Cyber Essentials Readiness Checklist

This checklist helps organisations prepare for both Cyber Essentials (self-assessment) and Cyber Essentials Plus (independently audited).

Follow each section to ensure you meet the baseline requirements before certification.

1. Scope & Asset Identification

Define your certification scope

  • Identify which parts of the business are included (e.g., entire organisation or specific business units)
  • List all office locations, remote workers, cloud services, and third-party systems included
  • Confirm which devices in scope connect to the internet or access company data

Create an asset inventory

  • Laptops, desktops, mobiles, tablets
  • Servers (physical or cloud-hosted)
  • Routers, firewalls, and network devices
  • User accounts and admin accounts
  • Software and operating systems (including versions)
  • Third-party tools and SaaS services

2. Secure Configuration

Device hardening

  • Remove unnecessary software, apps, and services
  • Ensure default manufacturer passwords are changed
  • Disable unused user accounts
  • Enable device firewalls on all endpoints
  • Enable automatic lock screens and inactivity timeouts

Password & authentication standards

  • Enforce MFA on all cloud services (M365, Google Workspace, RMM, PSA, etc.)
  • Enforce strong passwords OR passwordless sign-in
  • Apply account lockout policies for repeated failed login attempts

3. Patch Management / Security Updates

Core requirements

  • Enable automatic updates for all operating systems
  • Enable automatic updates for all applications
  • Apply security patches within 14 days of release (mandatory CE rule)

Check for unsupported systems

  • Ensure no Windows 7, Windows 8.1, Server 2008, or other EOL platforms
  • Replace or isolate any legacy systems if they cannot be updated

4. Malware Protection

Anti-malware controls

  • Install centrally managed antivirus/antimalware on all devices
  • Enable real-time scanning
  • Ensure definitions update automatically
  • Block execution of unsigned or unknown applications where possible

Email filtering

  • Implement phishing protection
  • Enable attachment scanning
  • Block or quarantine dangerous file types

5. User Access Control

User management

  • Ensure each user has an individual account (no shared logins)
  • Remove unused accounts immediately
  • Review access levels regularly

Administrator access

  • Create separate admin and non-admin accounts
  • Disable admin access for everyday work
  • Use privileged access groups (e.g., Microsoft Entra ID roles)
  • Enforce MFA on all admin accounts

6. Firewalls & Network Security

Firewalls on every route to the internet

  • Ensure firewalls are enabled on all devices
  • Ensure hardware routers/firewalls use strong admin passwords
  • Disable port forwarding where not required
  • Document all inbound and outbound rules

Network segmentation (recommended for CE+, not required for CE)

  • Separate guest Wi-Fi from internal networks
  • Restrict access to servers and sensitive systems

7. Backups & Business Continuity (Best Practice)

(Not mandatory for CE, but strongly recommended and often required in a CE+ context)

  • Ensure regular cloud/offsite backups
  • Test restore procedures
  • Protect backups from ransomware (immutable or versioned storage)

8. Prepare for Cyber Essentials Plus Testing

The CE+ audit includes hands-on validation. Ensure:

Vulnerability scan ready

  • All devices are powered on
  • All devices are reachable on the network
  • All software is up to date
  • No high or critical vulnerabilities appear on scanners

Endpoint configuration checks

  • Screensaver timeout set to ≤ 10 minutes
  • Full-disk encryption enabled (BitLocker/FileVault)
  • Antivirus running and updating correctly
  • Web filtering enabled where possible

Email & web tests

The assessor will test:

  • Malicious email attachment blocking
  • Browser malware protection
  • Ability to detect unsafe downloads

Sample user devices

  • Ensure a consistent configuration across all user devices
  • Ensure the assessor can randomly select any device for testing

9. Documentation & Evidence Collection

Prepare required evidence such as:

  • Network diagrams
  • Password policies
  • MFA enforcement screenshots
  • Update/patching reports
  • Antivirus console screenshots
  • Firewall configuration summary
  • Asset inventory spreadsheet

10. Final Pre-Certification Checks

Before submitting:

  • Verify scope matches real-world environment
  • Ensure no unsupported software or operating systems
  • Confirm all security patches released in the last 14 days have been applied
  • Check all admin accounts are controlled and secured
  • Run an internal vulnerability scan (CE+ prep)
  • Ensure staff understand policies and acceptable use rules
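A read-only endpoint self-check covering several of the items above (the supported-OS and 14-day patch items from sections 3 and 10, and the CE+ endpoint configuration checks from section 8), added here as an example and not part of the checklist itself. It assumes a Windows endpoint with the BitLocker, Defender and NetSecurity PowerShell modules available, run from an elevated session; the 10-minute lock and 14-day patch window come from the checklist, while the 1-day signature-age threshold is an assumption, not a CE figure.

```powershell
# Added example (not from the checklist's author): read-only endpoint self-check
# for the CE/CE+ items above. Run in an elevated PowerShell on a Windows endpoint
# with the BitLocker and Defender modules present. Thresholds: the 10 min lock and
# 14-day patch window are from the checklist; the 1-day signature age is assumed.
function Test-CeEndpointReadiness {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Pass, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
    }

    # Unsupported OS: Windows 7 / 8.1 / Server 2008 all report a 6.x kernel version
    $os = Get-CimInstance Win32_OperatingSystem
    Add-Result 'Supported OS' ([version]$os.Version -ge [version]'10.0') "$($os.Caption) $($os.Version)"

    # Full-disk encryption on the system drive
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    Add-Result 'BitLocker on system drive' ($bl -and $bl.ProtectionStatus -eq 'On') "$($bl.VolumeStatus)"

    # Host firewall enabled on every profile (Domain, Private, Public)
    $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
    $detail = if ($off) { "disabled: $($off.Name -join ', ')" } else { 'all profiles enabled' }
    Add-Result 'Firewall on all profiles' (-not $off) $detail

    # Defender real-time protection running and signatures fresh (age is in days)
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    Add-Result 'AV real-time protection' ($mp -and $mp.RealTimeProtectionEnabled) "RTP=$($mp.RealTimeProtectionEnabled)"
    Add-Result 'AV signatures current' ($mp -and $mp.AntivirusSignatureAge -le 1) "signature age $($mp.AntivirusSignatureAge) day(s)"

    # Screen lock: the policy key wins over the user key; the timeout is stored in seconds
    $keys = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop', 'HKCU:\Control Panel\Desktop'
    $ss = $keys | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
          Where-Object { $_.ScreenSaveTimeOut } | Select-Object -First 1
    $secs = if ($ss) { [int]$ss.ScreenSaveTimeOut } else { 0 }
    Add-Result 'Screen lock <= 10 min' ($secs -gt 0 -and $secs -le 600 -and $ss.ScreenSaverIsSecure -eq '1') "timeout=${secs}s secure=$($ss.ScreenSaverIsSecure)"

    # Patch recency proxy: newest hotfix installed inside the 14-day window. This does not
    # prove every released patch is applied; use your patch management report for that.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    Add-Result 'Patched in last 14 days' ($latest -and $latest.InstalledOn -gt (Get-Date).AddDays(-14)) "latest $($latest.HotFixID) on $($latest.InstalledOn)"

    return $results
}

Test-CeEndpointReadiness | Format-Table Check, Pass, Detail -AutoSize
```

Any row with Pass = False is an item to fix before the assessor's device sampling; the output is a quick local sanity check, not a substitute for the management-console reports listed under section 9.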