Can you fail Cyber Essentials?
Yes - you can fail the Cyber Essentials self-assessment submission. Most certification bodies (including Fig Group) include three free re-submissions, so a first-attempt fail is typically a remediation window rather than the end of the assessment.
Can you fail Cyber Essentials?
Yes - you can fail a Cyber Essentials submission. Failure means the assessor has identified a control gap in the self-assessment and has not issued a certificate. Most IASME-licensed certification bodies include a small number of free re-submissions (Fig Group: three), so a first-attempt fail is typically a remediation window rather than a scheme-level rejection.
The most common reasons submissions fail
From the first two quarters of Cyber Essentials v3.3:
1. Unsupported operating systems in scope. Windows 10 Home without ESU, older Android phones past OEM support. See the Security Update Management pillar guide.
2. SMS MFA on admin accounts. v3.3 explicitly requires phishing-resistant MFA (authenticator or FIDO2) for admins. See the User Access Control pillar guide.
3. Default credentials on a boundary device. Any router or firewall still on factory admin/admin fails the Firewalls pillar.
4. Patching beyond the 14-day rule. High and critical severity patches not deployed within 14 days of vendor release.
5. No admin / user-account separation. One account used for both daily work and admin tasks.
6. Home-office router gap for remote workers under v3.3 scope. See Cyber Essentials for remote and hybrid workforces.
What happens when you fail
The certification body returns written feedback identifying the failed control and the specific evidence that missed the bar. With Fig Group, feedback is returned within the same 6-hour SLA as a pass, so remediation can begin the same working day.
You then have a defined number of free re-submissions (three with Fig Group) to correct the gap and resubmit. Once the re-submission passes assessor review, the certificate is issued on the date of the pass.
How to avoid failing
- Run a free readiness check before you pay. Scores your organisation against the five controls in under 10 minutes.
- Confirm every in-scope device is on a supported OS. Windows 11 build currency, macOS current or one-previous-major, iOS current or one-previous-major, Android on monthly OEM security patches.
- Audit Conditional Access. MFA enforced for every user on every cloud app and remote-access path, with no legacy-authentication exemptions.
- Check home-office routers for any remote worker - factory default passwords changed, firmware current.
Does failing appear on a public record?
No. Only issued certificates are published on the IASME directory. A failed submission does not appear anywhere buyers or clients can see.
Bottom line
Yes, you can fail Cyber Essentials - and it is easier to fail than many organisations realise, particularly on unsupported OS versions, home routers, and MFA coverage. The free readiness check catches these before you pay, and Fig Group's 6-hour feedback on any failed submission means remediation can start immediately.
Start Cyber Essentials from £299.99 + VAT | Free readiness check | Cyber Essentials Online
About the author
Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
Next step
Want to see how Fig handles this?
Discover how Fig helps organisations prepare for security assessments and maintain ongoing compliance.
Request a demo