Cyber Essentials 2026 Readiness Checklist for SMEs

Cyber Essentials is now a recognised benchmark for UK businesses that want to demonstrate good cyber hygiene, reassure customers, meet supply chain expectations, and prepare for public sector or regulated-sector requirements.

But many SMEs only discover gaps when they begin the assessment — missing MFA, unsupported software, unmanaged devices, weak administrator controls, or unclear cloud security responsibilities.

Use this checklist to assess whether your business is ready for Cyber Essentials or Cyber Essentials Plus in 2026.

Can your business answer “yes” to these key areas?

✔ Assessment Scope

• Have you identified all laptops, desktops, mobiles, tablets and servers used for business?
• Are remote and hybrid working devices included?
• Do any BYOD devices access company data or services?
• Have you listed all cloud services, including email, file storage, CRM, finance and collaboration tools?
• Do you know which systems are managed internally and which are managed by a third party or IT provider?

✔ Firewalls & Internet Gateways

• Is every device protected by a firewall?
• Have default administrator passwords been changed?
• Are unnecessary firewall rules removed?
• Is remote access properly controlled?
• Are unused or insecure services blocked?

✔ Secure Configuration

• Have unnecessary applications, services and accounts been removed?
• Are default settings changed where required?
• Are laptops, desktops, mobiles, servers and cloud services securely configured?
• Are administrator accounts limited to those who genuinely need them?
• Are configuration standards reviewed regularly?

✔ Security Update Management

• Are all operating systems and applications still supported?
• Are critical and high-risk updates applied promptly?
• Are unsupported devices or applications removed or replaced?
• Are updates managed across remote and hybrid working devices?
• Is there a clear process for checking patch compliance?

✔ User Access Controls

• Are user accounts reviewed regularly?
• Are leavers removed promptly?
• Are inactive or unused accounts disabled?
• Do users only have access to what they need?
• Are administrator privileges tightly controlled?

✔ Multi-Factor Authentication

• Is MFA enabled for email accounts?
• Is MFA enabled across cloud services such as Microsoft 365, Google Workspace, CRM, file sharing and finance platforms?
• Are administrator accounts protected with MFA?
• Are shared accounts avoided wherever possible?
• Have you checked whether any cloud service requires a licence upgrade to enable MFA?

✔ Malware Protection

• Is endpoint protection active across all devices?
• Are anti-malware tools kept up to date?
• Are laptops, desktops and remote devices protected?
• Are alerts monitored and acted on?
• Are mobile and cloud environments considered where relevant?

Preparing for Cyber Essentials Plus

Cyber Essentials Plus goes beyond the self-assessment and includes independent technical verification of your controls. Before booking Cyber Essentials Plus, your organisation should check that:

• Devices are patched and ready for testing
• Unsupported software has been removed
• Malware protection is active and updated
• MFA is enabled where required
• Remote and hybrid devices are included in preparation
• Vulnerability issues are reviewed before assessment day
• Internal teams know what access and evidence may be needed