Cyber Essentials Plus Checklist

The UK government introduced the Cyber Essentials accreditation/certification in 2014 to help protect businesses from falling victim to cyber attacks. Nearly 85% of the most common cyber attacks could be prevented by implementing the fundamental security controls described in the Cyber Essentials framework. The certification has two levels: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials (level 1) is a self-assessment certification, whereas Cyber Essentials Plus is more advanced and comprehensive: at this level an on-site assessment, including a vulnerability scan, is performed by a Cyber Essentials certification body. Under IASME, the new (and only) accreditation body, and its Cyber Essentials process, the applicant's business has to achieve Cyber Essentials (level 1) before applying for Cyber Essentials Plus.

Cyber Essentials focuses on five areas: Firewalls, Secure configuration, User access controls, Patch Management and Malware management. Having performed dozens of these certifications, we know what the challenges are and how you can avoid any surprises. Here is a checklist to help you achieve the Cyber Essentials Plus certification, ordered with the biggest challenge first.

3rd party Patch Management - The biggest challenge of all

  • How do you manage 3rd party software updates, such as Java, Chrome, Adobe, VLC, AutoCAD, etc.?
  • Are all systems up to date? Critical updates have to be applied within 14 days of their release.
  • Do you have unsupported operating systems on the network, such as Windows 7, Windows Server 2008 or older? If you do, it is a fail straight away unless they are isolated.
  • Is all the software used in the business properly licensed?

Secure configuration

  • Did you change the default login details on network devices, such as firewalls, routers, printers, etc.?
  • Have you uninstalled unnecessary software?
  • Have you disabled unnecessary user accounts on the company's systems?
  • Do you have a strong password policy, and is it enforced?

Firewalls

  • Do you close open ports once they are no longer necessary?
  • Is the process and authorisation for opening and closing ports documented?
  • Is admin access restricted to certain IP addresses only?
  • Do you have a firewall enabled on end user devices?

Malware protection

  • Do you have anti-virus software installed on all machines?
  • Is the anti-virus software regularly updated?
  • Does the anti-virus software scan automatically and regularly?

User access controls 

  • Do you have a policy & process for joiners and leavers’ user accounts? 
  • Do you have a policy for setting user permissions? 
  • Do you have separate accounts for admin tasks? Is the process documented? 
  • Do you review the admin accounts regularly? 
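
Several of the questions above can be answered with evidence pulled straight from the endpoint. The following script is an added example written for this article, not part of the original checklist or of any certification body's tooling: it gathers read-only evidence for one Windows machine and maps each finding to a checklist section. It assumes Windows Defender is the anti-virus product, uses a constructed watch list of third-party product names (Java, Chrome, Adobe, VLC, AutoCAD) and a constructed one-day signature-age threshold, and treats kernel versions 6.0 and 6.1 as the Windows 7 / Server 2008 family named in the patch management section.

```powershell
# Added example, not from the original article: read-only evidence gathering for a
# single Windows endpoint, mapped to the checklist sections above.
# Assumptions (adjust for your estate): Windows Defender is the anti-virus, the
# third-party product pattern below is a constructed watch list, and 'isolated'
# legacy hosts are tracked separately. Run from an elevated PowerShell session.

$MaxPatchAgeDays     = 14                          # checklist: critical updates within 14 days
$MaxSignatureAgeDays = 1                           # constructed threshold for AV signature age
$ThirdPartyPattern   = 'Java|Chrome|Adobe|VLC|AutoCAD'   # constructed watch list

$findings = [System.Collections.Generic.List[string]]::new()
$now = Get-Date

# --- Patch management: date of the most recently installed Windows update ---
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastHotfix) {
    $findings.Add('PATCH: no hotfix install dates recorded; check update history manually')
} elseif (($now - $lastHotfix.InstalledOn).Days -gt $MaxPatchAgeDays) {
    $findings.Add("PATCH: last update $($lastHotfix.HotFixID) on " +
        "$($lastHotfix.InstalledOn.ToString('yyyy-MM-dd')) is older than $MaxPatchAgeDays days")
}

# --- 3rd party software: installed versions, to compare against each vendor's current release ---
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $ThirdPartyPattern } |
    Sort-Object DisplayName -Unique |
    ForEach-Object { $findings.Add("3RD-PARTY (review): $($_.DisplayName) $($_.DisplayVersion)") }

# --- Unsupported OS: Windows 7 / Server 2008 R2 report kernel 6.1, Vista / Server 2008 report 6.0 ---
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Version -match '^6\.[01]\.') {
    $findings.Add("OS: '$($os.Caption)' ($($os.Version)) is out of vendor support; fail unless isolated")
}

# --- Firewalls: every Windows Firewall profile must be enabled on end user devices ---
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' } |
    ForEach-Object { $findings.Add("FIREWALL: profile '$($_.Name)' is not enabled") }

# --- Malware protection: engine on, real-time protection on, signatures current ---
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings.Add('AV: antivirus engine is disabled') }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('AV: real-time protection is off') }
    if (($now - $mp.AntivirusSignatureLastUpdated).Days -gt $MaxSignatureAgeDays) {
        $findings.Add("AV: signatures last updated $($mp.AntivirusSignatureLastUpdated.ToString('yyyy-MM-dd'))")
    }
} catch {
    $findings.Add('AV: Defender status unavailable; confirm the installed product is updating and scanning')
}

# --- User access controls: local Administrators membership, to review against the admin account policy ---
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
$findings.Add("ACCESS (review): $($admins.Count) local Administrators: $($admins -join ', ')")

# --- Report ---
Write-Output "Cyber Essentials endpoint check for $env:COMPUTERNAME"
$findings | ForEach-Object { Write-Output "  - $_" }
```

Items tagged "(review)" are evidence rather than failures: the third-party version list still has to be compared with each vendor's latest release, and the Administrators membership has to be checked against the policy for separate admin accounts. The script only reads system state, so it can be run across the estate before the assessor's vulnerability scan to find the hosts that would otherwise cause a surprise on the day.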

If you answered YES to most of the questions above, then you are likely to get through the Cyber Essentials Plus certification on the first attempt. It's always a good idea to get a full vulnerability assessment done on the network to understand the overall gaps in software patching. I hope this article has helped you. Please refer to 'Everything you need to know about Cyber Essentials' to learn more about the Cyber Essentials certification and the process involved. The National Cyber Security Centre also has useful guidance. For more information on the accreditation body and the certification bodies, please check the IASME website. If you are unsure whether you are ready for the Cyber Essentials Plus certification, or if you would like to make sure you pass the first time, we have a package for you. It's called 'Cyber Essentials Plus Extra': we perform a pre-assessment and advise you of the gaps so that you can resolve them before submitting the application. Get in touch.
