
The threat of cyberattacks is escalating, with 53% of businesses experiencing attacks at least once a month, 32% facing them weekly, and 74% of large organisations encountering at least one incident in the past year.
Protecting sensitive information, maintaining customer confidence, and sustaining stability require effective security measures. This is where Cyber Essentials becomes invaluable.
This article serves as a checklist to assess your compliance with Cyber Essentials, outlines the steps to achieve it, and highlights its importance in protecting against cyber threats.
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme that helps businesses protect themselves from common cyber threats. Launched in 2014, the framework focuses on implementing basic security measures that significantly reduce the risks of cyberattacks.
By following Cyber Essentials' guidelines, organisations can:
- Strengthen their defences against phishing, malware, password guessing and the other common, largely untargeted attacks that make up most incidents.
- Show customers and partners a visible, independently certified commitment to cybersecurity.
- Satisfy a common procurement requirement: certification is mandatory for certain UK government contracts that involve handling sensitive information.
Cyber Essentials Requirements
To comply with the Cyber Essentials framework, organisations must address five key areas, or ‘controls’, of cybersecurity: firewalls, secure configuration, security updates, user access control, and malware protection.
Below, we’ve summarised the requirements and objectives for the five key controls:
1. Firewalls
Overview
Firewalls act as the first line of defence, blocking unauthorised access to your systems.
Goal
Properly configured firewalls must secure all devices within the assessment scope.
What You Need To Do
- Change every default password on firewalls and internet routers, and keep the administrative interface unreachable from the internet unless there is a documented business need and it is protected by MFA or an IP allow list.
- Block unauthenticated inbound connections by default; approve and document each inbound rule (which port, which service, why), and remove permissive rules as soon as they are no longer needed.
- Use a host-based (software) firewall on laptops and other devices that connect to untrusted networks such as public Wi-Fi.
2. Secure Configuration
Overview
Proper configuration ensures systems and software are optimised for security while meeting your business needs.
Goal
Configure computers and devices correctly to minimise vulnerabilities and restrict functionality to essential operations only.
What You Need To Do
- Remove or disable software, services and user accounts that are not needed.
- Change all default passwords (the user access control section below sets out what counts as an acceptable replacement).
- Disable auto-run and auto-play so removable media and downloads cannot execute code without a deliberate user action.
- Require a PIN (at least six characters), a password or a biometric to unlock devices.
- Limit brute-force guessing: throttle logins to no more than 10 attempts in 5 minutes, or lock the account after no more than 10 failed attempts.
- Optionally, consider application-control or zero trust tooling such as Threatlocker; this goes beyond what Cyber Essentials requires.
3. User Access Control (Access Management)
Overview
Access control ensures that only authorised personnel have access to your systems.
Goal
Assign user accounts exclusively to authorised individuals and restrict access to the resources necessary for their roles.
What You Need To Do
- Have a documented process for creating, approving and removing user accounts, and disable accounts promptly when staff leave or no longer need them.
- Use separate accounts for administrative tasks; do not browse the web or read email from an administrator account.
- Enable multi-factor authentication (MFA) on every cloud service that offers it, and for administrator accounts wherever possible.
- For password-only logins, require at least 12 characters with no maximum length, or at least 8 characters combined with a deny list that blocks common passwords; where MFA is used, 8 characters is the minimum. Cyber Essentials asks for length and deny-list checks rather than enforced complexity rules.
- Educate employees about secure password practices: avoid weak or guessable passwords, prefer passphrases, and change any password promptly if it is known or suspected to be compromised.
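The lockout and password-length rules above are concrete enough to implement and test. The following is an added example written for this article, not NCSC or IASME tooling and not code from the original page: it encodes the three password-length options the NCSC's 'Cyber Essentials: Requirements for IT infrastructure v3.1' accepts for password-based authentication, and a per-account throttle matching the 10-guesses-in-5-minutes limit. The deny list is a constructed sample; `COMMON_PASSWORDS`, `LoginThrottle` and `simulate_guessing` are names chosen here, not part of any standard.

```python
"""Password-policy and login-throttling checks (added example, not NCSC code).

Encodes the CE v3.1 password options (12+ characters; 8+ with MFA; 8+ with a
deny list of common passwords) and the brute-force limit (no more than 10
guesses in 5 minutes, or lockout after no more than 10 failures).
"""
from collections import deque
from typing import Callable, Deque, Dict, Iterable, Tuple
import time

# Constructed sample deny list; real deployments load a large published list.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome1", "admin123", "iloveyou", "football",
})


def password_acceptable(password: str, mfa_enabled: bool,
                        deny_list: Iterable[str] = COMMON_PASSWORDS) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Every accepting path satisfies one of the three CE v3.1 options. The deny
    list is applied on all paths, which is stricter than the minimum (CE only
    mandates it for the 8-characters-without-MFA option). Deliberately absent:
    complexity rules and a maximum length, neither of which CE asks for.
    """
    n = len(password)
    if password.lower() in deny_list:
        return False, "common password on the deny list"
    if n < 8:
        return False, "shorter than 8 characters"
    if n >= 12:
        return True, "12+ characters"
    if mfa_enabled:
        return True, "8+ characters with MFA"
    return True, "8+ characters, screened against the deny list"


class LoginThrottle:
    """Per-account brute-force limiter.

    Refuses further attempts once `max_attempts` failures have occurred within
    the last `window_seconds`; the account recovers as old failures age out,
    and a successful login clears its history. Defaults match the CE figure of
    10 guesses in 5 minutes. `clock` is injectable so the behaviour is testable.
    """

    def __init__(self, max_attempts: int = 10, window_seconds: int = 300,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = {}

    def _recent_failures(self, account: str, now: float) -> Deque[float]:
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return q

    def allowed(self, account: str) -> bool:
        """True if the account may attempt a login right now."""
        return len(self._recent_failures(account, self.clock())) < self.max_attempts

    def record_failure(self, account: str) -> None:
        now = self.clock()
        self._recent_failures(account, now).append(now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def simulate_guessing(attempts: int, throttle: LoginThrottle, account: str = "alice") -> int:
    """Fire `attempts` wrong guesses at one account and return how many the
    throttle let through before refusing the rest."""
    accepted = 0
    for _ in range(attempts):
        if not throttle.allowed(account):
            break
        throttle.record_failure(account)
        accepted += 1
    return accepted


if __name__ == "__main__":
    for pw, mfa in [("Tr0ub4dor&3", False), ("password1", True), ("sunflower9", True)]:
        print(pw, mfa, password_acceptable(pw, mfa))
    print("guesses checked before throttling:", simulate_guessing(50, LoginThrottle()))
```

The throttle is a sliding window rather than a permanent lockout, which keeps an attacker who knows a username from locking the real user out indefinitely; either approach satisfies the control, and a fixed lockout after 10 failures would be the simpler alternative.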
4. Malware Protection
Overview
Malware such as ransomware can cripple your business. Cyber Essentials requires every in-scope device to be protected by one of two approaches: anti-malware software, or application allow listing.
Goal
Prevent the execution of malware and untrusted software by using an anti-malware solution or application allow listing.
What You Need To Do
- If you rely on anti-malware software, keep it updated in line with the vendor's recommendations, set it to scan files automatically on access, and have it block connections to known malicious websites.
- If you rely on allow listing, maintain an approved list of applications and block everything else from running.
- Review software inventories regularly so that only valid, authorised software is installed.
- Implement web filtering to block malicious websites where the anti-malware product does not already do so.
5. Security Update Management (Patch Management)
Overview
Keeping software up-to-date is key to preventing vulnerability exploitation.
Goal
Mitigate the risk of known security issues by applying updates promptly.
What You Need to Do
- Turn on automatic updates wherever the software supports them, for operating systems, firmware, browsers and applications alike.
- Use only licensed software that the vendor still supports with security updates.
- Remove software that has gone out of support from in-scope devices, or take those devices out of scope.
- Apply updates that fix 'critical' or 'high' vulnerabilities (CVSS v3 score of 7.0 or above), or whose severity the vendor does not state, within 14 days of release.
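The 14-day rule, the severity threshold and the ban on unsupported software can be checked mechanically against a software inventory. The following is an added example written for this article, not NCSC tooling and not the article's own code: the inventory rows, the `InventoryItem` fields and the product names are constructed to illustrate the check, and any real run would read them from your patch-management or RMM export.

```python
"""Inventory check against the Cyber Essentials update-management rules
(added example, not NCSC code; all inventory data below is constructed).

Flags (a) software the vendor no longer supports and (b) updates fixing
'critical'/'high' vulnerabilities (CVSS v3 >= 7.0), or updates the vendor did
not rate at all, that have been available for more than 14 days and are still
not installed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_WINDOW_DAYS = 14
HIGH_SEVERITY_CVSS = 7.0  # CE v3.1 treats 'critical'/'high' as CVSS v3 7.0 or above


@dataclass(frozen=True)
class InventoryItem:
    host: str
    software: str
    installed_version: str
    vendor_supported: bool            # False once the product is end-of-life
    latest_version: Optional[str]     # None if no newer vendor release exists
    latest_released: Optional[date]   # release date of latest_version, if known
    latest_cvss: Optional[float]      # None = vendor published no severity


Finding = Tuple[str, str, str]  # (host, software, reason)


def patch_findings(items: List[InventoryItem], today: date) -> List[Finding]:
    findings: List[Finding] = []
    for it in items:
        if not it.vendor_supported:
            findings.append((it.host, it.software, "out of vendor support: remove or replace"))
            continue
        if it.latest_version is None or it.latest_version == it.installed_version:
            continue  # nothing outstanding
        # The 14-day clock runs for critical/high fixes and for fixes the vendor
        # did not rate at all; lower-severity fixes fall outside the CE rule.
        in_scope = it.latest_cvss is None or it.latest_cvss >= HIGH_SEVERITY_CVSS
        if not in_scope:
            continue
        if it.latest_released is None:
            findings.append((it.host, it.software,
                             f"update {it.latest_version} has no release date: verify manually"))
            continue
        age = (today - it.latest_released).days
        if age > PATCH_WINDOW_DAYS:
            findings.append((it.host, it.software,
                             f"update {it.latest_version} released {age} days ago, "
                             f"{age - PATCH_WINDOW_DAYS} days past the 14-day window"))
    return findings


# Constructed sample inventory, shaped like an export from a patch tool.
SAMPLE_INVENTORY = [
    InventoryItem("laptop-01", "Web browser", "120.0", True, "121.0", date(2024, 3, 1), 8.8),
    InventoryItem("laptop-02", "Web browser", "121.0", True, "121.0", date(2024, 3, 1), 8.8),
    InventoryItem("server-01", "Legacy server OS", "2012", False, None, None, None),
    InventoryItem("laptop-03", "Chat client", "4.36", True, "4.37", date(2024, 3, 12), 4.3),
    InventoryItem("laptop-04", "Video client", "5.17", True, "5.18", date(2024, 3, 15), None),
]
SAMPLE_TODAY = date(2024, 3, 20)


def sample_findings(today: date = SAMPLE_TODAY) -> List[Finding]:
    return patch_findings(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for host, software, reason in sample_findings():
        print(f"{host}: {software}: {reason}")
```

Note the unrated update on laptop-04: it is inside the window on the sample date but becomes a finding ten days later, because Cyber Essentials applies the 14-day clock whenever the vendor gives no severity, not only to fixes rated critical or high.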
By implementing these five foundational controls, businesses can significantly improve their resilience to cyberattacks and help towards compliance with Cyber Essentials standards.
A complete list of requirements is available in the National Cyber Security Centre's document 'Cyber Essentials: Requirements for IT infrastructure v3.1'.
Cyber Essentials Certification Checklist: Preparing For Your Self-Assessment
Before applying for Cyber Essentials certification, you’ll need to review and document your current security practices.
This is often best achieved through an experienced IT support partner if you don’t have a dedicated IT department.
Here’s a checklist for self-assessment:
1. Hardware Or Devices
- Maintain an inventory of all in-scope devices (desktops, laptops, servers, mobile devices, network and IoT equipment), recording make, model and operating system version; the self-assessment asks for this.
- Confirm that each device meets the five controls.
2. Software And Firmware
- Document all installed applications and operating systems.
- Remove or disable software not critical to business operations.
3. Firewalls And Boundary Devices
- Check that gateways, routers, and firewalls have secure configurations.
- Document every inbound firewall rule and the business reason for it; the default should be to deny all inbound connections.
4. Cloud Services
- Include cloud services (SaaS, PaaS and IaaS) in scope and check their security settings against the five controls.
- Enable MFA on every cloud service that supports it, and restrict administrative roles to the people who need them.
5. Password Policies
- Set a minimum password length (12 characters, or 8 with MFA or a deny list of common passwords) rather than complexity rules, and block known weak passwords.
- Offer a password manager so staff can use unique passwords without writing them down.
6. Malware Protection
- Confirm anti-malware software is active, updating automatically and scanning files on access.
- Check that it blocks access to known malicious websites, or that separate web filtering does.
7. User Accounts
- Have a formal process for creating, approving and removing accounts.
- Restrict administrative access to the people who need it, using separate accounts for administrative work.
By organising this information ahead of time, you’ll streamline your certification process and be well on your way to compliance.
Additional Considerations Beyond The 5 Controls
Cybersecurity is an ongoing initiative. Beyond Cyber Essentials' fundamental controls, consider the following:
Employee Training
Your employees are a line of defence in their own right. Training can help prevent the human errors that lead to breaches.
- Educate staff about phishing, social engineering, and safe online practices.
- Conduct scenario-based drills to improve awareness.
Incident Response Plan
Plan for the worst to minimise damage when incidents occur.
- Develop a detailed step-by-step action framework.
- Assign clear roles and responsibilities.
- Create a communication plan for informing internal teams, stakeholders, and customers.
Business Continuity Plan
Ensure your business can recover quickly from disruptions.
- Establish regular backups stored securely on- and off-site.
- Test disaster recovery scenarios to validate resilience.
- Set recovery time objectives (RTO) and review them periodically.
By going above and beyond the basic Cyber Essentials framework, you position your business for long-term success and security.
Why Wait? Take The First Step Today
Cyber Essentials offers businesses a practical and manageable way to protect themselves in an era of rising cyber threats.
By adhering to its principles, you strengthen your defences, build customer trust, and meet a requirement that increasingly appears in contracts and tenders.
If you have any questions or require further guidance, get in touch today to find out how we can help.