12 min read · Self-audit checklist · Updated May 2026
Passing Cyber Essentials isn't about expensive new hardware; it's about rigorous configuration. 80% of the failures we see are simple oversight, not lack of technology. Use this checklist to audit your business before you pay for the assessment.
On this page
- 01 What is Cyber Essentials?
- 02 Do you need an audit?
- 03 How to use this checklist
- 04 The 32-point self-audit
- 05 2026 Cloud Scoping update
- 06 Scope & evidence
- 07 How ERGOS helps
- 08 FAQs
What is Cyber Essentials, and why does it matter?
Cyber Essentials is a UK government-backed certification that sets the minimum standard of cybersecurity every business should reach. It assesses five technical controls (firewalls, secure configuration, user access control, malware protection, and patch management) and certifies that your organisation has those foundations correctly in place.
There are two tiers:
- Basic: the level most SMEs pursue. Certification is based on a self-assessment questionnaire, which makes it quicker and more affordable to achieve.
- Plus: builds on Basic by adding an independent technical audit of your environment. It provides stronger assurance for larger businesses and for clients who require an externally verified standard.
The government’s own Cyber Essentials website cites 7.7 million cyber crimes over the past year. The scheme exists because the vast majority of those incidents are preventable. If your business handles data, serves customers who handle data, or operates any kind of digital infrastructure, Cyber Essentials is not optional: it is the floor.
Do you need a Cyber Essentials audit?
If you use data, if your customers use data, or if a cyber attack could in any way disrupt or damage your business: yes.
Beyond the security benefits, the practical pressure is growing. Cyber Essentials is increasingly required to bid for government contracts, and more commercial clients are beginning to specify it too. Some cyber insurance policies require it as a condition of cover. And if your organisation has under £20m annual turnover, achieving Basic certification automatically includes free cyber liability insurance up to £25,000, covering data recovery, business interruption, and legal costs at no extra cost.
If you are unsure where your business currently stands, a gap analysis is the right starting point. It tells you exactly what needs to change before you can certify โ so you are not paying for an assessment you are not yet ready to pass.
How to use this checklist
This checklist covers the five technical controls required for Cyber Essentials, plus the 2026 Cloud Scoping requirements that are catching businesses out right now. Work through each section as an honest self-audit.
If you tick “No” to any box, you will fail the official assessment. There are no partial passes.
The 32-point self-audit
Tick each control you can confidently confirm. Anything left unticked is a gap you need to close before you apply.
01 Firewalls & Internet Gateways
Pro Tip: home working still has firewall requirements
If your staff work from home, the laptop or desktop they use is in scope, and the current NCSC requirements expect a software firewall to be enabled on that device. A router the organisation supplied to a home worker is in scope as well; a router the ISP or the employee provided is not, although changing its default admin password remains good practice. On anything in scope, the password printed on the sticker on the back of the router does not count as a changed password: every default admin credential must have been replaced. This is one of the most common oversights we see.
02 Secure Configuration
The Unsupported Software Rule
If software is installed on a device in scope, it must be actively supported by its vendor. If it is old, unsupported, or abandoned, it must be removed entirely, not simply left unused. “We never use it” is not an acceptable answer. If it is installed, it is in scope.
03 User Access Control (the #1 fail point)
“The single most annoying reason people fail is MFA. We still see businesses making exceptions for ‘difficult’ users. If you don’t have MFA on every cloud account, you will fail. Literally all of the compromises I’ve seen recently could have been slowed or mitigated with good MFA.”
Martin Lake, Cybersecurity Lead, ERGOS
04 Malware Protection
Why EDR, not antivirus?
Cyber Essentials requires your anti-malware to do more than scan files on demand: it must be kept up to date, block malware from running on the device, and block connections to known-malicious websites. Legacy antivirus products often only cover the first of those. Current endpoint protection suites, including Endpoint Detection and Response (EDR) platforms, normally cover all three, so most businesses still on a basic antivirus product will need to upgrade. If that is you, check the product’s feature set against those three requirements and flag any gap before you apply.
05 Patch Management
Out-of-date = automatic fail
If you are running an out-of-date version of Windows, servers that have not been updated, or any end-of-life (EOL) system, you will fail. Critical and high-severity security updates must be installed within 14 days of release, and there is no exception for systems that are “mostly” supported. If the vendor has stopped releasing security patches, the system must either be removed or be segregated onto a network segment that is formally declared out of scope; leaving it on the in-scope network is a fail.
06 Scope & Asset Identification
Ticked “No” anywhere?
That’s a fail. Don’t pay the assessment fee yet; let us close the gaps first.
