SecurSentry
← All notes
Cyber Essentials

The Cyber Essentials Checklist: What You Need Before You Apply

Before you book your assessment, walk through this Cyber Essentials checklist — five control areas, in plain English. You are probably closer than you think.

The short version

So you have decided to go for Cyber Essentials. Maybe a contract demands it, a client keeps asking, or you simply want a credible baseline. Whatever the reason, the smartest first move is not to book the assessment. It is to work through a Cyber Essentials checklist first, so you know exactly where you stand before anyone is reviewing your answers.

This is that checklist. We will walk through all five control areas in plain English, flag the one change you cannot afford to miss, and help you tell the difference between “we basically do this” and “we can evidence this.” A quick reassurance before we start: most SMEs are closer than they feel. If you would like the full background on the scheme itself, our Cyber Essentials explained guide is the companion to this one.

Firewalls — what to check

Check that every device connecting to the internet sits behind a properly configured firewall, that default firewall passwords have been changed, and that you are not allowing inbound traffic you do not need.

A firewall is the barrier between your devices and the internet that decides what traffic gets through. You almost certainly already have one. Your office router has a boundary firewall, and Windows and macOS each ship with a software firewall built in. The job here is confirmation, not installation.

Run through this:

None of this requires new kit for most small organisations. It is a tidy-up of what you have.

Secure configuration — what to check

Check that devices and accounts have been set up deliberately rather than left on factory defaults: no default passwords, no unnecessary software or accounts, and auto-run disabled.

Hardware and software arrive with default settings chosen for convenience, not security: default passwords, sample accounts, features switched on that you will never use. Secure configuration means you have gone through and closed what does not need to be open.

The practical checklist:

Where SMEs are pleasantly surprised

Tidying configuration is often closer to an afternoon's work than a project. Much of it is checking boxes that modern devices already tick by default. Your task is to confirm it, and to make a note that you did. The "make a note" part is what turns a quiet good habit into evidence you can show an assessor.

User access control + MFA — what to check (note the 2026 mandatory-MFA change)

Check that people only have the access they need, that leavers are removed promptly, that administrator accounts are used sparingly — and, crucially, that multi-factor authentication is switched on across all your cloud services.

This control area is about making sure the right people have the right access, and no more. It is also where the most important recent change to the scheme lives, so read this section carefully.

The 2026 change you must not miss. Following the April 2026 update to the scheme (which applies to assessment accounts created from late April 2026 onward), multi-factor authentication (a second login step beyond a password, such as a code from an app or a passkey) is mandatory on all cloud services where it is available. If a cloud service offers MFA and you have not turned it on, that is an automatic fail, regardless of how strong everything else is. The same update also makes clear that cloud services cannot be left out of your assessment scope. If you check one thing before you apply, check this.

The rest of the access control checklist:

“MFA is the lock that closes the door most attackers try first. The 2026 change simply makes explicit what good practice already expected — so treat it as the headline item on your checklist, not a footnote.”

If you would like the full picture of where this control sits and how it differs from the audited version of the scheme, our guide to Cyber Essentials versus Cyber Essentials Plus covers it.

Malware protection — what to check

Check that every device has active, up-to-date malware protection, and that you know which approach you are relying on for each type of device.

Malware (malicious software, the umbrella term covering viruses, ransomware and spyware) needs active defence on every device in scope. The good news is that most modern devices come with capable protection built in; you mainly need to confirm it is switched on and current.

Work through this:

The aim is not a particular product. It is that something credible is running everywhere, and that it stays up to date on its own.

Security update management (patching) — what to check

Check that all your software and devices receive security updates, that critical and high-severity updates are applied within 14 days, and that someone is actually responsible for making sure this happens.

This is the control that catches the most SMEs off guard. It is not hard to understand. The problem is that keeping every device and application current across a whole team is genuinely ongoing work. Under the scheme, critical and high-severity updates must be installed within 14 days of release. (“Critical or high” broadly means a vulnerability scored 7 or above on the standard severity scale, or flagged as such by the vendor.)

Your checklist:

The single most useful thing you can do here is name an owner. “Everyone keeps their own laptop updated” tends to mean no one does. A named person, even part-time, turns patching from a hope into a process — and a missing process is never a single click.

How to use this checklist before you apply

Use the checklist as a dry run: go area by area, mark each item as confident, partly there, or a genuine gap, then close the quick wins and assign owners to the rest before you book your assessment.

The self-assessment questionnaire that an IASME-licensed assessor reviews follows these same five control areas. So the most valuable thing you can do is treat this checklist as a rehearsal. Answer it honestly to yourself first, with no one watching.

A simple way to work through it:

  1. Go area by area and mark each item one of three ways: confident (true and evidenced), partly there (true in practice but not consistent or documented), or genuine gap (not currently done).
  2. Close the quick wins now. Switching on MFA, changing a default password, enabling automatic updates: many of these are short tasks you can complete in an afternoon. Build the firewall posture, tidy the configuration.
  3. Assign owners to the rest. Patching and access reviews are not one-off fixes; they are ongoing responsibilities that need a named person. Be honest about target dates rather than pretending the work is done.
  4. Write down what you find. Cyber Essentials is as much about being able to evidence your controls as having them. A short record of what you checked and when is exactly what makes the assessment straightforward.

There is an honesty point worth holding onto here, the same one that runs through every good security questionnaire: saying you are secure and actually being secure are not the same thing. Marking a gap honestly and giving it an owner protects your business far better than ticking a box you cannot stand behind. It also means the certificate, when it comes, reflects something real. If you want a sense of the time and money involved in the assessment itself, our Cyber Essentials cost guide breaks it down.

Work through these five areas and you will know, before you spend a penny on assessment, whether you are a few days away or a few weeks away. Either answer is useful. Vague dread is not.


SecurSentry is launching soon to help UK SMEs work through Cyber Essentials: mapping the five control areas to exactly what your business needs, guiding you as you close the gaps, and carrying that effort forward to every questionnaire and certification that follows. Join the waitlist to be among the first to know when we open, and to get the downloadable version of this checklist first.

This article is general information, not legal or compliance advice. Requirements vary by organisation and context, and the scheme is updated periodically; always check the current requirements with IASME or an approved assessor, and seek qualified professional guidance where in doubt.

Frequently asked questions

What do I need before applying for Cyber Essentials?

Before you apply for Cyber Essentials, you need the five control areas in place and ready to evidence: firewalls, secure configuration, user access control (including multi-factor authentication on cloud services), malware protection, and security update management. You also need a clear picture of your scope — which devices, people and cloud services are covered. Working through a Cyber Essentials checklist beforehand means the self-assessment questions hold no surprises.

Is MFA mandatory for Cyber Essentials in 2026?

Yes. From the April 2026 update to the scheme, multi-factor authentication (a second login step beyond a password) is mandatory on all cloud services where it is available. Not having it is an automatic fail — it does not matter how well you score on the other controls. This is the single most important item to check before you apply.

How quickly does Cyber Essentials require me to install updates?

Critical and high-severity updates — broadly, those rated 7 or above on the standard vulnerability scoring scale, or flagged as critical or high risk by the vendor — must be installed within 14 days of release. This applies across every device in your scope, not just a sample, so it needs someone whose job it is to keep on top of it.

How long does it take to prepare for Cyber Essentials?

It depends on how much is already in place. Many SMEs find most controls exist informally and just need tidying and documenting, which can take a few days to a couple of weeks. Others discover genuine gaps — usually around patching or access control — that take longer and need a named owner. Working through a checklist first tells you which camp you are in.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.