Cyber Essentials Checklist
Not sure what you need to pass Cyber Essentials? This is a plain-English breakdown of the five controls your business needs to get certified — what they mean, what’s actually required, and where most companies get caught out. Whether you’re going for basic Cyber Essentials or Cyber Essentials Plus, this checklist covers both.
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme run by the National Cyber Security Centre (NCSC). It's designed to help businesses protect themselves against the most common cyber attacks — the kind that account for the majority of breaches in the UK.
The certification focuses on five technical controls that every business should have in place. It's not about having a massive security budget — it's about getting the basics right. For many SMEs, it's also a requirement for winning government contracts and proving to clients that you take data security seriously.
There are two levels: Cyber Essentials (self-assessment) and Cyber Essentials Plus (independent audit). Both cover the same five controls, but Plus includes hands-on testing by a certified assessor.
Cyber Essentials Checklist for UK Business Certification
Firewall
Every device that connects to the internet needs to sit behind a properly configured firewall. This means setting up boundary firewalls and internet gateways, closing unnecessary ports, changing default admin passwords, and making sure only authorised traffic gets through. If your team works remotely, their devices need software firewalls too.
Secure Configuration
Devices and software should never run with default settings. You need to remove unnecessary accounts, rename or disable default admin accounts, and turn off features and services you don’t use. Every laptop, phone, server, and router in scope needs to be locked down before it connects to your network.
User Access Control
Only give people access to what they actually need. Admin accounts should be separate from day-to-day accounts and only used for admin tasks. You need a process for creating, approving, and removing user accounts — especially when someone leaves the company. Multi-factor authentication is required for all cloud services and remote access.
Malware Protection
You need active malware protection on every device in scope. This means antivirus or endpoint protection that’s kept up to date, configured to scan files automatically, and set to prevent connections to malicious websites. If you’re using application whitelisting instead of traditional antivirus, that’s also accepted.
Security Updates
All software and operating systems must be kept up to date. Critical and high-risk patches need to be applied within 14 days of release. Anything that’s no longer supported by the vendor — like old versions of Windows or outdated plugins — must be removed. No exceptions.
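The 14-day patch window and the "no unsupported software" rule above are easy to state but easy to lose track of across a fleet. As an added illustration (not code from the page or from any certification body), the following script checks a constructed software inventory against exactly those two rules; the asset names, dates and severities are hypothetical sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_WINDOW = timedelta(days=14)      # the page's 14-day rule
SLA_SEVERITIES = {"critical", "high"}  # severities that rule applies to

@dataclass
class Asset:
    """One installed product; the patch fields describe its newest unapplied fix."""
    name: str
    vendor_supported: bool
    patch_severity: Optional[str] = None   # "critical", "high", "medium" or "low"
    patch_released: Optional[date] = None  # vendor release date of that fix

def check_asset(asset: Asset, today: date) -> Optional[str]:
    """Return a finding text if the asset fails the control, else None."""
    if not asset.vendor_supported:
        return "unsupported by vendor: remove or replace"
    if asset.patch_released is None or asset.patch_severity is None:
        return None  # nothing pending
    if asset.patch_severity.lower() not in SLA_SEVERITIES:
        return None  # medium/low fixes fall outside the 14-day rule
    overdue = today - asset.patch_released - PATCH_WINDOW
    if overdue > timedelta(0):
        return f"{asset.patch_severity} patch is {overdue.days} day(s) past the 14-day window"
    return None

def check_inventory(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Run check_asset over an inventory; returns (asset name, finding) pairs."""
    findings = []
    for asset in assets:
        finding = check_asset(asset, today)
        if finding:
            findings.append((asset.name, finding))
    return findings

# Constructed sample inventory: hypothetical products and dates, not real data.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Asset("Office suite", True, "high", date(2024, 5, 10)),    # 22 days old: overdue
    Asset("PDF reader", True, "critical", date(2024, 5, 25)),  # 7 days old: inside window
    Asset("CMS plugin", True, "medium", date(2024, 3, 1)),     # medium: not in scope of rule
    Asset("Legacy OS", False),                                  # out of vendor support
]

if __name__ == "__main__":
    for name, finding in check_inventory(SAMPLE_INVENTORY, TODAY):
        print(f"{name}: {finding}")
```

Feeding it a real inventory export means only replacing SAMPLE_INVENTORY; the two rules themselves stay as the page states them.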
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials is a self-assessment. You fill in a questionnaire about your technical controls, an accredited body reviews your answers and runs an external vulnerability scan, and if everything checks out you get certified.
It’s quicker, cheaper, and enough for most businesses that need to demonstrate basic security compliance.
Cyber Essentials Plus goes further. An independent assessor visits your site (or connects remotely) and runs hands-on tests — checking your devices, simulating phishing emails, verifying that patching is actually up to date, and testing whether your firewall rules work the way you say they do. It’s more thorough and carries more weight with clients and partners.
Most companies start with basic Cyber Essentials and move to Plus once they’re confident everything is in order. If you’re bidding for government contracts or handling sensitive client data, Plus is usually what’s expected.
Step-by-Step Guide to Cyber Essentials & Plus Certification
1. Readiness Assessment
2. Certification Support
3. Cyber Essentials Plus Audit
Frequently Asked Questions
The certification fee itself is relatively low — typically under £500 for basic Cyber Essentials. The real cost depends on how much remediation your systems need before you can pass. We’ll give you a clear picture after the readiness assessment.
If your systems are already in good shape, basic Cyber Essentials can be done in a couple of weeks. If there are gaps to fix, allow four to six weeks. Cyber Essentials Plus takes a bit longer because of the independent audit.
Yes. Cyber Essentials certification is valid for 12 months. You’ll need to reassess annually, but if you’re maintaining your controls properly, renewal is straightforward.
It’s not a legal requirement for private businesses, but it is mandatory for most UK government contracts involving sensitive data. Many larger companies also require it from their suppliers as part of due diligence.
Cyber Essentials covers five basic technical controls — it’s a starting point. ISO 27001 is a full information security management system covering policies, risk management, and processes. Many businesses start with Cyber Essentials and work towards ISO 27001 over time.
Get Cyber Essentials Certified Without the Stress
Not sure if you'd pass today? We'll assess your setup, tell you exactly what needs fixing, and guide you through the whole certification process. No jargon, no surprises.