
Cyber Essentials Compliance Checklist: Complete Preparation Guide

This comprehensive checklist covers everything you need to implement for Cyber Essentials certification. Use it to assess your current state, plan any necessary changes, and verify readiness before starting your assessment.

Key Takeaways

  • Define scope first: list all locations, networks, devices, cloud services, and home workers in scope
  • Firewall checklist: default deny inbound, change default passwords, document rules
  • Secure config checklist: remove defaults, disable unnecessary features, enforce strong passwords, lockout policy
  • Updates checklist: patch within 14 days, remove unsupported software, enable auto-updates
  • Access control checklist: unique accounts, least privilege, MFA on cloud services, remove leavers promptly

Quick Answer: Before starting: define scope, inventory all devices, check all 5 controls. Key items include firewalls with default-deny, no default passwords, patches applied within 14 days, MFA on cloud services, and unique user accounts with least privilege.

Pre-assessment preparation

Define your scope

  • Identify all locations to include
  • List all internet-connected networks
  • Inventory all devices in scope
  • Document cloud services used
  • Determine if home workers are in scope
  • Consider any exclusions (with justification)

Gather information

  • Create device inventory (type, OS, count)
  • Document network topology
  • List all software in use
  • Identify all user accounts
  • Document current security tools
  • Map cloud service responsibilities

Control 1: Firewalls

Boundary firewalls

  • Firewall present on all internet connections
  • Default inbound rule is DENY
  • Only necessary services allowed inbound
  • Each allowed service documented and justified
  • Admin credentials changed from default
  • Firewall firmware up to date
  • Management access restricted
  • Logging enabled

Host firewalls (each device)

  • Firewall enabled on all Windows devices
  • Firewall enabled on all macOS devices
  • Firewall enabled on all Linux devices
  • Configured to block inbound by default
  • Only necessary exceptions created

Cloud firewalls

  • Security groups/NSGs configured
  • Default deny for inbound
  • Rules documented
  • Regular review scheduled

Control 2: Secure configuration

Software management

  • Unnecessary software removed from all devices
  • Trial software uninstalled
  • Unused browser extensions removed
  • Only business-required applications installed

Account configuration

  • Guest accounts disabled
  • Default accounts disabled or renamed
  • All default passwords changed
  • Unused accounts removed
  • Each user has unique account
  • No shared accounts in use

Password requirements

  • Minimum 8 characters (12+ recommended)
  • OR passphrases of 12+ characters
  • OR MFA enabled (reduces length requirement)
  • Account lockout after failed attempts configured
  • Password policy documented

Feature configuration

  • Auto-run disabled (Windows)
  • AutoPlay disabled or set to "Take no action"
  • Screen lock enabled (within 15 minutes)
  • Password required after sleep/lock
  • Unnecessary services disabled

Device configuration checklist

Windows devices:

  • Windows Firewall enabled (all profiles)
  • Windows Defender or AV active
  • Automatic updates enabled
  • Guest account disabled
  • Screen lock configured
  • AutoRun/AutoPlay disabled
  • Unnecessary features disabled

macOS devices:

  • Firewall enabled
  • XProtect/Gatekeeper active
  • Automatic updates enabled
  • Guest account disabled
  • Screen lock configured
  • FileVault enabled (recommended)

Mobile devices:

  • Screen lock enabled
  • Encryption enabled
  • Only App Store/Play Store apps
  • Device management (if applicable)
  • Automatic updates enabled

Control 3: Security update management

Operating systems

  • All Windows systems on supported versions
  • All macOS systems on supported versions
  • All Linux systems on supported distributions
  • All mobile devices on supported OS versions
  • Automatic updates enabled where possible
  • Critical/high patches applied within 14 days

Applications

  • All browsers supported and updated
  • Office applications updated
  • PDF readers updated
  • Java updated (or removed if not needed)
  • All business applications updated
  • Automatic updates enabled where available

Firmware

  • Router firmware up to date
  • Firewall firmware up to date
  • Network equipment firmware current
  • BIOS/UEFI updated (where practical)

End-of-life software

  • No Windows 7 or earlier
  • No Windows Server 2012 or earlier
  • No unsupported macOS versions
  • No unsupported applications
  • EOL software removed or isolated (with justification)

Control 4: User access control

Account management

  • Each user has unique account
  • No shared accounts
  • Documented process for new accounts
  • Documented process for leavers
  • Accounts disabled when staff leave
  • Regular review of accounts

Privilege management

  • Standard user accounts for daily work
  • Admin accounts only for those who need them
  • Separate admin and standard accounts for IT staff
  • Admin accounts not used for email/browsing
  • Admin accounts documented and justified
  • Regular review of admin access

Authentication

  • Password policy implemented
  • MFA enabled for admin accounts (recommended)
  • Account lockout configured
  • Biometrics acceptable (device-stored templates)

Control 5: Malware protection

Coverage

  • Anti-malware on all Windows devices
  • Anti-malware on all macOS devices (built-in or third-party)
  • Protection on servers
  • Mobile devices protected (MDM or built-in)

Configuration

  • Real-time protection enabled
  • Automatic signature updates enabled
  • Scheduled scans configured (at least weekly)
  • Email scanning enabled
  • Web protection enabled
  • Removable media scanning enabled

Alternative methods (if used instead of anti-malware software)

  • Application whitelisting configured
  • OR sandboxing implemented
  • Approach documented and effective

Pre-certification final checks

Documentation

  • Scope clearly defined
  • Network diagram available
  • Device inventory complete
  • Software inventory complete
  • Policies documented
  • Processes documented

Technical verification

Run these checks before submitting:

  • Verify firewall status on sample devices
  • Check Windows Update status
  • Verify anti-malware is running and updated
  • Test screen lock on sample devices
  • Review admin account list
  • Check for any EOL software
  • Verify password policy is enforced
  • Test auto-run is disabled
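Most of these checks map directly onto settings that Windows exposes through built-in cmdlets and the registry, so they can be gathered in one pass and kept as evidence. The script below is an added example, not part of the original checklist or any product: it collects read-only evidence on a single Windows device for firewall profile state and default inbound action, AutoRun, screen lock timeout, the Guest account, OS version and patch recency, local Administrators membership, lockout threshold and minimum password length, and Defender status. The 45-day patch-recency window (a monthly release cycle plus the 14-day patching requirement), the 7-day signature age limit and the CSV output path are assumptions chosen for this example; the 15-minute (900-second) lock limit is the checklist's own figure. It assumes Windows 10/11 or Server 2016 or later with the built-in NetSecurity, Defender and LocalAccounts modules, and should be run from an elevated session. It changes nothing.

```powershell
# Added example: read-only Cyber Essentials evidence checks for one Windows device.
# Assumes Windows 10/11 or Server 2016+; run from an elevated PowerShell session.
# Thresholds (45-day patch window, 7-day signature age) are example assumptions.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Control 1: host firewall enabled on every profile, default inbound action Block
foreach ($p in Get-NetFirewallProfile) {
    Add-Check 'Firewalls' "Profile $($p.Name) enabled" ($p.Enabled -eq 'True') "Enabled=$($p.Enabled)"
    Add-Check 'Firewalls' "Profile $($p.Name) default inbound Block" ($p.DefaultInboundAction -eq 'Block') "DefaultInboundAction=$($p.DefaultInboundAction)"
}

# Control 2: AutoRun disabled for all drive types (255 = 0xFF), secure screen lock, Guest disabled
$autorun = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Check 'Secure configuration' 'AutoRun disabled on all drive types' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun"

$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = 0
if ($desktop.ScreenSaveTimeOut -match '^\d+$') { $timeout = [int]$desktop.ScreenSaveTimeOut }
$userLock = ($desktop.ScreenSaveActive -eq '1') -and ($desktop.ScreenSaverIsSecure -eq '1') -and ($timeout -gt 0) -and ($timeout -le 900)
$inactivity = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$machineLock = ($null -ne $inactivity) -and ($inactivity -gt 0) -and ($inactivity -le 900)
Add-Check 'Secure configuration' 'Screen lock within 15 minutes with password' ($userLock -or $machineLock) "ScreenSaveTimeOut=$timeout InactivityTimeoutSecs=$inactivity"

$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
Add-Check 'Secure configuration' 'Guest account disabled' (-not ($guest -and $guest.Enabled)) "Enabled=$($guest.Enabled)"

# Control 3: supported OS (Windows 7/8/Server 2012 report as 6.x) and recent patch activity
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$osVersion = [version]$os.Version
Add-Check 'Security updates' 'OS newer than Windows 7/8/Server 2012' ($osVersion.Major -ge 10) "$($os.Caption) $($os.Version)"
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSince = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { 9999 }
Add-Check 'Security updates' 'Update installed within last 45 days' ($daysSince -le 45) "Last hotfix $($lastFix.HotFixID) installed $daysSince days ago"

# Control 4: local admin membership for manual review, lockout threshold, minimum password length
$admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name -join ', '
Add-Check 'User access control' 'Local Administrators listed for review' $true "Members: $admins"

function Get-NetAccountsValue([string[]]$Lines, [string]$Label) {
    # 'net accounts' prints "Label:   value"; pull the value or report unknown
    $m = $Lines | Select-String "$Label\s+(\S+)" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}
$netAccounts = net accounts
$threshold = Get-NetAccountsValue $netAccounts 'Lockout threshold:'
Add-Check 'User access control' 'Account lockout threshold configured' ($threshold -ne 'Never' -and $threshold -ne 'unknown') "Lockout threshold=$threshold"
$minLen = Get-NetAccountsValue $netAccounts 'Minimum password length:'
Add-Check 'User access control' 'Minimum password length at least 8' (($minLen -as [int]) -ge 8) "Minimum password length=$minLen"

# Control 5: Defender real-time protection and signature freshness
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Check 'Malware protection' 'Real-time protection enabled' ([bool]$mp.RealTimeProtectionEnabled) "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Check 'Malware protection' 'Signatures updated within 7 days' ($mp.AntivirusSignatureAge -le 7) "AntivirusSignatureAge=$($mp.AntivirusSignatureAge) days"
} catch {
    Add-Check 'Malware protection' 'Defender status readable' $false 'Get-MpComputerStatus failed; if a third-party product is in use, evidence it from that product'
}

# Report, then keep a copy as assessment evidence (output path is an example)
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$($results.Count) checks, $failed failing on $env:COMPUTERNAME"
$results | Export-Csv -Path ".\ce-checks-$env:COMPUTERNAME.csv" -NoTypeInformation
```

The Administrators line is informational rather than pass/fail: the checklist asks for admin accounts to be documented and justified, which is a review decision, so the script records the membership and leaves the judgement to you. A failing row is a prompt to fix the setting or to document a compensating control before submission, not a finding in itself.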

Document results:

  • Screenshot evidence (optional but helpful)
  • Note any exceptions
  • Document compensating controls
  • Prepare clarification responses

For Plus certification

Additional preparation

  • Run external vulnerability scan
  • Remediate any high/critical findings
  • Run internal scan (if applicable)
  • Verify all devices would pass inspection
  • Prepare representative device sample
  • Ensure 90-day window is achievable

Audit readiness

  • All devices fully patched
  • No outstanding critical vulnerabilities
  • All configurations as declared in Basic
  • Access ready for assessor
  • IT support available for audit day
  • Documentation accessible

Quick self-assessment

Rate your readiness (0-5) for each control:

Control                  Score   Notes
Firewalls                __/5
Secure Configuration     __/5
Security Updates         __/5
User Access Control      __/5
Malware Protection       __/5

Scoring guide:

  • 5: Fully compliant, documented
  • 4: Mostly compliant, minor gaps
  • 3: Partially compliant, some work needed
  • 2: Significant gaps
  • 1: Major work required
  • 0: Not addressed

Readiness: 20+ points suggests good readiness; below 15 suggests more preparation is needed.

How Bastion can help

A checklist is helpful, but expert guidance can ensure nothing is missed.

  • Gap assessment: we evaluate your current state against requirements
  • Remediation: we help implement necessary changes correctly the first time
  • Documentation: we assist with policy and evidence preparation
  • Verification: we conduct pre-assessment checks
  • Certification: we guide you through the process

Working with a managed service partner means you're not trying to interpret requirements on your own. We've helped many organisations through this checklist, and we know where the common gaps are and how to address them efficiently.
Need help completing your Cyber Essentials checklist? Talk to our team.