Cyber Essentials checklist — 7 checks to pass certification
Most small and mid-sized firms assume Cyber Essentials is a long slog. It needn’t be. The scheme tests basic controls that stop common attacks. Below are the real trade-offs you’ll face when preparing, followed by a short, practical checklist to run through before you hit submit.
Speed versus thoroughness
Do you want the certificate quickly, or do you want every gap closed first? The faster route is to answer the assessment honestly, remediate the obvious failures, then retest. That wins you the badge and reduces immediate exposure.
The thorough route is to treat the assessment as a mini project: audit every device, update software, standardise admin rights and document policies. That costs more time up front but lowers the chance of failing a future external audit or suffering an incident that negates the certification’s value.
Business impact: quick certification protects reputation and tender eligibility now; thorough work reduces the likelihood of a breach that costs far more than the extra time.
Cost versus protection level
There is a trade-off between spending on tools and getting the necessary protection. You can achieve Cyber Essentials with low-cost or built-in controls: patching, basic malware defences, and admin restrictions. Those measures prevent most opportunistic attacks.
Spending on commercial management tools, endpoint detection, or a patch-management service raises protection and reduces manual work. For many firms the extra spend is justified if the cost of downtime, lost contracts or regulatory trouble exceeds the subscription price.
Business impact: if a single day of downtime costs you a significant sum, investing in management tooling looks cheap. If margins are tight, prioritise the essential controls first and add tooling later.
In-house control versus outsourced support
Who should own the work? Doing it yourself keeps control and keeps costs down, but it demands someone with enough time and competence to implement controls consistently.
Outsourcing to an IT supplier speeds implementation and reduces risk of misconfiguration, especially for busy leadership teams who cannot supervise every change. The downside is ongoing cost and handing a supplier privileged access.
Business impact: tight internal teams that can commit to disciplined maintenance will save money; otherwise, a competent external partner buys time and reduces operational risk.
The checklist (7 checks)
Run through these in order. Each one impacts business continuity and credibility more than technical pride does.
1. Patch and update
Ensure operating systems and widely used applications are up to date on every business device. Apply critical patches within days, not months.
2. Secure configuration
Remove or disable unnecessary services, ensure strong passwords or passphrases, and lock down guest accounts. Default settings are often too permissive.
3. Admin accounts and least privilege
Limit admin rights to those who need them. Use separate admin accounts and reduce the number of people who can install software or change security settings.
4. Malware protection
Install and maintain reputable antivirus or endpoint protection on all devices, and ensure it receives regular updates and scans.
5. Multi-factor authentication (MFA)
Enable MFA for all remote access and for business-critical accounts like email and admin consoles. SMS-based MFA is better than nothing; authenticator apps or hardware tokens are stronger.
6. Backups and restore testing
Keep regular backups of critical data, store them separately from the main network, and test a restore at least once a quarter so you know it works.
7. Supplier and remote access controls
Record who has remote access and why. Limit remote access to necessary sessions and ensure external suppliers follow your controls when they connect.
For a compact checklist you can run in an afternoon, use this detailed Cyber Essentials checklist against your estate and log the minor fixes that can be completed in a single sprint.
If you want a short reference to official guidance while you work, consult the NCSC’s guidance index for the basics.
Decision and next step
If speed matters more, then prioritise patching, MFA and admin restriction now and get certified quickly. If reducing residual risk matters more, then plan a short project to harden configuration, test backups and document controls before certification.
Next step: pick one of the two routes above and schedule a single half-day to run the seven checks listed here. Do that, and you’ll buy time, reduce risk and keep customer trust. If you need a simple plan to turn those checks into action, arrange a short review focused on outcomes: time saved, cost avoided and calmer leadership.