2026 Update
The Cloud Scoping update: the Shadow IT problem
In 2026, scope is no longer limited to your servers and laptops. It includes every cloud service your staff use for company data, whether IT procured it or not. If a member of staff is using a free online PDF editor, a personal Dropbox account, or any SaaS tool that hasn’t been formally assessed, protected with MFA, and documented, that is a fail.
This is the Shadow IT trap. You are not being assessed on what IT knows about; you are being assessed on everything in use. Conduct a Shadow IT audit before you apply: ask your staff what tools they actually use day-to-day, not what they are supposed to use, and cross-check their answers against your identity provider’s sign-in logs, web proxy or DNS logs, and expense claims, because staff rarely remember every service they have signed up for.
Scope & evidence: the silent killers
You can have every technical control in perfect order and still fail, if you cannot prove it or if you have missed a single device from your asset list.
The device scoping consequence
The most common conversation we have after a failed or stalled assessment is about device scoping, specifically mobiles and tablets. If your staff access company email or any cloud service on a personal mobile, that device is in scope. If you cannot demonstrate that it is managed, secured, and held to the same controls as your desktops, you cannot be certified. If you can’t prove you manage every device that touches your business data, the certificate is invalid, even if everything else passes.
Evidence the assessor will want
The assessor doesn’t take your word for it. Before you apply, have these ready:
- Screenshots of MFA settings, antivirus status, firewall rules, and update configurations
- Asset inventory: a complete list of all devices and users in scope
- Policies and procedures: password policy, acceptable use policy, and any exceptions documentation
- Patch logs or update reports: evidence that critical and high-severity updates were applied within the 14-day window
- Admin account list, demonstrating clear separation from standard user accounts
- Cloud service and Shadow IT documentation relevant to your 2026 scoping audit
If you cannot produce this evidence quickly, you are not ready to sit the assessment.
How ERGOS gets you certified faster, and with less stress
We start with a gap analysis to identify every area of your environment that isn’t yet aligned with the framework. We then work with you to remediate those gaps and put any additional security measures in place that your specific environment requires. Finally, we work alongside an auditor to review everything before submission, so there are no surprises on assessment day.
If you found gaps in this checklist, particularly around 2026 Cloud Scoping, MFA, or device management, don’t apply for certification yet. You’ll lose your application fee. Book a gap analysis first. We’ll fix the “No’s” so you pass first time.
Frequently asked questions
What’s the difference between Cyber Essentials and Cyber Essentials Plus?
The core technical requirements are identical for both. The difference is in how they are assessed. Basic is self-assessed via an online questionnaire. Plus requires you to hold Basic certification first, then undergo an independent technical audit of your environment. That external verification carries more weight with clients, partners, and in procurement situations where a higher level of assurance is expected.
Can I get Cyber Essentials certified without an IT team?
You don’t need an internal IT team, but you’ll almost certainly need IT support of some kind. Cyber Essentials is fundamentally about correctly configuring and managing your IT estate โ that requires technical expertise. If you don’t have that in-house, working with a partner like ERGOS means the technical requirements are handled for you.
What happens if I fail the assessment?
If you submit independently to IASME and fail, you have one opportunity to re-submit. If you fail a second time, you forfeit the assessment fee entirely. If you work with ERGOS, our process is designed to make sure that doesn’t happen. We appraise your environment, remediate the gaps, and review your submission before it goes in.
How long does it take to get certified?
It depends entirely on what the gap analysis surfaces. If your environment is already close to compliant and only minor changes are needed, certification within two weeks is realistic. If significant remediation is required, the timeline will be longer โ but you’ll know that upfront, before you pay for anything.
Does Cyber Essentials help with cyber insurance?
Yes, in two ways. Some cyber insurance policies require Cyber Essentials as a condition of cover, so certification may be a prerequisite. Additionally, all organisations with under £20m annual turnover that achieve Basic certification automatically receive free cyber liability insurance up to £25,000, covering expenses such as data recovery, business interruption, and legal costs. This is included as standard with no extra cost.
Do I need Cyber Essentials to bid for contracts?
Not universally โ yet. But the direction of travel is clear. Government contracts already specify it, and more commercial clients are beginning to require it as a standard condition of supply. Achieving certification now puts you ahead of that curve rather than scrambling to meet it when a contract depends on it.
How often do I need to renew?
Certification lasts 12 months. The standard is reviewed and updated annually, so your renewal assessment will reflect any changes to the scheme, including updates like the 2026 Cloud Scoping requirements covered in this checklist.
Can ERGOS help if we’ve failed before?
Yes. A previous failed assessment doesn’t disqualify you. We’ll run a fresh gap analysis, identify what caused the failure, remediate it, and support you through reapplication.
This checklist reflects the current Cyber Essentials technical requirements and the 2026 scoping updates. Requirements are reviewed annually by the NCSC. For the most current certification criteria, refer to the official Cyber Essentials documentation at the IASME website.

