Checklist · Cyber Essentials

Are we actually ready for Cyber Essentials?

A sanity check before you dive into forms or let a supplier sell you a quick-fix. This pre-check focuses on the gaps that typically trip UK SMEs up: scope, accounts, MFA, patching discipline, endpoints, and evidence.

This checklist is read-only and built for operational clarity. It is not a certification service. Use it to confirm your reality before you pay for assessment.

Cyber Essentials · Pre-assessment · Controls focus · Evidence-first

How to use this pre-check

  • Answer each item as True / Mostly / Not true.
  • If an item is "Mostly", treat it as Not true until you can evidence it.
  • Fix scope, accounts and MFA first. Most failures start there.
  • Keep evidence lean: screenshots, exports, change records, and dates.

What trips SMEs up

Cyber Essentials is not "advanced security". It is basic control discipline. Most SMEs fail because the stated answer does not match reality: shadow devices, unmanaged accounts, inconsistent MFA, patch drift.

Pre-check sections

1) Scope & inventory

Be honest about what is in scope and who uses what. You cannot secure what you have not listed.

  • We have a current device list (laptops, desktops, mobiles)

    Includes owners, OS version, and whether devices are company-managed.

    Common gap · Asset list
  • We have a current software list (core apps and security tools)

    At minimum: OS, browser, Office or Google, email, VPN, AV or EDR, remote tools.

    Inventory · Licences
  • We can clearly define what is "in scope" for assessment

    People, devices and systems used for business. No "we forgot that laptop".

    Pass predictor

2) Accounts & access control

Account hygiene is where most "yes" answers become "no" under scrutiny.

  • No shared user accounts exist (or they are strictly controlled)

    Shared accounts destroy accountability and complicate MFA. Replace them.

    High impact · Fail risk
  • Admin accounts are separate from standard accounts

    Admins use a standard account daily and elevate only when needed.

    Least privilege
  • Joiner, mover and leaver process exists and is followed

    Access is granted and revoked within defined timeframes, with evidence.

    Evidence · Process

3) MFA (properly applied)

MFA must cover the right systems and the right roles, especially admins.

  • MFA is enforced for email accounts (all users)

    Not "available". Enforced. Check conditional access rules.

    Core · Email
  • MFA is enforced for remote access (VPN, RDP, admin portals)

    Remote access without MFA is an attacker's favourite doorway.

    Common gap · Fail risk
  • MFA covers privileged and admin access everywhere

    Admin MFA is non-negotiable. If an exception exists, document why and fix it.

    High risk · Privileged

4) Patching & supported software

Patching is simple: supported software, predictable updates, and evidence of compliance.

  • All devices run supported OS versions

    No end-of-life Windows or macOS. Legacy devices are isolated or removed.

    Fail risk · EOL
  • Security updates are applied within a defined window

    For example: 14 days for critical updates. Choose a number and enforce it.

    Discipline · SLA
  • We can evidence patch status for a sample of devices

    Export reports or screenshots from MDM, RMM or endpoint tooling.

    Evidence

5) Malware protection

Basic malware protection must be present, active, and centrally manageable.

  • Endpoint protection is deployed on all devices

    Defender for Business, EDR or reputable AV. Not "some laptops have it".

    Core · Coverage
  • Definitions and agents are updating successfully

    Prove it with console screenshots or status reports.

    Health · Evidence

6) Firewalls & secure configuration

Default-deny mindset. Reduce exposed services. Remove unnecessary inbound access.

  • Host firewalls are enabled on all endpoints

    Windows Firewall or macOS firewall active, not disabled "for convenience".

    Core · Endpoint
  • No direct RDP exposure to the internet

    If you need remote admin: VPN, MFA, allowlisting and logging.

    Critical · Common gap
  • Default passwords removed; unused services disabled

    Routers, NAS, printers, CCTV. These are classic "forgotten" entry points.

    Attack surface

Evidence pack (minimum)

  • Inventory evidence: device list export or spreadsheet dated within 30 days.
  • MFA evidence: policy screenshot showing enforcement for email and admins.
  • Patch evidence: report showing OS versions and update compliance for sample devices.
  • Endpoint protection evidence: console view showing coverage and healthy status.
  • Firewall evidence: configuration screenshot for endpoints (and perimeter if applicable).
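
One way to run the device-level items from sections 1, 4, 5 and 6, plus the 30-day inventory rule, against an export. This is an added example, not DefendVista's own tooling. The CSV columns, sample rows and function names are assumptions; map them to whatever your MDM, RMM or endpoint console actually exports.

```python
import csv
import io
from datetime import date

PATCH_WINDOW_DAYS = 14       # the checklist's example window for critical updates
INVENTORY_MAX_AGE_DAYS = 30  # evidence pack: inventory dated within 30 days

# Constructed sample export. Column names are assumptions, not any tool's format.
# oldest_pending_update = release date of the oldest uninstalled security update,
# or "none" when the device is fully patched.
SAMPLE_EXPORT = """\
device,managed,os_supported,oldest_pending_update,endpoint_protection,host_firewall
LT-001,yes,yes,none,healthy,on
LT-002,yes,yes,2024-05-02,healthy,on
PC-003,no,no,2023-11-14,missing,off
MB-004,yes,yes,,stale,on
"""

def device_gaps(row, as_of):
    """Return the checklist gaps for one inventory row (empty list = no gap)."""
    gaps = []
    if row["managed"].strip().lower() != "yes":
        gaps.append("not company-managed")
    if row["os_supported"].strip().lower() != "yes":
        gaps.append("unsupported OS")
    pending = row["oldest_pending_update"].strip().lower()
    if pending != "none":
        try:
            overdue = (as_of - date.fromisoformat(pending)).days - PATCH_WINDOW_DAYS
            if overdue > 0:
                gaps.append(f"security update {overdue} days past window")
        except ValueError:
            # Blank or unparseable: treated as a gap until it can be evidenced.
            gaps.append("patch status not evidenced")
    if row["endpoint_protection"].strip().lower() != "healthy":
        gaps.append("endpoint protection not healthy")
    if row["host_firewall"].strip().lower() != "on":
        gaps.append("host firewall off")
    return gaps

def precheck(export_text, export_date, as_of):
    """Return (inventory_is_current, {device: gaps}) for devices with gaps."""
    current = 0 <= (as_of - export_date).days <= INVENTORY_MAX_AGE_DAYS
    rows = csv.DictReader(io.StringIO(export_text))
    failing = {r["device"]: g for r in rows if (g := device_gaps(r, as_of))}
    return current, failing

if __name__ == "__main__":
    ok, failing = precheck(SAMPLE_EXPORT, date(2024, 6, 1), date(2024, 6, 10))
    print("inventory current:", ok)
    for device, gaps in failing.items():
        print(device, "->", "; ".join(gaps))
```

A blank patch field is reported as a gap rather than a pass, matching the rule that "Mostly" counts as Not true until it can be evidenced.
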

DefendVista note

The goal is not "passing a form". The goal is repeatable control you can keep without heroics. If any section felt uncertain, treat it as a gap and fix it before assessment.