Skip to content
360 Cyber Compliance

Cyber Essentials · 1 July 2026

Common reasons Cyber Essentials applications fail

Cyber Essentials is designed to be achievable, but a self-assessment can still be marked as non-compliant when answers do not stand up to scrutiny. The good news is that the reasons applications fall short are well known and largely avoidable. This guide walks through the most common ones so you can address them before you submit.

Getting the scope wrong

Scope is where many applications go astray. Your scope defines which devices, users, networks and cloud services the assessment covers, and it must be described accurately.

Frequent issues include:

  • Leaving out home or remote workers’ devices that access organisational data.
  • Forgetting mobile phones and tablets that handle work email or files.
  • Trying to carve out part of the organisation without a clean technical boundary.

If you want the included cyber insurance that comes with certification, the whole organisation usually needs to be in scope and you must be under the relevant turnover threshold. A vague or incomplete scope undermines everything that follows, so it is worth getting right first. Our guide to the five controls explains what each control applies to.

Unsupported operating systems and software

Any software still in use must be supported by its vendor and still receiving security updates. Old versions of Windows, unsupported phones, or an out-of-date server will cause a fail.

Before you apply, check that every operating system and application in scope is within its support lifecycle. Where something is no longer supported, you need to replace it, remove it, or take it out of scope with a proper technical boundary.

Missing or slow security updates

Even supported software fails the assessment if updates are not applied. The benchmark is that high-risk and critical security updates are installed within 14 days of release.

Common slip-ups are switching off automatic updates, ignoring app updates on mobile devices, or forgetting firmware on routers and firewalls. Our patch management guide sets out how to keep this reliable.

Default and weak passwords

Default credentials on routers, firewalls and other devices are a classic finding. Any default password must be changed to something strong and unique.

You also need a sensible approach to passwords and account protection across the board — including throttling or locking accounts after repeated failed attempts, and moving away from short, guessable passwords.

Missing multi-factor authentication

Cyber Essentials requires MFA on cloud services. A surprising number of applications fail simply because MFA has not been enabled for administrators or for all users of a service such as Microsoft 365 or Google Workspace.

Enabling MFA everywhere it applies — particularly on administrator accounts — is one of the highest-impact fixes you can make. See our dedicated MFA requirements guide.

Too many administrator accounts

Handing out administrator rights too freely is both a security risk and a compliance problem. Administrator accounts should be limited to those who need them, used only for administrative tasks, and never for day-to-day email and web browsing.

A quick review of who holds admin rights, and why, often reveals accounts that can be downgraded to standard users straight away.

Insecure configuration

Devices delivered with default settings frequently retain features and accounts that should be removed. Auto-run left enabled, sample accounts still present, or unnecessary software installed will all count against you.

Working through a secure build for each device type prevents this. Our secure configuration guide covers what to tighten.

Firewall gaps

Firewall-related failures usually stem from devices without an enabled firewall, open inbound ports with no business justification, or an internet router still using its factory password. Every internet-connected device needs firewall protection, and remote workers’ software firewalls must be switched on.

Answers that do not match reality

Finally, applications can fail because the answers describe an intended state rather than the actual one. The self-assessment is verified by IASME, and where you progress to Cyber Essentials Plus an independent technical audit — vulnerability scans and device sampling — will quickly expose any gap between what was claimed and what is in place.

Evidence that does not match the answers

Even where controls are in place, applications can stall when the supporting evidence is thin or inconsistent. If your self-assessment says automatic updates are enabled but a device shows deferred patches, or claims MFA is universal while an administrator account is exempt, the discrepancy will surface. Keeping simple records — an inventory of devices and software, a note of your secure build, and a record of who holds administrator rights — makes your answers defensible and speeds up any query from IASME.

Rushing the self-assessment

A final, avoidable reason for failure is treating the questionnaire as a form to complete quickly rather than an accurate description of your organisation. The questions are precise and interlinked: an answer about cloud services must line up with your MFA answer, and your scope must match the devices you describe elsewhere. Reading each question carefully, and answering for the reality across your whole scope, prevents the small contradictions that lead to a non-compliant result.

A short pre-submission checklist

  • Scope is complete and accurately described, including remote and mobile devices.
  • Every operating system and application is supported and up to date.
  • Default passwords are changed everywhere.
  • MFA is enabled on all cloud services.
  • Administrator rights are limited and separated from everyday accounts.
  • Firewalls are enabled and inbound access is justified.
  • Your answers reflect what is genuinely in place.

If any term here is unfamiliar, our glossary explains the key concepts, and organisations building towards a wider framework may find IASME Cyber Assurance or ISO 27001 a natural next step.

How we can help

We support organisations through Cyber Essentials with a clear, transparent delivery process, helping you find and close these common gaps before you submit rather than after. If you would like practical support in getting your self-assessment right first time, see our Cyber Essentials service or get in touch.

Need help in practice? See our Cyber Essentials service.

Need a hand with this?

Book a free, no-obligation readiness check.