The Cyber Essentials Checklist: What You Need Before You Apply
Before you book your assessment, walk through this Cyber Essentials checklist — five control areas, in plain English. You are probably closer than you think.
The short version
- Five control areas to prepare: A Cyber Essentials checklist covers firewalls, secure configuration, user access control, malware protection, and security update management — get each one tidy before you book your assessment.
- MFA is now mandatory: From the April 2026 update, multi-factor authentication on all cloud services is a requirement — missing it is an automatic fail, no matter how strong everything else is.
- Patch within 14 days: Critical and high-severity updates must be applied within 14 days of release. This catches more SMEs out than any other control, because it needs a named owner.
- You are closer than you think: Most SMEs already do much of this informally. Preparing means tidying and documenting what exists — not starting from zero.
So you have decided to go for Cyber Essentials. Maybe a contract demands it, a client keeps asking, or you simply want a credible baseline. Whatever the reason, the smartest first move is not to book the assessment. It is to work through a Cyber Essentials checklist first, so you know exactly where you stand before anyone is reviewing your answers.
This is that checklist. We will walk through all five control areas in plain English, flag the one change you cannot afford to miss, and help you tell the difference between “we basically do this” and “we can evidence this.” A quick reassurance before we start: most SMEs are closer than they feel. If you would like the full background on the scheme itself, our Cyber Essentials explained guide is the companion to this one.
Firewalls — what to check
Check that every device connecting to the internet sits behind a properly configured firewall, that default firewall passwords have been changed, and that you are not allowing inbound traffic you do not need.
A firewall is the barrier between your devices and the internet that decides what traffic gets through. You almost certainly already have one. Your office router has a boundary firewall, and Windows and macOS each ship with a software firewall built in. The job here is confirmation, not installation.
Run through this:
- Your boundary firewall (usually your internet router) is switched on, and its default administrator password has been changed to something strong and unique.
- The software firewall on each laptop and desktop is enabled. This matters for staff who work from home or coffee shops, where there is no office router protecting them.
- You are not opening up inbound access to your network unless there is a documented business reason for it.
None of this requires new kit for most small organisations. It is a tidy-up of what you have.
Secure configuration — what to check
Check that devices and accounts have been set up deliberately rather than left on factory defaults: no default passwords, no unnecessary software or accounts, and auto-run disabled.
Hardware and software arrive with default settings chosen for convenience, not security: default passwords, sample accounts, features switched on that you will never use. Secure configuration means you have gone through and closed what does not need to be open.
The practical checklist:
- Default passwords on devices and software have been changed.
- Unnecessary user accounts (test accounts, accounts for people who have left) are removed or disabled.
- Software you do not use has been uninstalled. Every extra application is another thing to keep patched.
- Auto-run and auto-play are disabled so a plugged-in USB stick cannot launch something automatically.
Where SMEs are pleasantly surprised
Tidying configuration is often closer to an afternoon's work than a project. Much of it is checking boxes that modern devices already tick by default. Your task is to confirm it, and to make a note that you did. The "make a note" part is what turns a quiet good habit into evidence you can show an assessor.
User access control + MFA — what to check (note the 2026 mandatory-MFA change)
Check that people only have the access they need, that leavers are removed promptly, that administrator accounts are used sparingly — and, crucially, that multi-factor authentication is switched on across all your cloud services.
This control area is about making sure the right people have the right access, and no more. It is also where the most important recent change to the scheme lives, so read this section carefully.
The 2026 change you must not miss. Following the April 2026 update to the scheme (which applies to assessment accounts created from late April 2026 onward), multi-factor authentication (a second login step beyond a password, such as a code from an app or a passkey) is mandatory on all cloud services where it is available. If a cloud service offers MFA and you have not turned it on, that is an automatic fail, regardless of how strong everything else is. The same update also makes clear that cloud services cannot be left out of your assessment scope. If you check one thing before you apply, check this.
The rest of the access control checklist:
- Every person has their own named account, with no shared logins.
- MFA is enabled on email and every cloud service that supports it (the new hard requirement above).
- Administrator accounts are reserved for genuine admin tasks; day-to-day work happens on standard accounts.
- A leaver’s access is removed promptly. This is a common gap, because offboarding often happens in a rush.
- You are using strong, unique passwords or, better still, passkeys where your services support them.
