Cyber Essentials – How to Prepare

How to Prepare for Cyber Essentials: A Step-by-Step Checklist

Cyber Essentials certification can feel overwhelming if you’re not familiar with the requirements. The good news? With the right preparation, most SMEs can meet the standard quickly and efficiently.

This guide breaks down everything you need into a simple, step-by-step checklist — covering devices, passwords, updates, backups, and policies — so you know exactly what to expect and how to get ready.


Why Preparation Matters

Cyber Essentials is designed by the UK Government and the National Cyber Security Centre (NCSC) to protect your business from common cyber threats. Preparing properly helps you:

  • Pass the assessment first time

  • Avoid expensive remediation work

  • Strengthen your overall security

  • Meet insurance, customer, and tender requirements

Learn more directly from the NCSC here:
🔗 NCSC – Cyber Essentials Overview
https://www.ncsc.gov.uk/cyberessentials/overview


Step 1: Secure All Devices (Laptops, PCs, Mobiles, Tablets)

Every device that connects to your business data must meet Cyber Essentials requirements. This includes office machines, home-working setups, and staff mobiles used for company email.

Checklist: Device Setup Requirements

✔ Password protection enabled
✔ Full-disk encryption (e.g., BitLocker)
✔ Auto-lock enabled
✔ Admin rights restricted
✔ Only approved apps installed
✔ Mobile devices protected with PIN or biometrics

NCSC provides clear advice for securing devices here:
🔗 NCSC – Device Security Guidance
https://www.ncsc.gov.uk/collection/device-security


Step 2: Enforce Strong Passwords & Multi-Factor Authentication (MFA)

Weak passwords are one of the top causes of breaches. Cyber Essentials requires strong password practices and MFA across cloud services.

Password Requirements

✔ 12+ characters (or 8+ with complexity)
✔ No shared user accounts
✔ Password manager recommended
✔ Default passwords changed

Official NCSC password guidance:
🔗 NCSC – Password Policy Guidance
https://www.ncsc.gov.uk/collection/passwords

Multi-Factor Authentication Requirements

MFA must be active on:

  • Microsoft 365

  • VPN / remote access

  • Any cloud service containing sensitive data

Microsoft’s MFA setup guidance is here:
🔗 Microsoft – Set Up MFA
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks


Step 3: Keep All Software and Devices Updated

To pass Cyber Essentials, all software and systems must be supported and up to date. Outdated systems are one of the biggest causes of CE failure.

Update Standards

✔ Apply security updates within 14 days
✔ Only use supported OS versions
✔ Enable automatic updates
✔ Remove any end-of-life software
✔ Keep apps and cloud services updated

IASME outlines official CE requirements here:
🔗 IASME – Cyber Essentials Technical Requirements
https://iasme.co.uk/cyber-essentials/technical-requirements/


Step 4: Ensure You Have Robust Backups

While backups are not directly mandated in CE, they are vital for recovering from incidents — and many insurers expect them.

Backup Best Practices

✔ Daily backups
✔ Encrypted backup storage
✔ Off-site or cloud copy
✔ Ransomware-protected storage option
✔ Regular restore testing

NCSC backup guidance for SMEs:
🔗 NCSC – Backups: How to Protect Your Data
https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure/backing-up-your-data


Step 5: Implement the Required Policies

Cyber Essentials requires written policies demonstrating that your business consistently manages cyber security.

Essential policies include:

1. IT Security Policy

2. Access Control Policy

3. Patch Management Policy

4. Backup & Recovery Policy

5. Mobile Device / BYOD Policy

6. Password & Authentication Policy

Official guidance for creating cyber policies:
🔗 NCSC – Small Business Guide: Actionable Policies
https://www.ncsc.gov.uk/collection/small-business-guide

If you don’t have these, MB Digital can create a full Cyber Essentials Policy Pack for you.


Step 6: Check Your Firewall & Internet Gateway

Cyber Essentials requires strong protection at your network boundary.

Firewall Requirements

✔ Firewalls enabled on all devices
✔ Default passwords changed
✔ Only necessary ports open
✔ Firmware kept up to date
✔ Admin access restricted

NCSC firewall configuration guide:
🔗 NCSC – Firewalls & Internet Gateways
https://www.ncsc.gov.uk/collection/small-business-guide/using-firewalls


Step 7: Review Your Organisation’s Scope

You must define what is included in your Cyber Essentials assessment. This usually includes:

  • All laptops/desktops

  • All mobiles/tablets with company data

  • All cloud services (e.g., Microsoft 365)

  • Office networks

  • Home-working networks

Incorrect scoping is a major cause of CE failure — MB Digital can ensure you get this right.


Step 8: Conduct a Pre-Assessment Check

Before you complete the Cyber Essentials questionnaire, ensure:

✔ All devices comply
✔ Policies are finalised
✔ MFA is active everywhere
✔ Unsupported software removed
✔ Password rules applied
✔ Backups working

The IASME readiness resources can help:
🔗 IASME – Cyber Essentials Readiness Tools
https://iasme.co.uk/cyber-essentials/readiness-resources/
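
The device-level items from Steps 1, 3 and 6 can be spot-checked on a Windows machine before filling in the questionnaire. The script below is an added example, not a tool from MB Digital, IASME or the NCSC. It is read-only and assumes Windows 10/11 with the built-in BitLocker, LocalAccounts and NetSecurity modules and an elevated PowerShell session. The two thresholds and all variable names are assumptions to adjust.

```powershell
# Added example: read-only pre-assessment spot check for one Windows device.
# Run from an elevated PowerShell session. Names and thresholds are illustrative.
$MaxAdmins       = 2    # assumption: review if more local administrators than this
$MaxPatchAgeDays = 45   # assumption: monthly release cycle plus the 14-day window

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check($Step, $Item, $Pass, $Detail) {
    $checks.Add([pscustomobject]@{
        Step = $Step; Item = $Item; Pass = [bool]$Pass; Detail = $Detail })
}

# Step 1: full-disk encryption on the operating system volume
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
Add-Check 1 'Full-disk encryption' ($osVol.ProtectionStatus -eq 'On') `
    "BitLocker protection: $($osVol.ProtectionStatus)"

# Step 1: admin rights restricted (S-1-5-32-544 is the built-in Administrators group)
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name)
Add-Check 1 'Admin rights restricted' ($admins.Count -le $MaxAdmins) ($admins -join ', ')

# Step 3: newest installed hotfix is recent, and Windows Update is not disabled
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { $null }
Add-Check 3 'Security updates recent' `
    ($null -ne $ageDays -and $ageDays -le $MaxPatchAgeDays) `
    "Newest hotfix $($lastFix.HotFixID), $ageDays days ago"

$wu = Get-Service -Name wuauserv
Add-Check 3 'Windows Update not disabled' ($wu.StartType -ne 'Disabled') `
    "wuauserv start type: $($wu.StartType)"

# Step 6: host firewall enabled on every profile (effective policy, including GPO)
$fwOff = @(Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -ne 'True' })
Add-Check 6 'Firewall enabled on all profiles' ($fwOff.Count -eq 0) `
    "Profiles not enabled: $($fwOff.Name -join ', ')"

# Step 3: OS support status needs a manual lookup against the vendor lifecycle page
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"OS to verify as supported: $($os.Caption) $($os.Version)"

$checks | Format-Table -AutoSize -Wrap
```

A `False` in the `Pass` column marks an item to investigate on that device; it does not replace the assessor's own checks.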


Get Cyber Essentials-Ready with MB Digital

Preparing for Cyber Essentials doesn’t have to be complicated. MB Digital helps businesses across the UK achieve certification smoothly and quickly.

We provide:

  • Full Cyber Essentials certification support

  • Cyber Essentials Plus preparation

  • Security policies and documentation

  • Microsoft 365 security configuration

  • Ongoing compliance management

👉 Email: Sales@mbdigital.co.uk
👉 Phone: 01539731681
