must be removed. This is the control most applicants fail on, which is why a written patch management policy and a software inventory are worth having before you start the assessment.