Cyber Essentials Plus Checklist for your certification process


Cyber Essentials Plus is an officially recognised program to assist organisations in identifying and defending against prevalent cyber threats. It serves as a way for organisations to showcase their dedication to cybersecurity.

We will cover the two certifications and discuss the Cyber Essentials Plus Checklist, which will help you achieve Cyber Essentials Plus certification.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed cyber security scheme that helps organisations protect themselves against cyber attacks. It is administered by the IASME Consortium, which authorises certification bodies to conduct assessments and provide certifications.

The Cyber Essentials checklist sets out five cyber security controls, covering:

  • Access controls
  • Firewalls
  • Malware protection
  • Secure configuration
  • Security update management

Organisations can protect themselves from cyber attacks, ransomware, phishing and other malware by implementing these controls and maintaining them over time.

Why is Cyber Essentials certification important?

Obtaining Cyber Essentials certification helps safeguard your organisation from cyberattacks, ensuring the security of critical data and instilling confidence in your ability to withstand digital threats, which can be highly advantageous in several ways:


Customer Trust

Earning this certification demonstrates your commitment to safeguarding your IT infrastructure and customers’ sensitive information, which can significantly enhance their confidence in your organisation.

Business Protection

Cyber Essentials certification acts as a protective shield against cybercriminals aiming to steal valuable intellectual property or compromise your information systems, reducing your vulnerability to such threats.

Compliance with Tender Requirements

Many businesses and organisations mandate that their suppliers hold valid Cyber Essentials certification, making it a crucial prerequisite for engaging in business partnerships, MOD contracts and other collaborations.

Enhanced Cyber Security Awareness

Pursuing this certification fosters a deeper understanding of cybersecurity within your organisation, helping employees and stakeholders become more conscious of potential threats and of security best practices.

Cyber Essentials Plus preparation process

Begin by downloading and reading the “Cyber Essentials Requirements for IT infrastructure” document to clearly understand the certification’s prerequisites, then define the scope of your infrastructure, distinguishing what is included and what is not.

Proceed to complete your Self-Assessment Questionnaire (SAQ) to ensure that your IT infrastructure adheres to the scheme’s security requirements and is appropriately fortified against cyber threats.

Submit your SAQ for an official assessment by an IT Governance Cyber Essentials assessor. They will evaluate your submission and either grant or deny certification. In the case of success, you will receive your Cyber Essentials certificate within 14 days and a three-month window to move on to the Cyber Essentials Plus submission.

Undergo a technical audit, which involves conducting all the necessary scans and tests within three months of obtaining your Cyber Essentials certification.

If any nonconformities are detected during the first audit process, you will receive feedback to assist you in resolving these issues. A reassessment or technical audit must be completed within one month of the initial assessment to confirm that all nonconformities have been addressed.

Cyber Essentials Plus checklist

The Cyber Essentials checklist serves as a tool to assess your organisation’s preparedness for the certification requirements. The Cyber Essentials checklist includes:


Access controls

Adequate user access controls ensure that only authorised individuals have user accounts with the minimum necessary access. This is achieved by having a process for creating and approving user accounts, verifying users’ unique credentials before granting access, promptly deactivating or removing unnecessary accounts, employing multifactor authentication, especially for cloud services, restricting administrative accounts to administrative tasks, and discontinuing special access privileges when they are no longer needed.


Collectively, these measures enhance security by minimising the risk of unauthorised access and potential breaches of user devices.

Firewalls

Firewalls serve as a protective barrier between your internal network and external networks. To ensure their effectiveness, it is essential to take several key actions.

Firstly, change default administrative passwords to strong ones, or deactivate remote administrative access altogether. If there is a legitimate business need to allow external access to the operating system or administrative interface, that access should be safeguarded with strong passwords and additional authentication factors such as one-time passwords (OTPs), or an IP allowlist restricting access to trusted addresses.

If you have never had the weaknesses in your firewall configuration identified, book our third-party firewall security assessment to establish the security posture of your firewalls.

By default, block unauthenticated inbound connections and thoroughly document and approve all inbound firewall rules, clarifying the business necessity for each rule. Promptly remove or turn off any permissive firewall rules that are no longer required.

From a Cyber Essentials perspective, there are cases where a micro business, or any business located in a shared workspace, has no boundary firewall of its own; in that case host-based (software) firewalls are very effective and are considered an important line of defence. Employ host-based firewalls on devices used on public or untrusted networks for an added layer of security. These measures fortify your network’s defences and protect it from potential threats and unauthorised access.

Malware protection

Malware protection is crucial for safeguarding your systems and their data from potentially harmful or untrusted software.

To achieve this, you must implement one of the following security measures on all relevant devices: anti-malware software, whitelisting, or sandboxing.

When employing anti-malware software, it must be kept constantly up to date, with signature files refreshed daily. The anti-virus software should be configured to automatically scan files as they are accessed, whether opened from a network folder or downloaded, and to scan web pages as they are accessed through a web browser. It should also block connections to malicious websites unless a clear and documented business need exists, with a thorough understanding and acceptance of the resulting vulnerabilities and associated risks.

If you opt for whitelisting, this involves maintaining an up-to-date list of approved applications while preventing users from installing unsigned applications or applications with invalid signatures. Only authorised and safe applications can then be executed on your devices.

On the other hand, sandboxing involves running all code of unknown origin in a controlled environment (sandbox) to prevent it from accessing other network resources unless explicitly allowed by the user. This protection extends to other sandboxed applications, data stores, sensitive peripherals like cameras and microphones, and local network access.

Collectively, these security practices harden your systems against malware and unauthorised code execution.

Secure configuration

Secure configuration involves setting up computers and network devices with the utmost security to reduce inherent vulnerabilities and limit user access only to what’s necessary for their intended functions. It’s essential to perform the following actions regularly:


  • eliminate unnecessary user accounts
  • replace default or easily guessable passwords with strong ones
  • remove or deactivate unnecessary software
  • disable any auto-run functions that permit file execution without user permission
  • verify the identity of users before granting access to organisational data or services

Furthermore, where users are physically present at a device, they should employ suitable device-locking mechanisms to maintain security. Collectively, these practices fortify your system’s defences and minimise potential risks.


Security update management

To maintain the security of your devices and software, including addressing newly identified vulnerabilities, it’s crucial to apply critical and security updates promptly, typically by installing patches. Ensure that the anti-virus software on all relevant devices is licensed and actively supported, and remove it as soon as it is no longer supported. Whenever feasible, enable automatic updates for device software.

Make sure that your patch management procedures are robust. Although software patches are designed to fix security vulnerabilities and flaws, patching can occasionally introduce new vulnerabilities, compatibility issues or other problems, so updates need to be managed rather than simply applied. This proactive approach minimises the security risks associated with outdated or unsupported software and strengthens your overall security posture.
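As an added example, not part of the original article, the Python self-check below turns the firewall, access-control and update-management items of the checklist above into automated findings over a constructed inventory. The inventory, the 90-day idle-account threshold and the 14-day patch window are assumptions for the example, not figures from the article.

```python
from datetime import date

TODAY = date(2024, 6, 1)  # fixed "today" so the check is reproducible
# Constructed sample inventory (not real data); thresholds below are assumptions.
FIREWALL = {
    "default_inbound": "deny",
    "rules": [  # each inbound rule should carry a documented business need
        {"port": 443, "source": "any", "justification": "public web server"},
        {"port": 3389, "source": "any", "justification": ""},
        {"port": 22, "source": "203.0.113.10", "justification": "admin from office"},
    ],
}
ACCOUNTS = [
    {"name": "alice", "mfa": True, "last_login": date(2024, 5, 30)},
    {"name": "contractor", "mfa": False, "last_login": date(2024, 1, 3)},
    {"name": "it-admin", "mfa": True, "last_login": date(2024, 5, 31)},
]
SOFTWARE = [  # oldest_pending_update: release date of the oldest unapplied security update
    {"name": "os", "supported": True, "oldest_pending_update": date(2024, 5, 25)},
    {"name": "legacy-erp", "supported": False, "oldest_pending_update": None},
    {"name": "browser", "supported": True, "oldest_pending_update": date(2024, 4, 1)},
]

def firewall_findings(fw):
    # Block unauthenticated inbound by default; every allow rule needs a documented reason.
    findings = ["inbound default is not deny"] if fw["default_inbound"] != "deny" else []
    findings += [f"port {r['port']}: inbound rule without documented business need"
                 for r in fw["rules"] if not r["justification"].strip()]
    return findings

def account_findings(accounts, idle_days=90):
    # Disable or remove accounts no longer used; require MFA on every account.
    findings = []
    for a in accounts:
        if (TODAY - a["last_login"]).days > idle_days:
            findings.append(f"{a['name']}: unused for over {idle_days} days, disable or remove")
        if not a["mfa"]:
            findings.append(f"{a['name']}: multi-factor authentication not enabled")
    return findings

def software_findings(software, patch_window_days=14):
    # Unsupported software must be removed; security updates must not linger.
    findings = []
    for s in software:
        if not s["supported"]:
            findings.append(f"{s['name']}: no longer supported, remove or replace")
        elif s["oldest_pending_update"] and (TODAY - s["oldest_pending_update"]).days > patch_window_days:
            findings.append(f"{s['name']}: security update outstanding for over {patch_window_days} days")
    return findings
```

Empty lists mean that slice of the checklist is met; anything returned is an item to fix before the Cyber Essentials Plus audit.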

What is the difference between Cyber Essentials and Cyber Essentials Plus?

On the surface, both Cyber Essentials and Cyber Essentials Plus certifications may appear similar as they establish essential cybersecurity standards. However, several distinct differences set them apart:

Cyber Essentials

  • Focuses on fundamental cybersecurity principles.
  • Certification involves an independent evaluation of your organisation’s self-assessment.
  • It is mandatory for all organisations seeking to secure government contracts.

Cyber Essentials Plus

  • It goes beyond the basics by including ethical hacking techniques in the evaluation.
  • Certification requires a comprehensive audit of your organisation’s cybersecurity practices.
  • This is a prerequisite for all organisations pursuing contracts with the Ministry of Defence (MOD).

Cyber Essentials Plus provides a more in-depth evaluation and higher compliance assurance than the standard Cyber Essentials certification. Nevertheless, the basic Cyber Essentials Self-Assessment Questionnaire (SAQ) remains a valuable tool for assessing an organisation’s cybersecurity status, and it is a necessary step to hold the primary certification for a minimum of three months before progressing to Cyber Essentials Plus.


Start your journey toward Cyber Essentials Certification by assessing your current cybersecurity measures using the checklist provided in this article. This initial step will help you determine your readiness for certification and whether Cyber Essentials Plus is beneficial. Doing so can protect your organisation from malware and phishing threats while showcasing a solid commitment to cybersecurity.

It’s worth noting that Cyber Essentials requirements closely align with the ISO 27001 framework for information security, which guides the standards for an organisation’s information security management system (ISMS).

