Cyber Essentials Checklist: The Complete List of Requirements



Jan 10, 2024

cyber essentials checklist

A 2022 study by the Ponemon Institute found that the relationship between the cost of a data breach and cloud maturity level is indirectly proportional. In other words, better security posture reduces the average cost of recovery. Cyber essentials checklist helps you implement basic security controls and best practices to reduce the chances of a security breach. 

What are cyber essentials?

Cyber essentials is a checklist of security best practices and critical controls that help organizations of all sizes strengthen their posture against a wide range of cyber threats and vulnerabilities.

This checklist acts as a guide for small businesses, security professionals, and even local government bodies to understand, implement, and maintain good security practices. It is consistent with security frameworks like NIST and similar standards. 

Cyber essentials vs cyber essentials plus

The only difference between cyber essentials and cyber essentials plus is that the latter has to be accredited by a third party, independent body. Your IT systems and controls will undergo an external audit.

If you are going for cyber essentials plus, a Cyber Essentials Verified Self-Assessed certification not older than three months is mandatory. This certification helps you demonstrate a strong security posture and confirm that your organization has met the security baselines. 

The assessor verifies if your computers and devices are correctly configured by performing a vulnerability scan. All non compliance issues and gaps must be resolved within 30 days. Failure to take corrective action means you don’t get certified. The certification is valid for 12 months from the date of issue. 

Cyber essential checklist

To comply with the cyber essentials checklist, you must comply with five basic security practices that can help you block and mitigate the vast majority of cyber-attacks. Let’s scan through them: 

Have you set up firewalls? 

If your business infrastructure operates on the cloud, securing the networks that connect the systems and devices is critical. One way to reduce the exposure to cyber-attacks is by minimizing unauthorized access. 

You can ensure this by implementing firewalls to limit inbound and outbound traffic flow. These limitations are known as firewall rules and block the source of traffic based on its source, destination, and communication protocol. 

If your organization’s network service provider is a third-party vendor, install a software firewall on user devices. While this protects the device on which you have installed the firewall and gives you the flexibility to set custom rules, it is also administrative work-heavy. 

  • Change the default passwords provided by the vendor to strong passwords or disable remote access
  • Block access to the administrative interface. You can make an exception for specific business requirements or if technical controls are in place to protect the interface. Alternatively, you can create a custom IP list that allows a limited number of authorized users and uses a strong password authentication system
  • Configure the firewall to block any unauthorized access by default
  • Disable or remove firewall rules that are not used or unnecessary

Also check: How to Get Cyber Essentials Certification in 2024

Are your networks and applications securely configured?

Poorly configured networks and devices are a source of exploitable vulnerabilities and a disaster waiting to happen. Vendor-provided devices and software are not always configured to provide the strongest level of protection. Malicious actors can easily exploit vulnerabilities like unnecessary user accounts, publicly known passwords, lack of MFA, and pre-installed applications. 

This is why you should configure computers, networks, servers, remote devices, mobile devices, IaaS, PaaS, SaaS, thin clients, and other system infrastructures to minimize security vulnerabilities, unauthorized access, and cyber risks.

Computers and network devices 

  • Uninstall or disable unnecessary user accounts
  • Change default, common passwords to strong, unguessable passwords
  • Uninstall or disable unnecessary software like applications or network services
  • Disable auto-run features that can execute without user authorization
  • Authenticate users accessing sensitive organizational information or services
  • If a device requires users to be physically present to unlock it, protect it using controls like biometrics, password, or pin.
  • Unauthorized users often gain access by using a permutation combination of passwords. Configure the system to prevent brute force attacks by setting a maximum login attempt after which the device will be automatically locked for a given period

Are your security systems updated?

Security solutions like antivirus software or anti-malware systems work by detecting unique patterns or “signatures” in the historical malware database. Threat actors release malware with new signatures every day. To combat these continuously evolving threats, developers release new signatures to the database. Keep your systems and applications updated with the latest version of the software. 

