Cyber Essentials Readiness Checklist

Ready for certification

0 / 25

Items confirmed

Tick each item below as you confirm it is in place for your organisation.

Control 1 FIREWALLS

Boundary firewalls must be in place between your network and the internet, and between zones of your network. All devices connecting directly to the internet must also be protected.

A boundary firewall or router is in place between your internal network and the internetThis includes home broadband routers used for remote working

Default passwords have been changed on all firewalls and routersFactory-default credentials must be replaced before use

Firewall rules permit only the traffic your business genuinely needs — unnecessary ports and services are blockedAny open port or service that cannot be justified is a risk

Unsolicited inbound connections are blocked by defaultYour firewall should deny by default and permit by exception

Software firewalls are enabled on all devices that connect to the internet or untrusted networks

Control 2 SECURE CONFIGURATION

Computers and network devices should be configured to reduce the level of inherent vulnerabilities. Unnecessary features, services and accounts should be removed or disabled.

Unnecessary software, services and applications have been removed or disabled on all devicesEvery installed application is a potential attack surface

Auto-run and auto-play features are disabled for removable media (USB drives, external storage)

Default user accounts (e.g. "Administrator", "Guest") have been renamed, disabled or have their passwords changedWell-known default accounts are a common attack vector

Accounts are locked after a reasonable number of failed login attempts (typically 10 or fewer)Brute-force protection must be active on all accounts

Screen lock / inactivity timeout is enforced on all devices (maximum 15 minutes of inactivity)

Control 3 USER ACCESS CONTROL

User accounts should be carefully managed and given only the access they need. Administrative privileges should be tightly controlled and separately maintained.

Every user has a unique user account — no shared logins are in useShared credentials make audit trails impossible and risk uncontrolled access

Users have only the permissions they need for their role — least privilege is appliedStandard users should not have access to data or systems they don't use

Administrator accounts are used only for admin tasks — not for everyday browsing or emailAdmins should have a separate standard account for day-to-day use

Accounts are removed or disabled promptly when staff leave or change roles

MFA is enabled on all cloud services that offer it — including Microsoft 365, Google Workspace, and any SaaS tools v3.3 Auto-FailFrom April 2026 (Danzell v3.3): failing to enable MFA where it is available is an automatic fail

Control 4 MALWARE PROTECTION

Protection against malicious software must be in place on all devices. This can be achieved through anti-malware software, application allow-listing, or sandboxing.

Anti-malware software is installed and active on all devices (desktops, laptops, servers)Built-in solutions such as Windows Defender are acceptable

Anti-malware signatures / definitions are kept up to date automaticallyManual updates are not reliable — auto-update must be enabled

Malware protection performs regular scans and alerts on detected threats

Users cannot disable or bypass anti-malware protection on their devices

Potentially malicious file types (macros, executable attachments) are blocked or managed in email

Control 5 SECURITY UPDATE MANAGEMENT

All high-risk and critical security updates must be applied within 14 days of release. Danzell v3.3 introduced two auto-fail questions (A6.4 and A6.5) making enforcement stricter than ever.

All high-risk and critical security updates for operating systems and router/firewall firmware are installed within 14 days of release v3.3 Auto-Fail (A6.4)Answering no to A6.4 is an automatic failure under Danzell — auto-update alone may not cover all firmware

All high-risk and critical security updates for applications, including files and extensions, are installed within 14 days v3.3 Auto-Fail (A6.5)Answering no to A6.5 is an automatic failure — this includes browsers, plugins, Office suites, and third-party apps

No unsupported or end-of-life software is in use within scopeSoftware the vendor no longer patches must be removed or segregated from your certified environment

A process exists to identify and track available patches across all software in use

Cloud services your organisation uses (where in scope) are covered under a managed update process v3.3 Scope ChangeFrom April 2026 (Danzell v3.3): cloud services hosting your data cannot be excluded from scope

// What Next?

READY TO GET CERTIFIED?

Our UK-based team will review your environment, identify any remaining gaps, and guide you through every step of certification. View pricing →

Get Certified → Build Your Quote →

Also pursuing CE Plus? CE Plus adds an independent technical audit on top of CE basic. Use the dedicated checklist to confirm your environment is ready for the audit across all seven tested control areas. Open the CE Plus readiness checklist →

This checklist is based on the Cyber Essentials v3.3 (Danzell) requirements effective April 2026. It is provided as a self-assessment guide only — formal certification requires assessment by an IASME Approved Certification Body. For a formal gap analysis, contact our team.

CYBER ESSENTIALSREADINESS CHECKLIST