Where possible, Cyber Essentials assessments should not involve risk management decisions.