Cyber Essentials Checklist 2025: Everything Your Business Needs
A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.
Overview
43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.
Cyber Essentials Checklist 2025: Your Complete Guide
This checklist is designed for UK small and medium-sized businesses preparing for Cyber Essentials certification in 2025. It covers each of the five required controls in detail, highlights the most common pitfalls that cause businesses to fail certification, and provides practical readiness tips to ensure your submission succeeds first time. As part of your broader cybersecurity strategy, achieving Cyber Essentials establishes the baseline technical controls that protect against the vast majority of common internet-based attacks.
The urgency is real. According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cybersecurity breach or attack in the past twelve months. Despite this, only approximately 3% of UK businesses hold Cyber Essentials certification (DSIT/NCSC), meaning the overwhelming majority have not implemented even the most basic verified security controls. The average cost of a data breach for UK organisations was £3.4 million (IBM Cost of a Data Breach Report, 2024) — a figure that dwarfs the modest cost of achieving and maintaining Cyber Essentials certification.
Control 1: Firewalls and Internet Gateways
Every device that connects to the internet must sit behind a properly configured firewall. This applies to the network firewall at the office boundary, the software firewalls on individual devices (Windows Firewall, macOS firewall), and the firewalls on home routers used by remote workers. The scope expanded significantly with the Montpellier update to include home worker environments, reflecting the shift to hybrid working patterns.
Checklist Items
- Enable the firewall on all internet-facing routers, switches, and access points
- Enable the software firewall on every endpoint — laptops, desktops, and servers
- Block all inbound connections by default; only permit those explicitly required for business purposes
- Document which inbound ports and services are open, and the business justification for each
- Change all default administrator passwords on network equipment — routers, firewalls, switches, and wireless access points
- Disable remote management interfaces on network equipment unless specifically required (and if required, restrict access to authorised IP addresses)
- Review firewall rules at least annually and remove any that are no longer needed
- For remote workers: confirm that home router firewalls are enabled and that default credentials have been changed
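The rule-review items above are easiest to apply consistently if the firewall configuration is exported and checked by script rather than by eye. The following is an added example written for this checklist (it is not AMVIA's code and does not use any vendor's real export format): it assumes the inbound rules have been transcribed into the simple records shown, takes an assumed set of ports used by the device's own admin interface, and runs the checks over a constructed sample of a provider-installed router that was never reconfigured.

```python
"""Firewall rule review for Cyber Essentials Control 1.

Added example for this checklist, not AMVIA's code. It assumes the firewall
rules have been exported into the records below; the sample export is
constructed, not taken from a real device.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

REVIEW_INTERVAL_DAYS = 365              # checklist: review rules at least annually
MANAGEMENT_PORTS = {22, 23, 443, 8443}  # assumed ports of the device's own admin interface
ASSESSMENT_DATE = date(2025, 6, 1)      # constructed review date


@dataclass
class InboundRule:
    name: str
    port: int
    protocol: str
    action: str                # "allow" or "block"
    source: str                # "any" or an address range such as "203.0.113.0/24"
    justification: str         # business reason recorded for the rule ("" if none)
    last_reviewed: Optional[date]


@dataclass
class FirewallExport:
    device: str
    default_inbound: str       # profile default action: "allow" or "block"
    default_credentials: bool  # True if the admin password is still the factory default
    rules: List[InboundRule]


def review_firewall(fw: FirewallExport, today: date) -> List[str]:
    """Return one finding per checklist failure; an empty list means the export is clean."""
    findings: List[str] = []
    if fw.default_inbound != "block":
        findings.append(f"{fw.device}: default inbound action is '{fw.default_inbound}', must be 'block'")
    if fw.default_credentials:
        findings.append(f"{fw.device}: administrator password is still the factory default")
    for rule in fw.rules:
        if rule.action != "allow":
            continue  # block rules need no business justification
        if not rule.justification.strip():
            findings.append(f"{fw.device}: allow rule '{rule.name}' ({rule.protocol}/{rule.port}) has no business justification")
        if rule.port in MANAGEMENT_PORTS and rule.source == "any":
            findings.append(f"{fw.device}: management port {rule.port} in rule '{rule.name}' is reachable from any address; restrict to authorised addresses or disable")
        if rule.last_reviewed is None or (today - rule.last_reviewed).days > REVIEW_INTERVAL_DAYS:
            findings.append(f"{fw.device}: rule '{rule.name}' has not been reviewed in the last {REVIEW_INTERVAL_DAYS} days")
    return findings


# Constructed sample export: a provider-installed router that was never reconfigured
SAMPLE_EXPORT = FirewallExport(
    device="office-router",
    default_inbound="block",
    default_credentials=True,
    rules=[
        InboundRule("vpn", 1194, "udp", "allow", "any", "Remote worker VPN", date(2025, 3, 1)),
        InboundRule("legacy-ftp", 21, "tcp", "allow", "any", "", date(2023, 6, 1)),
        InboundRule("admin-ui", 443, "tcp", "allow", "any", "Router admin console", date(2025, 3, 1)),
        InboundRule("drop-smb", 445, "tcp", "block", "any", "", None),
    ],
)

# Constructed export with a single justified, recently reviewed rule
CLEAN_EXPORT = FirewallExport(
    device="branch-router",
    default_inbound="block",
    default_credentials=False,
    rules=[InboundRule("vpn", 1194, "udp", "allow", "any", "Remote worker VPN", date(2025, 5, 1))],
)

if __name__ == "__main__":
    for finding in review_firewall(SAMPLE_EXPORT, ASSESSMENT_DATE):
        print("FINDING:", finding)
```

Run against the sample export this produces four findings: the factory-default password, the undocumented FTP rule, the same rule's two-year-old review date, and the admin console exposed to any source address. Each finding maps directly to one checklist line, which is what an assessor will want to see evidence for.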
Common Pitfall
Default passwords on network equipment are one of the most frequent reasons businesses fail Cyber Essentials. Many office routers and firewalls are installed by broadband providers and never reconfigured. Check every piece of network equipment — including switches, wireless access points, and any IoT devices — and change any credentials that are still set to factory defaults.
Control 2: Secure Configuration
Devices and software must be configured to reduce the attack surface — minimising the number of ways an attacker could potentially gain access. This means removing or disabling unnecessary software, services, and features, and ensuring that devices are configured with security-conscious defaults before being deployed to users.
Checklist Items
- Remove or disable software and applications that are not required for business purposes from all devices
- Disable auto-run and auto-play features for removable media (USB drives, external hard drives)
- Disable macros in Microsoft Office applications unless specifically required by the business — and if required, restrict macro execution to signed or trusted macros only
- Apply a password policy requiring a minimum of eight characters (twelve or more is recommended by the NCSC)
- Configure screen lock on all devices to activate after no more than fifteen minutes of inactivity
- Ensure all default user accounts are disabled or removed before devices are deployed
- Use separate administrator accounts for administrative tasks — never use an admin account for day-to-day activities like email or web browsing
- Configure web browsers to block known malicious websites and prevent automatic execution of downloaded files
Common Pitfall
The administrator account separation requirement catches many businesses. If your IT administrator uses the same account for managing servers and reading email, this does not meet the Cyber Essentials standard. Administrative accounts must be dedicated to administrative tasks only, with a separate standard account used for everyday work.
Control 3: User Access Control
Access to systems and data must follow the principle of least privilege — each user should have only the access they need to perform their specific role, and no more. This limits the damage an attacker can do if they compromise a single account, and reduces the risk of accidental data exposure by employees accessing systems they do not need.
Checklist Items
- Audit all user accounts across all systems — remove or disable accounts that are no longer needed (former employees, temporary contractors, test accounts)
- Ensure standard user accounts do not have local administrator privileges — users should not be able to install software or modify system settings without authorisation
- Use administrator accounts only for administrative tasks — never for email, web browsing, or day-to-day work
- Enable multi-factor authentication (MFA) on all cloud services where it is available — including Microsoft 365, Google Workspace, and any SaaS applications
- Implement a documented process for granting, reviewing, and revoking access when employees join, change roles, or leave the organisation
- Review user access rights at least annually to ensure they remain appropriate for each user's current role
- Disable or remove guest and default accounts on all systems
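An account audit of this kind is a join between the identity exports of each system and the leaver list from HR. The following is an added example written for this checklist (not AMVIA's code and not tied to any directory's real export format): it assumes accounts have been collected into the record shape shown, and the five sample accounts are constructed.

```python
"""User access audit for Cyber Essentials Control 3.

Added example for this checklist, not AMVIA's code. It assumes the accounts
from each system have been exported into the records below; the sample
accounts are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ACCESS_REVIEW_DAYS = 365            # checklist: review access rights at least annually
ASSESSMENT_DATE = date(2025, 6, 1)  # constructed audit date


@dataclass
class Account:
    username: str
    kind: str                     # "standard", "admin", "guest" or "service"
    enabled: bool
    local_admin: bool             # holds local administrator rights on endpoints
    has_mailbox: bool             # admin accounts should not carry email
    mfa_enabled: Optional[bool]   # None when the system offers no MFA at all
    leaving_date: Optional[date]  # taken from HR data when the person has left
    last_access_review: Optional[date]


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant username to its list of findings."""
    findings: Dict[str, List[str]] = {}

    def add(user: str, message: str) -> None:
        findings.setdefault(user, []).append(message)

    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already out of reach
        if acct.leaving_date is not None and acct.leaving_date <= today:
            add(acct.username, "leaver's account is still enabled")
        if acct.kind == "guest":
            add(acct.username, "guest account is enabled")
        if acct.kind == "standard" and acct.local_admin:
            add(acct.username, "standard user holds local administrator rights")
        if acct.kind == "admin" and acct.has_mailbox:
            add(acct.username, "admin account has a mailbox; use a separate standard account for email")
        if acct.mfa_enabled is False:
            add(acct.username, "MFA is available but not enabled")
        if acct.last_access_review is None or (today - acct.last_access_review).days > ACCESS_REVIEW_DAYS:
            add(acct.username, f"access rights not reviewed in the last {ACCESS_REVIEW_DAYS} days")
    return findings


# Constructed sample export: one clean user, one leaver with admin rights and no
# MFA, an admin who reads email with the admin account, a live guest account and
# a disabled service account.
SAMPLE_ACCOUNTS = [
    Account("alice", "standard", True, False, True, True, None, date(2025, 1, 15)),
    Account("bob", "standard", True, True, True, False, date(2025, 4, 30), date(2024, 2, 1)),
    Account("it-admin", "admin", True, True, True, True, None, date(2025, 1, 15)),
    Account("guest", "guest", True, False, False, None, None, None),
    Account("svc-backup", "service", False, True, False, None, None, None),
]

if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS, ASSESSMENT_DATE).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

The `mfa_enabled` field is deliberately three-valued: `None` records that the system offers no MFA, which is the only case the scheme accepts, while `False` is a failure. Keeping that distinction in the export avoids marking legacy systems as non-compliant for a control they cannot implement.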
Common Pitfall
MFA is now a requirement under the updated Cyber Essentials scheme wherever it is available. Businesses that have not enabled MFA on Microsoft 365 or other cloud platforms will fail. This is one of the most impactful controls you can implement — it blocks the vast majority of credential-based attacks, even when passwords have been compromised through phishing or data breaches.
Control 4: Malware Protection
All devices in scope must have active protection against malware. The scheme accepts three approaches: antivirus software with real-time scanning, endpoint detection and response (EDR) tools with behavioural analysis, or application allowlisting that prevents any unauthorised software from running. For most businesses, antivirus or EDR is the practical choice.
Checklist Items
- Install reputable antivirus or EDR software on every device in scope — laptops, desktops, and servers
- Enable real-time scanning so that files are checked when they are opened, downloaded, or executed
- Configure automatic updates for malware definitions — for Cyber Essentials Plus, definitions must be updated within 24 hours of release
- Enable cloud-delivered protection if available (Microsoft Defender for Business and other modern tools use cloud intelligence for faster detection of new threats)
- Configure email scanning to detect malicious attachments before they reach users' inboxes
- Ensure malware protection cannot be disabled by standard users — only administrators should be able to modify security software settings
- Consider managed EDR for continuous monitoring — 55,995 Cyber Essentials certifications were issued in 2025 (NCSC), and businesses with managed endpoint protection pass more consistently
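The Control 2 (secure configuration) and Control 4 (malware protection) items are all per-device settings, so one baseline check covers both. The following is an added example written for this checklist (not AMVIA's code, and not the configuration schema of Defender, Intune or any other product): it assumes each endpoint's settings have been gathered into the record shown, uses the 15-minute lock, 8-character minimum and 24-hour definition age from the checklist, and runs over two constructed endpoints, one compliant and one failing every item.

```python
"""Endpoint baseline check covering Control 2 (secure configuration) and
Control 4 (malware protection).

Added example, not AMVIA's code or any vendor's. It assumes each endpoint's
settings have been collected into the record below by a management tool or
script; the two sample endpoints are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

MAX_SCREEN_LOCK_MINUTES = 15
MIN_PASSWORD_LENGTH = 8
MAX_DEFINITION_AGE = timedelta(hours=24)      # Cyber Essentials Plus expectation
ASSESSMENT_TIME = datetime(2025, 6, 1, 9, 0)  # constructed check time


@dataclass
class EndpointSettings:
    hostname: str
    screen_lock_minutes: int        # 0 means the screen never locks
    autorun_enabled: bool           # auto-run/auto-play for removable media
    office_macros: str              # "disabled", "signed_only" or "enabled"
    min_password_length: int
    default_accounts_enabled: bool  # vendor/default accounts still active
    realtime_scanning: bool
    cloud_protection: bool
    definitions_updated: datetime   # last malware definition update
    users_can_disable_av: bool      # standard users able to switch protection off


def check_endpoint(ep: EndpointSettings, now: datetime) -> List[str]:
    """Return the checklist items this endpoint fails (empty list = compliant)."""
    issues: List[str] = []
    if ep.screen_lock_minutes == 0 or ep.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        issues.append(f"screen lock must trigger within {MAX_SCREEN_LOCK_MINUTES} minutes (set to {ep.screen_lock_minutes})")
    if ep.autorun_enabled:
        issues.append("auto-run/auto-play for removable media is enabled")
    if ep.office_macros == "enabled":
        issues.append("Office macros run unrestricted; disable or limit to signed macros")
    if ep.min_password_length < MIN_PASSWORD_LENGTH:
        issues.append(f"password minimum length {ep.min_password_length} is below {MIN_PASSWORD_LENGTH}")
    if ep.default_accounts_enabled:
        issues.append("default accounts are still enabled")
    if not ep.realtime_scanning:
        issues.append("real-time malware scanning is off")
    if not ep.cloud_protection:
        issues.append("cloud-delivered protection is off")
    if now - ep.definitions_updated > MAX_DEFINITION_AGE:
        issues.append(f"malware definitions older than 24 hours (last updated {ep.definitions_updated:%Y-%m-%d %H:%M})")
    if ep.users_can_disable_av:
        issues.append("standard users can disable malware protection")
    return [f"{ep.hostname}: {msg}" for msg in issues]


# Constructed sample endpoints
LAPTOP_01 = EndpointSettings(
    "LAPTOP-01", 10, False, "signed_only", 12, False,
    True, True, ASSESSMENT_TIME - timedelta(hours=2), False,
)
LAPTOP_02 = EndpointSettings(
    "LAPTOP-02", 30, True, "enabled", 6, True,
    False, False, datetime(2025, 5, 29, 9, 0), True,
)

if __name__ == "__main__":
    for ep in (LAPTOP_01, LAPTOP_02):
        for issue in check_endpoint(ep, ASSESSMENT_TIME):
            print("FAIL", issue)
```

Note that `"signed_only"` for macros passes: the checklist permits macros where there is a business need as long as execution is restricted to signed or trusted macros, so the check only fails the unrestricted setting.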
Common Pitfall
Relying on Windows Defender in its default consumer configuration is insufficient for many businesses. Windows Defender is acceptable for Cyber Essentials, but it must be properly configured — real-time protection enabled, cloud-delivered protection active, and automatic sample submission turned on. Microsoft Defender for Business (included in M365 Business Premium) provides significantly stronger protection with EDR capability and centralised management.
Control 5: Patch Management (Security Update Management)
Unpatched software is one of the most commonly exploited attack vectors. Operating systems, web browsers, plugins, and applications must all be kept up to date with security patches. The Cyber Essentials standard sets specific timeframes for patch application and requires the removal of software that is no longer supported by the vendor.
Checklist Items
- Enable automatic updates on all operating systems — Windows, macOS, iOS, Android
- Apply high-risk and critical security patches within 14 days of release — this is a firm requirement, not a guideline
- Update web browsers automatically — Chrome, Edge, Firefox, and Safari should all be set to update without user intervention
- Maintain an inventory of all software installed across your organisation — you cannot patch what you do not know you have
- Remove any software that is no longer receiving security updates from the vendor (end-of-life software) — this includes older versions of Windows (Windows 7, Windows 8.1), unsupported versions of Office, and any third-party applications that have reached end of support
- For businesses using Microsoft 365 and Intune, configure compliance policies that flag devices with outstanding patches and block non-compliant devices from accessing business data
- Test patches in a limited deployment before rolling out to all devices, where business-critical applications are in use
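The 14-day window and the end-of-life rule are both date arithmetic over the software inventory, which is why the inventory item above matters so much. The following is an added example written for this checklist (not AMVIA's code): it assumes an inventory and a list of vendor advisories in the record shapes shown, compares versions numerically rather than as strings, and runs over a constructed inventory and constructed advisories (the version numbers, release dates and support-end dates are sample values, not real vendor data).

```python
"""Patch window and end-of-life check for Cyber Essentials Control 5.

Added example for this checklist, not AMVIA's code. It assumes a software
inventory and a list of vendor advisories in the record shapes below; the
sample inventory, advisories and support-end dates are constructed, not
real vendor data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_WINDOW_DAYS = 14                        # high/critical fixes within 14 days
IN_WINDOW_SEVERITIES = {"critical", "high"}   # severities the 14-day rule applies to
ASSESSMENT_DATE = date(2025, 6, 1)            # constructed assessment date


def parse_version(text: str) -> Tuple[int, ...]:
    """'124.0.5' -> (124, 0, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Advisory:
    software: str
    fixed_version: str
    severity: str          # "critical", "high", "medium" or "low"
    released: date


@dataclass
class InstalledSoftware:
    device: str
    software: str
    version: str
    support_ends: Optional[date]   # None = vendor has not announced an end date


@dataclass
class Finding:
    device: str
    software: str
    status: str     # "eol", "overdue" or "due"
    detail: str


def patch_findings(inventory: List[InstalledSoftware], advisories: List[Advisory],
                   today: date) -> List[Finding]:
    """Flag end-of-life software and unapplied high/critical fixes, with days remaining or overdue."""
    findings: List[Finding] = []
    for item in inventory:
        if item.support_ends is not None and item.support_ends <= today:
            findings.append(Finding(item.device, item.software, "eol",
                                    f"vendor support ended {item.support_ends}; remove or replace"))
        installed = parse_version(item.version)
        for adv in advisories:
            if adv.software != item.software or adv.severity not in IN_WINDOW_SEVERITIES:
                continue
            if installed >= parse_version(adv.fixed_version):
                continue  # fix already applied
            age = (today - adv.released).days
            if age > PATCH_WINDOW_DAYS:
                findings.append(Finding(item.device, item.software, "overdue",
                                        f"{adv.severity} fix {adv.fixed_version} released {age} days ago, "
                                        f"outside the {PATCH_WINDOW_DAYS}-day window"))
            else:
                findings.append(Finding(item.device, item.software, "due",
                                        f"{adv.severity} fix {adv.fixed_version} must be applied "
                                        f"within {PATCH_WINDOW_DAYS - age} days"))
    return findings


# Constructed advisories and inventory (sample values only)
ADVISORIES = [
    Advisory("Chrome", "125.0.0", "critical", date(2025, 5, 10)),
    Advisory("Office", "16.0.17000", "high", date(2025, 5, 25)),
    Advisory("Chrome", "124.0.0", "medium", date(2025, 4, 1)),   # not in the 14-day rule
]
INVENTORY = [
    InstalledSoftware("PC-01", "Chrome", "124.0.5", None),
    InstalledSoftware("PC-01", "Office", "16.0.16000", None),
    InstalledSoftware("PC-01", "LegacyOS", "6.1", date(2020, 1, 14)),
    InstalledSoftware("PC-02", "Chrome", "125.0.1", None),
    InstalledSoftware("PC-02", "Office", "16.0.17001", None),
]

if __name__ == "__main__":
    for f in patch_findings(INVENTORY, ADVISORIES, ASSESSMENT_DATE):
        print(f"{f.device} {f.software} [{f.status}]: {f.detail}")
```

The "due" status is the useful one for day-to-day operation: a fix that is still inside the window is not yet a failure, but the countdown tells you when it becomes one, which is what a compliance policy in Intune or a similar tool is effectively tracking.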
Common Pitfall
End-of-life software is the most common cause of Cyber Essentials failure. Any device running an unsupported operating system, an outdated browser, or software that no longer receives security patches will fail the assessment. Conduct a thorough audit before beginning the certification process — AMVIA's Cyber Essentials readiness assessment identifies these issues before they cause a failed submission.
Beyond the Five Controls: Additional Readiness Tips
Scope Definition
Before beginning the assessment, clearly define the scope — which devices, networks, and cloud services are included. The scope for Cyber Essentials includes all devices that can access business data and all internet-connected infrastructure. Getting the scope right from the start avoids confusion during the assessment and ensures no devices are overlooked.
Backup and Recovery
While not one of the five Cyber Essentials controls, backup is your last line of defence against ransomware. Follow the 3-2-1 rule: three copies of data, on two different media types, with one stored offsite or in the cloud. Test your backups regularly — an untested backup is not a reliable backup. Only 14% of UK businesses have a formal incident response plan (DSIT Cyber Security Breaches Survey 2025), and backup recovery procedures are a critical component of any such plan.
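The 3-2-1 rule is a small set of countable conditions, so it can be checked the same way as the five controls. The following is an added example written alongside this guide (not AMVIA's code): it assumes each copy of a dataset is described by the record shown, counts the live production copy as one of the three (the usual reading of the rule), takes "regularly" to mean a restore test at least every 90 days as an assumption, and runs over two constructed backup sets.

```python
"""3-2-1 backup check.

Added example, not AMVIA's code. It assumes each copy of a dataset is
described by the record below; the sample copies, dates and the 90-day
restore-test interval are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

RESTORE_TEST_DAYS = 90              # assumed: "regularly" taken as at least quarterly
ASSESSMENT_DATE = date(2025, 6, 1)  # constructed review date


@dataclass
class DataCopy:
    location: str
    media: str        # e.g. "disk", "tape", "cloud"
    offsite: bool     # stored away from the primary site, or in the cloud


@dataclass
class BackupSet:
    dataset: str
    copies: List[DataCopy]             # includes the live production copy
    last_restore_test: Optional[date]  # None if a restore has never been tested


def check_321(bs: BackupSet, today: date) -> List[str]:
    """Return the 3-2-1 conditions this dataset fails, plus restore-test staleness."""
    issues: List[str] = []
    if len(bs.copies) < 3:
        issues.append(f"only {len(bs.copies)} copies; the rule needs three")
    media_types = {c.media for c in bs.copies}
    if len(media_types) < 2:
        issues.append(f"all copies on one media type ({', '.join(sorted(media_types))}); need two")
    if not any(c.offsite for c in bs.copies):
        issues.append("no offsite or cloud copy")
    if bs.last_restore_test is None:
        issues.append("restore has never been tested")
    elif (today - bs.last_restore_test).days > RESTORE_TEST_DAYS:
        issues.append(f"last restore test on {bs.last_restore_test} is older than {RESTORE_TEST_DAYS} days")
    return [f"{bs.dataset}: {msg}" for msg in issues]


# Constructed sample backup sets
FINANCE_SHARE = BackupSet(
    "finance-share",
    [
        DataCopy("file-server", "disk", False),     # live production copy
        DataCopy("office-nas", "disk", False),      # nightly local backup
        DataCopy("cloud-backup", "cloud", True),    # offsite copy
    ],
    last_restore_test=date(2025, 5, 1),
)
CRM_DB = BackupSet(
    "crm-db",
    [
        DataCopy("db-server", "disk", False),
        DataCopy("office-nas", "disk", False),
    ],
    last_restore_test=None,
)

if __name__ == "__main__":
    for bs in (FINANCE_SHARE, CRM_DB):
        for issue in check_321(bs, ASSESSMENT_DATE) or [f"{bs.dataset}: OK"]:
            print(issue)
```

The `crm-db` set is the common SME pattern that looks like a backup but is not one for ransomware purposes: two copies, both on disk, both on the same network, and never restored. Each of those is a separate line in the output so it is clear which property is missing.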
Staff Security Awareness Training
The majority of successful cyberattacks begin with human error — typically a phishing email that tricks an employee into clicking a malicious link or entering credentials on a fake login page. Regular security awareness training, combined with simulated phishing exercises, builds the habits needed to spot and report suspicious activity. While not required for Cyber Essentials certification, staff awareness significantly reduces the likelihood of the incidents that Cyber Essentials controls are designed to contain.
How AMVIA Helps Businesses Through the Checklist
AMVIA works with UK SMEs to assess their current security posture against every item on this checklist, identify gaps, and implement the technical changes required for Cyber Essentials certification. Our readiness assessment provides a detailed gap analysis before the formal process begins, so there are no surprises during assessment. We handle the remediation, prepare the submission, and manage the relationship with the certification body — typically achieving certification within four to six weeks for SMEs. Our managed service then ensures the five controls remain in place throughout the year, so your annual renewal is straightforward. Contact AMVIA on 0333 733 8050 to start your Cyber Essentials journey.
Frequently Asked Questions
The leading failure points are end-of-life software still installed on devices, critical patches not applied within the mandatory 14-day window, standard user accounts retaining administrator privileges, and default passwords left unchanged on routers and firewalls. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025), so missing MFA on cloud services is another frequent cause of failed submissions.
Most UK SMEs work through the checklist and achieve certification within four to six weeks. The timeline depends on the number of gaps found during a readiness assessment — organisations with well-managed IT may need only minor adjustments, whilst those running unpatched or unsupported software require more remediation time before the questionnaire can be submitted.
Yes. Since the Montpellier update, every device that accesses business data falls within scope — including home laptops, routers, and cloud services used by remote staff. Home router firewalls must be enabled with default credentials changed, and personal devices must meet all five controls. With 43% of UK businesses experiencing a breach or attack in 2025 (DSIT 2025), remote endpoints cannot be excluded.