“MFA is the lock that closes the door most attackers try first. The 2026 change simply makes explicit what good practice already expected — so treat it as the headline item on your checklist, not a footnote.”
If you would like the full picture of where this control sits and how it differs from the audited version of the scheme, our guide to Cyber Essentials versus Cyber Essentials Plus covers it.
Malware protection — what to check
Check that every device has active, up-to-date malware protection, and that you know which approach you are relying on for each type of device.
Malware (malicious software, the umbrella term covering viruses, ransomware and spyware) needs active defence on every device in scope. The good news is that most modern devices come with capable protection built in; you mainly need to confirm it is switched on and current.
Work through this:
- Anti-malware protection is active on every laptop and desktop. For many SMEs this is the protection built into Windows or macOS, which is perfectly acceptable, kept switched on and updating automatically.
- On phones and tablets, you are relying on the device’s app store model and keeping the operating system current (the scheme recognises that mobile devices are protected differently from laptops).
- Nobody is in the habit of installing software from unknown sources or disabling protection “just to get something working.”
The aim is not a particular product. It is that something credible is running everywhere, and that it stays up to date on its own.
Security update management (patching) — what to check
Check that all your software and devices receive security updates, that critical and high-severity updates are applied within 14 days, and that someone is actually responsible for making sure this happens.
This is the control that catches the most SMEs off guard. It is not hard to understand. The problem is that keeping every device and application current across a whole team is genuinely ongoing work. Under the scheme, critical and high-severity updates must be installed within 14 days of release. (“Critical or high” broadly means a vulnerability scored 7 or above on the standard severity scale, or flagged as such by the vendor.)
Your checklist:
- Operating systems on all devices are set to update automatically, or someone applies updates promptly and on a schedule.
- Applications (browsers, office software, anything internet-facing) are updated within the 14-day window for critical and high-severity fixes.
- You are not running software that the vendor no longer supports with security updates; if you are, it needs replacing or removing from scope.
- Updates are applied across every device in scope, not just the ones you happen to think of. Assessors have flagged organisations applying fixes selectively, so consistency matters.
The single most useful thing you can do here is name an owner. “Everyone keeps their own laptop updated” tends to mean no one does. A named person, even part-time, turns patching from a hope into a process — and a missing process is never a single click.
How to use this checklist before you apply
Use the checklist as a dry run: go area by area, mark each item as confident, partly there, or a genuine gap, then close the quick wins and assign owners to the rest before you book your assessment.
The self-assessment questionnaire that an IASME-licensed assessor reviews follows these same five control areas. So the most valuable thing you can do is treat this checklist as a rehearsal. Answer it honestly to yourself first, with no one watching.
A simple way to work through it:
- Go area by area and mark each item one of three ways: confident (true and evidenced), partly there (true in practice but not consistent or documented), or genuine gap (not currently done).
- Close the quick wins now. Switching on MFA, changing a default password, enabling automatic updates: many of these are short tasks you can complete in an afternoon. Build the firewall posture, tidy the configuration.
- Assign owners to the rest. Patching and access reviews are not one-off fixes; they are ongoing responsibilities that need a named person. Be honest about target dates rather than pretending the work is done.
- Write down what you find. Cyber Essentials is as much about being able to evidence your controls as having them. A short record of what you checked and when is exactly what makes the assessment straightforward.
There is an honesty point worth holding onto here, the same one that runs through every good security questionnaire: saying you are secure and actually being secure are not the same thing. Marking a gap honestly and giving it an owner protects your business far better than ticking a box you cannot stand behind. It also means the certificate, when it comes, reflects something real. If you want a sense of the time and money involved in the assessment itself, our Cyber Essentials cost guide breaks it down.
Work through these five areas and you will know, before you spend a penny on assessment, whether you are a few days away or a few weeks away. Either answer is useful. Vague dread is not.
SecurSentry is launching soon to help UK SMEs work through Cyber Essentials: mapping the five control areas to exactly what your business needs, guiding you as you close the gaps, and carrying that effort forward to every questionnaire and certification that follows. Join the waitlist to be among the first to know when we open, and to get the downloadable version of this checklist first.
This article is general information, not legal or compliance advice. Requirements vary by organisation and context, and the scheme is updated periodically; always check the current requirements with IASME or an approved assessor, and seek qualified professional guidance where in doubt.