Cyber Essentials is one of the most recognised cyber security certifications for UK businesses. It helps organisations demonstrate that they have basic technical controls in place to protect against common online threats.
However, many businesses start the application without realising how much information they need to gather first. Cyber Essentials is not just a quick tick-box form. You need to understand your devices, users, cloud services, firewall settings, software updates, passwords and malware protection before submitting your answers.
This Cyber Essentials checklist is designed to help you prepare before starting your self-assessment.
What is a Cyber Essentials checklist?
A Cyber Essentials checklist is a preparation tool that helps you review the main areas covered by the assessment. It does not replace the official questionnaire, but it can help you collect the information you need, identify weak points and avoid delays during the certification process.
The main areas to check are:
- Your organisation and certificate details
- The scope of your assessment
- Firewalls and internet boundaries
- Secure configuration of devices and cloud services
- Security update management
- User access control
- Password-based authentication
- Malware protection
- Final approval and evidence
1. Confirm your organisation details
Before looking at the technical controls, make sure the business information is correct. This includes your legal organisation name, company type, registration number, registered address, operational addresses and employee count.
You should also confirm whether the assessment covers one legal entity or multiple entities. If other companies, subsidiaries or trading entities are included, they must be clearly recorded and must share the same IT infrastructure and management arrangements.
At this stage, it is also worth confirming whether this is a first-time application or a renewal, why you are applying and who inside the business will approve the final answers.
2. Define the scope of the assessment
Scope is one of the most important parts of Cyber Essentials. You need to be clear about what is included in the certification.
For many small businesses, the scope will be the whole organisation. For larger or more complex businesses, the scope may only cover part of the organisation. If you are certifying only part of the business, excluded networks must be properly separated, normally using a firewall or VLAN.
Your scope should include the devices and services that access your organisation’s data or services, including:
- Laptops and desktops
- Servers and virtual servers
- Mobile phones and tablets
- Firewalls and routers
- Cloud services
- Remote workers
- Business social media accounts
- BYOD devices used for work data
Cloud services are often missed. Services such as Microsoft 365, Google Workspace, Dropbox, Xero, CRM platforms, hosted servers and business social media accounts should all be considered if they store or process business data.
3. Check your firewalls
Cyber Essentials requires devices to be protected by correctly configured firewalls. This includes physical firewalls and routers at the office, as well as software firewalls on laptops, desktops and servers.
Your firewall checklist should include:
- Firewalls are in place between business networks and the internet
- Software firewalls are enabled on all laptops, desktops and servers
- Default router and firewall passwords have been changed
- Firewall administrator passwords are strong and properly managed
- Firewall rules are reviewed at least annually
- Inbound connections are blocked by default
- Any allowed inbound connections have a documented business reason
- External access to firewall administration is disabled unless there is a clear need
- Where external firewall administration is allowed, it is protected using MFA or trusted IP restrictions
A common issue is old firewall rules being left in place after they are no longer needed. These should be reviewed and removed.
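The following script is an added example, not part of the original checklist, for gathering firewall evidence from a Windows device before you answer this section. It reports whether each Windows Defender Firewall profile is enabled with inbound connections blocked by default, then exports every enabled inbound allow rule so each one can be justified or removed. The cmdlets are standard NetSecurity module cmdlets; the function name and the CSV path are assumptions for this example. Run it in an elevated PowerShell session on each in-scope laptop, desktop and server.

```powershell
# Added example (not part of the original checklist): firewall profile state and
# inbound allow rules for a Cyber Essentials review. Run elevated.

function Get-CeFirewallReport {
    # Each profile (Domain, Private, Public) should be enabled and block inbound by default.
    $profiles = Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = ($_.Enabled -eq 'True')
            DefaultInbound = [string]$_.DefaultInboundAction
            Compliant      = ($_.Enabled -eq 'True' -and $_.DefaultInboundAction -eq 'Block')
        }
    }

    # Every enabled inbound allow rule needs a documented business reason.
    $allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name     = $_.DisplayName
                Profile  = [string]$_.Profile
                Protocol = [string]$port.Protocol
                Port     = [string]$port.LocalPort
                Program  = $app.Program
            }
        }

    [pscustomobject]@{
        Profiles          = $profiles
        InboundAllowRules = $allowRules
        AllProfilesOk     = -not ($profiles | Where-Object { -not $_.Compliant })
    }
}

$report = Get-CeFirewallReport
$report.Profiles | Format-Table -AutoSize
# Export the rule list as the evidence note for the assessment (output path is an assumption).
$report.InboundAllowRules | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\ce-inbound-rules.csv"
"Inbound allow rules to justify or remove: $($report.InboundAllowRules.Count)"
```

Rules that allow inbound traffic on the Public profile deserve the closest look, because that is the profile applied on home and public Wi-Fi used by remote workers. Rules for software that has since been uninstalled are the stale entries the paragraph above warns about.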
4. Review secure configuration
Secure configuration means making sure your devices, services and cloud platforms are set up safely. Default settings are not always secure, and many systems include unnecessary services, accounts or features.
Your secure configuration checklist should include:
- Unused software is removed
- Unnecessary services are disabled
- Guest accounts and unused accounts are removed or disabled
- Default passwords are changed
- Users authenticate before accessing business data
- External services are protected against brute-force attacks
- Auto-run features are disabled where they allow files to execute without permission
- Devices lock when not in use
- Mobile devices use suitable unlock methods such as PIN, password or biometrics
This section is especially important for businesses using a mixture of company-owned and employee-owned devices.
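As an added example that is not part of the original checklist, the script below checks several of the secure configuration items above on a Windows device: that the Guest account is disabled, that AutoRun is switched off for all drive types, that an inactivity lock is enforced, and which TCP ports are listening so unnecessary services can be identified. The registry paths are the standard Windows policy locations; the 15-minute lock threshold and the function name are assumptions for this example.

```powershell
# Added example (not part of the original checklist): secure configuration checks
# for a Windows device. Run elevated so all registry keys and processes are visible.

function Get-CeSecureConfigReport {
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue

    # NoDriveTypeAutoRun = 255 (0xFF) disables AutoRun on every drive type.
    $autorun = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue

    # InactivityTimeoutSecs is the machine inactivity limit; 0 or missing means no forced lock.
    $lock = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
    $timeout = if ($lock) { [int]$lock.InactivityTimeoutSecs } else { 0 }
    $maxIdle = 900   # assumed target for this example: lock within 15 minutes

    # Listening TCP ports with their owning process, for the "unnecessary services" review.
    $listeners = Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            [pscustomobject]@{
                Port    = $_.LocalPort
                Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }

    [pscustomobject]@{
        GuestDisabled   = ((-not $guest) -or (-not $guest.Enabled))
        AutoRunDisabled = ([bool]$autorun -and $autorun.NoDriveTypeAutoRun -eq 255)
        LockTimeoutSecs = $timeout
        LockEnforced    = ($timeout -gt 0 -and $timeout -le $maxIdle)
        ListeningPorts  = $listeners
    }
}

$r = Get-CeSecureConfigReport
$r | Select-Object GuestDisabled, AutoRunDisabled, LockTimeoutSecs, LockEnforced | Format-List
$r.ListeningPorts | Format-Table -AutoSize
```

Devices managed through Intune or Group Policy may set the same values under other keys (for example the screen saver settings under HKCU), so treat a false result as a prompt to check where the setting is actually applied rather than as a definite failure.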
5. Keep software and devices updated
Security update management is one of the areas where businesses often fail Cyber Essentials. You need to ensure that all in-scope software, operating systems and firmware are supported and receiving security updates.
Your update checklist should include:
- Operating systems are supported
- Router and firewall firmware is supported
- Software applications are licensed and supported
- Unsupported applications are removed
- Browsers are listed with versions
- Email applications are listed with versions
- Office applications are listed with versions
- Malware protection software is listed with versions
- High-risk or critical security updates (vulnerabilities with a CVSS v3 score of 7.0 or above, or flagged as high or critical by the vendor) are installed within 14 days of release
- Automatic updates are enabled where possible
- Where automatic updates are not used, there is a documented update process
If your business is still using unsupported software, it should either be removed or moved out of scope using a properly segregated network with no internet access.
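The script below is an added example, not part of the original checklist, that produces the inventory this section asks for from a Windows device: the operating system version, installed applications with their versions (so browsers, email and office applications can be listed), the most recent hotfix date, and any Windows updates that are still pending more than 14 days after release. It uses the Windows Update Agent COM API (Microsoft.Update.Session), which is the same interface Windows Update itself uses. The function name and the application name filter at the end are assumptions for this example; Microsoft's "Important" rating is used alongside "Critical" because it usually covers the CVSS 7.0+ fixes the 14-day rule applies to.

```powershell
# Added example (not part of the original checklist): software inventory and
# pending-update check for Cyber Essentials update management evidence.

function Get-CeUpdateReport {
    $os = Get-CimInstance Win32_OperatingSystem

    # Installed applications from the 64-bit, 32-bit and per-user uninstall hives.
    $apps = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    ) | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique

    # Pending updates reported by Windows Update, with days since they were published.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates |
        ForEach-Object {
            [pscustomobject]@{
                Title    = $_.Title
                Severity = $_.MsrcSeverity          # Critical / Important / Moderate / Low / blank
                DaysOpen = [int]((Get-Date) - $_.LastDeploymentChangeTime).TotalDays
            }
        }

    # The 14-day window is the Cyber Essentials requirement for high/critical fixes.
    $overdue = $pending | Where-Object {
        $_.Severity -in @('Critical', 'Important') -and $_.DaysOpen -gt 14
    }

    [pscustomobject]@{
        OS             = "$($os.Caption) $($os.Version)"
        LastHotfix     = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
        Applications   = $apps
        PendingUpdates = $pending
        OverdueUpdates = $overdue
    }
}

$r = Get-CeUpdateReport
"$($r.OS); last hotfix installed $($r.LastHotfix)"
# Browser, email and office versions for the questionnaire (name filter is an assumption).
$r.Applications | Where-Object { $_.DisplayName -match 'Chrome|Edge|Firefox|Office|Outlook|Thunderbird|365' } |
    Format-Table -AutoSize
$r.OverdueUpdates | Format-Table -AutoSize
"Overdue high/critical updates: $($r.OverdueUpdates.Count)"
```

The update search can take a minute or two and needs the Windows Update service to be reachable. The script tells you what is pending; it does not tell you whether an operating system is still supported, so the OS version it prints still has to be checked against the vendor's published end-of-support dates.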
6. Control user access
Cyber Essentials expects businesses to control who has access to systems and data. Users should have unique accounts, and permissions should be limited to what they need for their role.
Your user access checklist should include:
- New user accounts are approved before creation
- Accounts are not shared
- Leaver accounts are disabled or deleted promptly
- Permissions are reviewed when people change roles
- Users only have access to what they need
- Administrator access is formally approved
- Administrator accounts are tracked
- Administrator access is reviewed regularly
Administrator accounts should not be used for everyday work such as browsing the web or accessing email. Admin accounts should be separate and used only when administrative tasks are required.
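As an added example that is not part of the original checklist, the script below lists the members of the local Administrators group and every local account with its last logon, flags enabled accounts that have not been used for 90 days as leaver candidates, and reports whether the account you are currently signed in with holds administrator rights. The membership test uses the well-known SID S-1-5-32-544 (BUILTIN\Administrators) rather than an elevation check, so it gives the right answer even in a non-elevated session. The 90-day threshold and the function name are assumptions for this example; run it as the account normally used for day-to-day work.

```powershell
# Added example (not part of the original checklist): local administrator and
# account review for Cyber Essentials user access control.

function Get-CeAccessReport {
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource

    $accounts = Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Enabled   = $_.Enabled
            LastLogon = $_.LastLogon
            IsAdmin   = ($admins.Name -contains "$env:COMPUTERNAME\$($_.Name)")
        }
    }

    # Enabled accounts unused for 90 days (assumed threshold) are likely leavers.
    $stale = $accounts | Where-Object {
        $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt (Get-Date).AddDays(-90)
    }

    # S-1-5-32-544 is BUILTIN\Administrators; it appears in the token's groups even
    # when UAC has not elevated the session, so this tests membership, not elevation.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $currentIsAdmin = ($identity.Groups.Value -contains 'S-1-5-32-544')

    [pscustomobject]@{
        Administrators       = $admins
        LocalAccounts        = $accounts
        StaleEnabledAccounts = $stale
        CurrentUser          = $identity.Name
        CurrentUserIsAdmin   = $currentIsAdmin   # should be False for a daily-use account
    }
}

$r = Get-CeAccessReport
$r.Administrators | Format-Table -AutoSize
$r.StaleEnabledAccounts | Format-Table Name, LastLogon -AutoSize
"Signed in as $($r.CurrentUser); holds local admin rights: $($r.CurrentUserIsAdmin)"
```

If the last line reports True for the account someone uses for email and browsing, that is exactly the situation the paragraph above says to avoid: give that person a separate standard account for daily work and keep the administrator account for administrative tasks only. On Microsoft 365 tenants the same review applies to Global Administrator and other privileged roles in Entra ID.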
7. Check passwords and MFA
Where passwords are used, they need to be protected from guessing attacks and managed using suitable technical controls.
Your password checklist should include:
- Multi-factor authentication is used where possible
- Passwords are protected against brute-force attacks
- Systems use account lockout (no more than 10 failed attempts), throttling (no more than 10 guesses in 5 minutes) or MFA
- Password length rules meet Cyber Essentials expectations: at least 12 characters, or at least 8 characters where a deny list of common passwords or MFA is in place
- Common passwords are blocked where applicable
- Staff are encouraged to use unique passwords
- Password managers are encouraged where suitable
- Passwords are changed quickly if compromise is suspected
For cloud services such as Microsoft 365, MFA is one of the most important controls to review.
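The script below is an added example, not part of the original checklist, that reads the local password length and lockout settings from the built-in `net accounts` command and compares them with the Cyber Essentials thresholds: lockout within 10 failed attempts (or throttling to 10 guesses in 5 minutes) and a 12-character minimum, or 8 characters where a deny list or MFA is used. The function name is an assumption, and the parsing assumes English-language Windows output; on domain-joined devices the values shown are the policy actually applied to the device.

```powershell
# Added example (not part of the original checklist): local password and lockout
# policy compared with Cyber Essentials expectations.

function Get-CePasswordPolicyReport {
    $text = net accounts 2>$null

    # Pull the trailing number from a labelled line; 'Never' or a missing line yields $null.
    $get = {
        param($label)
        $line = $text | Where-Object { $_ -like "$label*" } | Select-Object -First 1
        if ($line -and $line -match '(\d+)\s*$') { [int]$matches[1] } else { $null }
    }

    $minLength = & $get 'Minimum password length'
    $threshold = & $get 'Lockout threshold'
    $window    = & $get 'Lockout observation window'

    [pscustomobject]@{
        MinimumLength        = $minLength
        LockoutThreshold     = $threshold
        LockoutWindowMinutes = $window
        # 12+ characters satisfies the requirement on its own; 8+ is acceptable only
        # alongside a deny list of common passwords or MFA, which this check cannot see.
        LengthOk             = ($minLength -ge 12)
        LengthOkWithMfa      = ($minLength -ge 8)
        LockoutOk            = ($threshold -ge 1 -and $threshold -le 10)
    }
}

Get-CePasswordPolicyReport | Format-List
```

A lockout threshold of 0 (shown as "Never") fails the brute-force requirement unless the device relies on another control such as MFA. For Microsoft 365 the equivalent settings live in Entra ID, where smart lockout and the banned password list are tenant-wide and MFA is normally enforced through Conditional Access or security defaults rather than per device.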
8. Confirm malware protection
All in-scope devices need an active malware protection mechanism. For most organisations, this will include anti-malware software on laptops and desktops, plus app-store or application control on mobile devices.
Your malware protection checklist should include:
- Anti-malware software is installed where required
- Anti-malware updates automatically
- Malware is prevented from running when detected
- Malicious code execution is blocked
- Web protection warns users about malicious websites
- Users cannot install unsigned applications where app control is used
- There is a maintained list of approved applications
- Employee-owned devices used for work are also covered
Microsoft Defender may be suitable for many Windows environments, but the important point is that it must be active, updated and correctly configured.
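As an added example that is not part of the original checklist, the script below checks the points above for Microsoft Defender Antivirus on a Windows device: that the service and real-time protection are running, that signatures are current, that potentially unwanted applications are blocked rather than merely audited, and that cloud-delivered and network protection are enabled so connections to known malicious sites are blocked. Property names are those returned by Get-MpComputerStatus and Get-MpPreference; the one-day signature age limit and the function name are assumptions for this example.

```powershell
# Added example (not part of the original checklist): Microsoft Defender status
# check for Cyber Essentials malware protection evidence.

function Get-CeMalwareReport {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    $checks = [ordered]@{
        ServiceRunning     = $status.AMServiceEnabled
        RealTimeProtection = ($status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring)
        BehaviorMonitoring = $status.BehaviorMonitorEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignaturesFresh    = ($status.AntivirusSignatureAge -le 1)   # days; assumed limit
        PUABlocked         = ($pref.PUAProtection -eq 1)             # 0 off, 1 block, 2 audit
        CloudProtection    = ($pref.MAPSReporting -ne 0)             # 0 disabled
        NetworkProtection  = ($pref.EnableNetworkProtection -eq 1)   # 0 off, 1 block, 2 audit
    }

    # Overall result considers only the true/false checks, not the version string.
    $failed = $checks.GetEnumerator() | Where-Object { $_.Value -is [bool] -and -not $_.Value }
    $checks['AllPassed']    = -not $failed
    $checks['FailedChecks'] = @($failed | ForEach-Object { $_.Key })
    [pscustomobject]$checks
}

Get-CeMalwareReport | Format-List
```

If a third-party product is in use instead of Defender, Get-MpComputerStatus will typically show AMServiceEnabled as False with Defender in passive mode, and the equivalent evidence has to come from that product's own console. Either way, the questionnaire is answered per device, so the check needs to be run across the whole in-scope estate, including employee-owned laptops used for work.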
9. Complete a final review before submission
Before submitting the official assessment, review everything again. Make sure your answers are accurate, your scope is clear and any known gaps have been fixed.
Final checks should include:
- All devices and cloud services are included
- Remote workers are accounted for
- Firewall rules have been reviewed
- Unsupported software has been removed or properly segregated
- Security updates are applied within the required timeframe
- Administrator accounts are tracked and reviewed
- MFA and password controls are in place
- Malware protection is active
- Evidence and notes are ready
- A Board level representative, business owner or equivalent is ready to approve the answers
Download our Cyber Essentials checklist
To make the process easier, we have created a downloadable Cyber Essentials checklist that you can use before starting your self-assessment.
Use it to record devices, cloud services, firewall rules, software versions, update processes, user access controls and remediation actions.
Cyber Essentials is not just a one-off checklist
A Cyber Essentials checklist is a useful starting point, but certification should not be treated as a once-a-year tick-box exercise. To stay compliant, your business should have repeatable processes that are followed throughout the year.
For example, it is not enough to say that new user accounts are approved before they are created. You should also be able to show who approves new accounts, how access levels are decided, when the user gains access, and how that approval is recorded.
The same applies to leavers, administrator access, software updates, firewall changes and cloud services. Each area should have a simple process, an owner and evidence that the process is being followed.
This does not mean every small business needs complex paperwork. However, you should be able to demonstrate that your security controls are maintained on an ongoing basis, not only checked just before the Cyber Essentials assessment is submitted.
What applications or services do I need for Cyber Essentials?
Cyber Essentials does not require you to buy one specific security product or use a particular brand of software. Instead, it looks at whether your organisation has the right security controls in place across your devices, accounts, networks and cloud services.
That means the applications and services you need will depend on how your business works. A small business using Microsoft 365, laptops and a business router may need a very different setup to a company with servers, remote workers, multiple offices and specialist software.
As a starting point, we always recommend companies have a reliable solution for patch management, device protection and password management at the minimum. For more complete coverage, we recommend Email Threat Protection, and IT security training for your employees.
Need help preparing for Cyber Essentials?
Preparing for Cyber Essentials can be time-consuming, especially if you are unsure whether your devices, Microsoft 365 setup, firewall rules, remote working arrangements or security policies meet the requirements.
Globe2 can help you review your current setup, identify gaps and put practical controls in place before you submit your application. We can support with Microsoft 365 security, MFA, endpoint protection, firewall reviews, patching processes, user access controls and wider IT security improvements.
As a Cyber Essentials certified business and the winner of the HSBC & FSB East Midlands Micro Business Award 2026, we are in the perfect position to help get your business ready for Cyber Essentials. Speak to Globe2 or visit our IT Support & Security page.