Axia Computer Systems Ltd


Cyber Essentials checklist for UK SMEs (2025)

The five technical controls required to pass Cyber Essentials, translated into plain English — plus what changes for Cyber Essentials Plus and how to get certified quickly.

Cyber Essentials is the UK government-backed certification scheme that confirms your business has the basic technical defences in place to protect against the most common cyber attacks. For most SMEs in the UK, it's now a prerequisite — for public-sector contracts, insurance, and supply-chain due diligence.

The good news: the five required controls are achievable. The bad news: most SMEs fail their first self-assessment on small misconfigurations rather than missing controls outright. This guide walks through what's actually required.

The five control areas

  1. Firewalls and routers
  2. Secure configuration
  3. Security update management (patching)
  4. User access control
  5. Malware protection

1. Firewalls & routers

  • Change all default admin passwords on routers and firewalls.
  • Block unauthenticated inbound connections from the internet by default.
  • Disable any unused services on the firewall.
  • For home workers: each user's device must have its own software firewall enabled (this is the default on Windows and macOS — just don't turn it off).

2. Secure configuration

  • Remove or disable unused user accounts.
  • Remove or disable unnecessary software on company devices.
  • Change default passwords on any device, server or service before deployment.
  • Disable auto-run / auto-play for removable media.
  • A device lock (PIN, password or biometric) is required before access to corporate data.

3. Security update management

  • All software must be licensed and supported (no Windows 7, no Server 2012 R2, no out-of-support iOS or Android).
  • Critical and high-severity security updates must be applied within 14 days of release. This is the rule most SMEs trip on.
  • Automatic updates enabled wherever possible.

4. User access control

  • Unique user accounts for every user — no shared logins.
  • A formal process for creating, reviewing and removing accounts (especially leavers).
  • Admin accounts used only for admin tasks; day-to-day work done on a standard account.
  • Multi-factor authentication (MFA) on all cloud services, including admin accounts. This is now mandatory.
  • Strong password policy (minimum 8 characters with MFA, or 12+ without; plus protection against brute force).

5. Malware protection

  • Anti-malware on every in-scope device, updated automatically.
  • Or: application allow-listing (only approved applications can run).
  • Or: application sandboxing for code from untrusted sources.

Cyber Essentials vs Cyber Essentials Plus

Standard Cyber Essentials is a verified self-assessment. Cyber Essentials Plus adds a hands-on technical audit by an external assessor — they'll sample your devices and verify the controls actually work. CE Plus is significantly stronger evidence and is increasingly required for serious contracts.

The fastest path to certification

  1. Run a gap assessment against the checklist above.
  2. Fix the gaps — typically MFA enforcement, patching policy and device configuration.
  3. Submit the self-assessment via an approved certification body.
  4. If targeting Plus, schedule the on-site / remote technical audit straight after.
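As an added illustration of step 1 (this is example code, not Axia's tooling or any script supplied by the scheme), a small Python gap check that applies the thresholds above to a constructed device and account inventory: the 14-day patch window, the out-of-support operating systems named on the page, shared logins, MFA on cloud accounts, and the 8/12-character password minimums. The device names, user names and the inventory format are assumptions.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # critical/high security updates must be applied within 14 days
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2012 R2"}  # examples named in control 3
MIN_PW_WITH_MFA, MIN_PW_WITHOUT_MFA = 8, 12  # control 4 password minimums

# Constructed sample inventory (not real data). In practice this would be
# exported from your RMM/MDM and your cloud identity provider's user report.
DEVICES = [
    {"name": "LAPTOP-01", "os": "Windows 11", "pending_critical_since": None},
    {"name": "LAPTOP-02", "os": "Windows 11", "pending_critical_since": date(2025, 3, 1)},
    {"name": "SRV-FILE", "os": "Windows Server 2012 R2", "pending_critical_since": None},
]
ACCOUNTS = [
    {"user": "alice", "admin": True, "mfa": True, "shared": False, "min_pw_len": 12},
    {"user": "reception", "admin": False, "mfa": False, "shared": True, "min_pw_len": 8},
    {"user": "bob.admin", "admin": True, "mfa": False, "shared": False, "min_pw_len": 14},
]

def device_gaps(dev, today):
    """Control 3: supported OS, and no critical update outstanding beyond 14 days."""
    gaps = []
    if dev["os"] in UNSUPPORTED_OS:
        gaps.append(f"{dev['name']}: out-of-support OS ({dev['os']})")
    since = dev["pending_critical_since"]  # release date of the oldest unapplied critical update
    if since is not None and (today - since).days > PATCH_WINDOW_DAYS:
        gaps.append(f"{dev['name']}: critical update outstanding {(today - since).days} days")
    return gaps

def account_gaps(acct):
    """Control 4: unique logins, MFA on every cloud account, password length."""
    gaps = []
    if acct["shared"]:
        gaps.append(f"{acct['user']}: shared login")
    if not acct["mfa"]:
        gaps.append(f"{acct['user']}: no MFA" + (" (admin account)" if acct["admin"] else ""))
    required = MIN_PW_WITH_MFA if acct["mfa"] else MIN_PW_WITHOUT_MFA
    if acct["min_pw_len"] < required:
        gaps.append(f"{acct['user']}: password minimum {acct['min_pw_len']} < {required}")
    return gaps

def gap_report(devices, accounts, today):
    """Return every finding; an empty list means no gaps against these checks."""
    findings = [g for dev in devices for g in device_gaps(dev, today)]
    findings += [g for acct in accounts for g in account_gaps(acct)]
    return findings

def demo_report():
    """Run the check over the constructed inventory as of 20 March 2025."""
    return gap_report(DEVICES, ACCOUNTS, date(2025, 3, 20))
```

Each finding maps back to one bullet in controls 3 or 4, so the list doubles as the fix list for step 2.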

For a typical 25–50 user SME, a clean run from gap analysis to certification takes 4–8 weeks. The biggest delays are almost always around legacy devices, shared logins and out-of-support software.

Need help getting certified?

We help SMEs across Hertfordshire, Bedfordshire and London prepare for and pass Cyber Essentials and Cyber Essentials Plus — and put the operational controls in place to stay certified year after year.