  • Configure your systems to install automatic updates to the latest available software version
  • Ensure that the software is licensed and supported
  • If the system has unsupported software, remove it using a subset to prevent incoming and outgoing traffic flow
  • Update software to the latest version within 14 days from the date of its release if
  • the vendor deems a vulnerability to be critical
  • The vulnerability has a CVSS v3 base score of 7 and up
  • if the vendor does not provide enough data on the patch

Also check: Everything You Need to Know about Cyber Essentials

Have you set up user access control?

Access control works on the same principle as data minimization—a process that limits user access to systems and networks only to what is required for a task. It protects data from insider threats, accidental data leakage due to negligence, data damage, and a wide range of malicious attacks. 

Some accounts like administrative accounts contain sensitive data or critical information. Common functions associated with admin accounts are making system changes, configuring security settings, creating new user accounts, and allowing or restricting special access privileges.

If such accounts are compromised, it can result in serious repercussions like system downtime and critical data loss. It may take weeks, or even months to recover from incidents of a large scale.

Since malicious attachments commonly run on the same privilege level, you should take extra precautions to protect admin accounts. 

  • Implement a process to create approved user accounts
  • Use special credentials like MFA to grant access to applications or devices
  • Disable or delete accounts that are no longer used for both regular and admin accounts
  • Use password-based authentication wherever applicable. Limit the number of unsuccessful attempts and lock the account after a certain number of unsuccessful attempts
  • Set the password length to at least eight characters and block common passwords using a deny list
  • Train employees to avoid poor password practices like using birth date, pet name, or common keyboard patterns
  • Promote the usage of long passwords containing multiple random words
  • Create a password storage system with instructions on how to use it

Can your system detect and prevent malware?

Malware includes a wide range of threats like viruses, worms, ransomware, and more. Essentially, these are malicious codes designed to enter your system as a normal application and inflict damage once inside. 

If your system suddenly malfunctions, loses data, or slows down, it is likely infected by malware. 

To reduce the chances of successful malware attacks, install anti-malware software on every endpoint device. The solution should be configured to: 

  • Be updated as per vendor recommendations
  • Prevent malware from running and executing malicious codes
  • Prevent connecting to malware-infected websites
  • Ensure that only authorized applications are allowed to run in systems
  • Maintain an inventory of authorized applications and block users from installing and running applications with an unknown or invalid signature

Maximize savings on your compliance audit

How to get started with cyber essentials

The cyber essentials requirements checklist may appear easy and achievable, but there’s more to it than meets the eye. It requires you to identify a number of things – systems that require firewalls, manage poorly configured administrative access, implement password policies, and more. This is not just manual heavy work, but is prone to error. 

Sprinto is a security compliance automation platform that does all the heavy lifting to help you meet certification requirements. 

  • It connects with any cloud-based system to continuously monitor your posture to detect risks. 
  • It ensures that your cyber security measures align with the requirements of the cyber essentials checklist. 
  • If the tool detects non-compliant activities or security risks, you get instantly notified to take corrective actions. 
  • It helps you implement role-based access, manage software patches, prevent shadow IT, and much more. 

Gain compliance in weeks rather than months.


What is the difference between cyber essentials and cyber essentials plus?

The key difference between the two levels of certification is that the latter requires a technical audit of your cyber security controls to provide a higher level of assurance. 

 Is cyber essentials mandatory for my organization?

While cyber essentials is not mandatory for all organizations by default, many government contracts require you to get certified.

Do you need Cyber Essentials if you have ISO 27001?

If you have ISO 27001, you need not comply with the cyber essentials requirements checklist as ISO 27001 is pretty rigorous. However, cyber essentials is quite basic and does not help you implement an ISMS. So if you need a strong security posture and wish to unlock sales deals, ISO is a solid choice. 



Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world compliance. With multiple certifications on cybersecurity under her belt, she aims to simplify complex security related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watches sitcoms on the weekends.

How useful was this post?

0/5 - (0 votes)

Found this interesting?
Share it with your friends

Get a wingman for
your next audit.

Schedule a personalized demo and scale business

Here’s what to read next….

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.