A plain-English checklist covering all five Cyber Essentials control areas. Work through it to know exactly where your business stands.
How to use this checklist
Work through each section and mark each item as Done, Partial, or Not in place. Any item marked Not in place is a gap to address. For a full scored assessment with a professional PDF report, use our 10-minute online assessment.
Section 1: Broadband & Router
The admin password on your broadband router has been changed from the factory default
Your router's firewall is switched on
If staff work from home, they connect via a VPN or secure connection
Visitors use a separate guest Wi-Fi — not the same network as staff
Each business location has its own properly secured broadband connection
Section 2: Devices & Software Setup
New devices have security settings checked before being given to staff
Every member of staff has their own individual login — no shared passwords
Admin accounts are separate from day-to-day accounts
Staff cannot install software without approval
Old devices are properly wiped before disposal
Section 3: Passwords & Account Access
Two-step verification (MFA) is enabled on email and cloud services
Passwords are strong — at least 12 characters, not based on obvious words
A password manager is used to store and generate passwords
Access is removed promptly when staff leave or change roles
Sensitive data is only accessible to those who need it
Section 4: Antivirus & Malware Protection
All work computers have active, up-to-date antivirus software
Antivirus updates automatically
Email has anti-phishing filtering in place
Staff know how to recognise and report suspicious emails
Backups are stored separately from the main system and tested regularly
Section 5: Software Updates
Operating system updates are applied automatically or within 14 days
Business software (Office, browsers, accounting tools) is kept up to date
No devices are running software no longer supported by its vendor
Mobile devices used for work are included in the update process
Someone periodically checks that all devices and software are up to date
What to do with your results
Any item marked Not in place is a gap against the Cyber Essentials standard. Prioritise by risk: access control and patch management gaps are typically the most urgent to fix.
For a full scored assessment that identifies your biggest gaps and produces a professional PDF report suitable for insurance applications and client due diligence, use our 10-minute online assessment.