Cyber Essentials and Cyber Essentials Plus Checklist for UK Startups

A comprehensive checklist for UK startups preparing for Cyber Essentials and Cyber Essentials Plus certification, covering all five technical controls.


TL;DR

  • Two certification levels: basic Cyber Essentials (self-assessment) and Plus (technical audit)
  • Five controls: firewalls, secure configuration, user access control, malware protection, patch management
  • 14-day patching rule: critical and high-severity vulnerabilities must be patched within 14 days
  • MFA is mandatory: MFA is required on all cloud services; from April 2026, missing MFA is an automatic fail
  • Annual renewal: certification is valid for 12 months and must be renewed each year
  • Cost: basic starts at £320 + VAT; Plus varies by organisation size and complexity

Cyber Essentials is a UK government-backed certification scheme that protects organisations against the most common cyber attacks. The scheme centres on five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. Cyber Essentials Plus adds independent technical verification through hands-on testing. For UK startups, particularly those handling government contracts or sensitive data, certification demonstrates baseline security maturity and can be a competitive differentiator.


What Is Cyber Essentials?

Cyber Essentials is a UK government-backed cybersecurity certification scheme introduced by the National Cyber Security Centre (NCSC) in 2014. The scheme provides a clear, achievable standard for organisations of all sizes to protect themselves against the most common internet-based threats.

The core premise is straightforward: implementing five technical controls addresses the most common attack vectors. According to insurer data, certified organisations are 92% less likely to make a cyber insurance claim. Since the scheme launched, over 190,000 certificates have been issued to UK organisations.

Two Levels of Certification

Cyber Essentials

  • Assessment type: self-assessment questionnaire reviewed by an assessor
  • What it proves: controls are documented and claimed to be in place
  • Typical cost: from £320 + VAT

Cyber Essentials Plus

  • Assessment type: self-assessment plus independent technical audit
  • What it proves: controls are verified through hands-on testing
  • Typical cost: varies (typically £1,500-£5,000+)

Cyber Essentials is a self-assessment. You complete a questionnaire about how your organisation implements each of the five controls, and a qualified assessor reviews your responses. You do not need to provide technical evidence, but your answers must accurately reflect your actual configuration.

Cyber Essentials Plus builds on the basic certification. After completing the self-assessment, a qualified assessor performs hands-on technical testing of your systems to verify that the controls are actually operating as described. This includes vulnerability scans, configuration reviews, and verification of security settings.

Why UK Startups Should Consider Certification

Government contracts: Since 2014, Cyber Essentials has been a mandatory requirement for UK government contracts involving the handling of sensitive or personal data. If you are selling to the public sector, you likely need certification.

Supply chain requirements: Large enterprises increasingly require suppliers to hold Cyber Essentials certification. It is becoming table stakes for B2B relationships in regulated industries.

Insurance benefits: Some cyber insurance providers offer reduced premiums for certified organisations. The certification provides insurers with confidence in baseline security controls.

Customer trust: For UK-based customers, the NCSC-backed certification is a recognised signal of security maturity, particularly for startups without the resources for a full SOC 2 or ISO 27001 programme.


The Five Technical Controls

The Cyber Essentials scheme is built around five control areas. Each addresses a specific category of common attacks. Here is what each control requires and how to implement it effectively.

1. Firewalls

Firewalls create a barrier between your internal network and the internet, controlling what traffic is allowed in and out. Every device in scope must be protected by a firewall, whether that is a network-level boundary firewall, a software firewall on individual devices, or cloud-native security groups.

Requirements Checklist

Boundary protection:

  • All connections to the internet pass through a firewall or equivalent boundary device
  • All devices in scope (laptops, servers, virtual machines, cloud instances) are protected
  • Cloud services use security groups, network ACLs, or equivalent controls

Firewall configuration:

  • Default administrator passwords have been changed to strong, unique passwords
  • Administrator access to firewall settings requires MFA or is restricted by IP allowlist
  • All firewall rules are documented and approved
  • Only necessary ports and services are permitted through the firewall
  • All other inbound traffic is blocked by default (deny-by-default policy)
  • Unused ports and services are disabled

Software firewalls (for devices):

  • Host-based firewalls are enabled on all laptops, desktops, and servers
  • Default-deny rules are configured for inbound connections
  • Approved applications that require inbound connections are explicitly permitted

Common Mistakes to Avoid

  • Leaving default passwords on firewall appliances
  • Creating overly permissive rules ("allow all from anywhere") during troubleshooting and forgetting to remove them
  • Not applying firewall protection to devices used remotely or under BYOD arrangements
  • Forgetting to protect cloud infrastructure with equivalent controls (security groups, WAF rules)

2. Secure Configuration

Secure configuration means setting up devices and software in a way that reduces vulnerabilities. Out-of-the-box configurations often include unnecessary features, default accounts, and insecure settings that attackers can exploit.

Requirements Checklist

Default credentials:

  • All default passwords have been changed to unique, strong passwords
  • Default accounts that are not needed have been disabled or removed
  • Guest accounts are disabled unless explicitly required and documented

Unnecessary services:

  • Only necessary software is installed on each device
  • Unnecessary services and features are disabled
  • Autorun/autoplay is disabled on all devices
  • Browser plugins and extensions are limited to those with a documented business need

Password and authentication policies:

  • Passwords have a minimum length of 12 characters (8 characters is acceptable only when MFA is enabled or a password deny list blocks common passwords)
  • Technical controls prevent the use of common weak passwords (deny list)
  • Account lockout is configured after no more than 10 failed login attempts, or rate limiting restricts attempts to no more than 10 guesses within 5 minutes
  • If biometric authentication is used, a strong backup password is also required
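The length and brute-force rules above can be encoded as checks rather than left to policy documents. The following is an added example, not code from the article or the scheme: the 12-character minimum (8 with MFA or a deny list), a deny-list check, and a sliding-window limiter that allows at most 10 failed attempts in 5 minutes. The deny list is a constructed sample, and timestamps are plain seconds (for example from time.time()).

```python
from __future__ import annotations
from collections import deque

# Constructed sample deny list; a real deployment loads a published list of
# commonly used passwords (the checklist only requires that such a list exists).
COMMON_PASSWORDS = {"password", "password123", "qwerty123", "letmein1", "welcome1"}


def password_meets_policy(password: str, *, mfa_enabled: bool,
                          deny_list_enforced: bool) -> tuple[bool, str]:
    """Apply the checklist's length rule: 12 characters minimum, or 8 when MFA
    is enabled or a deny list blocks common passwords. Deny-listed passwords
    are rejected regardless of length."""
    if deny_list_enforced and password.lower() in COMMON_PASSWORDS:
        return False, "password is on the common-password deny list"
    minimum = 8 if (mfa_enabled or deny_list_enforced) else 12
    if len(password) < minimum:
        return False, f"password shorter than {minimum} characters"
    return True, "ok"


class LoginRateLimiter:
    """Brute-force control: lock an account once it reaches `max_attempts`
    failed logins inside a sliding `window_seconds` window (10 in 5 minutes
    here). Timestamps are seconds, e.g. from time.time()."""

    def __init__(self, max_attempts: int = 10, window_seconds: float = 300.0):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self._failures: dict[str, deque[float]] = {}

    def _recent_failures(self, account: str, now: float) -> deque[float]:
        attempts = self._failures.setdefault(account, deque())
        # Drop failures that have aged out of the window.
        while attempts and now - attempts[0] >= self.window_seconds:
            attempts.popleft()
        return attempts

    def is_locked(self, account: str, now: float) -> bool:
        return len(self._recent_failures(account, now)) >= self.max_attempts

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed attempt; returns True once the account is locked."""
        attempts = self._recent_failures(account, now)
        attempts.append(now)
        return len(attempts) >= self.max_attempts

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history for that account."""
        self._failures.pop(account, None)


if __name__ == "__main__":
    print(password_meets_policy("eightch8", mfa_enabled=True, deny_list_enforced=False))
    print(password_meets_policy("eightch8", mfa_enabled=False, deny_list_enforced=False))
    limiter = LoginRateLimiter()
    for second in range(10):
        limiter.record_failure("alice", now=float(second))
    print("alice locked:", limiter.is_locked("alice", now=10.0))
```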

Device security:

  • Device encryption is enabled on all laptops and mobile devices
  • Screen lock is configured to activate after a short idle period (5 minutes recommended)
  • Users cannot install unapproved software without administrator authorisation

Common Mistakes to Avoid

  • Leaving default accounts enabled on network devices, servers, or applications
  • Allowing users to disable security features like firewalls or antivirus
  • Not enforcing password complexity at the technical level (relying on policy alone)
  • Running unnecessary services "just in case" they are needed later

3. User Access Control

User access control ensures that only authorised individuals can access your systems and data, and that they only have the access they need to do their jobs. This control directly limits the blast radius when credentials are compromised.

Requirements Checklist

Account management:

  • Each user has a unique account (no shared accounts)
  • User accounts are only created for authorised individuals
  • Accounts are promptly disabled or deleted when no longer needed (e.g., when employees leave)
  • A documented process exists for provisioning and deprovisioning access

Principle of least privilege:

  • User accounts are granted the minimum permissions necessary for their role
  • Standard user accounts do not have administrator privileges
  • Administrative accounts are separate from day-to-day user accounts
  • Users with admin access maintain a separate standard account for daily work

Administrative access:

  • Admin accounts are only used for administrative tasks, not general work
  • The number of administrator accounts is limited and documented
  • Admin credentials are protected with strong, unique passwords
  • Admin access is reviewed regularly to ensure it remains appropriate

Authentication strength:

  • MFA is enabled for all cloud services that support it (this is mandatory, not optional)
  • MFA is enabled for remote access to the network (VPN, remote desktop)
  • If MFA is not available, accounts use passwords of at least 12 characters
  • Device unlock PINs or passwords are at least 6 characters
  • Consider passkeys or FIDO2 authentication where supported (NCSC recommended)

Common Mistakes to Avoid

  • Granting admin access "just in case" or for convenience
  • Using shared accounts for common tasks (support inbox, social media, etc.)
  • Not revoking access promptly when contractors or employees leave
  • Using the same account for administrative and day-to-day tasks

4. Malware Protection

Malware protection defends against malicious software, including ransomware, trojans, and data-stealing tools. The scheme accepts multiple approaches to malware protection, not just traditional antivirus.

Requirements Checklist

Protection method (at least one must be implemented):

Option A: Anti-malware software

  • Anti-malware software is installed on all in-scope devices
  • Software is configured to update signatures automatically (at least daily)
  • Real-time scanning is enabled for files when accessed or downloaded
  • Regular full-system scans are scheduled
  • Users cannot disable or bypass the anti-malware software

Option B: Application allowlisting

  • Only approved applications can execute on devices
  • The allowlist is maintained and reviewed regularly
  • Unsigned or unapproved code is blocked by default

Option C: Sandboxing (for internet-facing applications)

  • Web browsers and email clients run in a sandboxed environment
  • Downloaded files are analysed in a sandbox before execution

Additional defences:

  • Email filtering blocks or quarantines known malicious attachments
  • Web filtering blocks access to known malicious sites
  • Users are trained to recognise and report phishing attempts

Common Mistakes to Avoid

  • Relying on free antivirus products that lack enterprise management features
  • Not configuring automatic signature updates
  • Allowing users to disable protection "temporarily" and forgetting to re-enable it
  • Assuming macOS or Linux devices do not need malware protection

5. Patch Management (Security Update Management)

Patch management ensures that software vulnerabilities are fixed before attackers can exploit them. This is one of the most impactful controls, as unpatched vulnerabilities are a leading cause of breaches.

Requirements Checklist

Supported software:

  • All operating systems are supported versions (receiving security updates from the vendor)
  • All applications are supported versions (receiving security updates)
  • Unsupported software has been removed, isolated, or has a documented risk acceptance
  • A process exists to track vendor support end dates

Patching timeline:

  • Critical and high-severity vulnerabilities are patched within 14 days of patch release
  • CVSS 7.0+ vulnerabilities are treated as high priority
  • Automatic updates are enabled where practical and reliable
  • A process exists to apply patches that cannot be automated

Scope of patching:

  • Operating systems (Windows, macOS, Linux, iOS, Android)
  • Web browsers and plugins
  • Office productivity software
  • Anti-malware software
  • Network devices (routers, firewalls, switches)
  • Any other internet-connected software

Verification:

  • Patching status is monitored across all devices
  • Non-compliant devices are identified and remediated promptly
  • Evidence of patch deployment is retained
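The patching timeline and verification bullets above amount to a rule that can be checked automatically against a patch inventory. This is an added example, not the article's or the scheme's own tooling: it applies the 14-day clock from fix release to every finding with CVSS 7.0 or higher and buckets devices as overdue, due soon, patched late or compliant. The inventory is constructed sample data with placeholder advisory IDs; the two laptops sharing one advisory illustrate the selective-patching problem an assessor looks for.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_SLA = timedelta(days=14)   # the scheme's 14-day window
HIGH_SEVERITY_CVSS = 7.0         # CVSS 7.0+ is treated as high priority


@dataclass(frozen=True)
class Finding:
    device: str
    advisory: str            # vendor advisory reference (placeholders below)
    cvss: float
    fix_released: date       # the 14-day clock starts when the fix is released
    patched_on: date | None  # None while the device is still unpatched


def sla_deadline(finding: Finding) -> date:
    return finding.fix_released + PATCH_SLA


def classify(finding: Finding, today: date) -> str:
    """Return the bucket an assessor would place this finding in."""
    if finding.cvss < HIGH_SEVERITY_CVSS:
        return "below_threshold"  # still needs fixing, but not under the 14-day rule
    deadline = sla_deadline(finding)
    if finding.patched_on is None:
        return "overdue" if today > deadline else "due_soon"
    return "patched_late" if finding.patched_on > deadline else "compliant"


def summarise(findings: list[Finding], today: date) -> dict[str, list[str]]:
    """Group device names by bucket; 'overdue' is what fails an assessment."""
    report: dict[str, list[str]] = {
        "overdue": [], "due_soon": [], "patched_late": [],
        "compliant": [], "below_threshold": [],
    }
    for finding in findings:
        report[classify(finding, today)].append(finding.device)
    return report


# Constructed sample inventory; advisory IDs are placeholders, not real identifiers.
REPORT_DATE = date(2026, 3, 30)
SAMPLE_FINDINGS = [
    Finding("laptop-01", "ADV-PLACEHOLDER-1", 9.8, date(2026, 3, 1), date(2026, 3, 10)),
    Finding("laptop-02", "ADV-PLACEHOLDER-1", 9.8, date(2026, 3, 1), None),
    Finding("server-01", "ADV-PLACEHOLDER-2", 7.5, date(2026, 3, 20), None),
    Finding("server-02", "ADV-PLACEHOLDER-3", 5.3, date(2026, 2, 1), None),
    Finding("router-01", "ADV-PLACEHOLDER-4", 8.1, date(2026, 2, 1), date(2026, 3, 5)),
]

if __name__ == "__main__":
    for bucket, devices in summarise(SAMPLE_FINDINGS, REPORT_DATE).items():
        print(f"{bucket:16} {', '.join(devices) or '-'}")
```

Run daily against the real inventory, the "overdue" bucket is the list to fix before an assessment, and "patched_late" is the evidence of process failures to explain.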

2025/2026 Updates to Be Aware Of

The patching requirements have been tightened in recent scheme updates:

Version 3.2 (from April 2025):

  • High-severity patches (not just critical) must be applied within 14 days
  • All internet-connected end-user devices must be in scope, including BYOD and remote devices
  • Operating systems must be vendor-supported versions receiving security updates (Windows 10 support ends October 2025)
  • Terminology changed from "patches and updates" to "vulnerability fixes," meaning any fix is required regardless of whether it is a patch, configuration change, or registry update

Version 3.3 (from 27 April 2026):

  • Stricter marking criteria with automatic failures for non-compliance
  • Enhanced focus on applying patches consistently across all devices, not just sampled ones
  • Cloud services can no longer be excluded from scope; if you use a cloud service to process or store business data, it must be included

Common Mistakes to Avoid

  • Running unsupported operating systems (Windows 7, older macOS versions)
  • Delaying patches because they "might break something" without a formal risk process
  • Only patching servers while neglecting end-user devices
  • Not patching network devices and firmware

Cyber Essentials vs. Cyber Essentials Plus: Which Do You Need?

  • Assessment type: Cyber Essentials uses a self-assessment questionnaire; Plus adds a technical audit
  • Cost: Cyber Essentials from £320 + VAT; Plus £1,500-£5,000+ depending on scope
  • Time to certify: Cyber Essentials takes days to weeks; Plus takes weeks to months (audit scheduling)
  • Assurance level: Cyber Essentials is claims-based; Plus is verified through testing
  • Government contracts: Cyber Essentials is required for contracts involving sensitive data; Plus may be required for higher-risk contracts
  • Customer expectations: Cyber Essentials is the minimum baseline; Plus gives higher assurance for enterprise customers

Choose Cyber Essentials if:

  • You need certification quickly for a contract requirement
  • Your security controls are new and you want to validate your approach before a technical audit
  • You are a small organisation with straightforward IT infrastructure
  • Budget is a primary constraint

Choose Cyber Essentials Plus if:

  • You want independent verification that controls actually work
  • Your customers or partners require the higher level of assurance
  • You are handling particularly sensitive data
  • You want to identify technical gaps before an attacker does

Many organisations start with Cyber Essentials and progress to Plus once they are confident in their technical controls.


The Cyber Essentials Plus Technical Audit

If you pursue Cyber Essentials Plus, here is what to expect from the technical verification process.

Scope Verification

The assessor will verify that the scope of your Plus assessment matches your self-assessment declaration. If you certified a subset of your organisation rather than the whole organisation, you must demonstrate that the subset is properly segregated from the rest of your network.

Testing Procedures

The assessor will perform hands-on verification, including:

Vulnerability scanning:

  • External scans of internet-facing systems to identify known vulnerabilities
  • Internal scans of a sample of devices to verify patching status
  • Verification that critical and high-severity vulnerabilities have been addressed

Configuration review:

  • Review of firewall rules and security group configurations
  • Verification of account separation (admin vs. standard users)
  • Check that MFA is enforced where required
  • Verification of malware protection configuration

Sampling:

  • A representative sample of devices will be tested
  • Sample size is determined by IASME guidelines based on your total device count
  • All device types in scope may be sampled (laptops, servers, mobile devices)

Evidence Requirements

You should be prepared to demonstrate:

  • Firewall configurations and rule documentation
  • Patch management reports showing current status
  • User account lists with privilege levels
  • Anti-malware configuration and update status
  • MFA enrolment records for cloud services

Tips for a Successful Audit

Do not selectively patch. Recent audits have identified organisations that only patched devices in the testing sample. The 2026 requirements specifically address this, and assessors are now checking for consistent patching across the entire scope.

Align your declarations. What you claim in the self-assessment must match what the assessor finds during technical testing. Discrepancies will cause the assessment to fail.

Complete Plus within three months. After completing your Cyber Essentials self-assessment, you have three months (90 days) to complete the Plus technical audit. If issues are found during the audit, any remediation period must still fall within this 90-day window. Plan accordingly.

Treat it as a project. Organisations that succeed treat Cyber Essentials Plus as a project with dedicated preparation time, not a single assessment day.


Key Changes for 2026

The Cyber Essentials scheme is updated annually. Here are the most significant changes taking effect in 2026:

Mandatory MFA Auto-Fail

MFA on cloud services is already a requirement under Cyber Essentials. What changes from April 2026 is the consequence: if a cloud service supports MFA and you have not enabled it, your assessment will automatically fail. Previously, this was marked as a major non-compliance but might not prevent certification. The new marking criteria make this a hard fail.

Action required: Audit all cloud services you use (including social media, HR systems, and financial platforms) and enable MFA on every service that supports it. Document any services where MFA is not available.

Stricter Marking Criteria

The 2026 requirements introduce automatic failure conditions for critical security practices. Missing the 14-day patching window or failing to enable available MFA will result in assessment failure rather than being noted as an area for improvement.

Whole-Scope Patch Verification

The scheme now explicitly requires that patches are applied consistently across your entire Cyber Essentials scope, not just the devices sampled during a Plus assessment. Assessors will check that patching practice is consistent across the whole scope rather than only on the sampled devices.

Cloud Services Cannot Be Excluded

From April 2026, cloud services can no longer be carved out of your Cyber Essentials scope. If your organisation uses a cloud service to process or store business data, it must be included in the assessment. This includes SaaS platforms, collaboration tools, social media accounts used for business, and HR or finance systems.

Passkeys and Passwordless Authentication

The NCSC is promoting passkeys and FIDO2 authentication as the preferred approach to user authentication. While not yet mandatory, passkeys can satisfy MFA requirements when they involve multiple factors (such as device possession plus biometric). Expect future scheme updates to place greater emphasis on passwordless approaches.


Preparing for Certification: A Startup Checklist

If you are preparing for Cyber Essentials certification, work through this preparation checklist:

Phase 1: Scoping

  • Decide whether to certify the whole organisation or a defined subset
  • Inventory all in-scope devices (laptops, desktops, servers, mobile devices, cloud instances)
  • Inventory all in-scope software and cloud services
  • Document your network architecture and boundaries

Phase 2: Gap Assessment

  • Review each of the five controls against your current configuration
  • Identify gaps between requirements and your current state
  • Prioritise remediation based on risk and effort

Phase 3: Remediation

  • Implement missing firewall rules and configurations
  • Harden device configurations and remove unnecessary services
  • Implement or verify access control policies
  • Deploy or verify malware protection
  • Establish a patch management process with 14-day SLAs

Phase 4: Documentation

  • Document your firewall rules and the business justification for each
  • Document your user access provisioning and deprovisioning process
  • Maintain evidence of patch deployment
  • Record MFA enrolment status for cloud services

Phase 5: Assessment

  • Complete the self-assessment questionnaire accurately
  • If pursuing Plus, schedule the technical audit with a qualified assessor
  • Prepare evidence and access for the assessor

Phase 6: Maintenance

  • Set a reminder to renew certification before it expires (12 months)
  • Monitor for scheme updates that may affect your compliance
  • Maintain continuous compliance rather than cramming before renewal

How Cyber Essentials Fits With Other Frameworks

If you are already pursuing or have achieved other security certifications, here is how Cyber Essentials relates:

SOC 2: Cyber Essentials covers a subset of SOC 2's technical controls, particularly around access control, change management (via patching), and system operations. Achieving Cyber Essentials can help build the foundation for a future SOC 2 programme, but does not replace it.

ISO 27001: The five Cyber Essentials controls map to several ISO 27001 Annex A controls, particularly around access control (A.9), operations security (A.12), and communications security (A.13). ISO 27001 is significantly more comprehensive, covering governance, risk management, and a broader set of controls.

GDPR: While Cyber Essentials does not directly address GDPR requirements, the technical controls (particularly access control and malware protection) support the security of personal data processing. The ICO recognises Cyber Essentials as a positive step toward GDPR's security requirements.

For UK startups, Cyber Essentials is often the first formal security certification, providing a foundation that can later be built upon with more comprehensive frameworks.


Conclusion

Cyber Essentials provides UK startups with a clear, achievable path to baseline security certification. The five technical controls, while not comprehensive, address the most common attack vectors and demonstrate security commitment to customers, partners, and government buyers.

The 2026 updates make the scheme more rigorous, particularly around MFA and patch management. Start your preparation now by auditing your cloud services for MFA availability and ensuring your patching process can meet the 14-day requirement.

For organisations already confident in their security controls, Cyber Essentials Plus offers independent verification that builds additional trust. Treat the Plus assessment as a project rather than a checkbox, and you will be well positioned to pass.

Need help building a security programme that supports Cyber Essentials and scales to SOC 2 or ISO 27001? Talk to our team about getting audit-ready.

