In this article, we’ll walk you through the Cyber Essentials Plus checklist, a UK government-backed certification designed to help businesses protect themselves against common cyber threats.
You’ll learn about the Cyber Essentials Plus requirements, including firewalls, secure configuration, user access control, malware protection, and security update management.
By the end of this article, you’ll clearly understand how to achieve this certification and safeguard your business from cyber-attacks.
Cyber Essentials Plus Checklist
We have prepared a checklist to help you run an internal readiness check without external support. It covers all the requirements under the five technical control areas.
1. Firewalls
☐ Prevent access to the firewall administrative interface from the Internet. Where remote administration is genuinely required, protect it with MFA (multi-factor authentication) and restrict it to an allow-list of trusted source IP addresses.
☐ Change default administrative passwords to a strong and unique password or disable remote administrative access entirely
☐ Block unauthenticated inbound connections by default
☐ Ensure that inbound firewall rules are aligned with business requirements and follow a change management process
☐ Review firewall rules regularly and remove outdated or unnecessary rules
☐ Ensure firewall firmware is kept up-to-date with the latest security patches
Example: Configure your firewall to block unauthorised incoming traffic and restrict outgoing traffic to only necessary ports and protocols.
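The checklist items above are easiest to keep honest with a scripted review of the rule base rather than a manual read-through before each audit. The following is an added example written for this article, not a vendor tool or code from the scheme: the Rule format, the management network (10.0.99.0/24), the assumed admin-interface ports and the sample rules are all constructed for the demo, so adapt the loader to your firewall's own rule export. It flags inbound allow rules that expose the admin interface outside the management network, carry no business justification, or have passed their expiry date, and it checks that a default-deny inbound rule exists at all.

```python
"""Firewall rule-base review against the Cyber Essentials firewall checklist.

Added example, not from the original article or any vendor tool.  The Rule
format, MGMT_NET, ADMIN_PORTS and SAMPLE_RULES are constructed for this demo.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional, Tuple

ANY_V4 = ip_network("0.0.0.0/0")
MGMT_NET = ip_network("10.0.99.0/24")   # assumed admin/management network
ADMIN_PORTS = {"22", "8443"}            # assumed firewall admin interface ports


@dataclass
class Rule:
    name: str
    direction: str            # "inbound" or "outbound"
    action: str               # "allow" or "deny"
    src: str                  # source CIDR (IPv4 only in this demo)
    dst_port: str             # "any" or a TCP/UDP port number
    justification: str = ""   # business requirement / change ticket
    expires: Optional[date] = None


def review(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for rules that breach the checklist."""
    findings = []
    has_default_deny = False
    for r in rules:
        if r.direction != "inbound":
            continue
        src = ip_network(r.src)
        # A final deny-all inbound rule is the "block by default" control.
        if r.action == "deny" and src == ANY_V4 and r.dst_port == "any":
            has_default_deny = True
            continue
        if r.action != "allow":
            continue
        if src == ANY_V4 and r.dst_port == "any":
            findings.append((r.name, "any/any inbound allow"))
        if r.dst_port in ADMIN_PORTS and not src.subnet_of(MGMT_NET):
            findings.append((r.name, "admin interface reachable from outside the management network"))
        if not r.justification:
            findings.append((r.name, "inbound allow without business justification"))
        if r.expires is not None and r.expires < today:
            findings.append((r.name, "rule expired; remove it"))
    if not has_default_deny:
        findings.append(("<policy>", "no default-deny inbound rule"))
    return findings


# Constructed sample rule base for the demo
SAMPLE_RULES = [
    Rule("web-in", "inbound", "allow", "0.0.0.0/0", "443", "CHG-1021 public website"),
    Rule("mgmt-ssh", "inbound", "allow", "10.0.99.0/24", "22", "CHG-0900 admin jump host"),
    Rule("legacy-rdp", "inbound", "allow", "0.0.0.0/0", "3389"),             # no ticket
    Rule("vendor-tmp", "inbound", "allow", "203.0.113.0/24", "8443",
         "CHG-1100 vendor support", expires=date(2024, 1, 31)),
    Rule("default-in", "inbound", "deny", "0.0.0.0/0", "any"),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE_RULES, date(2024, 6, 1)):
        print(f"{name:12} {finding}")
```

Run against the sample set, the public web rule and the management-network SSH rule pass, the ticket-less RDP rule and the expired vendor rule are reported, and deleting the final deny rule produces a policy-level finding. Wire the same check into your change-management process so that a rule cannot be added without a justification or an expiry.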
2. Secure Configuration
☐ Change all default passwords or guessable account passwords
☐ Remove or disable unnecessary software, unnecessary user accounts and services
☐ Implement security settings that are appropriate for your organisation
☐ Ensure all network devices are configured to lock after a period of inactivity
☐ Disable auto-run and auto-play so that removable media and downloaded files cannot execute without explicit user authorisation
☐ For physical access to user devices, biometric, PIN or password-based authentication must be in place
☐ Protect your chosen authentication methods against brute-force attacks, either by throttling the rate of attempts (no more than 10 guesses in any 5-minute period) or by locking the device or account after no more than 10 failed attempts
☐ Use technical controls to manage password quality. Acceptable options are MFA on the account, a minimum password length of 12 characters, or a minimum password length of 8 characters combined with automatic blocking of common passwords (a deny list). Do not impose a maximum password length.
In 2017, the WannaCry ransomware attack affected over 200,000 computers across 150 countries. It spread through an SMB vulnerability for which a patch had been available for two months, so it hit systems that were neither securely configured (legacy SMB left enabled and exposed) nor patched. Keeping systems securely configured and up to date prevents this class of attack.
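The brute-force and password-quality items above are easy to state and easy to get subtly wrong, so here is an added example (written for this article, not code from the original or from the scheme) that implements them. It shows both brute-force options, a sliding-window throttle of 10 attempts per 5 minutes and a lockout after 10 consecutive failures, although either one alone satisfies the item, and a password check covering the three acceptable controls. The deny list is a constructed stub, and the 8-character floor applied when MFA is enforced is an assumption taken from the scheme's own wording rather than from the checklist above.

```python
"""Brute-force throttling, lockout and password-quality checks.

Added example, not from the original article or the scheme.  COMMON_PASSWORDS
is a constructed stub; load a real deny list in production.  The 8-character
minimum under MFA is assumed from the scheme's wording.
"""
from collections import defaultdict, deque
from time import time

WINDOW_SECONDS = 5 * 60
MAX_ATTEMPTS_PER_WINDOW = 10     # no more than 10 guesses in 5 minutes
LOCKOUT_AFTER_FAILURES = 10      # or lock after 10 consecutive failures


class LoginGuard:
    """Sliding-window throttle plus lockout; either alone meets the checklist."""

    def __init__(self, clock=time):
        self.clock = clock                      # injectable for testing
        self.attempts = defaultdict(deque)      # user -> attempt timestamps
        self.failures = defaultdict(int)        # user -> consecutive failures
        self.locked = set()

    def allowed(self, user):
        """May this user attempt to authenticate right now?"""
        if user in self.locked:
            return False
        now = self.clock()
        window = self.attempts[user]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                    # drop attempts older than 5 min
        return len(window) < MAX_ATTEMPTS_PER_WINDOW

    def record(self, user, success):
        """Call after every attempt, successful or not."""
        self.attempts[user].append(self.clock())
        if success:
            self.failures[user] = 0
            return
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_AFTER_FAILURES:
            self.locked.add(user)               # cleared only by an administrator


# Constructed stub; a real deployment loads a published common-password list.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "welcome1", "letmein1"}


def password_acceptable(password, mfa_enforced):
    """Three acceptable technical controls: MFA (with an assumed 8-char floor),
    a 12-char minimum, or an 8-char minimum plus a deny list.  No maximum."""
    length = len(password)
    if mfa_enforced:
        return length >= 8
    if length >= 12:
        return True
    return length >= 8 and password.lower() not in COMMON_PASSWORDS
```

The clock is injected so the window logic can be exercised without waiting five minutes; in a web application the same two methods wrap the credential check, with `allowed()` called before verifying the password and `record()` after. Note that the throttle counts successful logins too, which is intended: the scheme limits guesses, not failures, and a successful login inside a burst of failures is exactly the case a throttle should not let through faster.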
3. User Access Control
☐ Your organisation must have a process to create and approve user accounts
☐ Authenticate users with unique credentials before authorising access to applications, systems, services or devices
☐ Remove or disable user accounts when not required, i.e. leavers, inactive user accounts
☐ Remove or disable special access privileges (or admin accounts) when no longer required
☐ Use multi-factor authentication (MFA) for all cloud services, wherever the service supports it
☐ Use a dedicated admin account for privileged tasks and don’t allow corporate email, web browsing or standard user activities
☐ Support users in selecting unique passwords by educating staff and providing usable, secure password storage.
☐ Ensure that there is an established process to change passwords if you know/suspect a password/account has been compromised.
☐ Ensure MFA for all administrative accounts and accounts accessible from the Internet.
Example: Use role-based access control (RBAC) to ensure that users only have access to the resources they need to perform their job duties.
4. Malware Protection
☐ A malware protection mechanism (antivirus software solution) must be in place on all devices in scope
Anti-malware software must be configured to:
☐ prevent malware from running (block execution of known-malicious files)
☐ prevent the execution of malicious code
☐ prevent connections to known-malicious websites over the Internet
☐ update itself in line with vendor recommendations
☐ Alternatively, use application allow-listing: have an approval process for applications, maintain a current list of approved applications, and restrict execution to approved, code-signed software
5. Security Update Management
All software on in-scope devices must:
☐ be actively supported and licensed
☐ be removed when it becomes unsupported, or be removed from scope by placing it in a defined subset (VLAN or firewall-based segregation) that prevents
☐ have automatic updates enabled where possible
☐ be updated within 14 days of an update's release where the update fixes a vulnerability rated critical or high risk (or with a CVSS v3 base score of 7 or higher); this includes updates that require manual configuration changes to take effect
Example: Enable automatic updates for your operating systems and applications whenever possible to ensure you have the latest security patches.
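An assessor will test the 14-day rule against your patch history, so it is worth tracking it the same way. The following added example (written for this article, not from the original or the scheme) classifies each pending or installed update against the deadline, using the vendor's severity rating or CVSS v3 base score as the checklist describes. The Update records are constructed sample data. One assumption goes beyond the checklist: an update that carries neither a score nor a vendor rating is treated as in scope, since you cannot show it is out of scope.

```python
"""14-day patch SLA check for critical and high-risk vulnerabilities.

Added example, not from the original article.  SAMPLE_UPDATES is constructed
sample data.  Assumption: an update with no CVSS score and no vendor severity
is treated as in scope.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

SLA_DAYS = 14
CVSS_THRESHOLD = 7.0


@dataclass
class Update:
    host: str
    package: str
    released: date
    cvss: Optional[float]       # vendor CVSS v3 base score, if published
    severity: Optional[str]     # vendor's own rating, if published
    installed: Optional[date]   # None = not yet installed


def in_scope(u: Update) -> bool:
    """Critical/high rating or CVSS >= 7 starts the 14-day clock."""
    if u.cvss is not None and u.cvss >= CVSS_THRESHOLD:
        return True
    if u.severity and u.severity.lower() in ("critical", "high"):
        return True
    return u.cvss is None and not u.severity    # assumption: unknown = in scope


def deadline(u: Update) -> date:
    return u.released + timedelta(days=SLA_DAYS)


def status(u: Update, today: date) -> str:
    """met/late for installed updates; due/overdue for missing ones."""
    if not in_scope(u):
        return "out-of-scope"
    if u.installed is not None:
        return "met" if u.installed <= deadline(u) else "late"
    return "overdue" if today > deadline(u) else "due"


def report(updates: List[Update], today: date) -> List[Tuple[str, str, str]]:
    return [(u.host, u.package, status(u, today)) for u in updates]


def failing_hosts(updates: List[Update], today: date) -> List[str]:
    """Hosts that would fail the update-management control on the given day."""
    return sorted({u.host for u in updates if status(u, today) in ("late", "overdue")})


# Constructed sample data
SAMPLE_UPDATES = [
    Update("fs01", "openssl", date(2024, 5, 1), 9.8, "critical", date(2024, 5, 10)),
    Update("fs01", "curl", date(2024, 5, 1), 8.1, "high", date(2024, 5, 20)),
    Update("ws07", "chrome", date(2024, 5, 20), 7.5, None, None),
    Update("ws07", "notepad++", date(2024, 5, 28), 4.3, "medium", None),
    Update("db02", "firmware", date(2024, 6, 5), None, None, None),
]

if __name__ == "__main__":
    for host, pkg, state in report(SAMPLE_UPDATES, date(2024, 6, 10)):
        print(f"{host:6} {pkg:10} {state}")
    print("failing:", failing_hosts(SAMPLE_UPDATES, date(2024, 6, 10)))
```

Feed it the output of your patch-management tool and run it daily: "due" entries are the ones to chase, "overdue" and "late" are the ones an assessor would write up, and the "late" history matters because CE+ looks at whether the control has been operating, not only at today's state.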
Further Guidance beyond Cyber Essentials Plus (including measures that help maintain low cyber insurance premiums)
☐ Take regular backups and test restores so that an incident does not turn into permanent data loss. Backups are not a technical requirement for passing Cyber Essentials Plus, but they are recommended.
☐ Conduct vulnerability assessments to identify and address potential weaknesses
☐ Perform penetration testing to simulate real-world attacks and follow a proactive approach to risk-based security
☐ Ensure all mobile devices, including BYOD and third-party devices, are compliant with security policies
☐ Implement logging and monitoring to detect and respond to security incidents
☐ Regularly review and update your incident response plan to stay prepared for incidents
By following this comprehensive Cyber Essentials checklist and implementing the necessary cyber security controls, you’ll be well-equipped to achieve Cyber Essentials Plus certification and protect your business from a wide range of cyber threats.
Cyber Essentials Plus Preparation Process
You must prepare for the latest Cyber Essentials scheme (Danzell question set) effective from 27th April 2026. If you aren’t aware of the changes yet, download our free printable CE changes summary here.
NCSC (National Cyber Security Centre) publishes the Cyber Essentials requirements for IT infrastructure, a guide to the prerequisites and scope that also distinguishes the current requirements from superseded ones.
Proceed to complete your Self-Assessment process for basic Cyber Essentials certification to ensure that your IT infrastructure adheres to the scheme’s security requirements and is appropriately fortified against common cyber attacks.
These Cyber Essentials certification requirements are fundamental security controls spread across five technical control areas:
- Firewalls
- Secure configuration
- Security update management
- User access control
- Malware protection
Once submitted, Cyphere's Cyber Essentials Assessor evaluates your submission and allows further time if any answer needs clarification or additional information. The application is then either certified or declined. On success, you receive your Cyber Essentials certificate within a couple of days (or together with your CE+ certificate if you applied for both). You then have a three-month window in which to complete the Cyber Essentials Plus assessment.
Undergo the technical audit, which involves all the necessary scans and tests, within three months of obtaining your Cyber Essentials certification.
If any nonconformities are found during the first audit, you receive feedback to help you resolve them. The reassessment must be completed within one month of the initial assessment to confirm that all nonconformities have been addressed.
Benefits of Cyber Essentials Certification
1. Strengthened Cybersecurity Posture against cyber attacks
By achieving Cyber Essentials Plus certification, your business will have implemented comprehensive security controls that significantly reduce the risk of falling victim to common cyber threats. This robust framework helps protect your critical assets, sensitive data, and intellectual property from unauthorised access, theft, or damage.
2. Increased Customer Confidence
Customers are increasingly aware of the importance of data security. Prominently displaying your Cyber Essentials Plus certification demonstrates your commitment to maintaining the highest cybersecurity standards.
3. Competitive Advantage in Bidding Processes
Many organisations, particularly in the public sector, now require their suppliers and partners to hold a valid Cyber Essentials Plus certification as a prerequisite for business. By attaining this accreditation, you’ll be eligible to participate in a broader range of tenders and contracts, opening up new opportunities for growth and collaboration that may have been inaccessible.
4. Potential Insurance Benefits
Insurers recognise the value of Cyber Essentials Plus certification in mitigating cyber risks. As a result, some insurance providers offer reduced premiums or more favourable terms for certified businesses. This can lead to significant savings on cybersecurity insurance policies, allowing you to allocate resources more effectively while maintaining a solid security posture.
5. Improved Organisational Awareness
The process of achieving Cyber Essentials Plus certification necessitates a thorough examination of your organisation’s cybersecurity practices. This journey helps foster a culture of heightened security awareness among your employees, management, and stakeholders.
6. Regulatory Compliance
Businesses in many industries, such as healthcare, finance, and legal services, must adhere to strict data protection regulations. Cyber Essentials Plus certification provides a solid foundation for meeting these regulatory requirements, demonstrating your data security and privacy commitment. This can help you avoid costly fines and reputational damage associated with non-compliance.
By following the Cyber Essentials Plus checklist, your business can reap these numerous benefits, strengthening your overall cybersecurity posture, building customer trust, and unlocking new growth opportunities.
Now, it’s your time
Start your journey towards Cyber Essentials Certification by assessing your current cyber security measures using the checklist provided in this article. This initial step will help you determine your readiness for certification and whether Cyber Essentials Plus is beneficial. Doing so can protect your organisation from malware and phishing threats while showcasing a solid commitment to cybersecurity.
FAQ
How long does Cyber Essentials Plus take?
A Cyber Essentials Plus audit can typically be completed within one week.
How much does Cyber Essentials Plus cost?
Cyber Essentials Plus certification costs £1,399 for a small business. Depending on the number of assets in scope, the price may vary by up to £3,000 for large organisations.
What happens if I fail Cyber Essentials?
If you fail Cyber Essentials, you will need to resubmit your application; Cyphere provides one retake in which to do so.
Can I download this Cyber Essentials Plus checklist?
Yes, this checklist is available for free. The download link is in the Cyber Essentials Plus checklist section.
How long is a Cyber Essentials certificate valid?
The Cyber Essentials certificate is valid for one year.