Cyber Essentials – Question Set April 2026

Planning to achieve or renew Cyber Essentials in 2026? Start here.

The Cyber Essentials Self-Assessment Preparation Booklet (Version 16 – April 2026) outlines the full question set you will be required to complete through IASME’s online assessment platform.

This document helps you understand exactly what information you’ll need before submission — from organisational scope and asset listings to firewall configuration, MFA enforcement, patch management, and administrator controls.

Whether you're applying for the first time or renewing, this booklet enables you to prepare structured, accurate responses aligned with IASME’s 2026 standards.

What’s inside:

• Full April 2026 Cyber Essentials question set
• Detailed scoping guidance (including partial scope and sub-set rules)
• Device inventory requirements (end-user devices cannot be excluded)
• Cloud services inclusion requirements
• MFA expectations for users and administrators
• 14-day patching requirements (including CVSS 7+ thresholds)
• Windows 10 Extended Security Update clarification
• Firewall governance and approval expectations
• Malware protection and application allow-listing guidance

Why this matters

The April 2026 update introduces clearer expectations around:

• Cloud services being mandatory in scope
• Multi-Factor Authentication enforcement
• Strict 14-day patching timelines
• Administrative account governance
• BYOD and remote working controls

Preparing early reduces remediation delays and helps ensure smoother certification.

This document is published by IASME and made available under the appropriate Creative Commons licence. Secarma shares this resource to help organisations prepare confidently and efficiently for certification.