Why Cyber Essentials matters
Cyber Essentials is the UK government-backed baseline for cyber security, run by the NCSC. It is increasingly a condition of public sector and supply chain contracts, and many insurers offer better terms for, or require, a current certificate. The scheme has two levels: Cyber Essentials (a self-assessment questionnaire that a certification body verifies) and Cyber Essentials Plus (the same requirements, checked by an assessor through hands-on technical tests such as an external vulnerability scan and checks on a sample of in-scope devices). Preparing properly reduces cost, delay and the risk of failing.
What assessors actually check
The scheme assesses five technical controls: firewalls, secure configuration, security update management, user access control and malware protection. Assessors verify that your answers on each are supported by evidence. Vague or incorrect answers lead to a fail or to rework. Below is what you need to have in place and how to evidence it.
Before you apply: checklist and evidence
- Boundary and scope of assessment agreed — All in-scope devices and services listed (including cloud, BYOD if in scope). Evidence: network diagram or asset list showing scope.
- Asset list and software inventory are up to date — All devices in scope; software installed and licensed. Evidence: inventory export or screenshot from MDM/RMM.
- Patch management process is documented and evidenced — All in-scope software is vendor-supported and licensed; critical and high-risk security updates are installed within 14 days of release (the scheme's required timescale), and automatic updates are enabled where available. Evidence: patch policy and proof of patching (e.g. a compliance report from your RMM or MDM showing install dates against release dates).
- Malware protection and secure configuration (firewall, device lock) are in place — Anti-malware on all devices; firewall configured; screen lock and secure config. Evidence: config or policy plus sample evidence.
- User access is controlled (least privilege, MFA) — Unique accounts per user; no shared admin accounts, and admin accounts not used for day-to-day work such as email and browsing; MFA on every cloud service account where the service supports it, not only for privileged users. Evidence: access policy and MFA/SSO configuration screenshots.
- Backup and restore are tested — Backups for critical data; restore tested. The NCSC strongly recommends backups but they are not one of the five assessed controls, so this item will not fail you; it is still worth evidencing, as assessors and insurers ask about it. Evidence: backup schedule and test record.
Common fail points
- Scope creep or vagueness: in-scope and out-of-scope must be stated clearly (with a network diagram or asset list), and anything excluded must sit behind a separate, justifiable boundary; assessors will question gaps.
- Unpatched or unsupported software: an out-of-support OS or application on an in-scope device is a fail, as are critical or high-risk updates older than 14 days. Plan upgrades or removals before applying.
- Weak or shared credentials: MFA on cloud services and a unique account per user are expected; shared admin accounts will be challenged, and default or vendor passwords must be changed.
- No evidence: "We do it" is not enough. Have screenshots, reports or policy documents to support each control.
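A practical way to turn the checklist and the fail points above into evidence is to run a gap check over your asset inventory export before you apply. The script below is an added example for this page, not NCSC tooling and not an official Cyber Essentials test: the CSV layout, the column names, the sample rows and the vendor support dates in them are constructed for illustration and must be replaced by your own MDM/RMM export and the vendors' published support dates. It flags the common fail points (unsupported OS, critical updates outside the 14-day window, shared admin accounts, missing MFA) per in-scope device and lists out-of-scope devices separately so you can justify the boundary.

```python
"""Pre-assessment gap check over an asset inventory export.

Added example; not NCSC tooling. The CSV layout and sample rows are
assumptions made for this example. Support-end dates must be taken from
the vendor; the ones in the sample are constructed.
"""
import csv
import io
from datetime import date, timedelta

# Cyber Essentials requires critical and high-risk security updates to be
# installed within 14 days of release.
PATCH_WINDOW = timedelta(days=14)

# Reference "today" so the sample run is reproducible.
REFERENCE_DATE = date(2024, 6, 1)

# Constructed sample export, one row per device. An empty update_installed
# means the latest critical update is still outstanding.
INVENTORY_CSV = """hostname,os,support_end,update_released,update_installed,shared_admin,mfa,in_scope
LT-001,Windows 11 23H2,2025-11-11,2024-05-14,2024-05-20,no,yes,yes
LT-002,Windows 10 22H2,2025-10-14,2024-05-14,,no,yes,yes
SRV-01,Windows Server 2012 R2,2023-10-10,2024-05-14,2024-05-16,yes,no,yes
LT-003,macOS 14,2026-09-30,2024-04-20,2024-05-10,no,yes,yes
KIOSK-1,Windows 7,2020-01-14,,,no,no,no
"""


def _parse_date(value):
    """ISO date string -> date; empty string -> None."""
    return date.fromisoformat(value) if value else None


def audit_device(row, today):
    """Return the list of gaps for one inventory row (empty list = no gap)."""
    gaps = []
    support_end = _parse_date(row["support_end"])
    if support_end is None or support_end < today:
        gaps.append("unsupported OS (support end unknown or passed): " + row["os"])
    released = _parse_date(row["update_released"])
    installed = _parse_date(row["update_installed"])
    if released is not None:
        deadline = released + PATCH_WINDOW
        if installed is None and today > deadline:
            gaps.append("critical update outstanding %d days" % (today - released).days)
        elif installed is not None and installed > deadline:
            gaps.append("critical update installed late (%d days after release)"
                        % (installed - released).days)
    if row["shared_admin"].strip().lower() == "yes":
        gaps.append("shared administrator account")
    if row["mfa"].strip().lower() != "yes":
        gaps.append("MFA not enforced on cloud service accounts")
    return gaps


def audit_inventory(csv_text, today=REFERENCE_DATE):
    """Audit every in-scope row. Returns (findings, out_of_scope): findings maps
    hostname -> gaps; out_of_scope lists hosts excluded from the assessment so
    the scope boundary can be justified to the assessor."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings, out_of_scope = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["in_scope"].strip().lower() != "yes":
            out_of_scope.append(row["hostname"])
            continue
        gaps = audit_device(row, today)
        if gaps:
            findings[row["hostname"]] = gaps
    return findings, out_of_scope


if __name__ == "__main__":
    findings, excluded = audit_inventory(INVENTORY_CSV, REFERENCE_DATE)
    for host, gaps in findings.items():
        print(host)
        for gap in gaps:
            print("  -", gap)
    print("out of scope (justify in the scope statement):", ", ".join(excluded))
```

Run it against a real export and keep the output alongside the RMM report as evidence; a clean run does not prove compliance, but any line it prints is a gap the assessor would also find.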
Next steps
The NCSC Cyber Essentials scheme publishes the official requirements and question set; treat those as the authority. Use this checklist to close gaps and gather evidence before your assessment.
Get certified with support—we help organisations prepare for and achieve Cyber Essentials and Cyber Essentials Plus.