
Cyber Essentials checklist: the five controls (2026).

Cyber Essentials is assessed against five technical controls: firewalls, secure configuration, security update management, user access control and malware protection. This is the practical, control-by-control checklist — the concrete actions for each, and the gaps that fail people — so you walk into the assessment already prepared.

By Rob Smith · Published 3 Jun 2026 · Reviewed Jun 2026 · 8 min read
KEY TAKEAWAYS
  • Five controls, all mandatory: firewalls, secure configuration, patching, user access control, malware protection.
  • Get your scope right first — every in-scope device and cloud service has to meet the standard.
  • Most failures are mundane: unsupported software, missing MFA, unpatched high/critical vulnerabilities.
  • High and critical patches must be applied within 14 days — automate it.

Before the controls: get your scope right

The first thing the assessment establishes is what’s in scope. That’s every device that accesses your data or services — laptops, desktops, servers, mobiles, and the cloud services you use such as Microsoft 365. You can certify a defined subset, but whatever you include must meet all five controls. Scoping too narrowly to dodge a problem device usually backfires, so it’s worth getting an honest inventory down before you start.

Control 1 — Firewalls

Every in-scope device must sit behind a correctly configured firewall — a boundary firewall on your network and the host firewall on each device.

  • Confirm a firewall is enabled on every device, including laptops used off-site.
  • Change the default administrative password on any boundary firewall or router.
  • Block unauthenticated inbound connections by default; only open what you genuinely need.
  • Document any inbound rules and the business reason for each.
  • Disable remote administrative access from the internet, or protect it with MFA and IP restrictions.

Control 2 — Secure configuration

Devices and software should ship locked down, not wide open. The aim is to remove anything that increases attack surface without adding value.

  • Remove or disable software, user accounts and services you don’t use.
  • Change every default password before a device goes into use.
  • Disable auto-run / auto-play for removable media.
  • Apply a device lock (PIN, password or biometric) that engages after a short idle period.
  • Make sure cloud services like Microsoft 365 are configured securely, not left on defaults.

Control 3 — Security update management

This is patching, and it’s where a lot of businesses come unstuck. The rule is simple but strict.

  • Use only supported operating systems and software — anything past end-of-life is an automatic fail.
  • Enable automatic updates wherever possible.
  • Apply high and critical security updates within 14 days of release.
  • Remove software that’s no longer supported or no longer needed.
  • Keep firmware and mobile OS versions current too, not just desktops.

Doing this reliably by hand across a fleet is hard, which is why managed patch management is one of the most effective ways to stay continuously certifiable rather than scrambling before each assessment.

Control 4 — User access control

People should have the access they need to do their job, and no more.

  • Give each user their own account — no shared logins.
  • Apply the principle of least privilege; standard users should not have admin rights for daily work.
  • Keep admin accounts to the minimum and use them only for admin tasks.
  • Enable MFA on all cloud services and especially on administrative accounts.
  • Have a leaver process that disables accounts promptly when someone departs.

Control 5 — Malware protection

Every in-scope device needs effective protection against malware.

  • Run reputable, up-to-date anti-malware on all in-scope devices.
  • Keep its definitions and engine current (this overlaps with security update management).
  • On mobiles, restrict installation to approved app stores or a managed catalogue.
  • Consider behaviour-based EDR — it satisfies the control and goes well beyond it, catching threats signature antivirus misses. Our guide to EDR vs antivirus explains the difference.

None of the five controls is exotic. The reason businesses fail isn’t difficulty — it’s the one device, account or app that quietly slipped through.

The common gaps that cause failure

Across first-time applicants, the same handful of issues come up again and again:

  1. Unsupported or out-of-date operating systems and software still in use.
  2. Missing MFA on cloud or admin accounts.
  3. Unpatched high or critical vulnerabilities older than 14 days.
  4. Default or unchanged passwords on devices and network kit.
  5. Everyday users running with admin rights.
  6. A device or cloud service that wasn’t protected because it wasn’t on anyone’s radar.
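A pre-assessment check that maps an asset inventory onto the six gaps above, including the 14-day rule for high and critical updates, as an added example that is not part of the original article or any assessor's tooling; the inventory fields, account flags and sample assets are assumptions constructed for illustration.

```python
from datetime import date

PATCH_SLA_DAYS = 14            # high/critical security updates due within 14 days of release
ASSESSMENT_DATE = date(2026, 6, 3)  # constructed "today" for the worked run


def check_asset(asset: dict, today: date) -> list[str]:
    """Return the common-gap findings (numbered as in the article) for one in-scope asset."""
    findings = []
    if not asset["supported"]:                       # gap 1: end-of-life OS or software
        findings.append("1: unsupported OS/software")
    for acct in asset["accounts"]:
        # gap 2: MFA is expected on every cloud account and on every admin account
        if not acct["mfa"] and (acct["admin"] or asset["kind"] == "cloud"):
            findings.append(f"2: no MFA on {acct['user']}")
        if acct["admin"] and acct["daily_use"]:      # gap 5: day-to-day work with admin rights
            findings.append(f"5: daily user {acct['user']} has admin rights")
    for patch in asset["pending_patches"]:           # gap 3: high/critical older than the SLA
        age = (today - patch["released"]).days
        if patch["severity"] in ("high", "critical") and age > PATCH_SLA_DAYS:
            findings.append(f"3: {patch['severity']} patch {age} days old")
    if not asset["default_password_changed"]:        # gap 4: factory credentials still set
        findings.append("4: default password still set")
    return findings


def assess(inventory: list[dict], discovered: set[str], today: date) -> dict[str, list[str]]:
    """Check every inventoried asset; anything present in a directory/MDM export but missing
    from the inventory is gap 6 (nobody is verifying its controls)."""
    report = {a["name"]: check_asset(a, today) for a in inventory}
    for name in sorted(discovered - {a["name"] for a in inventory}):
        report[name] = ["6: not in inventory, controls unverified"]
    return report


# Constructed sample estate, not real data.
INVENTORY = [
    {"name": "LAPTOP-01", "kind": "device", "supported": True, "default_password_changed": True,
     "pending_patches": [{"severity": "critical", "released": date(2026, 5, 10)}],
     "accounts": [{"user": "alice", "admin": False, "mfa": False, "daily_use": True}]},
    {"name": "ROUTER-EDGE", "kind": "device", "supported": False, "default_password_changed": False,
     "pending_patches": [], "accounts": []},
    {"name": "M365-TENANT", "kind": "cloud", "supported": True, "default_password_changed": True,
     "pending_patches": [],
     "accounts": [{"user": "bob", "admin": True, "mfa": False, "daily_use": True},
                  {"user": "carol", "admin": False, "mfa": True, "daily_use": True}]},
]
DISCOVERED = {"LAPTOP-01", "ROUTER-EDGE", "M365-TENANT", "LAPTOP-07"}  # e.g. an MDM export

if __name__ == "__main__":
    for name, findings in assess(INVENTORY, DISCOVERED, ASSESSMENT_DATE).items():
        print(name, "PASS" if not findings else findings)
```

Each finding carries the gap number from the list above, so the output doubles as the evidence list to gather before submission.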

How to prepare

Work the checklist above against a complete asset inventory, fix what fails, and gather evidence as you go — screenshots of MFA settings, patch policies, firewall rules and your device list. If you’re heading towards the hands-on audit, our Cyber Essentials Plus guide shows what the assessor will independently test, so nothing catches you out.

If you’d rather not run the whole exercise yourself, our Cyber Essentials service handles the scoping, remediation and submission, and keeps the controls in place so re-certifying each year is routine.

FAQ

Questions we get asked.

What are the five Cyber Essentials controls?

The five technical controls are: firewalls, secure configuration, security update management (patching), user access control, and malware protection. Every assessment checks you against all five, across every in-scope device and cloud service.

What’s the most common reason businesses fail?

The usual culprits are unsupported or out-of-date operating systems and software, missing MFA on cloud and admin accounts, unpatched high or critical vulnerabilities, default passwords, and everyday users running with admin rights. Most first-time failures are one of these, not anything exotic.

How quickly do high and critical patches need applying?

Under Cyber Essentials, security updates rated high or critical must be applied within 14 days of release. Anything still missing those patches at assessment time is a common cause of failure — which is why automated patch management is so valuable.

Does it cover cloud services like Microsoft 365?

Yes. Cloud services that hold your data or are administered by your organisation — such as Microsoft 365 — are in scope. In practice that means MFA on accounts, sensible admin restrictions, and secure configuration of the tenant.

WHERE WOULD YOU FAIL?

Run the checklist with us.

Book 30 minutes. We’ll walk your environment against the five controls, show you exactly where you’d fall short today, and give you a clear plan to pass.
