By Andy Pickett · Managing Director

Published 22 April 2026 · About the author

Last updated: April 2026  |  Reviewed by: Connection Technologies team

Cyber Essentials Checklist UK 2026: 5 Controls, Step by Step

This cyber essentials checklist is the same one our consultants use to prepare UK businesses for IASME assessment in 2026. Work through every item before you submit the SAQ and you’ll dramatically improve your first-time pass rate (industry average is around 60% — with a proper checklist it climbs to 90%+).

The list maps directly to the five Cyber Essentials technical controls and the wording of the official IASME questionnaire so that every “Yes” you tick has documented evidence behind it. For the audited tier, jump to the Cyber Essentials Plus checklist further down.

Before you start — scope and prep

• Confirm the scope: whole organisation (recommended) vs a defined sub-organisation. Whole-org scope is required for the free £25k cyber-liability insurance.
• List every device type and operating system in scope: Windows 10/11, macOS, iOS, Android, Linux servers, on-prem hypervisors.
• List every cloud service handling business data: Microsoft 365, Google Workspace, Dropbox, accounting (Xero/Sage/QuickBooks), CRM, project management, AI tools.
• Build a software inventory across all devices — IASME wants to see you can answer “what’s installed and what version?”
• Choose a licensed assessor. IASME publishes the full directory; pricing is uniform but service quality varies — ask for references in your sector.

Cyber Essentials checklist — the five controls

Control 1 — Boundary firewalls & internet gateways

• ☐ Every internet-facing device (router, firewall, server, cloud VM) has a firewall enabled.
• ☐ Default admin passwords on routers, firewalls and switches have been changed to strong unique passwords.
• ☐ Admin web interfaces are not reachable from the public internet (no port 443 admin panel exposed).
• ☐ Inbound services are documented and there’s a business reason for every open port.
• ☐ RDP (port 3389) is closed at the boundary; remote access uses VPN or a Zero Trust gateway with MFA.
• ☐ Any open inbound rule has been reviewed in the last 12 months.
• ☐ Home / hybrid workers either use the corporate VPN or have host-based firewalls enabled (Windows Defender Firewall on / macOS Firewall on).

Control 2 — Secure configuration

• ☐ Every device has an inventory record including OS version, owner and last-patched date.
• ☐ Auto-run / auto-play is disabled for removable media.
• ☐ Default user accounts (Guest, Admin) are disabled or have unique strong passwords.
• ☐ Unused software is uninstalled — no Java 8, no Flash, no abandoned trial apps.
• ☐ Bluetooth, NFC and other wireless interfaces are disabled where not used.
• ☐ Auto-lock screen kicks in after no more than 10 minutes of inactivity.
• ☐ A password / PIN / biometric is required to unlock every device.
• ☐ Mobile devices have full-disk encryption enabled (BitLocker on Windows, FileVault on macOS, default on iOS/Android with PIN).

Control 3 — User access control

• ☐ Every user has a unique account — no shared logins.
• ☐ MFA is enabled on every cloud admin account (M365 global admin, Google Workspace super admin, AWS root, Azure subscription owners).
• ☐ MFA is enabled on all standard cloud user accounts (M365, Google Workspace, Xero, CRM, etc.).
• ☐ Local admin rights on workstations are limited to IT staff or named technical users.
• ☐ A documented joiner / mover / leaver process exists — and was followed for everyone who left in the last 12 months.
• ☐ Ex-staff accounts are disabled within 1 working day of leaving (CE+ tightens this to “before they leave”).
• ☐ Service / shared accounts are documented with an owner.
• ☐ Password policy requires either: (a) 12+ character passwords with no expiry plus MFA, or (b) 8+ character passwords with breached-password checking and MFA.

Control 4 — Malware protection

• ☐ Every Windows endpoint runs Microsoft Defender (or equivalent EDR) with real-time protection enabled.
• ☐ Every Mac in scope runs an EDR product (built-in XProtect alone is no longer sufficient for CE+).
• ☐ Definitions / cloud lookups are auto-updating — no devices over 7 days behind.
• ☐ Web filtering is in place (Microsoft Defender SmartScreen, Cloudflare DNS filtering, Cisco Umbrella, etc.).
• ☐ Email filtering blocks known malware and phishing (M365 Defender for Office 365, Mimecast, Proofpoint).
• ☐ Sandboxing or attachment-scanning is enabled for unknown files.
• ☐ Mobile devices use the official Apple App Store / Google Play; sideloading is disabled or restricted via MDM.

Control 5 — Security update management

• ☐ Every OS in scope is vendor-supported (no Windows 7, no Windows 10 after October 2025 without ESU, no macOS older than the 3 most recent versions).
• ☐ Critical and high-severity OS patches are applied within 14 days of release.
• ☐ Application patches (browsers, Office, Adobe, third-party apps) are applied within 14 days.
• ☐ Windows Update for Business / Intune / equivalent enforces patching automatically.
• ☐ Mac App Store auto-update and macOS auto-install for security updates are enabled.
• ☐ Mobile devices receive OS updates within 14 days (BYOD policy enforces this).
• ☐ Firmware on routers, firewalls, switches and IoT devices is up to date.
• ☐ Out-of-support software (Java 8, Office 2016 from October 2025, etc.) has been removed or replaced.

Cyber Essentials Plus checklist — additional items for the audit

For Cyber Essentials Plus, the auditor independently verifies the checklist above using external scans, an authenticated sample audit of devices and an email phishing test. Add these items to the basic Cyber Essentials Plus requirements list:

• ☐ Every public IP has been scanned with Nessus / Qualys in the last 30 days; no unpatched CVEs over 7 days old.
• ☐ A random sample of devices (typically 10-15% of the fleet, minimum 1 of each OS variant) is ready for an authenticated vulnerability scan.
• ☐ Email filtering blocks both file payloads (EICAR-style test executable) and link payloads (test phishing URL).
• ☐ Mobile devices are reviewed: at least 1 iOS and 1 Android per OS version in use.
• ☐ The auditor has remote access (Splashtop / TeamViewer / similar) to the sample devices for the scan day.
• ☐ A network diagram is available showing every device type and connection.

Common reasons UK businesses fail the Cyber Essentials checklist

How long the Cyber Essentials checklist takes to complete

• Already pretty tight (M365, MFA on, EDR deployed, no on-prem servers): 4-8 hours of senior IT time to walk the checklist + collect evidence.
• Average SMB (mixed Win/Mac, some legacy stuff, MFA not universal): 2-3 working days of remediation + 1 day of evidence gathering.
• Older / heavier estate (on-prem servers, line-of-business apps, BYOD, distributed workforce): 1-3 weeks of remediation + a final evidence-gathering sprint.

If you’d rather not run this checklist yourself, see our managed Cyber Essentials & CE+ service or read the wider UK IT compliance guide.

Get Cyber Essentials & Cyber Essentials Plus — fully managed

Connection Technologies runs Cyber Essentials and Cyber Essentials Plus for UK businesses end-to-end. Our compliance agent automates the five technical controls across every Windows, macOS, iOS and Android device — we submit, audit and renew so you stay certified without the paperwork. RRP from £103/month with free £25,000 cyber-liability insurance for eligible UK businesses.

Frequently asked questions about cyber essentials checklist