Are we actually ready for Cyber Essentials?
A pre-assessment checklist for UK SMEs to work through before you submit or pay for assessment. Most failures happen in scope, accounts, and MFA, not because the controls are technically difficult, but because the stated answer does not match the operational reality. This checklist surfaces that gap.
This checklist is read-only and not a certification service. Use it to confirm your operational reality before you pay for assessment.
What Cyber Essentials actually tests
- Cyber Essentials is not advanced security. It tests basic control discipline across five technical areas: firewalls, secure configuration, user access control, malware protection, and patch management.
- Most SMEs do not fail because the controls are technically hard. They fail because the stated answer does not match reality: shadow devices outside the asset register, accounts that should have been closed, MFA that is switched on in policy but not enforced by conditional access, and endpoint protection that covers most but not all devices.
- The assessor sees what your systems report, not what you believe is true. This pre-check is designed to surface that gap before submission.
Can you list every device in scope with confidence?
Scope failures are the most common cause of reassessment. A device you forgot, a laptop used by a contractor, or a mobile phone with business email counts as in scope whether you listed it or not.
The list includes the device owner or assigned user, the operating system and version, and whether the device is company-managed or personally owned (BYOD). It was updated within the last 30 days.
The software inventory covers, at minimum: operating system, browser, productivity suite (Microsoft 365 or Google Workspace), email client, VPN, endpoint protection, and any remote access tools, with version numbers for each.
All people, devices, and systems used for business operations are identified. Contractor devices and personal devices used for work email or file access are included. There are no devices you would discover during the assessment that are not already on the list.
Cloud services are listed too: Microsoft 365, Google Workspace, cloud storage, CRM, finance platforms, project management tools. Services where business data is processed or stored are in scope for CE even if they are not physically in your office.
Assessors cannot certify what they cannot verify. If you say "all 35 devices are compliant" but your asset register shows 31, the assessor will ask about the other four. If they turn up after submission with a gap, the application fails. Fix the register first.
Account hygiene is where most "yes" answers become "no" under scrutiny.
User access control is not just about having the right policies. It is about whether those policies are enforced and evidenced in practice across every account in the organisation.
Shared accounts make it impossible to attribute actions to individuals and complicate MFA enforcement. If shared accounts exist for a documented operational reason (a reception desk login, a service account), they must be documented and have restricted privileges.
Administrators use a standard account for routine work (email, documents, browsing) and a separate, named admin account only for administrative tasks. The admin account does not have a mailbox, is not used for general browsing, and is protected by MFA.
Access is granted on a defined schedule when someone joins, updated when their role changes, and fully revoked within a defined timeframe (ideally same day) when they leave. Evidence exists of the last three to five leaver events showing all systems were covered, not just the obvious ones.
Standard users cannot install software, change security settings, or access data outside their role. Privilege escalation follows a documented process. Access rights are reviewed periodically, not just at onboarding.
Available is not the same as enforced. Enforced on some accounts is not the same as enforced everywhere.
MFA is one of the most scrutinised areas in a Cyber Essentials assessment. The assessor is looking for evidence that MFA is enforced by policy, not self-reported by users as something they have enabled.
Not available, not recommended, not on by default for new accounts. Enforced. A user who has not set up MFA cannot log in. This is a conditional access policy setting, not a user choice. Check the policy in your Microsoft 365 or Google Workspace admin console and confirm it covers mobile app access too.
Remote access without MFA is the most common attack vector for SME breaches and a consistent Cyber Essentials failure point. If someone can reach your internal network or admin systems from outside the office, MFA must be on that path.
Admin MFA is non-negotiable. A single admin account without MFA is sufficient to fail this section. If an exception exists for a legacy system or service account that genuinely cannot support MFA, it must be documented with a compensating control and that documentation reviewed before submission.
Legacy authentication protocols bypass MFA entirely. If basic auth is enabled on Microsoft 365 mailboxes, an attacker with a password can access them without the second factor. Block legacy auth in conditional access before submission.
Many firms enable MFA via Microsoft Authenticator and believe it is fully enforced. If legacy authentication protocols are still enabled, those accounts can be accessed without MFA using a password alone. Check the Sign-in Logs in Entra ID for any successful logins using legacy authentication. Block it before you submit.
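Added example, not part of the original checklist: a short Python review of an Entra ID sign-in log export that lists every successful sign-in made through a legacy client. The column names ("Status", "Client app", and so on) are assumed to match the interactive sign-in CSV export, and the sample rows are constructed, not real tenant data.

```python
import csv
import io

# Client app values that Entra ID reports for modern authentication. Everything
# else in the "Client app" column (IMAP4, POP3, Exchange ActiveSync, Authenticated
# SMTP, Other clients, ...) is a legacy protocol that cannot complete MFA.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export, not real tenant data. Column names are assumed to
# follow the interactive sign-in CSV export from the Entra admin centre.
SAMPLE_SIGNIN_CSV = """Date (UTC),User,Application,Status,Client app
2024-05-01T08:02:11Z,alice@example.com,Office 365 Exchange Online,Success,Browser
2024-05-01T08:05:43Z,reception@example.com,Office 365 Exchange Online,Success,IMAP4
2024-05-01T09:17:02Z,bob@example.com,Office 365 Exchange Online,Failure,Authenticated SMTP
2024-05-01T10:44:19Z,scanner@example.com,Office 365 Exchange Online,Success,Authenticated SMTP
2024-05-01T11:01:55Z,alice@example.com,Microsoft Teams,Success,Mobile Apps and Desktop clients
2024-05-02T07:30:00Z,reception@example.com,Office 365 Exchange Online,Success,IMAP4
"""

def legacy_auth_signins(csv_text):
    """Return successful sign-ins that used a legacy authentication client.

    Each result is (user, client_app, count), sorted by user then client app.
    Failed attempts are excluded on purpose: the CE question is whether a
    password alone was sufficient, so only successes are evidence of a gap.
    """
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"] != "Success":
            continue
        client = row["Client app"]
        if client in MODERN_CLIENT_APPS:
            continue
        key = (row["User"], client)
        counts[key] = counts.get(key, 0) + 1
    return sorted((user, client, n) for (user, client), n in counts.items())

def legacy_auth_enforced(csv_text):
    """True when no successful legacy-auth sign-in appears in the export."""
    return not legacy_auth_signins(csv_text)

if __name__ == "__main__":
    for user, client, n in legacy_auth_signins(SAMPLE_SIGNIN_CSV):
        print(f"{user}: {n} successful sign-in(s) via {client}")
    print("legacy auth blocked:", legacy_auth_enforced(SAMPLE_SIGNIN_CSV))
```

Each account the script lists is one that a password alone can still open; block legacy authentication in conditional access and re-run against a fresh export until the list is empty.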
Patching requires a defined update window and evidence, not a best-effort intention.
CE requires a defined patch management process with a stated timeframe for applying security-critical updates. "We update when we get around to it" does not pass. A number does: 14 days for critical, 30 days for high.
Windows 10 (while still supported), Windows 11, current macOS, current iOS and Android. End-of-life operating systems cannot be included in the scope of a CE assessment. If a device runs Windows 10 21H2 or earlier, it must be updated or excluded with documented justification.
A written policy commits to a specific number of days for applying security-critical and high-severity updates (CVSS 7.0 or above). 14 days is the CE standard for internet-facing software. The policy reflects what actually happens, not an aspirational number.
Browser extensions and plugins are a common blind spot. Chrome, Edge, and Firefox plugins receive security updates independently of the browser. Office add-ins, PDF readers, and collaboration tools all count as in-scope software that must be patched within the stated window.
Patch evidence is reports or screenshots from an MDM or RMM tool, Windows Update for Business policy compliance reports, or Intune device compliance status showing OS version and last patch date for each device in scope.
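Added example, not from the original checklist, serving both the scope section (the register that says 35 devices while the console shows 31) and the patch window above: a Python reconciliation of the asset register against a device compliance export. Both CSV layouts and all device names are constructed for illustration, not a specific vendor's export format.

```python
import csv
import io
from datetime import date

PATCH_WINDOW_DAYS = 14  # the CE timeframe the checklist cites for security updates

# Constructed sample data, not from any real organisation. The register is the
# applicant's own list; the compliance export stands in for an Intune, MDM or
# RMM report (column names are assumed, not any vendor's actual format).
ASSET_REGISTER_CSV = """Device,Owner,OS
LT-001,alice,Windows 11 23H2
LT-002,bob,Windows 11 23H2
LT-003,carol (contractor),macOS 14.4
MOB-001,alice,iOS 17.4
"""

COMPLIANCE_EXPORT_CSV = """Device,OS,LastPatch
LT-001,Windows 11 23H2,2024-04-28
LT-002,Windows 11 23H2,2024-03-30
LT-003,macOS 14.4,2024-04-25
LT-009,Windows 11 23H2,2024-04-27
"""

def reconcile(register_csv, compliance_csv, today_iso, window_days=PATCH_WINDOW_DAYS):
    """Compare the asset register with what the management console reports.

    Returns a dict of three sorted device-name lists:
      unmanaged - in the register but with no compliance record (no evidence)
      unlisted  - reporting to the console but missing from the register
      overdue   - last patch older than the stated window
    """
    today = date.fromisoformat(today_iso)
    register = {r["Device"] for r in csv.DictReader(io.StringIO(register_csv))}
    console = {r["Device"]: r for r in csv.DictReader(io.StringIO(compliance_csv))}
    overdue = [
        name for name, r in console.items()
        if (today - date.fromisoformat(r["LastPatch"])).days > window_days
    ]
    return {
        "unmanaged": sorted(register - console.keys()),
        "unlisted": sorted(console.keys() - register),
        "overdue": sorted(overdue),
    }

def ready_for_submission(result):
    """True only when register and console agree and nothing is past the window."""
    return not any(result.values())

if __name__ == "__main__":
    result = reconcile(ASSET_REGISTER_CSV, COMPLIANCE_EXPORT_CSV, "2024-05-01")
    for category, devices in result.items():
        print(f"{category}: {', '.join(devices) or 'none'}")
    print("ready:", ready_for_submission(result))
```

Every name in "unlisted" is a device the assessor will ask about, every name in "unmanaged" is a device you cannot evidence, and the "overdue" list is the gap between the written patch policy and what actually happens.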
Deployed everywhere, actively updating, and provable with evidence.
Endpoint protection must be present on every device in scope, configured to scan automatically, and kept up to date. Partial coverage or manual-only scanning does not meet the standard.
Every device runs Microsoft Defender for Business, a reputable third-party EDR or AV solution, or the built-in OS protection (Windows Defender, macOS XProtect and Gatekeeper), configured and active. Not "most laptops" or "the office machines". Every device.
Automatic scheduled scans are active. Definitions are set to update automatically, and the management console shows all agents as healthy. Any devices showing as out of date or with protection disabled are flagged and resolved before submission.
Web filtering or safe browsing protections are enabled. Email scanning is active for attachments and links. In Microsoft 365, Defender for Office 365 Safe Attachments and Safe Links should be configured. These are in scope for the malware protection section of CE.
Default-deny, no exposed RDP, and no default passwords left in place.
This section covers both the network boundary and individual device configuration. The most common failures here are exposed RDP, default credentials on network devices, and host firewalls disabled on individual machines.
The host firewall is one of the most straightforward controls to evidence, but also one of the most frequently found disabled "for convenience" or because an older application required it. Check all endpoints. Windows Firewall policy should be managed centrally via Group Policy or Intune.
RDP (port 3389) open to the internet is one of the most actively scanned services there is. If remote access to Windows machines is needed: use a VPN with MFA as the entry point, allowlist specific IP addresses, enable Network Level Authentication, and ensure all accounts that can RDP have strong passwords and MFA.
Routers, wireless access points, network-attached storage, CCTV systems, smart devices, and printers all arrive with default credentials that are publicly documented. Any device on your network with an unchanged default password is an entry point. Include devices that arrived years ago.
Unneeded services are disabled: file sharing services not needed for daily work, Bluetooth on devices that do not use it, features such as SMBv1 on Windows, Telnet and FTP on network devices, and unused cloud management interfaces. Every enabled service is an attack surface. Disable what is not needed.
What to collect before you submit
Inventory evidence
Device list export or spreadsheet dated within 30 days. Includes OS version and owner for each device. Cloud services listed separately.
MFA evidence
Policy screenshot showing MFA is enforced, not just enabled, for email, remote access, and admin accounts. Conditional access policy view from admin console.
Patch evidence
Device compliance report showing OS versions and last patch date for all devices in scope. MDM, Intune, or RMM export showing compliance status.
Endpoint protection evidence
Management console view showing all devices, protection status (healthy or not), last updated date, and real-time protection active.
Firewall evidence
Policy screenshot showing Windows Firewall or macOS firewall active on endpoints. Network firewall configuration if applicable. Port scan result showing no exposed RDP.
Access control evidence
Admin account list showing separation from standard accounts. Leaver log showing last 3 to 5 offboarding events with dates and systems covered.
The most efficient approach is to screenshot or export evidence at the point you apply each control, not at the end. Building the evidence pack retrospectively is where SMEs lose time. Keep a dated folder for each section and add to it as you work.
What to do with your results
Any "Not true" in sections 1, 2, or 3
Scope gaps, shared accounts, or missing MFA enforcement are the most common causes of failure. Fix these before anything else. They also affect your practical security posture more than the later sections.
Any "Mostly" anywhere in the checklist
A "Mostly" answer should be treated as a gap until it can be evidenced. Make it True before submission. A partial yes that cannot be documented under assessor scrutiny becomes a no.
All items True with evidence collected
If every item is genuinely True and you have the evidence to demonstrate it, you are in a strong position for assessment. Consider a review with a CE-experienced adviser before submitting to confirm there are no blind spots.