checklist
Cyber Essentials Preparation Checklist
Prepare for Cyber Essentials certification with this checklist covering the five technical controls assessed under the IASME-run scheme for UK organisations.
Related service: Cyber Essentials
Cyber Essentials is the UK government-backed scheme, delivered by IASME, that checks you have five core technical controls in place. Use this checklist to prepare your self-assessment before you submit. For a fuller explanation, see our guide to the five Cyber Essentials controls.
Before you start
- Defined the scope: which devices, networks and cloud services are included
- Confirmed whether home workers and BYOD devices are in scope
- Listed all internet-connected devices, servers and cloud services
- Identified who will answer the assessment questions
Control 1: Firewalls
- Boundary firewalls and/or software firewalls enabled on all in-scope devices
- Default administrative passwords on firewalls and routers changed
- Inbound connections blocked by default, with any exceptions documented and justified
- Firewall administration not accessible from the internet without additional protection
Control 2: Secure configuration
- Unnecessary user accounts, software and services removed or disabled
- Default passwords changed on all devices and applications
- Auto-run / auto-play disabled to prevent unwanted code executing
- Devices lock after a period of inactivity and require authentication to unlock
Control 3: Security update management (patching)
- All operating systems and software still supported by the vendor (nothing unsupported in scope)
- Automatic updates enabled where available
- High-risk and critical security updates applied within 14 days of release
- Unsupported software removed from scope or from the device entirely
Control 4: User access control
- Unique user accounts for each person; no shared accounts
- Administrator accounts used only for administrative tasks, not day-to-day work
- Process to approve, review and remove user access (including leavers)
- Multi-factor authentication enabled on all cloud services where available
- Strong, unique passwords enforced in line with the scheme’s requirements
Control 5: Malware protection
- Anti-malware software installed, active and kept up to date on in-scope devices, or
- Application allow-listing so only approved software can run
- Protection applied to all relevant devices, including laptops and mobiles
Final checks
- Answers reflect reality, not intentions — controls are actually in place today
- Evidence available to support each answer if queried
- Decided whether you also need Cyber Essentials Plus (an independent technical audit)
Preparing your first application, or recovering after a failed assessment? We can help you get the five controls right and complete the IASME self-assessment as part of a fixed-fee engagement — see our Cyber Essentials support service.