Skip to content
360 Cyber Compliance

checklist

Cyber Essentials Preparation Checklist

Prepare for Cyber Essentials certification with this checklist covering the five technical controls assessed under the IASME-run scheme for UK organisations.

Related service: Cyber Essentials

Cyber Essentials is the UK government-backed scheme, delivered by IASME, that checks you have five core technical controls in place. Use this checklist to prepare your self-assessment before you submit. For a fuller explanation, see our guide to the five Cyber Essentials controls.

Before you start

  • Defined the scope: which devices, networks and cloud services are included
  • Confirmed whether home workers and BYOD devices are in scope
  • Listed all internet-connected devices, servers and cloud services
  • Identified who will answer the assessment questions

Control 1: Firewalls

  • Boundary firewalls and/or software firewalls enabled on all in-scope devices
  • Default administrative passwords on firewalls and routers changed
  • Inbound connections blocked by default, with any exceptions documented and justified
  • Firewall administration not accessible from the internet without additional protection

Control 2: Secure configuration

  • Unnecessary user accounts, software and services removed or disabled
  • Default passwords changed on all devices and applications
  • Auto-run / auto-play disabled to prevent unwanted code executing
  • Devices lock after a period of inactivity and require authentication to unlock

Control 3: Security update management (patching)

  • All operating systems and software still supported by the vendor (nothing unsupported in scope)
  • Automatic updates enabled where available
  • High-risk and critical security updates applied within 14 days of release
  • Unsupported software removed from scope or from the device entirely

Control 4: User access control

  • Unique user accounts for each person; no shared accounts
  • Administrator accounts used only for administrative tasks, not day-to-day work
  • Process to approve, review and remove user access (including leavers)
  • Multi-factor authentication enabled on all cloud services where available
  • Strong, unique passwords enforced in line with the scheme’s requirements

Control 5: Malware protection

  • Anti-malware software installed, active and kept up to date on in-scope devices, or
  • Application allow-listing so only approved software can run
  • Protection applied to all relevant devices, including laptops and mobiles

Final checks

  • Answers reflect reality, not intentions — controls are actually in place today
  • Evidence available to support each answer if queried
  • Decided whether you also need Cyber Essentials Plus (an independent technical audit)

Preparing your first application, or recovering after a failed assessment? We can help you get the five controls right and complete the IASME self-assessment as part of a fixed-fee engagement — see our Cyber Essentials support service.

Want this as a ready-to-use document?

We can tailor this to your organisation and complete it with you as part of a transparent, fixed-fee engagement.

Talk to us about this