
FAILED ASSESSMENTS

We failed our Cyber Essentials assessment. What happens now?

A failed assessment is frustrating — but it is not the end of the process. Here is what typically causes failures, what happens next, and how to get back on track without repeating the same mistakes.

Why assessments fail

The most common causes of failed Cyber Essentials assessments are scope issues (systems were included that should not have been, or excluded when they should have been in scope), patch management failures (devices running unsupported software or with critical patches not applied within the required 14-day window), access control weaknesses (admin accounts not properly controlled, MFA not implemented where required), and questionnaire inaccuracies (answers that do not reflect the actual state of the environment).

In most cases, failure is not because the organisation is fundamentally insecure. It is because the assessment was attempted before the environment was ready, or because the scope was not properly defined at the outset.

What happens after a failed assessment

When an assessment fails, your Certification Body will provide feedback identifying the areas that did not meet the requirements. You will have an opportunity to address these issues and resubmit, but the process and timeline for resubmission vary by Certification Body.

Some Certification Bodies allow a straightforward resubmission once issues are resolved. Others require a full reassessment. Before you begin remediation work, ask your Certification Body what its specific process is.

How to recover

Start by understanding exactly why the assessment failed. Review the feedback carefully and identify the root cause of each failure point. If the feedback is unclear, ask your Certification Body to clarify.

Then address the issues systematically. Do not rush to resubmit without being confident that the underlying problems have been resolved. A second failed assessment is worse than a delayed resubmission — it costs more, takes longer, and damages confidence in your organisation's ability to meet the standard.

Avoiding repeat failures

Before you resubmit, conduct a thorough internal review — or engage someone independent to do it for you. Verify that every device in scope is compliant, that your questionnaire answers accurately reflect your current environment, and that any scope changes since the original assessment have been properly accounted for.

If the failure was due to scope issues, revisit your scope definition entirely. A scope that is too broad creates unnecessary compliance burden. A scope that is too narrow may not satisfy your client's requirements. Get the scope right before you resubmit.

DO NOT RUSH TO RESUBMIT

A second failed assessment costs more than taking time to get it right. Before you resubmit, be confident that every issue identified in the failure feedback has been properly addressed — and that no new issues have been introduced in the process.
