Cyber Essentials is often described as a straightforward certification — and for well-prepared organisations it is. But failure rates are higher than most people expect, and the consequences of failing go beyond simply having to reapply. Here is what actually happens if you fail, and how to make sure you're not in that position.
What failing actually means
Cyber Essentials is assessed against five technical controls: firewalls, secure configuration, security update management, user access control, and malware protection. You complete a self-assessment questionnaire covering all five, and an assessor at a Certification Body reviews your answers. If those answers reveal gaps against the standard, your application fails.
Unlike some certifications, there is no partial pass. You either meet all five controls or you don't certify.
The immediate consequences
The most obvious consequence is cost. Basic Cyber Essentials is priced by organisation size, from roughly £320 plus VAT for a micro business up to £500 plus VAT for a large one. If you fail and need to reapply, you pay again. Cyber Essentials Plus adds a hands-on technical audit of your devices, so costs commonly reach £2,000 or more, and a failure at that level means the audit has to be repeated, which adds further cost.
Beyond the financial impact, failing creates a timing problem. If you need the certification to win a contract or meet a tender requirement, a failure can push your timeline back by weeks. In competitive procurement situations, that can cost you the deal entirely.
The reputational dimension
Cyber Essentials is increasingly required by larger organisations and public bodies as a condition of entering their supply chain. If you fail and the client finds out, it raises questions about your overall security posture, even when the failure was on a technicality. It is worth treating the assessment seriously rather than assuming it is a formality.
The most common reasons businesses fail
From our work with businesses going through Cyber Essentials, the same issues come up repeatedly: unsupported software still running on the network; default passwords left unchanged on routers and other network devices; multi-factor authentication not enabled on cloud services; administrator accounts used for day-to-day tasks such as email and web browsing; and patching that is applied inconsistently across devices, so some are missing updates that should have been installed within 14 days of release.
None of these is difficult to fix, but each needs to be identified and remediated before submission, not after the assessor finds it.
How to make sure you pass first time
The most reliable way to pass Cyber Essentials first time is to do an honest readiness assessment before you submit. Go through each of the five controls systematically, identify the gaps, fix them, and only then submit your application.
A structured checklist makes this significantly easier. Rather than interpreting the standard from scratch, a pre-built checklist maps every requirement to a concrete check and lets you track your readiness as you work through it. We offer a free Cyber Essentials readiness checklist that covers all five controls; download it and work through it before you spend money on an assessment.