Assess your readiness across all five technical controls.
Cyber Essentials certification requires your organisation to demonstrate effective implementation of five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. These controls are straightforward in principle, but the detail matters. Most assessment failures stem not from a lack of security awareness, but from gaps in implementation that nobody noticed until the assessor asked about them.
This checklist is designed to help you work through each control area methodically. For every item, we have included a description of what the assessor is looking for and why it matters. If you cannot confidently confirm an item, that is a gap that needs addressing before you submit for assessment. Be honest with yourself. A failed assessment costs time and money. Identifying gaps now costs nothing.
Use this alongside the NCSC’s official requirements documentation. This checklist is practical guidance based on hundreds of SME assessments, not a substitute for the formal specification.

Understanding the framework
The five controls work together as a layered defence. Firewalls establish the boundary. Secure configuration hardens what sits behind it. Access control limits who can do what. Malware protection catches what gets through. Patch management closes the vulnerabilities that attackers exploit. Weakness in any single layer undermines the others.
Scope everything first
Before working through the checklist, identify every device that accesses organisational data and every cloud service your team uses. Laptops, phones, tablets, servers, routers, printers, SaaS applications. If it touches company data, it is in scope. This inventory exercise is the foundation of your assessment.
Document as you go
The assessor needs evidence, not just assertions. As you work through each control area, record what you find, what you change, and how you verified it. Screenshots, configuration exports, policy documents, and audit logs all serve as evidence. Build the habit of documenting now and the assessment becomes straightforward.
Treat gaps as a priority list
Not every gap carries the same risk or requires the same effort to close. Some are five-minute fixes: enabling a setting, changing a password, removing unused software. Others are projects that need planning and budget. Categorise what you find so you can tackle quick wins immediately and schedule larger remediation work.
Test your own controls
After addressing each item, verify it yourself. Can you prove the firewall is configured correctly? Can you demonstrate that MFA is enforced on every account? Can you show patch compliance across all devices? If you cannot answer with evidence, the assessor will not accept the answer either.
Control 1: Firewalls
Firewalls form the first line of defence between your network and the internet. The scheme requires both boundary protection (hardware or cloud-based firewalls) and device-level protection (software firewalls on individual machines). For remote workers, where the corporate boundary offers no protection, device-level firewalls become the primary control. The assessor will check that rules are intentional, documented, and restrictive by default.
Boundary firewall or gateway is in place
Every connection between your internal network and the internet should pass through a firewall or gateway device. For organisations with a physical office, this is typically your router or UTM appliance. The assessor will check that this device is actively filtering traffic, not simply passing it through. If you rely entirely on cloud services with no office network, device-level firewalls become your primary boundary control.
Default admin credentials have been changed
Factory-default usernames and passwords on firewalls, routers, and gateway devices are publicly documented and trivially easy for attackers to exploit. Change them to unique, strong credentials. This applies to every network device in scope, including wireless access points, managed switches, and any appliance with a web interface. If you cannot confirm the default credentials were changed, assume they were not.
Firewall rules are documented and reviewed
You need to know what traffic is allowed through your firewall and why. Undocumented rules accumulate over time as staff request exceptions and nobody removes them. Review your ruleset at least quarterly. Every permitted port, protocol, and IP range should have a business justification. The assessor will ask you to explain your configuration, so if you cannot explain a rule, it should not be there.
Unnecessary services and ports are blocked
Only traffic required for business operations should be permitted. Common issues include leaving remote desktop protocol (RDP) open to the internet, allowing unrestricted outbound traffic, or running services on default ports that are well-known attack targets. Run a port scan against your public IP addresses to see what is actually exposed. The results often surprise organisations that thought they had locked things down.
Host-based firewalls are enabled on all devices
Every laptop, desktop, and server should have its built-in software firewall enabled and configured. On Windows, this means Windows Firewall is active. On macOS, the application firewall is turned on. This is particularly important for devices used by remote workers, where the corporate boundary firewall offers no protection. Check that users cannot disable the firewall themselves, and that Group Policy or MDM enforces the configuration.
Control 2: Secure configuration
Secure configuration is about reducing your attack surface. Every device and application ships with default settings optimised for ease of use, not security. The assessment checks that you have actively hardened your environment: removing what you do not need, changing what should not stay as default, and enforcing policies that prevent users from weakening their own security. This is where a device management platform like Intune proves its value, allowing you to enforce and verify baselines across your entire fleet.
Unnecessary software has been removed
Every installed application is a potential attack surface. Remove anything that is not needed for business operations. This includes pre-installed bloatware on new machines, trial software, browser toolbars, and applications that were installed once for a specific project and never uninstalled. Use your MDM platform or software inventory tool to audit what is installed across your fleet. If nobody uses it, remove it.
Default and guest accounts are disabled
Built-in accounts such as the default Administrator account, Guest accounts, and any vendor-created service accounts should be disabled or renamed with unique passwords. These accounts are well-known targets. If a device or application ships with a default account that cannot be disabled, change its password to something strong and unique, and monitor it for unexpected activity.
Auto-run and auto-play are disabled
Software should not execute automatically when removable media is inserted or when files are downloaded. Auto-run was a common malware delivery mechanism for years. On modern Windows systems, auto-run is disabled by default for most media types, but verify this with Group Policy. Check that your browser settings do not automatically open downloaded files, and that macro execution in Office documents is restricted.
Password policies meet current requirements
Where multi-factor authentication is in place, passwords must be at least eight characters. Where MFA is not available, passwords must be at least twelve characters. Complexity rules (requiring special characters) are no longer emphasised. Instead, the focus is on length, uniqueness, and preventing the use of known compromised passwords. Implement a banned password list and check credentials against breach databases.
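To make the length rule above checkable, here is an added Python example (not the page's own code or an NCSC tool) that applies the MFA-dependent minimum and a banned-password check to a set of constructed accounts; the banned list is a constructed stand-in for a breach-database or directory banned-password lookup.

```python
"""Password policy check for the rule above: at least 8 characters where MFA is enforced,
12 where it is not, and never a password on the banned list. Added example; the
accounts and the banned list are constructed sample data."""
from dataclasses import dataclass

# Constructed stand-in for a breach-database or directory banned-password list.
BANNED_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "letmein"}

@dataclass
class Account:
    username: str
    candidate: str              # the password being set; check at change time, never store it
    mfa_enforced: bool

def min_length_for(mfa_enforced: bool) -> int:
    """The length floor depends on whether MFA backs the account."""
    return 8 if mfa_enforced else 12

def normalise(password: str) -> str:
    """Lower-case and strip trailing digits/symbols so 'Password1!' matches 'password'."""
    return password.lower().rstrip("0123456789!@#$%^&*.")

def check_password(account: Account, banned=BANNED_PASSWORDS) -> list[str]:
    """Return findings for one account; an empty list means the password is acceptable."""
    findings = []
    required = min_length_for(account.mfa_enforced)
    if len(account.candidate) < required:
        mode = "MFA" if account.mfa_enforced else "no MFA"
        findings.append(f"length {len(account.candidate)} below minimum {required} ({mode})")
    if account.candidate.lower() in banned or normalise(account.candidate) in banned:
        findings.append("password appears on the banned/breached list")
    return findings

def audit(accounts) -> dict[str, list[str]]:
    """Map each failing username to its findings; compliant accounts are omitted."""
    return {a.username: f for a in accounts if (f := check_password(a))}

SAMPLE_ACCOUNTS = [  # constructed
    Account("a.smith", "Summer2024!", mfa_enforced=True),     # 11 chars with MFA: passes
    Account("b.jones", "Summer2024!", mfa_enforced=False),    # 11 chars, no MFA: too short
    Account("reception", "Password1!", mfa_enforced=True),    # long enough, but banned
    Account("c.lee", "correct-horse-battery", mfa_enforced=False),  # passes
]
```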
Screen lock and session timeout are configured
All devices should lock automatically after a period of inactivity, typically 15 minutes or less. Users should not be able to override this setting. For shared or public-facing systems, shorter timeouts are appropriate. This prevents opportunistic access when someone walks away from their desk, and it is one of the simplest controls to implement through Group Policy, Intune, or MDM configuration profiles.
“Most organisations that fail Cyber Essentials do not fail because they lack security tools. They fail because they cannot prove those tools are consistently applied to every device, every account, and every service in scope.”


Control 3: User access control
The principle of least privilege underpins this entire control area. People should have access only to the systems, data, and functions they need for their role. In practice, this means separating admin accounts from daily-use accounts, enforcing multi-factor authentication across every service, and having reliable processes for granting and revoking access as people join, move within, or leave the organisation. Privilege creep, where staff accumulate permissions over time without review, is the single most common finding in this area.
Each user has a unique individual account
Shared accounts make it impossible to trace activity back to an individual. Every person who accesses your systems should have their own named account. This includes temporary staff, contractors, and anyone with remote access. If you discover shared accounts, such as a generic reception login or a shared admin account, plan to replace them with individual credentials. Accountability starts with identity.
Admin privileges are separated from daily accounts
Users who need administrative access should have a separate admin account used only for administrative tasks. Their daily work, including email, browsing, and document editing, should use a standard account without elevated privileges. This limits the blast radius if an account is compromised. If the finance director is a global admin on Microsoft 365 with the same account they use for email, that is a significant risk.
Multi-factor authentication is enforced everywhere
MFA must be enabled on every account where it is technically possible. This includes cloud services, VPN connections, remote desktop access, and any internet-facing login. The most common failure point is partial implementation: MFA on user accounts but not on admin accounts, or on Microsoft 365 but not on the accounting platform. Audit every application and service. If it supports MFA, enable it. If it does not support MFA, document it and apply compensating controls.
Leavers are removed within one business day
When someone leaves the organisation, their access should be revoked promptly. This means disabling their account, revoking active sessions, and recovering any company devices. The risk is not just malicious ex-employees. Dormant accounts are targets for attackers because nobody is monitoring them. Have a documented offboarding process that IT is involved in from the moment notice is given, not weeks after someone has already left.
Access levels are reviewed at least quarterly
Privilege creep is one of the most common findings in security assessments. People accumulate permissions over time as they change roles, join projects, or receive temporary access that nobody revokes. A quarterly review of who has access to what will nearly always surface accounts with more permissions than they need. Check admin roles, shared mailbox access, SharePoint site permissions, and any line-of-business application access.
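An added Python example (not the page's own code) that applies the Control 3 checks above to a constructed directory export: shared accounts, admin roles held on a daily-use account, missing MFA, leavers not disabled within one business day, and access reviews older than a quarter. Account names and dates are constructed, and treating a mailbox as the marker of a daily-use account is an assumption of the example.

```python
"""Access-control audit over a constructed directory export, applying the Control 3 checks
above: shared accounts, admin roles on daily-use (mailbox) accounts, missing MFA, leavers
not disabled within one business day, and access reviews older than a quarter."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
AS_OF = date(2024, 6, 12)          # fixed "today" so the output is reproducible (constructed)

@dataclass
class Account:
    username: str
    admin_roles: tuple = ()        # e.g. ("Global Administrator",)
    has_mailbox: bool = True       # assumption: a mailbox marks an account used for daily work
    mfa_enforced: bool = True
    shared: bool = False
    left_on: Optional[date] = None
    disabled_on: Optional[date] = None
    last_access_review: Optional[date] = None

def business_days_between(start: date, end: date) -> int:
    """Weekdays strictly after `start` up to and including `end`; weekends do not count."""
    days, current = 0, start
    while current < end:
        current += timedelta(days=1)
        days += current.weekday() < 5          # Monday..Friday are 0..4
    return days

def audit_account(acct: Account, as_of: date = AS_OF) -> list[str]:
    """Return findings for one account; an empty list means it passes every check."""
    findings = []
    if acct.shared:
        findings.append("shared account: replace with named individual accounts")
    if acct.admin_roles and acct.has_mailbox:
        findings.append("admin roles held on a daily-use account: separate admin identity needed")
    if not acct.mfa_enforced:
        findings.append("MFA not enforced")
    if acct.left_on is not None:
        cutoff = acct.disabled_on or as_of      # still enabled: the clock is still running
        elapsed = business_days_between(acct.left_on, cutoff)
        if acct.disabled_on is None or elapsed > 1:     # one business day allowed
            state = "still enabled" if acct.disabled_on is None else f"disabled after {elapsed} business days"
            findings.append(f"leaver not removed within one business day ({state})")
    review = acct.last_access_review
    if review is None or (as_of - review).days > 90:    # "at least quarterly"
        findings.append("access not reviewed in the last quarter")
    return findings
def audit(accounts) -> dict[str, list[str]]:
    """Map each failing username to its findings; compliant accounts are omitted."""
    return {a.username: f for a in accounts if (f := audit_account(a))}

SAMPLE_DIRECTORY = [  # constructed records
    Account("fin.director", admin_roles=("Global Administrator",), last_access_review=date(2024, 5, 1)),
    Account("fin.director-admin", admin_roles=("Global Administrator",), has_mailbox=False,
            last_access_review=date(2024, 5, 1)),
    Account("reception", shared=True, mfa_enforced=False, last_access_review=date(2023, 11, 30)),
    Account("j.doe", left_on=date(2024, 6, 7), disabled_on=date(2024, 6, 10),   # Fri -> Mon: 1 business day
            last_access_review=date(2024, 5, 1)),
    Account("k.roe", left_on=date(2024, 5, 31), last_access_review=date(2024, 5, 1)),  # never disabled
]
```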
Control 4: Malware protection
Active protection against malicious software is required on every device in scope. The scheme accepts three approaches: anti-malware software, application allow-listing, or sandboxing. Most SMEs will use a managed endpoint protection platform. The critical distinction is between consumer-grade software installed on individual machines with no central visibility, and enterprise-grade solutions where you can see, manage, and report on the protection status of every device from a single dashboard. The assessor expects the latter.
Endpoint protection is installed on every device
Every device in scope must have active malware protection. This typically means an endpoint detection and response (EDR) solution or, at minimum, a centrally managed antivirus product. Built-in protection like Windows Defender is acceptable if it is centrally managed and reporting to a dashboard. The key requirement is that you can demonstrate coverage across your entire fleet, not just some devices.
Definitions and signatures update automatically
Malware protection is only effective if it is current. Signature updates should be configured to download and install automatically without user intervention. Verify that updates are actually happening by checking the last update timestamp across your devices. If a device has been offline for an extended period, its definitions may be weeks or months out of date when it reconnects. Your management console should flag this.
Real-time and on-access scanning is enabled
Files should be scanned as they are accessed, downloaded, or executed, not only during scheduled scans. Real-time scanning provides immediate protection against known threats. Check that your endpoint protection configuration has on-access scanning enabled and that it covers all file types, not just executables. Some organisations disable real-time scanning to improve performance, which defeats the purpose entirely.
Users cannot disable or bypass protection
Standard user accounts should not have the ability to turn off, pause, or uninstall endpoint protection software. This is typically enforced through the management console by requiring admin credentials for any changes. Test this by attempting to disable protection from a standard user account. If you can, the configuration needs tightening. Tamper protection features in modern EDR tools provide an additional layer of defence.
Centralised reporting confirms coverage
You should be able to produce a report showing every device, its protection status, definition version, and last scan date. If you cannot generate this report, you cannot demonstrate compliance. Centralised management is what separates enterprise-grade protection from consumer-grade installs. The assessor will want to see evidence that you have visibility across your estate, not just assurances that you believe everything is covered.
Control 5: Patch management
Keeping software up to date is one of the most effective defences against cyber attack, and one of the most commonly failed controls in Cyber Essentials assessments. The requirement is clear: all software must be licensed and supported, and security patches rated high or critical must be applied within 14 days of release. Unsupported software that no longer receives security updates must be removed or fully isolated from the network. This applies to operating systems, applications, firmware, and browser plugins alike.
All operating systems are supported versions
Every device in scope must run an operating system that still receives security updates from the vendor. Windows 10 reached end of support in October 2025. Older versions of macOS, Linux distributions past their end-of-life dates, and mobile operating systems that no longer receive patches are all grounds for failure. Audit every device. If it runs something unsupported, it must be upgraded, replaced, or removed from scope before assessment.
Critical patches are applied within 14 days
High-severity and critical security patches must be applied within 14 days of release. This is one of the most commonly failed requirements. It demands a functioning patch management process, not just automatic updates enabled and hoped for. You need to verify that patches have actually installed, not just downloaded. Check for devices that have been offline, failed updates, or machines where users keep deferring restarts.
All application software is current and supported
This extends beyond the operating system to every installed application: web browsers, PDF readers, Office suites, Java, .NET runtimes, browser plugins, and any line-of-business software. Each must be a version that still receives security updates. That old copy of Office 2016, the legacy version of Adobe Reader, or the Java 8 runtime required by a vendor application are all potential failures. Inventory everything and check vendor support status.
Firmware on network devices is updated
Routers, firewalls, managed switches, wireless access points, printers, and any other network-connected device with firmware must be kept updated. This is frequently overlooked. Many organisations apply OS and application patches diligently but never check whether their router firmware is current. Log into every network device and check the firmware version against the manufacturer's latest release. Update where needed.
Unsupported software is removed or isolated
If an application or system cannot be updated because it has reached end of life and no supported replacement exists, it must be removed from the network or isolated so it cannot communicate with other systems or the internet. Simply accepting the risk is not sufficient for certification. Document any legacy systems, the business case for keeping them, and the specific isolation measures applied. The assessor will scrutinise these carefully.
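An added Python example (not the page's own code or an NCSC tool) that turns the Control 5 items into a repeatable fleet check against a constructed inventory: it flags unsupported operating systems and applications, high or critical patches not applied within 14 days of release, and devices the management console has not seen recently. All hostnames, software names, patch names and dates are constructed.

```python
"""Patch-management evidence check over a constructed fleet inventory, applying the Control 5
items above: supported OS versions, high/critical patches applied within 14 days of release,
unsupported applications, and devices the management console has not seen recently."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
AS_OF = date(2024, 6, 12)                  # fixed "today" for reproducible output (constructed)
PATCH_WINDOW = timedelta(days=14)          # high/critical patches must be applied within 14 days

@dataclass
class Patch:
    name: str
    severity: str                          # "critical", "high", "moderate", ...
    released: date
    installed: Optional[date] = None       # None: downloaded or pending, but not applied
@dataclass
class Software:
    name: str
    end_of_support: Optional[date]         # None: still receives vendor security updates
@dataclass
class Device:
    hostname: str
    os: Software
    apps: list = field(default_factory=list)
    patches: list = field(default_factory=list)
    last_seen: date = AS_OF                # last check-in with the management console

def patch_findings(dev: Device, as_of: date = AS_OF) -> list[str]:
    """Return findings for one device; an empty list means it passes every check."""
    findings = []
    if dev.os.end_of_support and dev.os.end_of_support <= as_of:
        findings.append(f"unsupported OS {dev.os.name} (support ended {dev.os.end_of_support})")
    for app in dev.apps:
        if app.end_of_support and app.end_of_support <= as_of:
            findings.append(f"unsupported application {app.name}: remove or isolate")
    for p in dev.patches:
        if p.severity not in ("critical", "high"):      # the 14-day clock applies to these only
            continue
        deadline = p.released + PATCH_WINDOW
        if p.installed is None and as_of > deadline:
            findings.append(f"{p.name} ({p.severity}) overdue since {deadline}, not installed")
        elif p.installed is not None and p.installed > deadline:
            findings.append(f"{p.name} ({p.severity}) installed {(p.installed - deadline).days} days late")
    if (as_of - dev.last_seen).days > 14:  # an offline device cannot be shown compliant
        findings.append(f"not seen by the console since {dev.last_seen}: compliance unverified")
    return findings

def compliance_report(fleet) -> dict[str, list[str]]:
    return {d.hostname: f for d in fleet if (f := patch_findings(d))}  # clean devices omitted
SUPPORTED_OS = Software("current-os (constructed)", None)
LEGACY_OS = Software("legacy-os (constructed)", date(2020, 1, 14))
OLD_PDF = Software("pdf-reader v9 (constructed)", date(2022, 3, 1))
FLEET = [  # constructed inventory
    Device("LAPTOP-01", SUPPORTED_OS, patches=[Patch("May-CU-A", "critical", date(2024, 5, 14), date(2024, 5, 20))]),
    Device("LAPTOP-02", SUPPORTED_OS, patches=[Patch("May-CU-B", "high", date(2024, 5, 14)), Patch("May-CU-D", "moderate", date(2024, 5, 14))]),
    Device("DESK-07", SUPPORTED_OS, apps=[OLD_PDF],
           patches=[Patch("May-CU-C", "critical", date(2024, 5, 21), date(2024, 6, 11))]),
    Device("SRV-LEGACY", LEGACY_OS, last_seen=date(2024, 5, 1)),
]
```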
Preparing for assessment day
Once you have worked through every item in this checklist, you are close to ready. But ‘close’ is not the same as ‘ready.’ The assessment is not just about having the right controls in place. It is about being able to demonstrate them clearly and confidently.
Gather your evidence before you apply. Configuration screenshots, policy documents, compliance reports from your MDM or endpoint protection dashboard, user account lists showing MFA status, patch compliance summaries. The assessment questionnaire will ask specific questions, and having evidence at hand makes the process faster and reduces the risk of second-guessing your own answers.
Consider running a mock assessment internally. Have someone who was not involved in the remediation work go through each control area and try to verify it independently. Fresh eyes catch things that the people who set it up overlook. If your internal review surfaces gaps, better to find them now than during the real assessment.
Allow enough time. Most organisations need between four and twelve weeks from initial gap analysis to being assessment-ready, depending on the size of their estate and the number of gaps found. Rushing the process leads to failed assessments, which means paying for reassessment and losing time.
“The checklist is the starting point, not the finish line. Cyber Essentials is a baseline. The real value is building the discipline of knowing your environment, maintaining it, and being able to prove it at any point in the year, not just on assessment day.”
Need help preparing for Cyber Essentials?
We help UK businesses prepare for and achieve Cyber Essentials and Cyber Essentials Plus certification. That includes scoping your environment, running a detailed gap analysis, supporting remediation work, and guiding you through the assessment process so there are no surprises.
If you have worked through this checklist and identified gaps you are not sure how to address, or if you want a professional assessment of your readiness before you apply, a readiness review takes around an hour and will tell you exactly where you stand.



