The Cyber Essentials checklist is a five-point set of practical controls that helps UK small and medium organisations prepare for Cyber Essentials or Cyber Essentials Plus certification, and those controls are required for certification under the IASME-run, National Cyber Security Centre (NCSC)-backed scheme. The checklist maps to the IASME Consortium questionnaire and NCSC guidance, and both the ENISA threat environment 2025 and the GOV.UK Cyber Security Breaches Survey 2025 highlight inventory, patching and user controls as frequent gaps for UK organisations.
- Key: A five-point cyber essentials checklist mapped to IASME and National Cyber Security Centre (NCSC) guidance to help UK SMEs prepare for Cyber Essentials or Cyber Essentials Plus.
- Top priority: Close open management ports, improve patching and enforce multi-factor authentication for remote access, as highlighted by the NCSC Annual Review 2025.
- Audit traps: Default firewall rules, shared admin accounts and missing patch records commonly lead to assessment failures, consistent with NCSC guidance and the ENISA threat environment 2025.
- Effort: Plan work around asset complexity and backlog; the GOV.UK Cyber Security Breaches Survey 2025 highlights inventory and patching as frequent gaps.
- Support: In our experience, targeted CyPro checks and concise evidence packs reduce rework and speed certification.
🔎 Why this Cyber Essentials checklist, who it is for and how we picked items
This Cyber Essentials checklist targets UK small and medium organisations preparing for Cyber Essentials or Cyber Essentials Plus certification, procurement asks, or basic cyber hygiene reviews. We picked items from the IASME Consortium scheme requirements, National Cyber Security Centre (NCSC) guidance and recurring audit failures we see in client engagements.
A tight Cyber Essentials checklist focuses on five implementable controls aligned to IASME and NCSC guidance, which covers most audit failures we see in UK organisations.
Selection criteria
We selected checklist items that directly map to the IASME Consortium questionnaire and the NCSC Cyber Essentials guidance, emphasising controls that auditors test in Cyber Essentials Plus. The IASME Consortium defines the certification requirements, and the National Cyber Security Centre supplies practical implementation guidance and testable controls (NCSC, 2025).
Why these items matter
The ENISA threat environment 2025 report highlights phishing, credential theft and unpatched software as top threats, so our checklist prioritises email defences, patching and endpoint controls. The Cyber Security Breaches Survey 2025 also shows many UK firms still lack basic patching and access controls, which auditors commonly flag.
Scope: What we include and exclude
This checklist covers the baseline technical and policy items needed to pass Cyber Essentials and prepares organisations for Cyber Essentials Plus remote tests. We exclude advanced controls such as full Security Operations Centre (SOC) monitoring, Extended Detection and Response (XDR) deployments and third-party penetration testing, because those sit beyond the scheme scope and are covered by separate CyPro services.
How we validated the list
We cross-checked our checklist against CyPro audit logs from recent client assessments and against NCSC and IASME guidance to ensure each item is both testable and practical for SMBs. In our experience, focusing on the five IASME-tested areas reduces common failures and lowers rework during certification.
🔒 1. Firewalls and boundary protection

Firewalls and boundary protection are the basic network controls that stop unauthorised traffic at site edges and between trust zones, and they are a required part of the Cyber Essentials checklist for IASME and National Cyber Security Centre (NCSC) assessments.
What the control is
A firewall is hardware or software that filters network traffic according to rules you set, and boundary protection covers segmentation, gateway controls and secure routing. The NCSC expects demonstrable controls on inbound and outbound traffic plus an asset inventory showing what each rule protects. The NCSC Annual Review 2025 highlights boundary controls as a foundational defence for small and medium organisations (NCSC, 2025).
Common configuration failings and simple checks
Common failings we see in pre-certification audits are default permit rules left active, management interfaces exposed to the internet, and overly permissive outbound rules. Practical checks to include on your Cyber Essentials checklist are: Confirm no management ports (for example RDP or SSH) are open to the internet, ensure only required application ports are allowed, and map each rule to an owner and business justification. The ICO data security incident datasets are a useful cross-check when prioritising internet-exposed services for mitigation (ICO data, 2025).
Hardware versus software firewalls and recommended ports
Use hardware or virtual perimeter firewalls at site or cloud boundaries and host-based software firewalls on endpoints; both layers are expected for a pass on IASME or Cyber Essentials Plus. Block inbound RDP (TCP 3389) and SMB (TCP 445) from the internet, restrict SSH (TCP 22) to specific management IPs, and prefer NAT plus stateful inspection for remote access. For small offices a single UTM or next-generation firewall usually meets requirements, while mid-market sites commonly need segmentation between user, server and admin zones.
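The three checks above (no management ports open to the internet, SSH limited to management IPs, every permit rule tied to an owner and justification) can be run over a rule export before the assessor does. The script below is an added example and not CyPro's or the scheme's own tooling; the `Rule` record, the approved management range (TEST-NET-3) and the sample rule set are constructed for illustration, so a real firewall export needs a small adapter into `Rule` first.

```python
"""Review an exported firewall rule set against the checks in this section.

Added example: the Rule type, the approved management range and the sample
rule set are constructed; a real firewall export needs an adapter into Rule.
"""
from dataclasses import dataclass
import ipaddress

# Services the checklist says must not be reachable from the internet.
BLOCKED_FROM_INTERNET = {3389: "RDP", 445: "SMB"}
SSH_PORT = 22
# Management ranges from which SSH may be allowed (assumed; TEST-NET-3 here).
ALLOWED_MGMT_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    direction: str        # "in" (towards the site) or "out" (leaving the site)
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dst_port: str         # "any" or a TCP port number as a string
    owner: str = ""       # person or team accountable for the rule
    justification: str = ""


def internet_reachable(cidr: str) -> bool:
    """True unless the range sits wholly inside one RFC 1918 private block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(private) for private in RFC1918)


def audit_rules(rules):
    """Return (rule name, finding) pairs for each allow rule that fails a check."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules expose nothing; only permits are reviewed
        # Every permit rule should map to an owner and a business justification.
        if not r.owner.strip() or not r.justification.strip():
            findings.append((r.name, "no owner or business justification recorded"))
        src = ipaddress.ip_network(r.src, strict=False)
        dst = ipaddress.ip_network(r.dst, strict=False)
        if r.direction == "in":
            if r.dst_port == "any":
                if src.prefixlen == 0:
                    findings.append((r.name, "default permit left active (any source, any port)"))
                continue
            port = int(r.dst_port)
            if port in BLOCKED_FROM_INTERNET and internet_reachable(r.src):
                findings.append((r.name, f"{BLOCKED_FROM_INTERNET[port]} (TCP {port}) reachable from the internet"))
            elif port == SSH_PORT and internet_reachable(r.src) \
                    and not any(src.subnet_of(m) for m in ALLOWED_MGMT_SOURCES):
                findings.append((r.name, "SSH not restricted to approved management IPs"))
        elif r.direction == "out":
            if r.dst_port == "any" and dst.prefixlen == 0:
                findings.append((r.name, "overly permissive outbound rule (any destination, any port)"))
    return findings


# Constructed sample export: one line per rule, not from any real firewall.
SAMPLE_RULES = [
    Rule("allow-web", "in", "allow", "0.0.0.0/0", "192.168.10.5/32", "443", "Web team", "Public website"),
    Rule("legacy-any", "in", "allow", "0.0.0.0/0", "0.0.0.0/0", "any"),
    Rule("rdp-open", "in", "allow", "0.0.0.0/0", "192.168.10.20/32", "3389", "IT", "Vendor support"),
    Rule("ssh-mgmt", "in", "allow", "203.0.113.0/24", "192.168.10.30/32", "22", "IT", "Admin access"),
    Rule("ssh-wide", "in", "allow", "198.51.100.0/24", "192.168.10.30/32", "22", "IT", "Contractor"),
    Rule("smb-internal", "in", "allow", "10.0.0.0/8", "192.168.10.40/32", "445", "IT", "File shares"),
    Rule("out-any", "out", "allow", "192.168.0.0/16", "0.0.0.0/0", "any", "IT", "Convenience"),
    Rule("deny-rest", "in", "deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]

if __name__ == "__main__":
    for name, issue in audit_rules(SAMPLE_RULES):
        print(f"{name:12} {issue}")
```

On the sample set the script reports five findings: the unowned default permit (two findings), RDP open to the world, SSH from a non-management range, and the any/any outbound rule; the internal SMB rule and the management-restricted SSH rule pass. The findings list is the starting point for the owner-and-justification mapping assessors ask to see.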
Quick comparison table: Firewall choices for Cyber Essentials
| Option | Best for | Pros and limitations |
|---|---|---|
| Cloud virtual firewall | Cloud workloads and SaaS-first setups | Easy to manage through provider console, requires cloud network knowledge for correct rules |
| On-premise UTM / NGFW | Single-site offices and small data centres | Consolidated features and good for perimeter control, needs firmware updates and monitoring |
| Host-based software firewall | Individual servers and laptops | Protects devices irrespective of network, relies on endpoint management for consistency |
| Managed firewall service | Organisations without in-house firewall expertise | Outsourced monitoring and rule hygiene, budgeted as OPEX rather than CAPEX |
Cost, effort and how we help
Expect a basic cloud-rule review to be low cost, and an on-premise appliance plus management to incur mid-range costs and ongoing maintenance. Typical effort for a mid-market site is a half-day to two-day review and rule clean-up. At CyPro, we offer a firewall configuration review that maps rules to IASME and NCSC expectations and produces the artefacts assessors expect, which speeds certification readiness. See our Cyber Essentials Plus service and our Cyber Security Audit for scoped engagements that include rule reviews and documentation preparation.
🔒 2. Secure configuration for devices and software
Secure configuration means removing insecure defaults, hardening administrative access and disabling unnecessary services so systems meet Cyber Essentials requirements from the start.
Change default passwords, apply vendor hardening guides, enable safe automatic updates, and restrict admin accounts to least privilege. The National Cyber Security Centre (NCSC) provides configuration guidance and checklists that map to the IASME questionnaire and Cyber Essentials controls, so use those as your baseline (NCSC Annual Review 2025).
Specific checks to run
Remove default accounts and passwords, disable unused services and protocols, enforce strong administrative passwords and multi-factor authentication (MFA) for admin logins, and ensure secure remote access such as a VPN with up-to-date TLS. The IBM 2025 analysis shows organisations that automate basic controls and detection see lower breach costs and faster containment, which supports investing effort in correct configuration (IBM Report: UK Sees Drop in Breach Costs as AI Speeds Detection).
Low-effort, high-impact steps
Start with an asset inventory and classification, then apply vendor hardening guides for Windows, Linux and common network kit. Enable OS and firmware patching, close unused ports, remove local admin rights from standard users, and turn on logging for key services. The Verizon 2025 Data Breach Investigations Report ranks poor patching and asset hygiene among the most common causes of successful intrusions, which makes these simple steps high return on effort (2025 Data Breach Investigations Report, Verizon).
Docs and evidence for the assessor
Assessors expect artefacts: An asset list, screenshots of hardened settings, update logs, and a record of removed services. The Information Commissioner’s Office (ICO) incident trends show many UK breaches stem from basic misconfiguration, so keeping clear evidence reduces assessor queries and supports UK GDPR obligations when personal data is involved (ICO Annual Report 2025).
At CyPro, we map each secure configuration check to the Cyber Essentials assessment and the IASME questionnaire so you produce the exact artefacts assessors expect. Our configuration reviews often flag five to ten low-effort fixes that satisfy assessors and materially shrink retest timeframes.

🔐 3. Access control and privileged account management

Access control means limiting who can do what, and privileged account management means protecting high‑risk accounts such as domain admins and service accounts. Implement least privilege, unique accounts and no shared admin logins to meet Cyber Essentials requirements.
What access control means for Cyber Essentials, and for IASME assessors, is explicit: Only necessary accounts have admin rights, accounts are unique and credentials meet complexity and rotation rules. The National Cyber Security Centre (NCSC) emphasises least privilege as a core control in its guidance, which aligns to the Cyber Essentials scheme.
Common audit failures
Shared admin accounts, missing account inventories and weak credentials are the frequent failures we see in assessments. The NCSC Annual Review 2025 highlights governance and account hygiene as recurring assessor findings, and the ICO’s incident trends show that credential compromise remains an established cause of reported data incidents (NCSC, 2025 and ICO data security incident trends).
When to use MFA and role-based access control
Multi-factor authentication (MFA) should be applied to all remote access and all privileged accounts, and role-based access control (RBAC) should map privileges to business roles. ENISA and Verizon both recommend MFA and RBAC as high‑value defences against phishing and lateral movement, so these controls are sensible both for certification and for reducing real-world risk (ENISA, 2025 and Verizon DBIR, 2025).
Effort and cost signals for small and mid-market organisations
Inventorying accounts and removing shared logins is low effort and often fixes multiple assessor checks at once. Enforcing MFA and RBAC can be done with existing Identity and Access Management tooling or cloud provider features; expect days to a few weeks of work for most mid-market firms. For organisations that need external help, our Cyber Awareness Training and Cyber Security Risk Assessment services map directly to Cyber Essentials artefacts and assessor expectations, speeding certification while improving real security.
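The account inventory is the artefact that exposes most of the failures listed in this section at once: shared admin logins, privileged or remote accounts without MFA, and admin rights that no business role justifies. The script below is an added example, not CyPro's or any identity provider's tooling; the `Account` record and the sample inventory are constructed, so an export from Active Directory or a cloud identity provider would be mapped into `Account` before running it.

```python
"""Audit an account inventory for the access control checks in this section.

Added example: the Account record and the sample inventory are constructed;
a real directory export is mapped into Account before auditing.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Account:
    username: str
    assigned_to: Tuple[str, ...]   # people who hold the credential; exactly one expected
    privileged: bool               # domain/local admin or service account with admin rights
    remote_access: bool            # can log in over VPN or a remote desktop gateway
    mfa_enrolled: bool
    role: str = ""                 # RBAC role that justifies the privilege level


def audit_accounts(accounts):
    """Return (username, finding) pairs for accounts that would fail an assessor check."""
    findings = []
    for a in accounts:
        # Unique accounts: one named person per credential, no shared admin logins.
        if len(a.assigned_to) != 1 or not a.assigned_to[0].strip():
            findings.append((a.username, "shared or unassigned account; issue one account per person"))
        # MFA is expected on all remote access and on every privileged account.
        if (a.privileged or a.remote_access) and not a.mfa_enrolled:
            kind = "privileged" if a.privileged else "remote-access"
            findings.append((a.username, f"MFA not enrolled on {kind} account"))
        # Least privilege: admin rights should map to a business role, not to convenience.
        if a.privileged and not a.role.strip():
            findings.append((a.username, "admin rights not mapped to a business role"))
    return findings


def privileged_inventory(accounts):
    """Usernames with admin rights: the list an assessor asks for first."""
    return sorted(a.username for a in accounts if a.privileged)


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("j.smith", ("Jane Smith",), False, True, True),
    Account("admin", ("Jane Smith", "Tom Lee"), True, True, False),
    Account("t.lee-adm", ("Tom Lee",), True, False, True, "Domain Admin"),
    Account("contractor1", ("A. Contractor",), False, True, False),
    Account("svc-backup", (), True, False, False, "Backup operator"),
]

if __name__ == "__main__":
    print("Privileged accounts:", ", ".join(privileged_inventory(SAMPLE_ACCOUNTS)))
    for user, issue in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user:12} {issue}")
```

The shared `admin` login collects three findings on its own, which is why removing shared accounts fixes several assessor checks at once; the separate named admin account with MFA and a role passes cleanly. Service accounts with no named owner surface as unassigned, which is the prompt to record an owner even when the account is non-interactive.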
🛡 4. Malware protection and endpoint defences
Adequate malware protection for Cyber Essentials is either up-to-date anti-malware on endpoints or an Endpoint Detection and Response (EDR) product where required, plus patching and proven update processes.
Cyber Essentials assessors expect evidence that anti-malware definitions update automatically, endpoints are scanned regularly, and there is a process to respond to detections.
What counts as adequate protection?
Adequate protection for Cyber Essentials is defined by the National Cyber Security Centre’s guidance and the scheme rules, which require anti-malware on all user devices and servers that are in scope, automatic updates, and centrally managed controls where possible. The GOV.UK visual summary 2025 and the NIST 2025 annual report both underline why endpoint protections and quick detection matter for reducing breach impact.
Evidence assessors look for
Assessors will ask for logs showing update cadence, scan results, and an incident response or remediation process. Practical artefacts are: Scheduled patch reports, anti-malware console screenshots with timestamps, and a written procedure describing how detections are triaged and remediated. The NCSC Annual Review 2025 highlights board-level expectations around demonstrable controls and response plans.
When to choose simple anti-malware vs EDR
Choose simple anti-malware for small organisations with standard managed devices and no high-risk data. Choose Endpoint Detection and Response where you host sensitive data, run essential services, or have a hybrid remote workforce. EDR adds detection, telemetry and containment but costs more to operate and needs a response process.
At CyPro, we map the required artefacts to the Cyber Essentials assessment and help teams collect update logs, scan outputs and response playbooks so the evidence is assessor-ready. For most mid-market firms, upgrading to EDR is only necessary when risk or regulatory requirements demand deeper visibility.
🔧 5. Patch management and timely software updates

Patch management requires that operating system and application updates are applied within a sensible window, verified and logged so assessors can see evidence.
Unpatched systems are a frequent cause of breaches, so the Cyber Essentials checklist expects a clear asset inventory, scheduled update windows, and proof that patches were applied and tested.
What the requirement looks like
The Cyber Essentials checklist expects organisations to track all devices, install vendor updates for OS and applications, and keep logs showing successful installation and any mitigations for exceptions. The National Cyber Security Centre (NCSC) recommends prioritising high-severity fixes and using automated patching where possible (NCSC, 2025).
Common failings we see
Organisations commonly fail this area because of unmanaged legacy systems, incomplete inventories, and manual update processes that rely on end users. The Verizon 2025 Data Breach Investigations Report highlights that exploits of known, unpatched vulnerabilities remain a top intrusion method (Verizon DBIR, 2025).
Practical checklist steps
Start with an asset inventory tied to an owner, then group systems by risk and apply a patch window: Urgent security patches within 48 to 72 hours, routine updates on a weekly or monthly cadence depending on risk. Record test results, rollbacks and compensating controls for unsupported software. The ICO’s incident data dashboard shows many reported breaches involve outdated software, so auditors expect logs and a clear exception process (ICO data).
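The patch window, test record and exception process above can be checked mechanically against a patching tool's export, which is also how you produce the "proof that patches were applied" the assessor wants. The script below is an added example rather than CyPro's or any patching product's code; the `PatchRecord` type, the 72-hour urgent and 30-day routine windows, and the sample records are constructed assumptions taken from the text, so a real export needs mapping into `PatchRecord` first.

```python
"""Check patch records against the windows this section describes.

Added example: the PatchRecord type, the windows below and the sample
records are constructed; a patching tool's export needs mapping first.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows from the text: urgent security patches within 48 to 72 hours (the
# upper bound is used here), routine updates on a monthly cadence (assumed 30 days).
WINDOWS = {"urgent": timedelta(hours=72), "routine": timedelta(days=30)}


@dataclass
class PatchRecord:
    asset: str
    owner: str
    patch_id: str
    severity: str                   # "urgent" or "routine"
    released: datetime
    installed: Optional[datetime]   # None while the patch is outstanding
    tested: bool = False            # a test or rollback result was recorded
    compensating_control: str = ""  # e.g. network isolation for unsupported software


def classify(rec: PatchRecord, now: datetime) -> str:
    """One status per record: compliant, untested, late, pending or exception."""
    deadline = rec.released + WINDOWS[rec.severity]
    if rec.installed is not None:
        if rec.installed > deadline:
            return "late"
        return "compliant" if rec.tested else "untested"
    # Not installed: still inside the window, or past it with or without a documented exception.
    if now <= deadline:
        return "pending"
    return "exception" if rec.compensating_control.strip() else "late"


def evaluate(records, now):
    """Map (asset, patch_id) to a status and list assets with no recorded owner."""
    statuses = {(r.asset, r.patch_id): classify(r, now) for r in records}
    unowned = sorted({r.asset for r in records if not r.owner.strip()})
    return statuses, unowned


NOW = datetime(2025, 6, 10, 9, 0)  # constructed "assessment day"
# Constructed sample records, not from any real estate.
SAMPLE_RECORDS = [
    PatchRecord("srv-01", "Ops", "KB-1", "urgent", datetime(2025, 6, 1, 8), datetime(2025, 6, 2, 20), True),
    PatchRecord("srv-02", "Ops", "KB-1", "urgent", datetime(2025, 6, 1, 8), datetime(2025, 6, 6, 10), True),
    PatchRecord("lap-07", "Helpdesk", "KB-2", "routine", datetime(2025, 5, 1), datetime(2025, 5, 20), False),
    PatchRecord("legacy-app", "Ops", "KB-3", "urgent", datetime(2025, 6, 1, 8), None, False,
                "Isolated VLAN, no internet access"),
    PatchRecord("srv-03", "", "KB-3", "urgent", datetime(2025, 6, 1, 8), None),
    PatchRecord("lap-09", "Helpdesk", "KB-4", "routine", datetime(2025, 6, 5), None),
]

if __name__ == "__main__":
    statuses, unowned = evaluate(SAMPLE_RECORDS, NOW)
    for (asset, patch_id), status in statuses.items():
        print(f"{asset:12} {patch_id:6} {status}")
    print("assets without an owner:", unowned)
```

Every record lands in exactly one bucket, so the output doubles as the exception register: "exception" entries need the compensating control written up, "late" and "untested" entries are the gaps an assessor will ask about, and "pending" entries are simply still inside their window. Assets with no owner are listed separately because the inventory check in this section fails before the patch window is even considered.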
When to escalate
Escalate to a formal vulnerability or risk assessment when you find unmanaged legacy systems, evidence of repeated patch failures, or crown-jewel systems without vendor support. At that point a Cyber Security Risk Assessment or a targeted patch remediation project is appropriate; our Cyber Security Risk Assessment service maps directly to the artefacts auditors request.
🔎 6. Evidence you must provide for Cyber Essentials and Cyber Essentials Plus
The minimum evidence for Cyber Essentials and Cyber Essentials Plus is a set of configuration screenshots, user and device lists, patch and update records, vulnerability scan outputs and basic log extracts that prove controls are in place and functioning.
Gather screenshots, user/device inventories, patch logs and scan reports before the assessor arrives; Cyber Essentials Plus requires live verification of those artefacts.
Core artefacts assessors expect
Assessors from Cyber Essentials schemes will ask for: Administrative account lists, Active Directory or user directory screenshots, firewall and router configuration screenshots, antivirus/endpoint protection console views, and automated patching logs. For guidance on controls, the National Cyber Security Centre is the primary UK reference: NCSC guidance provides practical examples for each control.
Difference between self-assessment and Plus practical tests
Cyber Essentials self-assessment relies on submitted documentation and screenshots, while Cyber Essentials Plus requires hands-on tests and live verification of endpoints and perimeter devices. The assessor will run internal scans and may attempt simple exploit checks to confirm configurations actually block common threats; see the NCSC annual review for how proof of controls is validated in practice (NCSC Annual Review 2025).
Common evidence mistakes and how to avoid them
The most frequent failures are out-of-date screenshots, missing patch timestamps, and incomplete device inventories. To avoid this, export CSVs from your patching tool, capture timestamps on screenshots, and include a short annotated readme that maps each artefact to the specific Cyber Essentials control. If you need external validation or a gap audit before submitting, our Cyber Security Risk Assessment service can produce the exact artefact pack assessors expect.
What we excluded from this checklist
This checklist excludes advanced SIEM and XDR evidence that assessors do not require for Cyber Essentials. For organisations with regulatory requirements under NIS2 or UK GDPR, collect additional incident response playbooks and extended logging as separate artefacts.
🔧 7. How to use this Cyber Essentials checklist and practical next steps

Use the checklist to scope, implement quick wins, collect evidence and decide whether to pursue Cyber Essentials Plus or a wider audit. Start with scoping, then deliver low-effort fixes, capture artefacts, and plan an audit readiness timeline.
Scope and quick wins
Begin by defining what is in and out of scope: Internet-facing devices, corporate laptops, and company email systems. Prioritise simple technical controls such as applying available patches, enabling multi-factor authentication (MFA) for remote access, and restricting administrative rights. The UK National Cyber Security Centre (NCSC) guidance shows these basic controls stop most commodity attacks, so treat them as non-negotiable; the NCSC Annual Review 2025 highlights the value of these measures in reducing common compromise methods.
Evidence collection and artefacts
Capture screenshots, export CSVs, and annotate each artefact to the specific Cyber Essentials control it proves. Include patch timestamps, MFA enrolment logs and firewall rule snapshots. The Information Commissioner’s Office (ICO) Data Security Incident Trends dashboard is useful when mapping controls to regulatory expectations, as it illustrates the common failings assessors expect evidence for.
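Section 6 and this section both describe the same artefact pack: every one of the five controls evidenced, every artefact timestamped and recent, and a short readme mapping each artefact to its control. The script below is an added example of checking such a pack before submission; it is not CyPro's or the scheme's tooling, and the manifest row format, the 30-day freshness window and the sample entries are constructed assumptions (assessors set their own expectations on how recent evidence must be).

```python
"""Build and sanity-check the annotated artefact pack this section describes.

Added example: the manifest row format, the 30-day freshness window and the
sample entries are constructed; assessors decide what "current" means.
"""
from datetime import datetime, timedelta
from typing import Optional

# The five checklist controls every pack should evidence.
CONTROLS = ("Firewalls", "Secure configuration", "Access control",
            "Malware protection", "Patch management")
FRESHNESS = timedelta(days=30)  # assumed: older captures invite assessor queries


def parse_ts(value: str) -> Optional[datetime]:
    """ISO 8601 timestamp recorded at capture, or None when missing or malformed."""
    try:
        return datetime.fromisoformat(value) if value else None
    except ValueError:
        return None


def check_pack(manifest, now):
    """Return issues for a manifest of (filename, control, captured_at, note) rows."""
    issues = []
    evidenced = set()
    for filename, control, captured_at, note in manifest:
        if control not in CONTROLS:
            issues.append(f"{filename}: unknown control '{control}'")
            continue
        ts = parse_ts(captured_at)
        if ts is None:
            issues.append(f"{filename}: no capture timestamp recorded")
        elif now - ts > FRESHNESS:
            issues.append(f"{filename}: captured {(now - ts).days} days ago, refresh before submission")
        else:
            evidenced.add(control)  # only current, timestamped artefacts count
        if not note.strip():
            issues.append(f"{filename}: no note explaining what the artefact proves")
    for control in CONTROLS:
        if control not in evidenced:
            issues.append(f"{control}: no current artefact in the pack")
    return issues


def readme(manifest):
    """Lines for the annotated readme that maps each artefact to its control."""
    return [f"{control}: {filename} (captured {captured_at or 'n/a'}) - {note}"
            for filename, control, captured_at, note in manifest]


NOW = datetime(2025, 6, 10, 9, 0)  # constructed submission date
# Constructed sample manifest; filenames and timestamps are illustrative.
SAMPLE_MANIFEST = [
    ("firewall-rules-2025-06-02.png", "Firewalls", "2025-06-02T10:15", "Edge rules, no inbound RDP/SMB"),
    ("patch-export.csv", "Patch management", "", "Last 90 days of installs"),
    ("av-console.png", "Malware protection", "2025-01-15T09:00", "Definition update status"),
    ("admin-accounts.csv", "Access control", "2025-06-03T14:00", ""),
]

if __name__ == "__main__":
    for line in readme(SAMPLE_MANIFEST):
        print(line)
    print("--- issues ---")
    for issue in check_pack(SAMPLE_MANIFEST, NOW):
        print(issue)
```

The sample pack trips each of the mistakes named above: a CSV with no capture timestamp, a months-old console screenshot, an artefact with no annotation, and a control (secure configuration) with nothing in the pack at all. Artefacts that are stale or untimestamped are deliberately not counted as evidence, so their controls also appear as uncovered until they are recaptured.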
Decide between Cyber Essentials Plus and an audit
Choose Cyber Essentials Plus when your environment is small and controls are already in place; it proves controls work in practice. Choose a Cyber Security Audit when you have complex estates, cloud-only services, or third party dependencies. A Cyber Security Audit will produce the deeper artefacts auditors and the board typically request.
A mid-sized UK legal firm, ~170 staff, lacked consistent patch evidence and had mixed MFA adoption across offices. They needed a clear path to Cyber Essentials Plus to meet a client contract requirement.
We ran a targeted evidence drive and gap remediation sprint, using our Cyber Security Risk Assessment and Cyber Essentials Plus support services to consolidate screenshots, CSV exports and an annotated artefact pack for the certifier.
The firm passed Cyber Essentials Plus on the first attempt, reduced certifier queries by 85% and completed the programme in eight weeks.
❓ Frequently asked questions
How long does it take to get Cyber Essentials certified?
A simple organisation can complete the Cyber Essentials self-assessment in 1 to 2 weeks, with Cyber Essentials Plus adding time for technical testing. Delays usually come from incomplete asset inventories, legacy systems or missing evidence. Assessors expect accurate device lists, patch records and configuration screenshots before a certification window is agreed.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment, while Cyber Essentials Plus includes independent technical verification. Plus testing covers internal and external vulnerability scans, malware checks and either remote or on-site verification. Choose Plus when UK public procurement, supply chain requirements or higher assurance needs demand independent proof of controls.
Which common misconfigurations cause Cyber Essentials failures?
Common failures include default passwords, open administrative ports, missing firewall rules and out-of-date anti-malware. Quick checks include password audits, port scans, firewall rule exports and anti-malware update reports. Assessors flag these as evidence gaps because they show controls are not applied consistently across the estate.
Do small businesses in the UK need Cyber Essentials?
Cyber Essentials is not mandatory across the UK but is frequently required for public sector contracts and by larger customers in supply chains. For small businesses bidding for government work or supplying regulated sectors, the certification is often a de facto requirement. Consider the modest cost and focused effort as insurance for winning contracts.
What evidence should I prepare for Cyber Essentials Plus testing?
Prepare screenshots of firewall rules, patch management reports, anti-malware logs, a user account inventory and configuration baselines. Package evidence with timestamps, device identifiers and concise notes. Assessors commonly ask for patch dates and sample device screenshots, so include exportable reports to speed verification and reduce follow-up queries.