Cyber Essentials Certification: The Definitive 2026 Checklist for UK SMEs

Cyber Essentials Certification

Need help with Professional support with Cyber Essentials Certification?

In the current digital landscape, cybersecurity isn’t just an IT concern—it’s a prerequisite for doing business. For UK SMEs, the Cyber Essentials Certification is the gold standard for proving to clients, partners, and the government that you take data protection seriously.

Whether you are looking to bid for central government contracts or simply want to sleep better at night, this guide breaks down the technical hurdles into an actionable roadmap.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed scheme designed to help organizations protect themselves against a whole range of the most common cyber attacks. It focuses on five technical controls that, when implemented correctly, can prevent up to 80% of common cyber threats.

---

The 5 Pillars of Cyber Essentials: Your Technical Checklist

To achieve certification, your business must demonstrate proficiency in these five key areas. At SI ICT, we categorize these as the “Defensive Perimeter.”

1. Firewalls and Internet Gateways

Your firewall is your first line of defence.

• Checklist: Are all devices protected by a boundary firewall? Have you changed the default administrative passwords?

• AI/SME Tip: For remote workers, ensure that software firewalls are enabled on all company-provided laptops.

2. Secure Configuration

Out-of-the-box settings are often insecure.

• Checklist: Have you removed unnecessary software and disabled “Auto-run” features?

• The SI ICT Edge: We perform “System Hardening” to ensure every workstation is locked down to its most secure state without hindering productivity.

3. User Access Control

Not every employee needs “Admin” rights.

• Checklist: Do you follow the “Principle of Least Privilege”? Are accounts deactivated immediately when an employee leaves?

• Control: Use a centralized directory (like Azure AD/Microsoft Entra, Google Workspace Admin) to manage permissions.

4. Malware Protection

Viruses and ransomware are evolving.

• Checklist: Is your anti-malware software set to scan files upon access? Are you using “Sandboxing” for suspicious applications?

• Modern Standard: Ensure your protection is updated daily.

5. Patch Management

Old software is a playground for hackers.

• Checklist: Are all operating systems and applications updated within 14 days of a security patch being released?

• Requirement: Any software that is “End of Life” (no longer supported by the manufacturer) must be removed from the network.

---

Why Certification is a Business Multiplier

Achieving your Cyber Essentials Certification offers more than just a badge:

1. Government Tendering: Required for most UK central government contracts handling personal data.

2. Reduced Insurance Premiums: Many cyber insurance providers offer lower rates for certified businesses.

3. Customer Trust: It signals to your clients that their data is in safe hands.

---

Cyber Essentials certification checklist for UK SMEs

Think of Cyber Essentials certification as a structured project with clear steps rather than a mysterious audit. This checklist breaks the journey into manageable actions you can tackle with your internal team and a partner like SI ICT.

1. Define your objectives and scope

• Confirm why you want Cyber Essentials: to meet contract requirements, reassure customers, reduce risk, or all three.

• Decide the scope: ideally your entire organisation, but at minimum clearly define locations, devices, cloud services, and networks covered.

• Document scope decisions – they will drive the questionnaire and any Plus testing.​

2. Build a simple asset list

• List all users and roles, including contractors who access your systems.​

• Catalogue devices in scope: laptops, desktops, tablets, phones, servers, firewalls, and routers.​

• Include cloud services like Microsoft 365, Google Workspace, file sharing, CRM, and line‑of‑business applications.

SI ICT stresses that workstations, networks, servers, cloud solutions, printers and mobiles are all vulnerable if not managed with consistent security controls.​

3. Tidy up firewalls and internet connections

• Identify all internet connections and boundary devices (routers, firewalls, VPN gateways).

• Change any default admin passwords and ensure management interfaces are not exposed unnecessarily.​

• Close unused ports and services, and document firewall rules.

4. Lock down secure configuration

• Remove unused user accounts, trial applications, and legacy software from devices in scope.

• Enforce strong password policies and screen lock timeouts on all devices.​

• Disable macro auto‑run, file sharing, or remote access features that are not required.

5. Get user access control under control

• Ensure every user has their own unique account; avoid shared logins.

• Limit admin rights to the smallest group possible and use separate admin accounts for privileged tasks.​

• Regularly review access, removing accounts for leavers and adjusting access when roles change.​

6. Standardise malware protection

• Deploy centrally managed endpoint protection on all in‑scope devices, with policies enforced and monitored.

• Enable automatic updates and real‑time scanning across the fleet.​

• Use email security and web filtering to block common malware delivery routes.​

SI ICT’s security service uses Microsoft, Google and Amazon Web Services centric tools to provide continuously updated, AI‑driven protection.​

7. Put patching on a schedule

• Enable automatic updates where possible for operating systems and mainstream applications.

• For systems where manual testing is required, define a regular patch cycle and keep records of what was patched and when.

• Remove or isolate unsupported systems that can no longer be patched.​

8. Document policies and procedures

• Write clear, concise policies covering passwords, acceptable use, remote access, patching, and antivirus.

• Align them with the actual technical controls you’ve implemented (and with SI ICT’s “secure by design” blueprint if you are a client).​

• Make policies accessible, and ensure staff are aware of their responsibilities.​

9. Train your team

• Explain what Cyber Essentials certification is and why you’re doing it – not just as a tick‑box but to protect customers and jobs.​

• Run short awareness sessions on phishing, safe browsing, and password hygiene.

• Repeat training periodically and for new starters, capturing attendance for evidence.​

10. Complete the self‑assessment (and prepare for Plus)

• Download the latest Cyber Essentials self‑assessment questionnaire and work through it carefully, using your asset list and documentation.

• Be honest: the assessment assumes your answers are accurate and that controls apply consistently across your scope.​

• For Cyber Essentials Plus, schedule the independent technical tests within three months of achieving basic certification.​

---

How SI ICT Simplifies Your Certification

The self-assessment questionnaire can be daunting. One wrong answer can lead to a failure, costing you time and re-application fees. SI ICT acts as your pre-audit partner. We conduct a Gap Analysis to identify where your current IT infrastructure falls short and fix the vulnerabilities before you hit “submit.”

Get Your Cyber Essentials Gap Analysis from SI ICT →

Bringing it together: SI ICT plus Cyber Essentials certification.

Book your session with an SI ICT consultant today to gain clarity and direction

Book a Free  Consultation with SI ICT