Cyber Essentials Checklist
Throughout 2024, cyber-attacks continued to pose a significant threat to UK businesses regardless of their size. According to the UK Government's Cyber Security Breaches Survey 2024, 32% of businesses identified at least one cyber security breach or attack within the past 12 months. This figure rises with organizational size, affecting 59% of medium-sized businesses and 69% of large businesses.
Financially, these incidents have had a substantial impact: the average cost of all cyber attacks to UK businesses is estimated at £1,205, rising to an estimated £10,830 for medium and large businesses.
The National Cyber Security Centre (NCSC) first introduced the “Cyber Essentials” scheme in 2014 as an accessible, cost-effective way to improve security. Cyber Essentials outlines the fundamental measures every business should have in place to protect sensitive data, ensure compliance, and build customer trust.
Since then, over 190,000 businesses have become certified, and a recent UK Government impact report reveals that 91% of organisations with Cyber Essentials Certification feel more confident in implementing measures to mitigate cyber security risks. In addition, 92% have fewer insurance claims relating to cyber incidents.
In this article, we’ll explore the measures your business should take to become Cyber Essentials certified, plus you can access:
- our free Cyber Essentials checklist
- our free Cyber Essentials Plus checklist
From firewalls to access control, we’ll cover the essential steps needed to secure your systems, reduce risk, and achieve certification.
Changes To The Cyber Essentials Scheme for 2025
The Cyber Essentials Scheme is a UK government-backed initiative designed to help businesses protect against common cyber threats. Launched by the National Cyber Security Centre (NCSC), it provides a clear framework for implementing basic security controls that significantly reduce the risk of cyber attacks.
The scheme offers two levels of certification:
- Cyber Essentials: A self-assessment option that covers essential practices such as firewall use, user access control, and patch management.
- Cyber Essentials Plus: An advanced certification that includes an external vulnerability assessment by a certified body to verify the implementation of security measures.
Each version of the assessment question set has its own name, which makes it easy to tell which is the most recent.
- Applications submitted prior to 28th April 2025 should use the Question Set and Cyber Essentials Plus Illustrative Test Specification known as “Montpellier” (Requirements for Infrastructure v3.1).
- Applications submitted on or after 28th April 2025 will use the Standard known as “Willow” (Requirements for Infrastructure v3.2).
If you have any questions about which to apply for, or how the assessment questions work, please don’t hesitate to contact a member of our team and we’ll do our best to help!
Cyber Essentials Checklist for Certification Readiness:
1. Firewalls & Internet Gateways
- Ensure all devices are protected by a firewall
- Use a dedicated firewall device or the inbuilt operating system firewall
- Change default admin passwords for your firewall to something unique
- Regularly update firewall firmware within 14 days of release from the vendor
2. Secure Configuration
- Remove or disable unnecessary software and accounts on all devices, including services on cloud apps
- Restrict administrative privileges to only those who need them
- Ensure separation of standard and administrative accounts
- Use strong, unique passwords for all accounts
- Regularly review and update security settings on your devices
3. User Access Control
- Ensure each user has their own unique login credentials
- Use multi-factor authentication (MFA) where possible
- Limit access to sensitive data and systems to only those who require it
- Immediately revoke access for employees who leave the organisation
4. Malware Protection
- Install and maintain antivirus or anti-malware software on all devices
- Only install apps from known, trusted app stores
- Enable automatic updates for your security software
- Regularly scan devices for malicious software
- Avoid downloading software or opening attachments from unknown sources
5. Patch Management
- Keep all software, operating systems, and applications up to date within 14 days of release
- Enable automatic updates wherever possible
- Remove unsupported software or upgrade to a supported version
- Regularly review and apply critical patches as they are released
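The 14-day patch window above (and the same requirement in the Cyber Essentials Plus checklist below) is easiest to evidence if you can run a check over your software inventory rather than reason about it by hand. The following is an added example, not part of the original article or any IASME/NCSC tooling: it takes a constructed inventory (hosts, packages, the vendor's release date and the date the update was applied, all made up for this example) and reports every record that is unsupported, overdue, or was applied late.

```python
from datetime import date, timedelta

# Cyber Essentials requirement: apply updates within 14 days of the vendor releasing them.
PATCH_WINDOW = timedelta(days=14)

# Constructed sample inventory for this example (hostnames, software and dates are invented).
# "released"  = date the vendor published the update
# "installed" = date it was applied on the host, or None if still pending
# "supported" = whether the vendor still provides security updates for this product
SAMPLE_INVENTORY = [
    {"host": "laptop-01", "software": "OS security update", "released": date(2025, 4, 1),
     "installed": date(2025, 4, 5), "supported": True},
    {"host": "laptop-02", "software": "web browser", "released": date(2025, 4, 10),
     "installed": None, "supported": True},
    {"host": "fw-edge-01", "software": "firewall firmware", "released": date(2025, 4, 1),
     "installed": date(2025, 4, 20), "supported": True},
    {"host": "srv-legacy-01", "software": "legacy ERP client", "released": None,
     "installed": None, "supported": False},
    {"host": "laptop-03", "software": "office suite", "released": date(2025, 4, 25),
     "installed": None, "supported": True},
]

# Fixed "today" so the sample report is reproducible.
SAMPLE_TODAY = date(2025, 5, 1)


def check_patch_compliance(inventory, today):
    """Return a list of findings; an empty list means every record is within policy.

    Each finding is a dict with host, software, status and days_over, where status is
    one of "unsupported" (must be removed or upgraded), "overdue" (update still pending
    past the 14-day deadline) or "late" (applied, but after the deadline).
    """
    findings = []
    for rec in inventory:
        # Unsupported software can never be brought within policy by patching.
        if not rec["supported"]:
            findings.append({"host": rec["host"], "software": rec["software"],
                             "status": "unsupported", "days_over": None})
            continue

        deadline = rec["released"] + PATCH_WINDOW
        if rec["installed"] is None:
            # Pending updates are only a finding once the deadline has passed.
            if today > deadline:
                findings.append({"host": rec["host"], "software": rec["software"],
                                 "status": "overdue", "days_over": (today - deadline).days})
        elif rec["installed"] > deadline:
            # Applied, but outside the window: worth recording for the assessor.
            findings.append({"host": rec["host"], "software": rec["software"],
                             "status": "late", "days_over": (rec["installed"] - deadline).days})
    return findings


def is_compliant(inventory, today):
    """True when the inventory produces no findings."""
    return not check_patch_compliance(inventory, today)


if __name__ == "__main__":
    for finding in check_patch_compliance(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"{finding['host']:14} {finding['software']:20} {finding['status']:12} {finding['days_over']}")
```

Run against real data, the inventory would come from whatever asset or endpoint management tool you already use; the point of the script is that "within 14 days" becomes a dated, repeatable check rather than a judgement call at assessment time.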
Cyber Essentials Plus Checklist: Advanced Cybersecurity Protection
Cyber Essentials Plus builds on the Cyber Essentials framework by including a hands-on technical verification of your cybersecurity measures. Use this checklist to ensure you're ready for Cyber Essentials Plus certification:
1. Firewalls & Internet Gateways
- A firewall protects every device connected to your network
- Firewalls are configured to block unauthorised access and only allow necessary services
- Default admin passwords on firewalls have been changed to secure ones
- Firewall rules are reviewed regularly for accuracy and relevance
2. Secure Configuration
- All unnecessary software, services, and user accounts have been removed or disabled
- Default system settings have been replaced with secure configurations
- All devices are configured to minimise vulnerabilities, including secure browser and email settings
- Administrative accounts are used only when necessary
3. User Access Control
- Each user has unique login credentials, and shared accounts are avoided
- Permissions are limited based on user roles to ensure access is on a "need-to-know" basis
- Multi-factor authentication (MFA) is enabled for sensitive accounts
- Processes are in place to revoke access immediately for former employees or contractors
4. Malware Protection
- Approved anti-malware software is installed on all devices
- Anti-malware tools are configured for automatic updates and regular scans
- Users are trained to avoid unsafe downloads and suspicious email attachments
- Application controls or whitelisting are in place to restrict unauthorised software
5. Patch Management
- Operating systems, software, and firmware are updated to the latest supported versions
- Critical security patches are applied as soon as they become available (within 14 days)
- Unsupported or obsolete software is removed or replaced
- A system is in place to track and manage updates for all devices
6. Technical Verification (Cyber Essentials Plus Specific)
- Internal and external vulnerability scans are conducted to identify weaknesses
- Simulated attacks are run to verify defences against common threats
- Devices are tested to ensure they meet the Cyber Essentials Plus standard
- All controls implemented for Cyber Essentials are verified through technical audits
What Are the Benefits of Cyber Essentials Certification for Businesses?
There are many benefits to being Cyber Essentials certified, such as:
- Improved protection against common cyber threats.
- Increased customer trust and business reputation.
- 91% of organisations with Cyber Essentials Certification feel more confident in implementing measures to combat cyber security threats.
- 92% have fewer insurance claims relating to cyber incidents.
- Eligibility to work with the UK Government and the Ministry of Defence.
- A listing on IASME’s directory of certified organisations.
How to Apply for Cyber Essentials Certification
Applying for Cyber Essentials certification is a straightforward process, but it's important to follow the right steps to ensure you meet all requirements. Here’s a general guide on how to apply for either level of certification:
1. Choose Your Certification Level
- Cyber Essentials: A self-assessment process where you answer a series of questions about your security practices.
- Cyber Essentials Plus: Requires an external vulnerability test by a certifying body such as ourselves to confirm your security measures are in place.
2. Complete the Self-Assessment or Arrange the Assessment
- For Cyber Essentials, you’ll complete a simple online self-assessment questionnaire that covers key areas like firewalls, user access control, malware protection, and patch management.
- For Cyber Essentials Plus, an accredited certification body will conduct an external test to verify the implementation of your security measures.
3. Submit Your Application
- Once the questionnaire or assessment is complete, your application needs to be submitted to IASME, along with the necessary documentation and payment. Note: Whilst you can file your own application, we find many companies have questions along the way. As a result, we include the application filing as part of our Cyber Essentials services.
4. Receive Certification
- If successful, you will receive the Cyber Essentials certificate, which you can proudly display to show your commitment to cyber security!
Common Issues and How to Avoid Them
When applying for your Cyber Essentials certification, there are several issues which you should be aware of. Let’s take a look at these issues and how to avoid them for a greater chance of certification:
- Inadequate Security Controls: Ensure that all five key areas (firewalls, secure configuration, user access control, malware protection, and patch management) are fully implemented and operational before starting the assessment.
- Inconsistent Software Updates: Establish a regular patch management routine to keep all your software, firmware, and applications up to date.
- Weak Passwords and User Access Control: Implement strong password policies, use multi-factor authentication (MFA), and ensure that users have only the access necessary for their roles.
- Incomplete or Incorrect Self-Assessment: Review each section of the self-assessment thoroughly and ensure all responses are accurate. If unsure, consult our experts for guidance.
- Lack of External Testing (for Cyber Essentials Plus): Perform internal tests and audits before the external assessment. Address any identified weaknesses in advance to ensure a smooth process.
- Neglecting Ongoing Security Maintenance: After certification, continue to monitor and update your security systems regularly to maintain compliance and protect against evolving online threats.
By addressing these potential problems early and ensuring your security measures are robust, you can confidently achieve Cyber Essentials certification. However, if you’re unsure about any part of the process, our team will be more than happy to help.
Getting Help With Assessing Your Cyber Essentials Compliance
Becoming Cyber Essentials certified offers significant benefits for your business. It also offers reassurance for potential partners, clients or customers. Our expert team is here to make the process straightforward and stress-free. Whether you need guidance on key controls or have questions, we're ready to assist. Call us today at 01242 236999, or stop by our Cheltenham office—we’re here to help!