Cyber Essentials Checklist: What Your Business Needs to Pass
Cyber Essentials is a UK government-backed certification scheme designed to help organisations protect themselves against the most common cyber threats. It is increasingly required for government contracts and is a strong signal to clients and partners that your business takes security seriously.
The good news: Cyber Essentials is achievable for businesses of any size. It focuses on five technical controls that, when implemented correctly, defend against the vast majority of common attacks. This checklist covers what you need to have in place before you apply.
What is Cyber Essentials?
Cyber Essentials is a self-assessment certification. You complete a questionnaire describing how your organisation meets five technical controls, and an accredited certification body reviews your answers. There is also Cyber Essentials Plus, which includes a hands-on technical audit of your systems.
The scheme is managed by the National Cyber Security Centre (NCSC) and administered by IASME. Certification is valid for 12 months and must be renewed annually.
The five technical controls
Every question on the Cyber Essentials assessment maps to one of these five areas. Here is what each control requires and what you need to check.
1. Firewalls
Firewalls create a barrier between your internal network and external threats. Every device that connects to the internet must be protected by a correctly configured firewall.
Your checklist:
- [ ] A boundary firewall or router is in place between your network and the internet.
- [ ] Default admin passwords on firewalls and routers have been changed.
- [ ] Firewall rules only permit traffic that is needed for business purposes.
- [ ] Any inbound services that are not required have been disabled or blocked.
- [ ] Remote devices (laptops used outside the office) have a software firewall enabled.
- [ ] Firewall rules are documented and reviewed regularly.
Common pitfall: Many businesses have a firewall in place but have never reviewed the rules since it was installed. Assessors look for evidence that rules are actively managed, not just present.
2. Secure configuration
Devices and software should be configured to reduce vulnerabilities. Default settings are often insecure, and unused features create unnecessary attack surface.
Your checklist:
- [ ] Default passwords have been changed on all devices and software.
- [ ] Unnecessary user accounts (including guest accounts) have been removed or disabled.
- [ ] Auto-run and auto-play features are disabled.
- [ ] Screen lock activates after a short period of inactivity (15 minutes or less is recommended).
- [ ] Only necessary software is installed on each device.
- [ ] A standard build or configuration baseline exists for company devices.
Common pitfall: Forgotten accounts. Old employee accounts, test accounts, and vendor accounts that are still active are a frequent finding. Review your user list before applying.
3. Security update management
Known vulnerabilities in software are one of the most common ways attackers gain access. Keeping software up to date is one of the simplest and most effective defences.
Your checklist:
- [ ] Operating systems on all devices receive security updates within 14 days of release.
- [ ] Applications (browsers, email clients, office software) are updated within 14 days.
- [ ] Firmware on routers, firewalls, and other network devices is kept up to date.
- [ ] Software that is no longer supported by the vendor (end of life) has been removed or isolated.
- [ ] Automatic updates are enabled where possible.
- [ ] A process exists for tracking and applying updates that cannot be automated.
Common pitfall: End-of-life software. Running Windows 10 past its support date or using an old version of a business application that no longer receives patches will fail the assessment. Plan upgrades in advance.
4. User access control
Not everyone in your organisation needs access to everything. Access control ensures that people only have the permissions they need to do their job, and that admin accounts are properly protected.
Your checklist:
- [ ] Each user has their own individual account. No shared accounts for day-to-day work.
- [ ] Admin accounts are only used for administrative tasks, not for email or web browsing.
- [ ] Admin account passwords are strong and unique.
- [ ] User accounts only have the permissions needed for their role (least privilege).
- [ ] A process exists for removing or disabling accounts when staff leave.
- [ ] Multi-factor authentication (MFA) is enabled on admin accounts and cloud services.
- [ ] Password policies enforce a minimum length (at least 8 characters, 12 or more is recommended).
- [ ] Accounts lock or throttle after a set number of failed login attempts.
Common pitfall: Everyone being an admin. It is common in small businesses for all users to have local admin rights on their machines. This makes it much easier for malware to install itself and spread. Remove admin rights from day-to-day accounts wherever possible.
5. Malware protection
Your systems need protection against malware, whether through dedicated antivirus software, application control, or sandboxing.
Your checklist:
- [ ] Antivirus or anti-malware software is installed on all devices in scope.
- [ ] Antivirus definitions are set to update automatically (at least daily).
- [ ] Real-time scanning is enabled, checking files as they are opened or downloaded.
- [ ] Regular scans of the file system are scheduled.
- [ ] Users are prevented from running unapproved applications (if using an application allow-listing approach instead of antivirus).
- [ ] Email filtering is in place to block malicious attachments and links.
Common pitfall: Relying solely on Windows Defender without checking that it is actually active and updating. Verify that your antivirus is running, reporting, and receiving updates on every device.
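Most of the items in controls 1 to 5 can be measured on an endpoint rather than just ticked. The script below is an added example written for this page (not from NCSC, IASME or the checklist's authors) that spot-checks a single Windows device against the thresholds given above; it assumes Windows 10/11 with Windows PowerShell 5.1, Microsoft Defender, an elevated prompt, and a maximum of two local administrators, which is an assumption chosen here rather than a scheme requirement.

```powershell
# Cyber Essentials readiness spot-check for one Windows endpoint (added example,
# not from the checklist above or from NCSC/IASME). Assumes Windows 10/11,
# Windows PowerShell 5.1, Microsoft Defender and an elevated prompt. Read-only.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Control, $Check, [bool]$Pass, $Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Firewalls: the host firewall must be on for every profile (matters most for laptops used off-site).
$profiles = Get-NetFirewallProfile
Add-Check 'Firewall' 'Host firewall enabled on all profiles' (-not ($profiles | Where-Object { -not $_.Enabled })) (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' ')

# 2. Secure configuration: secure screen lock within 15 minutes (900 s), AutoPlay off for all drive types.
# Settings pushed by Group Policy live under the ...\Policies\... keys instead; adjust the paths if so.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = [int]$desk.ScreenSaveTimeOut
Add-Check 'Secure config' 'Screen lock <= 15 min' ($desk.ScreenSaverIsSecure -eq '1' -and $timeout -gt 0 -and $timeout -le 900) "timeout=${timeout}s secure=$($desk.ScreenSaverIsSecure)"
$autorun = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Check 'Secure config' 'AutoPlay disabled for all drive types' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun"

# 3. Security update management: at least one update installed within the last 14 days.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$fixAge = if ($lastFix) { ((Get-Date) - $lastFix.InstalledOn).Days } else { 9999 }
Add-Check 'Updates' 'Update installed within 14 days' ($fixAge -le 14) "last=$($lastFix.HotFixID) ${fixAge}d ago"

# 4. User access control: local admin membership, lockout threshold, minimum password length.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name)
Add-Check 'Access control' 'Local Administrators group is minimal (<= 2, assumed)' ($admins.Count -le 2) ($admins -join ', ')
$acct = net accounts
$lockout = [int](($acct | Select-String 'Lockout threshold').Line -replace '\D', '')   # "Never" parses as 0
$minLen = [int](($acct | Select-String 'Minimum password length').Line -replace '\D', '')
Add-Check 'Access control' 'Lockout after failed logins' ($lockout -gt 0) "threshold=$lockout"
Add-Check 'Access control' 'Minimum password length >= 8' ($minLen -ge 8) "minlength=$minLen"

# 5. Malware protection: Defender service running, real-time scanning on, signatures updated within a day.
$mp = Get-MpComputerStatus
Add-Check 'Malware' 'Defender service and real-time protection on' ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled) "AM=$($mp.AMServiceEnabled) RTP=$($mp.RealTimeProtectionEnabled)"
Add-Check 'Malware' 'Signatures updated within 1 day' ($mp.AntivirusSignatureAge -le 1) "age=$($mp.AntivirusSignatureAge)d"

$results | Format-Table Control, Check, Pass, Detail -AutoSize -Wrap
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

A non-zero exit code flags any failed check, so the script can be run from a management tool across the fleet and the output kept as the evidence assessors ask for; it checks one device, not the cloud services or network firewall rules that are also in scope.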
Scope: what is included in your assessment?
One of the most important decisions in your Cyber Essentials application is defining the scope. The scope includes all devices and software that can access the internet or handle business data. This typically covers:
- Desktops, laptops, and tablets
- Smartphones used for business email or data
- Servers (on-premises and cloud)
- Firewalls and routers
- Cloud services (Microsoft 365, Google Workspace, CRM systems, etc.)
You cannot exclude devices or services to make the assessment easier. If a device handles business data or connects to the internet, it is in scope.
Preparing for Cyber Essentials Plus
If you are going for Cyber Essentials Plus rather than the standard self-assessment, an assessor will physically or remotely test your systems. They will typically:
- Scan your external IP addresses for vulnerabilities.
- Check a sample of devices for patching, configuration, and antivirus status.
- Verify MFA is working on cloud accounts.
- Test that malware protection blocks known threats.
- Confirm that user accounts follow least-privilege principles.
Everything on the checklist above applies, but you also need to be confident that your controls are actually working, not just documented.
How long does certification take?
For a well-prepared business, the self-assessment questionnaire takes a few hours to complete. The certification body typically reviews and responds within a few working days.
The preparation work is where the real time investment lies. If your IT is already well-managed, you may only need minor adjustments. If you are starting from scratch, allow several weeks to implement the required controls, particularly around patching, access control, and firewall configuration.
Getting started
Cyber Essentials is one of the most practical things a UK business can do to improve its security posture. The five controls are not theoretical. They directly address the attack methods used in the majority of breaches.
If you are unsure whether your business is ready for certification, or you need help implementing the technical controls, get in touch. We help businesses across the UK prepare for and achieve Cyber Essentials and Cyber Essentials Plus certification as part of our compliance readiness solution.