The UK Cyber Essentials Readiness Checklist

This is for you if...

  • You're bidding for a government, NHS or supply-chain contract that requires certification
  • Your cyber insurance renewal now asks for it, or your premium jumps without it
  • You think your controls are solid but haven't tested them against the actual assessment criteria

A failed submission doesn't just cost the re-assessment fee. It can cost the contract, the renewal deadline, or weeks chasing gaps you didn't know existed. Most of that is avoidable with an honest look at where you stand first.

What's inside

  • All 5 Cyber Essentials control themes, broken into the exact checks an assessor runs
  • 30+ tick-box items covering firewalls, secure configuration, patching, access control and malware protection
  • Plain-English wording, no jargon or prior security knowledge assumed
  • A clear read on what's a genuine gap versus what's already covered
Download the free PDFFree, no email required. The full checklist is below too.

Cyber Essentials is the UK government-backed scheme that certifies a business has basic technical controls in place against the most common internet-based attacks. This checklist mirrors the five control themes assessors check against, so you can run an honest self-assessment and see exactly where the gaps are before you submit an application.

Work through each section with whoever manages your IT, whether that's an internal team or an outsourced provider. If you can't confidently tick a box, that's a gap to close before you apply.

1. Firewalls

  • Boundary firewall enabled and configured on every internet connection
  • Default admin passwords changed on all firewalls and routers
  • Unnecessary open ports and services closed at the boundary
  • Firewall rules reviewed, documented and justified by business need
  • Personal or device-level firewalls enabled on all laptops and desktops
  • Remote administration of firewalls restricted and protected by MFA

2. Secure configuration

  • Default passwords changed on all devices, software and services
  • Unnecessary user accounts removed or disabled
  • Unnecessary software, apps and services uninstalled from devices
  • Auto-run for removable media (USB drives etc.) disabled
  • Device lock screens configured to activate after a period of inactivity
  • Unused or legacy accounts on cloud services identified and removed

3. Security update management

  • All operating systems and software patched within 14 days of a security update being released
  • Automatic updates enabled wherever available
  • All software in use is licensed and still supported by its vendor
  • Unsupported or end-of-life software identified, with a replacement date scheduled
  • An up-to-date inventory of all software and firmware in use is maintained
  • Mobile devices included in the same patching regime as desktops and servers

4. User access control

  • Every individual has their own unique user account; no shared logins
  • Administrator rights limited to those who genuinely need them to do their job
  • A formal process exists for approving and provisioning new user accounts
  • Leavers' access is revoked promptly as part of an offboarding process
  • Strong password policy in place, or MFA enabled wherever it's available
  • Admin accounts are separate from everyday user accounts, and not used for email or browsing

5. Malware protection

  • Anti-malware software installed and enabled on all devices
  • Anti-malware signatures and definitions kept up to date automatically
  • Application allow-listing or sandboxing considered for higher-risk devices
  • Users prevented from installing unauthorised software
  • Malware scanning applied to files from removable media and email attachments
  • Web filtering or browser protections in place against known malicious sites

Where this leaves you

Ticking every box above doesn't guarantee certification on its own, an assessor will still verify the detail, but it puts a business in a strong position to apply with confidence rather than uncertainty. If any of these controls are missing, patchy, or you're simply not sure how your current setup measures up, Systech can guide you through closing the gaps and the certification process itself, end to end.