The Cyber Essentials UK checklist
Cyber Essentials is a UK government-backed scheme that helps organizations implement a cyber hygiene baseline—focused on reducing common attack paths like malware, weak authentication, and misconfiguration.
Launched in June 2014, it quickly became a practical market expectation: since 1 October 2014 the UK government has required suppliers bidding for certain central government contracts that involve handling sensitive and personal information to hold Cyber Essentials certification.
This guide turns the requirements into a skimmable, stage-by-stage checklist you can use to plan work, close gaps, submit the Self-Assessment Questionnaire (SAQ), and (if needed) pass Cyber Essentials Plus.
Key takeaways
- Cyber Essentials focuses on five control areas: firewalls, secure configuration, user access control, malware protection, and security updates.
- It’s intentionally prescriptive: compared with broader frameworks such as ISO 27001, it states more directly what “good” looks like for a baseline.
- Cloud is in scope: certification expectations apply to the cloud services you use as well as on-premises systems, including identity controls such as MFA and safe credential handling.
- Cyber Essentials Plus adds independent testing: it’s the same baseline requirements, validated by a technical assessment rather than only self-attestation.
- Maintenance matters: certificates are typically valid for 12 months, so renewal is easiest when you run controls continuously, not as a once-a-year project.
What Cyber Essentials is (in plain English)
Cyber Essentials is designed to help organizations protect against the most common internet-based threats by implementing a set of baseline security controls. Instead of being a broad “do everything” security program, it narrows the scope to the controls most likely to prevent commodity attacks.
It’s also a helpful stepping stone if you plan to pursue broader certifications later. Cyber Essentials control intent overlaps substantially with ISO 27001 Annex A controls, so evidence such as patch reports, access reviews, and hardening baselines can often be reused. The difference is that Cyber Essentials is more prescriptive: it states what "good" looks like at the baseline level, whereas SOC 2 and ISO 27001 leave room for multiple acceptable approaches.
Why teams pursue Cyber Essentials
- Trust signal for buyers: a recognized baseline that reduces procurement friction.
- Clear visibility into gaps: forces a practical review of identity, devices, patching, and configuration hygiene.
- Meets UK expectations: commonly requested in UK supply chains and regulated contexts.
- Unlocks contract eligibility: often required (or strongly preferred) in UK government and adjacent procurement.
If you’re also budgeting and planning a timeline, see: How much does Cyber Essentials certification cost?
The five Cyber Essentials control categories (what you’re assessed on)
1) Firewalls
You’re expected to manage your network boundary and minimize what is exposed to the internet: a boundary firewall (or an equivalent cloud network control) on every internet connection, host-based firewalls on devices used on untrusted networks, default administrative passwords changed, administrative interfaces not reachable from the internet without a documented need, and every inbound rule documented with a business justification and removed when no longer needed.
2) Secure configuration
Systems should be hardened from default settings. The goal is to reduce misconfiguration risk across endpoints, servers, and cloud services.
3) User access control
Access should be limited to what people need: unique accounts per user, separate administrative accounts used only for administrative tasks, accounts removed promptly when no longer needed, and authentication that meets the scheme’s password and PIN rules, with MFA enabled on cloud services wherever the service supports it.
4) Malware protection
Devices and systems should have protection appropriate to the risk, such as anti-malware software that updates automatically and scans on access, or application allow-listing so only approved software runs, plus safe handling of email and web threats (for example blocking known-malicious sites).
5) Security updates
You need a repeatable patching process for operating systems, applications, and firmware. All in-scope software must be licensed and vendor-supported, and updates that fix critical or high-risk vulnerabilities (CVSS v3 base score 7.0 or above, or rated critical/high by the vendor) must be installed within 14 days of release.
The Cyber Essentials UK checklist (5 stages)
1) Pre-work (set scope and ownership)
Before you touch controls, reduce rework by aligning on what’s in scope and who owns what.
Checklist
- Define scope: systems, users, devices, networks, and cloud services that store or access organizational data.
- Document your environment: identity provider(s), device management, endpoints, servers, VPN/remote access, key SaaS apps.
- Assign owners: name a program owner plus control owners for each of the five categories.
- Choose your target level: decide whether you need Cyber Essentials or Cyber Essentials Plus (see comparison below).
- Set a timeline: include time for gap analysis + remediation before SAQ submission.
Outputs to produce
- Scope statement (what’s included/excluded and why)
- Asset/endpoint inventory (even if lightweight)
- Implementation plan mapped to the five control categories
2) Prepare (gap analysis + remediation plan)
This stage is about finding what won’t pass and fixing it deliberately.
Checklist
- Run a gap analysis against the five control categories.
- Prioritize remediation by risk and dependency (e.g., identity first, then devices, then patching workflows).
- Standardize “secure configuration” baselines for endpoints and servers.
- Harden identity and access: confirm joiners/movers/leavers, admin separation, and access approval paths.
- Confirm patching expectations: define what “critical” means, who patches what, and how you track completion.
- Record evidence as you go so you’re not reconstructing proof later.
Examples of common remediation tasks
- Firewalls: remove “any/any” rules, restrict admin access, document inbound exposure and exceptions.
- Secure configuration: disable unused services, enforce disk encryption where appropriate, remove local admin by default.
- User access controls: implement least privilege, review shared accounts, improve credential handling, tighten password/PIN policies.
- Malware protection: deploy endpoint protection, enable safe browsing controls, block known-bad downloads.
- Security updates: set a patch cadence, ensure automatic updates where appropriate, define an emergency patch process.
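A concrete form of the firewall item above, as an added example for this article rather than a Cyber Essentials or IASME tool: a small Python audit over an exported rule set that flags any/any inbound allows, admin ports reachable from the internet, and inbound allows with no justification recorded. The export layout (a list of dicts), the admin-port list, the RFC 1918 "internal" ranges, and the sample rules are constructed assumptions; adapt the loader to whatever your firewall or cloud security-group export actually produces.

```python
"""Audit an exported firewall rule set for the exposure problems called out
in the remediation list: any/any inbound allows, admin ports open to the
internet, and inbound allows with no recorded justification.

Added example for this article, not a Cyber Essentials or IASME tool.
The export layout (list of dicts), the admin-port list, and the sample
rules below are constructed assumptions.
"""
import ipaddress

# Ports the team has agreed must never be reachable from the internet
# (assumed list: SSH, RDP, VNC, WinRM).
ADMIN_PORTS = {22, 3389, 5900, 5985, 5986}

# RFC 1918 ranges treated as internal; any IPv4 source not fully inside
# one of these is treated as internet-facing.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export. "ports" is "any" or a list of "N"/"N-M"
# strings; "justification" is the change reference the rule owner records.
SAMPLE_RULES = [
    {"name": "allow-all-legacy", "action": "allow", "direction": "in",
     "src": "0.0.0.0/0", "ports": "any", "justification": ""},
    {"name": "web-frontend", "action": "allow", "direction": "in",
     "src": "0.0.0.0/0", "ports": ["80", "443"], "justification": "CHG-1041"},
    {"name": "rdp-from-internet", "action": "allow", "direction": "in",
     "src": "0.0.0.0/0", "ports": ["3389"], "justification": "CHG-0988"},
    {"name": "ssh-from-vpn", "action": "allow", "direction": "in",
     "src": "10.20.0.0/16", "ports": ["22"], "justification": "CHG-0733"},
    {"name": "db-from-app", "action": "allow", "direction": "in",
     "src": "10.30.1.0/24", "ports": ["5432"], "justification": ""},
    {"name": "default-deny", "action": "deny", "direction": "in",
     "src": "0.0.0.0/0", "ports": "any", "justification": "baseline"},
]


def is_internet_source(cidr):
    """True unless the source network sits entirely inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_RANGES)


def expand_ports(ports):
    """Return the set of ports a rule covers, or None when it covers all ports."""
    if ports == "any":
        return None
    covered = set()
    for spec in ports:
        low, _, high = spec.partition("-")
        covered.update(range(int(low), int(high or low) + 1))
    return covered


def audit_rules(rules):
    """Return (rule name, finding) pairs for inbound allow rules that fail a check."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["direction"] != "in":
            continue
        from_internet = is_internet_source(rule["src"])
        ports = expand_ports(rule["ports"])
        if from_internet and ports is None:
            findings.append((rule["name"], "any/any inbound allow"))
        elif from_internet and ports is not None and ports & ADMIN_PORTS:
            exposed = sorted(ports & ADMIN_PORTS)
            findings.append((rule["name"], f"admin port(s) {exposed} exposed to internet"))
        # Even an internal-only allow needs a documented reason.
        if not rule.get("justification", "").strip():
            findings.append((rule["name"], "no justification recorded"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run it as a script and it prints one line per finding; against the constructed rules it reports the any/any rule twice (exposure and missing justification), the internet-facing RDP rule, and the undocumented database rule, while the justified web and VPN rules pass. The internal-range test deliberately avoids the `ipaddress` `is_private` property, which treats `0.0.0.0/0` inconsistently across Python versions.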
Tooling note (optional)
Some teams use readiness tools (for example, an IASME readiness tool) to sanity-check requirements before the SAQ. Treat these as accelerators—not substitutes for doing the work.
3) Self-assessment (SAQ submission + executive sign-off)
Cyber Essentials (base level) is typically driven by a Self-Assessment Questionnaire.
Checklist
- Complete the SAQ accurately based on your in-scope environment.
- Validate responses internally: involve IT/security and system owners, not only a single respondent.
- Collect supporting evidence: configuration screenshots/exports, policy excerpts, patch reports, device management settings, access review records.
- Get executive sign-off: a senior leader confirms the SAQ is truthful and representative.
- Submit through your certification route (commonly via an approved certification body).
What “good” looks like
- Answers reflect how controls operate in practice, not how they’re “supposed to work.”
- Evidence is organized by control category and can be refreshed for renewal.
4) External audit for Cyber Essentials Plus (technical assessment)
Cyber Essentials Plus adds independent validation through technical testing.
Checklist
- Schedule the Plus assessment promptly: the Plus audit must be completed within 3 months of the date on your Cyber Essentials self-assessment certificate, so book the assessor before you submit the SAQ.
- Confirm audit scope: devices, users, networks, cloud services, and any sampling approach.
- Prepare for assessor testing: ensure admins and system owners are available to support access, evidence, and clarifications.
- Remediate findings quickly: treat gaps as a mini-remediation sprint.
- Re-test if needed: close the loop on findings until requirements are met.
Outcome
- If you pass, you receive a certificate typically valid for 12 months, similar to the base level.
5) Maintain ongoing certification (stay ready year-round)
Renewal is easiest when you run Cyber Essentials as a standing operational process, not an annual project.
Checklist
- Monitor control drift: track changes to firewall rules, endpoint baselines, and cloud configurations.
- Keep patching healthy: ensure updates happen on schedule and exceptions are time-bound.
- Run access reviews: especially privileged access, shared accounts, and third-party access.
- Test malware protections periodically (at least sanity checks that coverage is active and reporting).
- Plan renewal early: refresh evidence and confirm scope changes before the annual cycle.
- Consider Zero Trust principles over time: reduce implicit trust, segment access, and tighten verification for high-risk actions.
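To make "keep patching healthy" measurable, here is an added example for this article (not from the scheme, IASME, or any vendor tool) that checks a patch report against the scheme's rule that fixes for critical or high-risk vulnerabilities (CVSS v3 base score 7.0 or above, or vendor-rated critical/high) are installed within 14 days of release, flags unsupported software in scope, and flags patching exceptions whose expiry date has passed. The report layout and sample rows are constructed; the checker takes the "as of" date as a parameter so the result is reproducible.

```python
"""Check a patch report against the Cyber Essentials update rule: fixes for
critical or high-risk vulnerabilities (CVSS v3 base score 7.0 or above, or
rated critical/high by the vendor) installed within 14 days of release,
and only vendor-supported software in scope.

Added example for this article, not a scheme or IASME tool. The report
layout and sample rows are constructed; the "as of" date is passed in
explicitly so the output is reproducible.
"""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # Cyber Essentials: 14 days from release
HIGH_RISK_CVSS = 7.0               # CVSS v3 base score threshold

# Constructed sample report: one row per (device, update). Dates are ISO
# strings as a patch-management export might produce them.
SAMPLE_REPORT = [
    {"device": "LAPTOP-014", "package": "browser", "cvss": 8.8, "supported": True,
     "released": "2026-04-01", "installed": None, "exception_until": None},
    {"device": "LAPTOP-014", "package": "pdf-reader", "cvss": 5.3, "supported": True,
     "released": "2026-03-20", "installed": None, "exception_until": None},
    {"device": "SRV-DB-01", "package": "os-kernel", "cvss": 7.8, "supported": True,
     "released": "2026-04-10", "installed": "2026-04-18", "exception_until": None},
    {"device": "SRV-LEGACY-02", "package": "os", "cvss": 9.8, "supported": True,
     "released": "2026-03-01", "installed": None, "exception_until": "2026-04-15"},
    {"device": "SRV-FILE-03", "package": "os", "cvss": 0.0, "supported": False,
     "released": "2025-10-01", "installed": None, "exception_until": None},
    {"device": "LAPTOP-021", "package": "browser", "cvss": 8.8, "supported": True,
     "released": "2026-04-01", "installed": "2026-04-17", "exception_until": None},
    {"device": "LAPTOP-022", "package": "browser", "cvss": 8.8, "supported": True,
     "released": "2026-04-10", "installed": None, "exception_until": None},
]


def check_patch_report(report, today):
    """Return (device, package, finding) triples for rows that breach the rules.

    `today` may be a datetime.date or an ISO date string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for row in report:
        device, package = row["device"], row["package"]
        # Out-of-support software fails regardless of patch state.
        if not row["supported"]:
            findings.append((device, package, "unsupported software in scope"))
            continue
        # Below the threshold the 14-day rule does not apply (patch it anyway).
        if row["cvss"] < HIGH_RISK_CVSS:
            continue
        deadline = date.fromisoformat(row["released"]) + PATCH_WINDOW
        if row["installed"] is not None:
            if date.fromisoformat(row["installed"]) > deadline:
                findings.append((device, package, f"installed after deadline {deadline}"))
            continue
        if row["exception_until"] is not None:
            # Exceptions must be time-bound; once one lapses the row is overdue.
            # An active exception still leaves the device non-compliant unless
            # it is segregated or taken out of scope.
            if date.fromisoformat(row["exception_until"]) < today:
                findings.append((device, package, f"exception expired {row['exception_until']}"))
            continue
        if today > deadline:
            findings.append((device, package, f"overdue by {(today - deadline).days} days"))
    return findings


if __name__ == "__main__":
    for device, package, finding in check_patch_report(SAMPLE_REPORT, date.today()):
        print(f"{device} {package}: {finding}")
```

As of 2026-04-20 the constructed report yields four findings: an overdue browser update on LAPTOP-014, a lapsed exception on SRV-LEGACY-02, an unsupported OS on SRV-FILE-03, and a late install on LAPTOP-021; the kernel patch on SRV-DB-01 and the still-in-window update on LAPTOP-022 pass. Wire the same function to your real export and run it on a schedule, so a breach of the 14-day window shows up as a ticket rather than as an assessor finding.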
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials (self-assessment)
- Assessment style: questionnaire + self-attestation
- Best for: baseline assurance, tender requirements where Plus isn’t mandated, getting started quickly
- Trade-off: relies on accuracy of your SAQ and internal validation
Cyber Essentials Plus (independent audit)
- Assessment style: SAQ + independent technical testing
- Best for: higher-assurance buyer expectations, stronger proof of implementation, more mature environments
- Trade-off: more coordination, deeper scrutiny, and typically higher cost due to assessor effort
FAQ: The Cyber Essentials UK checklist
How long does Cyber Essentials take?
Timelines vary with readiness. Many teams can complete work in weeks if controls are already in place; remediation-heavy environments can take longer. Plus adds scheduling time for the assessor and any re-testing.
Is Cyber Essentials required for UK government contracts?
Cyber Essentials is commonly required (or strongly preferred) for many UK government and related supply chain contracts. Always confirm the specific tender requirements, since expectations can vary by buyer and contract type.
Does Cyber Essentials cover cloud services?
Yes—modern environments often include cloud services in scope, and expectations commonly apply to cloud identity, authentication, and configuration practices as well as endpoints and networks.
How often do you need to renew?
Cyber Essentials certificates are typically valid for 12 months, so plan for annual renewal and ongoing maintenance.
What’s the most common reason teams fail?
In practice, failures often come from gaps in secure configuration, inconsistent patching, overly broad access, or “paper compliance” answers that don’t match real configurations.
Streamline Cyber Essentials with SecureSlate
Cyber Essentials is straightforward on paper—but teams still lose time to scattered evidence, unclear ownership, and last-minute scrambling before submission or renewal.
SecureSlate helps you run Cyber Essentials as a repeatable system by:
- Mapping work to the five control categories so nothing falls through the cracks
- Assigning clear owners for each requirement and remediation item
- Centralizing evidence (exports, screenshots, policies, tickets) so you can reuse it for Plus and renewal
- Keeping controls audit-ready year-round to reduce renewal stress
If you want Cyber Essentials to become a reliable baseline (not a recurring fire drill), SecureSlate helps you standardize the process and stay ready.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.