A useful Cyber Essentials checklist should do more than repeat the five control names. It should help you identify which devices, services and people are inside the assessment scope, then turn each requirement into evidence that can be checked.
Cyber Essentials is a UK Government-backed scheme built around five technical control areas: firewalls, secure configuration, security update management, user access control and malware protection. The assessment is a snapshot, so preparation must reflect the way the business actually operates.
This guide is designed for small businesses preparing for certification. It complements our existing explanation of what Cyber Essentials is and why it is needed.
1. Confirm the assessment scope
Start by listing the organisation, locations, networks, cloud services and devices that will be included. Scope errors create confusion later, especially when employees work from home or use mobile devices.
Your list should consider:
- business-owned laptops, desktops, servers, phones and tablets;
- home and office working arrangements;
- cloud services such as Microsoft 365;
- firewalls and internet-facing services;
- personally owned devices used for business access;
- subsidiaries, brands or locations included in the certificate.
Do not invent a narrow scope simply to make assessment easier. The certificate wording and exclusions need to be accurate and meaningful to customers.
2. Build an asset and software record
You cannot confirm support status or patching if you do not know what is in use. Record operating systems, device types, key applications, network equipment and cloud services.
Pay attention to equipment that is easy to overlook: reception computers, spare laptops, warehouse terminals, home-working devices and old servers kept for one application. Remove equipment that is no longer required rather than leaving it connected and unmanaged.
The record does not need to become a huge database. It needs to be accurate enough to support the answers you give.
3. Check firewalls and internet boundaries
Every in-scope device needs protection from untrusted networks. For an office, this usually involves a properly configured boundary firewall. Remote devices also need suitable host-based controls when they connect away from the office, because the boundary firewall no longer sits between them and the internet.
Review:
- default administrative passwords;
- internet-exposed services and port-forwarding rules;
- remote administration settings;
- unsupported firewall or router firmware;
- rules that no longer have a business purpose.
Do not remove a rule simply because nobody recognises it. Trace the owner and purpose first, then make a controlled change.
4. Apply secure configuration
New devices and applications often include features that the business does not need. Secure configuration means removing or disabling unnecessary accounts, services, software and privileges.
Check that devices use screen locks, supported operating systems and sensible authentication settings. Remove unused administrator accounts and software. Prevent staff from installing arbitrary applications where that is not required for their role.
Standard builds and device management make this easier. If every laptop is configured differently, proving and maintaining a baseline becomes difficult.
5. Review security updates
All in-scope software must be supported and receive security updates. That includes operating systems, browsers, office applications, servers, network devices and other software exposed to risk.
Identify products that have reached end of support. An application can still open and appear to work while no longer receiving fixes. Agree an upgrade, replacement or removal plan before assessment.
Confirm how critical or high-risk updates are identified and applied within the required timeframe for the current scheme version. Requirements can change, so use the latest official question set rather than an old checklist found online.
6. Tighten user access control
Every user should have an individual account and only the access needed for their job. Shared accounts make activity difficult to trace and often remain active long after the people who used them have left.
Review joiners, movers and leavers. Remove dormant accounts, check group memberships and separate everyday work from administrative access. People who administer Microsoft 365 or devices should not use a privileged account for routine email and browsing.
Multi-factor authentication is an important control for cloud services and administrative access. Check coverage and exceptions rather than relying on a headline percentage.
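The access review described in this section, as an added example that is not part of the original guide: it runs over a constructed account export (the field names, the example.test addresses and the 90-day dormancy threshold are assumptions, not values from the page or from any real tenant) and reports dormant accounts, shared accounts, privileged accounts without multi-factor authentication, and MFA coverage together with the list of exceptions rather than a percentage alone.

```python
"""User access review over an exported account list (constructed sample, not a real tenant)."""
from datetime import date, timedelta

# Constructed export of the fields an identity or Microsoft 365 user report can provide.
# 'shared' marks accounts used by more than one person; 'last_sign_in' is None if never used.
USERS = [
    {"upn": "alice@example.test", "privileged": False, "mfa": True, "shared": False,
     "last_sign_in": date(2024, 6, 1)},
    {"upn": "admin-alice@example.test", "privileged": True, "mfa": True, "shared": False,
     "last_sign_in": date(2024, 5, 28)},
    {"upn": "reception@example.test", "privileged": False, "mfa": False, "shared": True,
     "last_sign_in": date(2024, 5, 30)},
    {"upn": "bob@example.test", "privileged": True, "mfa": False, "shared": False,
     "last_sign_in": date(2024, 1, 3)},
    {"upn": "contractor@example.test", "privileged": False, "mfa": False, "shared": False,
     "last_sign_in": None},
]

REVIEW_DATE = date(2024, 6, 3)  # constructed review date so the sample is reproducible
DORMANT_AFTER_DAYS = 90         # assumption: internal review threshold, not a scheme figure


def review_accounts(users, today=REVIEW_DATE, dormant_after_days=DORMANT_AFTER_DAYS):
    """Group accounts by finding and report MFA coverage together with the exceptions."""
    cutoff = today - timedelta(days=dormant_after_days)
    findings = {"dormant": [], "shared": [], "privileged_without_mfa": [], "mfa_exceptions": []}
    for u in users:
        last = u["last_sign_in"]
        if last is None or last < cutoff:
            findings["dormant"].append(u["upn"])
        if u["shared"]:
            findings["shared"].append(u["upn"])
        if u["privileged"] and not u["mfa"]:
            findings["privileged_without_mfa"].append(u["upn"])
        if not u["mfa"]:
            findings["mfa_exceptions"].append(u["upn"])
    covered = len(users) - len(findings["mfa_exceptions"])
    # The percentage alone hides which accounts are exposed; the exceptions list is the evidence.
    findings["mfa_coverage_pct"] = round(100.0 * covered / len(users), 1) if users else 0.0
    return findings
```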
7. Confirm malware protection
Depending on the device and platform, protection may involve anti-malware software, application allow-listing or restrictions on installing untrusted applications. The chosen approach must cover the devices in scope and be actively managed.
Check that protection is enabled, updates automatically and reports problems. Investigate devices that have stopped checking in. An agent installed two years ago is not evidence that the device remains protected.
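The support, update and agent check-in checks from sections 5 and 7, as an added example that is not part of the original guide: it runs over a constructed asset record (the device names, end-of-support dates, the 14-day update window and the 7-day agent threshold are sample values and assumptions, not figures from the page; take the real update timeframe from the current question set and confirm support dates against the vendor) and lists, per device, what needs resolving before assessment.

```python
"""Support, patching and malware-agent checks over an asset record (constructed sample)."""
from datetime import date

# Constructed asset record; in practice export this from your device management tool.
# End-of-support dates are sample values: confirm them against the vendor's lifecycle pages.
# None means the value is unknown, which is itself a finding to resolve before assessment.
DEVICES = [
    {"name": "LAPTOP-01", "os": "Windows 11 23H2", "end_of_support": date(2025, 11, 11),
     "last_security_update": date(2024, 5, 30), "agent_last_checkin": date(2024, 6, 2)},
    {"name": "RECEPTION-PC", "os": "Windows 10 21H2", "end_of_support": date(2023, 6, 13),
     "last_security_update": date(2023, 5, 9), "agent_last_checkin": date(2024, 6, 1)},
    {"name": "SPARE-LAPTOP", "os": "Windows 11 22H2", "end_of_support": date(2024, 10, 8),
     "last_security_update": date(2024, 3, 1), "agent_last_checkin": date(2024, 2, 14)},
    {"name": "OLD-APP-SERVER", "os": "Unknown", "end_of_support": None,
     "last_security_update": None, "agent_last_checkin": None},
]

REVIEW_DATE = date(2024, 6, 3)  # constructed review date so the sample is reproducible
UPDATE_WINDOW_DAYS = 14         # assumption: take the real figure from the current question set
AGENT_STALE_DAYS = 7            # assumption: how long an agent may be silent before investigation


def check_devices(devices, today=REVIEW_DATE, update_window_days=UPDATE_WINDOW_DAYS,
                  agent_stale_days=AGENT_STALE_DAYS):
    """Return {device name: [issues]}; an empty list means nothing was found."""
    issues = {}
    for d in devices:
        found = []
        eos = d["end_of_support"]
        if eos is None:
            found.append("support status unknown")
        elif eos <= today:
            found.append("unsupported since %s" % eos.isoformat())
        upd = d["last_security_update"]
        # An old last-update date is a prompt to verify patching, not proof of a missed update.
        if upd is None or (today - upd).days > update_window_days:
            found.append("no security update recorded in the last %d days" % update_window_days)
        chk = d["agent_last_checkin"]
        if chk is None:
            found.append("malware protection agent has never reported")
        elif (today - chk).days > agent_stale_days:
            found.append("malware protection agent last checked in %s" % chk.isoformat())
        issues[d["name"]] = found
    return issues


def devices_needing_action(issues):
    """Names of devices with at least one finding, sorted for the evidence record."""
    return sorted(name for name, found in issues.items() if found)
```

Keep the output with the section's evidence: a device that appears here with an empty list is the one whose agent and patch status you can actually demonstrate.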
8. Address home and mobile working
Home routers are not managed like office firewalls, so device-level controls become especially important. Company laptops should remain patched and protected away from the corporate network.
Decide whether personally owned devices are allowed. If they access organisational services and are in scope, you need a way to meet the relevant requirements. A written ban that is not enforced will not reflect reality.
9. Gather evidence before answering
Assign an owner for each section of the assessment. Collect screenshots, reports or configuration records that support the answers, even if the self-assessment form does not request every item directly.
Evidence makes internal review more reliable and helps resolve questions quickly. It also creates a useful baseline for future renewal.
10. Fix gaps rather than wording around them
If a device is unsupported or an administrative account lacks multi-factor authentication, treat that as a technical task. Changing the wording of an answer does not reduce the risk.
Prioritise issues that affect many systems or expose the organisation to the internet. Allow time for upgrades, supplier involvement and user communication.
11. Plan to maintain the controls
Certification is not a finish line. New starters arrive, applications change and devices miss updates. Add recurring checks to normal Business IT Support rather than rebuilding the evidence once a year.
Useful ongoing activities include monthly access reviews, update monitoring, asset reconciliation and checks for unsupported software.
Get practical Cyber Essentials support
Skynet ICT can help businesses understand scope, review technical controls and prepare for assessment through our Cyber Essentials certification support. We do not promise automatic certification; the aim is to identify real gaps and help you address them accurately.
We provide remote support across the UK and onsite assistance through our IT support coverage in Kent, Essex and South East London. To discuss preparation, contact Skynet ICT.
