🛡️ Cyber Essentials Checklist

Comprehensive assessment tool for the five key controls

🔥 Firewalls

Boundary firewalls configured correctly (Common Oversight)
All internet-facing connections protected by properly configured boundary firewalls
⚠️ Common Mistake: Organizations often forget about home workers' broadband routers or secondary internet connections (like 4G backup links). Every connection to the internet needs firewall protection, not just the main office connection.
Default passwords changed on all network devices
Router, firewall, and switch default credentials have been replaced
Firewall rules documented and reviewed (Critical)
All firewall rules have business justification and are regularly reviewed
⚠️ Critical Issue: Many organizations have "allow any" rules or legacy rules from years ago that no one remembers. Document why each rule exists and when it was last reviewed. Remove unnecessary rules.
Remote access properly secured
VPN or equivalent secure remote access solution in place
Guest Wi-Fi segregated from corporate network
Visitor wireless access is isolated from business systems

⚙️ Secure Configuration

Unnecessary applications removed (Common Oversight)
Default and unused software uninstalled from all devices
⚠️ Often Missed: New computers come with bloatware and trial software. Printer software often includes unnecessary utilities. Remove everything users don't actively need; each application is a potential attack vector.
Autorun/AutoPlay disabled (Critical)
Automatic execution of removable media prevented
⚠️ Major Risk: Many organizations forget to disable AutoRun on Windows devices. This is a primary method for malware to spread via USB drives. Check all devices, especially field laptops and industrial systems.
Web browsers configured securely
Browser security settings applied and unnecessary plugins removed
Application whitelisting considered
Policy on which applications can be installed and run
Configuration baseline documented (Common Oversight)
Standard secure configuration documented for each device type
⚠️ Documentation Gap: Many organizations pass the technical controls but fail because they can't prove what their baseline configuration is. Document your standard build, even if it's a simple checklist.

👤 User Access Control

Administrator accounts properly controlled (Critical)
Admin rights restricted to necessary users only, separate from daily accounts
⚠️ Biggest Failure Point: Users having local admin rights is the #1 reason for Cyber Essentials (CE) failures. Standard users should NOT be administrators on their own machines. IT staff should have separate admin accounts for privileged tasks.
Guest and default accounts disabled (Common Oversight)
All guest accounts and default user accounts removed or disabled
⚠️ Easy to Miss: Windows "Guest" account should be disabled. Also check for default accounts on servers, databases, printers, and network equipment. These are often overlooked.
Account password policy enforced
Strong password requirements (minimum 8 characters, complexity) enforced
Unique accounts for each user
No shared accounts, all access is individually attributable
Account lockout policy configured
Accounts temporarily lock after multiple failed login attempts

🦠 Malware Protection

Anti-malware on all devices (Common Oversight)
Up-to-date anti-malware protection installed on all computers and mobile devices
⚠️ Don't Forget: Includes laptops used from home, tablets, and smartphones used for work email. If it accesses company data, it needs protection. Also check test/development machines and that old laptop in the cupboard.
Automatic definition updates enabled
Anti-malware signatures update automatically and frequently
Protection cannot be disabled by users (Critical)
Standard users cannot turn off or uninstall anti-malware software
⚠️ Common Failure: Users often disable antivirus because it's "slowing down their computer" or blocking something they want. Protection must be centrally managed and tamper-proof for standard users.
Regular scans scheduled
Full system scans occur automatically at least weekly
Anti-malware alerts monitored
Process in place to respond to malware detection alerts

🔄 Patch Management

Operating system patches applied within 14 days (Critical)
All critical OS security updates installed within 14 days of release
⚠️ Strict Requirement: This is non-negotiable for Cyber Essentials. Home workers and field devices are often missed. Remote/dormant devices still count: if they connect to your network, they must be patched within 14 days.
Application security patches applied within 14 days (Common Oversight)
Software updates for browsers, Office, Adobe, Java, etc. applied within 14 days
⚠️ Often Forgotten: Organizations focus on Windows Update but forget about third-party software. Adobe Reader, Java, browsers, and other applications need patching too. Document your patching process for ALL software.
Unsupported software removed or isolated
End-of-life products (like Windows 7) removed or properly segregated
Automatic updates enabled where possible
Automatic update features turned on for OS and key applications
Patch management process documented (Common Oversight)
Written procedure for identifying, testing, and deploying patches
⚠️ Documentation Required: You need to show HOW you manage patches. Even if it's "we rely on Windows Update," write it down. Include how you handle exceptions and verify patching compliance.
