Passing Cyber Essentials isn’t about buying expensive new hardware; it is about rigorous configuration. 80% of failures we see are due to simple oversight, not lack of technology. Use this checklist to audit your business before you pay for the assessment.
What is Cyber Essentials and why does it matter?
Cyber Essentials is a UK government-backed certification scheme that sets the minimum standard of cybersecurity every business should reach. It assesses five technical controls – firewalls, secure configuration, user access control, malware protection, and patch management – and certifies that your organisation has those foundations correctly in place.
There are two tiers:
Basic: the level most SMEs pursue. Certification is based on a self-assessment questionnaire, which makes it quicker and more affordable to achieve.
Plus: builds on Basic by adding an independent technical audit of your environment. It provides stronger assurance for larger businesses and for clients or partners who require an externally verified standard.
The government’s own Cyber Essentials website cites 7.7 million cyber crimes over the past year. The scheme exists because the vast majority of those incidents are preventable. If your business handles data, serves customers who handle data, or operates any kind of digital infrastructure, Cyber Essentials is not optional — it is the floor.
Do You Need a Cyber Essentials Audit?
If you use data, if your customers use data, or if a cyber attack could in any way disrupt or damage your business – yes.
Beyond the security benefits, the practical pressure is growing. Cyber Essentials is increasingly required to bid for government contracts, and more commercial clients are beginning to specify it too. Some cyber insurance policies require it as a condition of cover. And if your organisation has under £20m annual turnover, achieving Basic certification automatically includes free cyber liability insurance up to £25,000 – covering data recovery, business interruption, and legal costs at no extra cost.
If you are unsure where your business currently stands, a gap analysis is the right starting point. It tells you exactly what needs to change before you can certify – so you are not paying for an assessment you are not yet ready to pass.
How to Use This Checklist
This list covers the five technical controls required for Cyber Essentials, plus the 2026 Cloud Scoping requirements that are catching businesses out right now. Work through each section as an honest self-audit.
If you tick “No” to any box, you will fail the official assessment. There are no partial passes.
1. Firewalls & Internet Gateways (The Boundary)
Your firewall is your first line of defence – but only if it is correctly configured. Having one installed is not enough.
| Check | Status |
|---|---|
| ✅ Is a firewall in place at every point where your network connects to the internet? | ☐ Yes / 🚩 No |
| ✅ Have you changed all default passwords on your routers and firewalls — every default credential, not just the admin password? | ☐ Yes / 🚩 No |
| ✅ Are firewall rules restricted to only the traffic your business actually needs? | ☐ Yes / 🚩 No |
| ✅ Is all remote access secured with a VPN and MFA? | ☐ Yes / 🚩 No |
| ✅ Have you disabled “Universal Plug and Play” (UPnP) on all routers? | ☐ Yes / 🚩 No |
| ✅ Are firewall logs enabled and reviewed periodically? | ☐ Yes / 🚩 No |
💡 Pro Tip – Home Routers Count

If your staff work from home, their router is in scope. The password printed on the sticker on the back of the router does not count as a changed password. Every home worker must have changed their router’s default admin credentials. This is one of the most common oversights we see.
2. Secure Configuration (The Setup)
Every device in scope – laptops, desktops, servers, mobiles – must be configured to a secure baseline. The settings a device ships with are almost never compliant.
| Check | Status |
|---|---|
| ✅ Have all default usernames and passwords been removed or changed on every device? | ☐ Yes / 🚩 No |
| ✅ Has unnecessary software been uninstalled from all devices in scope? | ☐ Yes / 🚩 No |
| ✅ Have unused or dormant user accounts been disabled or deleted? | ☐ Yes / 🚩 No |
| ✅ Are all devices configured to a documented secure baseline? | ☐ Yes / 🚩 No |
| ✅ Is auto-update enabled on all devices where possible? | ☐ Yes / 🚩 No |
| ✅ Are lock screens and inactivity timeouts enforced across all devices? | ☐ Yes / 🚩 No |
💡 The Unsupported Software Rule

If software is installed on a device in scope, it must be actively supported by its vendor. If it is old, unsupported, or abandoned – it must be removed entirely, not simply left unused. “We never use it” is not an acceptable answer. If it is installed, it is in scope.
3. User Access Control (The #1 Fail Point)
🚩 This is the section that fails more businesses than any other.
How accounts and permissions are managed is where assessors look hardest – and where we see the most avoidable failures. The standard is non-negotiable.
| Check | Status |
|---|---|
| ✅ Are user accounts only created when there is a legitimate, documented need? | ☐ Yes / 🚩 No |
| ✅ Are accounts removed or disabled promptly when a member of staff leaves? | ☐ Yes / 🚩 No |
| ✅ Are administrator accounts kept completely separate from standard user accounts? | ☐ Yes / 🚩 No |
| ✅ Is MFA enabled on every cloud service account – with no exceptions? | ☐ Yes / 🚩 No |
| ✅ Are permissions granted on a least-privilege basis (staff access only what they need to do their job)? | ☐ Yes / 🚩 No |
| ✅ Are shared accounts avoided, or where unavoidable, tightly documented and controlled? | ☐ Yes / 🚩 No |
Martin Lake, ERGOS: “The single most annoying reason people fail is MFA. We still see businesses making exceptions for ‘difficult’ users. If you don’t have MFA on every cloud account, you will fail. Literally all of the compromises I’ve seen recently could have been slowed or mitigated with good MFA.”
There is no workaround. There is no grace period. If one account is missing MFA, the assessment fails.
A note on local admin rights: for many small businesses it makes sense to give each user local admin on their own device – it makes installing software quicker. Cyber Essentials does not allow this. The reason is simple: if an attacker compromises that account, they inherit those same admin rights. Standard users should not have the ability to install software or change system settings without IT authorisation.
4. Malware & Patch Management (The Maintenance)
These two controls sit together because the logic is the same: software is either current and maintained, or it is a liability.
Malware Protection
Basic antivirus is no longer sufficient. Cyber Essentials requires your anti-malware to include network control and web monitoring. In practice, this means most businesses need to upgrade from traditional antivirus to Endpoint Detection and Response (EDR). If you are still running a basic antivirus product, flag this before you apply.
| Check | Status |
|---|---|
| ✅ Is anti-malware (EDR-level) software installed on every supported device in scope? | ☐ Yes / 🚩 No |
| ✅ Is real-time protection enabled — not just scheduled scans? | ☐ Yes / 🚩 No |
| ✅ Are users prevented from installing unauthorised software themselves? | ☐ Yes / 🚩 No |
| ✅ Are email and web filtering controls in place? | ☐ Yes / 🚩 No |
Patch Management
| Check | Status |
|---|---|
| ✅ Are all operating systems currently supported by their vendor? | ☐ Yes / 🚩 No |
| ✅ Are security updates applied within 14 days of release? | ☐ Yes / 🚩 No |
| ✅ Is any unsupported software either removed or formally isolated? | ☐ Yes / 🚩 No |
| ✅ Is firmware on networking devices and servers updated regularly? | ☐ Yes / 🚩 No |
| ✅ Is there a documented process to track and verify that patching is completed? | ☐ Yes / 🚩 No |
If you are running an out-of-date version of Windows, older servers that have not been updated, or any end-of-life (EOL) systems, you will fail. There is no exception for systems that are “mostly” supported. If the vendor has stopped releasing security patches, the system is out of scope or must be removed.
The 2026 Cloud Scoping Update: The Shadow IT Problem
In 2026, patching scope is no longer limited to your servers and laptops. It now includes all cloud services your staff use – whether IT procured them or not. If a member of staff is using a free online PDF editor, a personal Dropbox account, or any SaaS tool that has not been formally assessed, MFA’d, and documented – that is a fail.
This is the Shadow IT trap. You are not being assessed on what IT knows about. You are being assessed on everything in use. Conduct a Shadow IT audit before you apply: ask your staff what tools they actually use day-to-day, not what they are supposed to use.
5. The “Silent” Killers: Scope & Evidence
You can have every technical control in perfect order and still fail – if you cannot prove it, or if you have missed a single device from your asset list.
Scope & Asset Identification
| Check | Status |
|---|---|
| ✅ Have all users included in the assessment been formally identified and listed? | ☐ Yes / 🚩 No |
| ✅ Are all laptops, desktops, mobiles, and tablets documented in an asset inventory? | ☐ Yes / 🚩 No |
| ✅ Are all servers – on-premises or cloud-hosted – identified? | ☐ Yes / 🚩 No |
| ✅ Are all cloud services (Microsoft 365, Google Workspace, and every other SaaS tool in use) formally documented? | ☐ Yes / 🚩 No |
| ✅ Are home workers, remote staff, and all office locations included in scope? | ☐ Yes / 🚩 No |
| ✅ Are any legacy systems or exceptions formally documented with a clear rationale? | ☐ Yes / 🚩 No |
The Device Scoping Consequence
The most common conversation we have after a failed or stalled assessment is about device scoping — specifically mobiles and tablets. If your staff access company email or any cloud service on a personal mobile, that device is in scope. If you cannot demonstrate that it is managed, secured, and held to the same controls as your desktops, you cannot be certified. If you can’t prove you manage every device that touches your business data, the certificate is invalid – even if everything else passes.
Evidence Collection
The assessor does not take your word for it. Before you apply, ensure you have ready:
- Screenshots of MFA settings, antivirus status, firewall rules, and update configurations
- Asset inventory – a complete list of all devices and users in scope
- Policies and procedures – password policy, acceptable use policy, and any exceptions documentation
- Patch logs or update reports – evidence that updates were applied within the 14-day window
- Admin account list – demonstrating clear separation from standard user accounts
- Cloud service and Shadow IT documentation relevant to your 2026 scoping audit
If you cannot produce this evidence quickly, you are not ready to sit the assessment.
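As an added example (not part of this checklist or any ERGOS tooling), a small Python script that applies the pass/fail rules above to a constructed asset and account inventory: vendor support, EDR on computers, the 14-day patch window, device management, MFA on every cloud account, and undocumented SaaS from the 2026 scoping update. Device names, dates and field names are assumptions for illustration; a single finding means “do not apply yet”.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # security updates must be applied within 14 days of release

# Constructed sample inventory for illustration; names, dates and fields are assumed.
ASSESSMENT_DATE = date(2026, 3, 1)
DEVICES = [
    # pending_since: release date of the oldest security update not yet applied (None = fully patched)
    {"name": "LAPTOP-01", "kind": "laptop", "os_supported": True, "edr": True,
     "pending_since": None, "managed": True},
    {"name": "SRV-FILE", "kind": "server", "os_supported": False, "edr": True,
     "pending_since": date(2025, 12, 1), "managed": True},
    {"name": "PHONE-JSMITH", "kind": "mobile", "os_supported": True, "edr": False,
     "pending_since": date(2026, 2, 10), "managed": False},
]
CLOUD_ACCOUNTS = [
    {"user": "jsmith", "service": "Microsoft 365", "mfa": True, "it_approved": True},
    {"user": "finance", "service": "personal Dropbox", "mfa": False, "it_approved": False},
]


def audit(devices, accounts, today=ASSESSMENT_DATE):
    """Return a list of (subject, finding) pairs; any finding at all is a fail."""
    findings = []
    for d in devices:
        if not d["os_supported"]:
            findings.append((d["name"], "OS no longer vendor-supported: remove or formally isolate"))
        if d["kind"] != "mobile" and not d["edr"]:
            findings.append((d["name"], "no EDR-level anti-malware installed"))
        if d["pending_since"] is not None:
            age = (today - d["pending_since"]).days
            if age > PATCH_WINDOW_DAYS:
                findings.append((d["name"], f"security update outstanding for {age} days (limit {PATCH_WINDOW_DAYS})"))
        if not d["managed"]:
            findings.append((d["name"], "in scope but not managed to the same baseline as desktops"))
    for a in accounts:
        if not a["mfa"]:
            findings.append((a["user"], f"no MFA on {a['service']}"))
        if not a["it_approved"]:
            findings.append((a["user"], f"Shadow IT: {a['service']} not assessed or documented"))
    return findings


def ready_to_apply(findings):
    """There are no partial passes: a single 'No' means do not apply yet."""
    return len(findings) == 0


if __name__ == "__main__":
    for subject, finding in audit(DEVICES, CLOUD_ACCOUNTS):
        print(f"FAIL {subject}: {finding}")
    print("ready" if ready_to_apply(audit(DEVICES, CLOUD_ACCOUNTS)) else "not ready")
```

Replace the constructed lists with an export of your own asset inventory and cloud account list, and the output doubles as the start of your evidence pack.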
Free Download: The Printable Gap Analysis Sheet
Want to work through this offline with your team? Download the PDF version of this checklist (CE 2026_Question Set.pdf) – formatted for print, with space to annotate each control and assign owners.
How ERGOS Helps You Get Certified Faster (and With Less Stress)
We are strong supporters of the Cyber Essentials scheme – both because certification makes our clients demonstrably safer, and because the process itself tends to surface issues that would otherwise go unnoticed for years.
We also understand that most businesses cannot navigate this alone, and that is entirely normal. Our process is designed so that you do not go into the assessment blind.
We start with a gap analysis to identify every area of your environment that is not yet aligned with the framework. We then work with you to remediate those gaps and put any additional security measures in place that your specific environment requires. Finally, we work alongside an auditor to review everything before submission – so there are no surprises on assessment day.
If you found gaps in this checklist – particularly around 2026 Cloud Scoping, MFA, or Device Management – do not apply for certification yet. You will lose your application fee. Book a Gap Analysis with ERGOS first. We will fix the “No’s” so you pass first time.
FAQs About Cyber Essentials
What’s the difference between Cyber Essentials and Cyber Essentials Plus?
The core technical requirements are identical for both. The difference is in how they are assessed. Basic is self-assessed via an online questionnaire. Plus requires you to hold Basic certification first, then undergo an independent technical audit of your environment. That external verification carries more weight with clients, partners, and in procurement situations where a higher level of assurance is expected.
Can I get Cyber Essentials certified without an IT team?
You do not need an internal IT team, but you will almost certainly need IT support of some kind. Cyber Essentials is fundamentally about correctly configuring and managing your IT estate – that requires a level of technical expertise. If you do not have that in-house, working with a partner like ERGOS means the technical requirements are handled for you.
What happens if I fail the assessment?
If you submit independently to IASME and fail, you have one opportunity to re-submit. If you fail a second time, you forfeit the assessment fee entirely. If you work with ERGOS, our process is designed to make sure that does not happen. We appraise your environment, remediate the gaps, and review your submission before it goes in.
How long does it take to get certified?
It depends entirely on what the gap analysis surfaces. If your environment is already close to compliant and only minor changes are needed, certification within two weeks is realistic. If significant remediation is required, the timeline will be longer – but you will know that upfront, before you pay for anything.
Does Cyber Essentials help with cyber insurance?
Yes, in two ways. Some cyber insurance policies require Cyber Essentials as a condition of cover, so certification may be a prerequisite. Additionally, all organisations with under £20m annual turnover that achieve Basic certification automatically receive free cyber liability insurance up to £25,000 – covering expenses such as data recovery, business interruption, and legal costs. This is included as standard with no extra cost.
Do I need Cyber Essentials to bid for contracts?
Not universally – yet. But the direction of travel is clear. Government contracts already specify it, and more commercial clients are beginning to require it as a standard condition of supply. Achieving certification now puts you ahead of that curve rather than scrambling to meet it when a contract depends on it.
How often do I need to renew?
Certification lasts 12 months. The standard is reviewed and updated annually, so your renewal assessment will reflect any changes to the scheme – including updates like the 2026 Cloud Scoping requirements covered in this checklist.
Can ERGOS help if we have failed before?
Yes. A previous failed assessment does not disqualify you. We will run a fresh gap analysis, identify what caused the failure, remediate it, and support you through reapplication.
This checklist reflects the current Cyber Essentials technical requirements and the 2026 scoping updates. Requirements are reviewed annually by the NCSC. For the most current certification criteria, refer to the official Cyber Essentials documentation at the IASME website.