Cyber Essentials Checklist for UK Businesses: A Practical Guide
Most businesses that fail their Cyber Essentials assessment do not fail because their security is terrible. They fail because they never checked exactly what the assessment required before submitting.
The industry average first-time pass rate for Cyber Essentials is around 60%. With proper preparation that figure climbs to over 90%.
The difference between the 60% and the 90% is almost always preparation. Specifically, working through a proper checklist before submitting rather than answering the questionnaire and hoping for the best.
This post is that checklist. It covers all five Cyber Essentials controls in plain English, flags the specific areas that catch businesses out most often, explains exactly what evidence you need to provide, recommends specific products for every remediation step and includes Apple-specific guidance for businesses running Mac, iPhone and iPad fleets. Work through each section honestly before you submit and you will know exactly where your gaps are and exactly what to use to close them.
Step one – define your scope before anything else
This is the step most businesses skip. They jump straight into the five controls without first defining what is actually in scope. Scoping incorrectly wastes remediation effort and can cause a failed assessment even when your controls are otherwise solid.
Every device that connects to the internet and can access your business data is in scope. In practice that means:
– All company-owned laptops, desktops, Macs, iPhones and iPads.
– Personal devices used to access work email, Slack, Google Workspace, Microsoft 365 or any other business application, whether through an app or a browser.
– Cloud services your organisation uses.
– Network equipment including routers and firewalls.
– Cloud infrastructure including virtual machines.
What is not in scope:
– Home routers used by remote workers are explicitly out of scope under the current Cyber Essentials requirements. The software firewall on the work device itself covers the home working requirement.
– Printers, smart TVs and IoT devices that do not access business data and sit on a separate, segregated network. If they share the same network as your work devices they are in scope. The practical solution is to put them on a guest or separate VLAN.
Once you have defined your scope, document it. Write down every device category, every cloud service and every user group in scope before you open the questionnaire. The biggest mistake businesses make is answering based on assumption instead of evidence. Most problems come from weak scoping, unclear ownership or answers that do not match the real environment.
The automatic failure points – read these first
Before working through the five controls, understand that certain failures are automatic. A single automatic fail brings down the entire assessment regardless of how well everything else scores.
MFA not enabled on all cloud services – every cloud service your team accesses must require MFA. Not most of them. All of them.
Unsupported operating system on any in-scope device – a single device running an OS no longer supported by the vendor fails the assessment.
Critical patch not applied within 14 days – any device with a critical or high severity update outstanding for more than 14 days fails the patching control.
Admin accounts used for day-to-day work – your team must use separate standard accounts for email, browsing and daily tasks, keeping admin privileges for administration tasks only.
Default credentials still in place – any router, firewall or device still using factory default admin credentials fails immediately.
Check these five points before doing anything else. If any of them apply to your current setup, fix them first.
What Cyber Essentials actually requires
The Cyber Essentials scheme centres around five technical controls that help protect organisations from the most common cyber attacks. The five controls are firewalls, secure configuration, user access control, malware protection and security update management.
The NCSC estimates that Cyber Essentials can help protect against around 80% of common cyber attacks. The controls are deliberately practical rather than exhaustive; they represent the baseline every business should have in place.
The April 2026 update brought specific changes worth noting before you work through the checklist. Greater emphasis on passwordless authentication and MFA in the user access control section, mandatory cloud service scoping and stricter BYOD controls are all reflected below.
Control 1 – Firewalls
The firewall control demands that every device connecting to the internet sits behind a properly configured firewall. This applies to office networks, home working setups and cloud infrastructure.
The checklist:
– Every internet-facing device including routers, firewalls and cloud virtual machines has a firewall enabled.
– You have replaced default admin passwords on all routers, firewalls and switches with strong unique passwords.
– Your firewall rules allow only the traffic your business explicitly needs. You have closed all unnecessary open ports.
– Every device your home workers and remote employees use for work has a software firewall running. Windows Defender Firewall or macOS Application Firewall both satisfy this requirement.
Products to use:
For Mac fleets, the macOS Application Firewall satisfies the requirement. Push it centrally via MDM using a configuration profile rather than relying on users to enable it themselves.
Use Jamf Pro or Iru (formerly Kandji) to push a configuration profile enabling the firewall across every Mac in your fleet simultaneously. Smaller businesses not yet on a full MDM platform should start with Apple Business: it is free and provides the foundation for MDM enrolment with any major platform.
For Windows devices, Windows Defender Firewall is built-in and enforced via Microsoft Intune or Group Policy at no additional cost if you already have Microsoft 365 Business Premium.
For office network routers and firewalls, Cisco Meraki and Ubiquiti UniFi are both widely used by UK SMBs and provide centralised management, clear logging and straightforward configuration for Cyber Essentials compliance evidence.
Evidence you need to provide:
Screenshots showing the firewall is enabled on a representative sample of devices. For MDM-managed fleets this is a compliance report from Jamf, Iru or Intune. Screenshots or configuration exports showing firewall rules on your network perimeter device. For cloud virtual machines, screenshots of security group or network ACL settings.
Where Apple fleets commonly fail this control:
macOS Application Firewall is not enabled by default. Without MDM you have no reliable way to confirm it is on across every device in your fleet.
Control 2 – Secure Configuration
Secure configuration requires that every device and software application is configured to minimise the attack surface. Default settings on new devices are rarely secure.
The checklist:
– All devices have unnecessary software, features and services removed or disabled.
– Default passwords on all devices and applications have been changed.
– Auto-run and auto-play features are disabled where not required.
– All devices use a supported, vendor-maintained operating system. Check which macOS, iOS and iPadOS versions Apple currently supports before submitting.
– Cloud services are configured with security settings enabled. Microsoft 365 tenants with security defaults not enabled and Google Workspace with no password policy enforcement are common failure points.
– Screen lock activates after a maximum of 10 minutes of inactivity on all devices.
Microsoft 365 specific steps:
Go to the Microsoft 365 admin centre. Navigate to Settings, then Org Settings, then Security and Privacy. Enable Security Defaults if you are not using Conditional Access policies. Security Defaults enforces MFA for all users and blocks legacy authentication. Confirm modern authentication is enabled for Exchange Online. Check all admin accounts have MFA enforced separately.
Google Workspace specific steps:
Go to the Google Admin console. Navigate to Security, then Authentication. Enforce MFA for all users, set it to required rather than optional. Go to Security, then Password Management and set minimum password length to 12 characters. Enable account enumeration protection. Under Devices, enable endpoint verification to see which devices are accessing Workspace.
Products to use:
For Mac fleet secure configuration, Jamf Pro and Iru both provide configuration profiles that enforce macOS hardening settings (FileVault encryption, Gatekeeper, automatic login disabled, screen lock) across every device from a single console.
For smaller businesses, Apple Business provides basic MDM management and is designed specifically for businesses under 50 employees. Apple Business (formerly Apple Business Manager) is the foundation every Apple fleet needs regardless of which MDM platform you choose.
For Windows, Microsoft Intune included with Microsoft 365 Business Premium enforces configuration baselines across the Windows fleet. CIS Benchmarks are free and provide the specific hardening settings recommended for Windows and macOS environments.
Evidence you need to provide:
MDM configuration profile export or compliance report. Screenshots of Microsoft 365 Security Defaults or Conditional Access. Screenshots of Google Workspace security settings. Software inventory with version numbers confirming all software is on a supported current version.
Control 3 – User Access Control
This is the control that has changed most significantly in the April 2026 update. The user access control section now places greater emphasis on passwordless authentication and MFA.
The checklist:
– Every user account has the minimum level of access needed for their role. Admin accounts are separate from standard user accounts.
– MFA is enabled on all cloud services accessible from the internet.
– Passwords meet minimum requirements: at least 12 characters, or at least 8 characters where MFA is enforced. Account lockout is configured after a maximum of 10 failed login attempts.
– Privileged admin accounts are not used for email or web browsing.
– Accounts for former employees have been disabled or deleted.
– Guest and default accounts that are not required have been disabled or removed.
Practical MFA audit:
Write down every cloud service your team uses. Go through each one individually and confirm MFA is not just available but actively enforced for all users. Pay particular attention to tools used by finance, HR and senior leadership. Check tools that smaller teams use independently (accounting platforms, HR tools, reporting dashboards) that may sit outside your main SSO umbrella.
Products to use:
Okta is the most widely used identity platform for UK businesses running mixed cloud environments. It enforces MFA centrally across every connected application, automates user provisioning and deprovisioning, and provides a single dashboard for managing access across the entire organisation. When MFA is enforced at the Okta layer, it covers every connected application simultaneously rather than requiring individual MFA configuration in each tool.
Microsoft Entra ID (formerly Azure Active Directory) is the natural choice for businesses running Microsoft 365 and Windows-first environments. Conditional Access policies enforced through Entra ID can require MFA, enforce device compliance and block legacy authentication protocols.
Google Workspace provides built-in MFA enforcement for businesses running Google’s productivity suite. MFA enforced at the Google Workspace admin level covers Gmail, Drive, Meet and all connected Google services.
For businesses not yet on a full identity platform, most individual SaaS applications including Slack, GitHub and Notion have MFA settings in their own admin consoles. The risk is that each one must be checked individually and there is no central reporting. Moving to Okta or Entra ID resolves this at scale.
For password management, 1Password Business provides centralised password management with MFA enforcement and is widely used by UK SMBs for Cyber Essentials compliance.
Evidence you need to provide:
Screenshots confirming MFA is enforced on each cloud service. For Okta or Entra ID this is a screenshot of the MFA policy. For individual applications this means a screenshot of MFA settings in each admin console. A screenshot of your admin account list showing separation from standard accounts. Confirmation that former employee accounts are disabled or deleted.
Where Apple fleets commonly fail this control:
Apple devices managed without MDM often have admin accounts used for day-to-day work. The MFA requirement also catches businesses where some cloud applications sit outside the Okta or Entra ID umbrella.
Control 4 – Malware Protection
This control requires that all devices are protected against malware and that the protection is actively maintained.
The checklist:
– All devices have malware protection installed and running.
– Malware definitions update automatically.
– On-access scanning is enabled — malware protection runs in real time, not just on demand.
– App installation is restricted to approved sources. On Mac, Gatekeeper restricts installation to the App Store and identified developers by default.
For Mac devices, Apple’s built-in XProtect and Malware Removal Tool satisfy the Cyber Essentials baseline requirement at no cost. For businesses wanting dedicated endpoint protection on top of Apple’s built-in tools, here are the three most relevant options:
Jamf Protect is purpose-built for macOS and works natively within the Apple ecosystem. It integrates directly with Jamf Pro, meaning businesses already using Jamf for MDM can extend into endpoint protection without adding a separate management console. Jamf Protect provides real-time threat detection, behavioural analytics and compliance reporting specifically designed around Apple’s security architecture. For Apple-first businesses this is the most natural choice.
CrowdStrike Falcon is an enterprise-grade platform with strong Mac support alongside Windows and Linux. It uses AI-powered threat detection, a single ‘lightweight’ agent across all devices and centralised management through the Falcon console. CrowdStrike is well suited for businesses in regulated sectors or those that need a single endpoint protection platform covering a mixed Mac and Windows fleet.
Microsoft Defender for Business is included with Microsoft 365 Business Premium. It covers Windows devices natively and includes Mac support. If your business already has Microsoft 365 Business Premium, enabling Defender for Business before purchasing a separate endpoint protection tool is the most cost-effective starting point.
Other endpoint protection platforms including Sophos Intercept X and Malwarebytes ThreatDown also support Mac and Windows environments and are worth considering depending on your existing tooling and budget.
Evidence you need to provide:
Screenshots showing malware protection is active on a representative sample of devices. MDM-managed fleets should pull a compliance report from Jamf, Iru or Intune. Windows devices need a screenshot of Windows Security confirming real-time protection is active. On Mac, confirm XProtect is running and Gatekeeper is set to App Store and identified developers.
Where Apple fleets commonly fail this control:
The most common failure is assuming macOS’s built-in protection is sufficient without verifying it is running and configured correctly across every device. On an unmanaged fleet you have no reliable way to confirm this.
Control 5 – Security Update Management
Patching is consistently one of the most common failure points. The April 2026 update enforces 14-day patching: all critical and high severity updates must be applied within 14 days of release.
The checklist:
– All operating systems receive automatic security updates applied within 14 days of release.
– All applications are kept up to date – every application on every device must be on a current supported version.
– Software no longer supported by the vendor has been removed or replaced.
– For cloud services, automatic updates are configured where possible.
– Unsupported operating systems are removed from scope or replaced.
Products to use:
For Mac fleet patching, Jamf Pro and Iru both provide centralised OS and application update management with enforcement policies, deadline-based update prompts and compliance reporting. You can enforce that devices must be running the current macOS version within 14 days of release and report on any devices that have not yet updated. This is the most reliable way to evidence patch compliance for an Apple fleet.
For Windows application patching, beyond Windows Update, Patch My PC is the most widely used third-party patching tool for Windows environments. It integrates directly with Microsoft Intune and SCCM, covering over 1,500 applications and automating the 14-day patch cycle without manual intervention. For SMBs already using Intune this is the most practical way to meet the patching requirement for third-party applications like Chrome, Adobe and Zoom.
Microsoft Intune handles Windows OS patching natively and provides compliance reporting confirming all devices are within the 14-day requirement.
For cloud services running virtual machines on AWS, Azure or Google Cloud, enable automatic patching through each platform’s native tools: AWS Systems Manager Patch Manager, Azure Update Management or Google Cloud OS Patch Management.
Evidence you need to provide:
A report showing patch levels across all in-scope devices. For MDM-managed Apple fleets this is an OS version compliance report from Jamf or Iru. For Windows devices, a patch compliance report from Intune. A software inventory showing all installed applications and version numbers confirming no unsupported software. Evidence that the 14-day patching window has been met across all devices.
Where Apple fleets commonly fail this control:
Without MDM you have no reliable way to enforce or verify that every Apple device is on a current patched version. Staff routinely delay updates. With MDM you can enforce update deadlines and report on compliance centrally.
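Added example (not code from the original guide): a Python check that reads an MDM inventory export and flags the two patching auto-fails described above, an unsupported OS version and a critical or high severity update outstanding for more than 14 days. The inventory rows, the supported-version table and the assessment date are constructed, and treating day 14 itself as still inside the window is an assumption.

```python
"""Check an MDM inventory export against the Cyber Essentials 14-day patching
window and the supported-OS requirement (added example, not the guide's code).
SAMPLE_INVENTORY and SUPPORTED_MAJORS are constructed: in practice the rows come
from your Jamf, Iru or Intune export and the versions from the vendor's support statement."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14

# Assumed (not the vendors' real lists): OS name -> supported major versions.
SUPPORTED_MAJORS = {
    "macOS": {14, 15, 26},
    "iOS": {18, 26},
    "iPadOS": {18, 26},
    "Windows": {11},
}

# Constructed export, one row per in-scope device. pending_critical_update_released
# is the release date of the oldest outstanding critical/high update, or null.
SAMPLE_INVENTORY = """[
  {"name": "mbp-finance-01", "os": "macOS", "version": "15.3.1",
   "pending_critical_update_released": null},
  {"name": "mbp-eng-07", "os": "macOS", "version": "15.2",
   "pending_critical_update_released": "2026-04-01"},
  {"name": "mbp-sales-03", "os": "macOS", "version": "13.7.4",
   "pending_critical_update_released": null},
  {"name": "iphone-ceo", "os": "iOS", "version": "18.4",
   "pending_critical_update_released": "2026-04-02"},
  {"name": "win-finance-02", "os": "Windows", "version": "10.0.19045",
   "pending_critical_update_released": "2026-03-10"}
]"""


@dataclass
class Device:
    name: str
    os: str
    version: str
    pending_released: date | None


@dataclass
class Finding:
    device: str
    failures: list[str]


def parse_inventory(text: str) -> list[Device]:
    """Turn the JSON export into Device rows; dates are ISO strings or null."""
    devices = []
    for row in json.loads(text):
        released = row.get("pending_critical_update_released")
        devices.append(Device(row["name"], row["os"], row["version"],
                              date.fromisoformat(released) if released else None))
    return devices


def major_version(version: str) -> int:
    """'15.3.1' -> 15; a Windows build string like '10.0.19045' -> 10."""
    return int(version.split(".")[0])


def days_overdue(device: Device, today: date) -> int:
    """Days beyond the 14-day window, or 0 if patched or still inside it.
    Day 14 itself counts as inside the window (assumed inclusive deadline)."""
    if device.pending_released is None:
        return 0
    return max(0, (today - device.pending_released).days - PATCH_WINDOW_DAYS)


def audit(devices: list[Device], today: date) -> list[Finding]:
    """One Finding per non-compliant device; an empty list means the control passes."""
    findings = []
    for d in devices:
        failures = []
        if major_version(d.version) not in SUPPORTED_MAJORS.get(d.os, set()):
            failures.append(f"unsupported OS {d.os} {d.version}")
        overdue = days_overdue(d, today)
        if overdue:
            failures.append(f"critical update {overdue} day(s) past the 14-day window")
        if failures:
            findings.append(Finding(d.name, failures))
    return findings


def audit_export(text: str, today_iso: str) -> list[Finding]:
    """Convenience wrapper: JSON export plus the assessment date as an ISO string."""
    return audit(parse_inventory(text), date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Assessment date fixed (constructed) so the report is reproducible.
    for f in audit_export(SAMPLE_INVENTORY, "2026-04-16"):
        print(f"{f.device}: {'; '.join(f.failures)}")
```

Run it on a real export by replacing SAMPLE_INVENTORY with the JSON your MDM produces and SUPPORTED_MAJORS with the vendor's current support list.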
BYOD – the most commonly mishandled scoping question
BYOD is the single most common reason businesses fail Cyber Essentials. The rules are clear but widely misunderstood.
Any device that can access organisational data, including a personal iPhone receiving work email, is in scope and must meet the same five technical controls as a corporate laptop. There are two routes to compliance: enrol BYOD into MDM, or technically prevent BYOD from accessing organisational data at all.
The middle ground most businesses currently operate (personal devices allowed, a policy document in place, no technical controls) does not pass assessment.
Option 1 – Enrol BYOD devices into MDM
Personal iPhones and iPads can be enrolled into MDM with a managed work profile. Modern MDM platforms can create a separate work container on the device. Your organisation can manage the work container without seeing personal photos, messages or browsing history.
Products for this approach: Jamf Pro and Iru both support Apple User Enrolment for BYOD devices, creating a managed partition that keeps work and personal data separate. Microsoft Intune supports BYOD enrolment for iOS, Android and macOS through the Intune Company Portal app.
Option 2 – Technically block BYOD from accessing organisational data
Use Conditional Access policies in Okta, Microsoft Entra ID or Google Workspace to enforce that only enrolled, MDM-managed devices can access business applications. A personal phone cannot reach your corporate tools even with valid credentials.
Products for this approach: Okta with device trust policies. Microsoft Entra ID Conditional Access. Google Workspace Context-Aware Access.
Option 3 – Issue company devices so BYOD does not apply
The cleanest solution. Every employee who accesses business data has a company-owned device enrolled in MDM. No personal devices, no BYOD scope question. Combined with Apple Business Manager zero touch deployment, new devices can be ordered and shipped directly to employees pre-enrolled and compliant.
The 2026 scoping changes you need to understand
Cloud services are mandatory in scope
Every cloud service your organisation uses is in scope and must meet the five controls. For SaaS services like Microsoft 365 and Google Workspace, you are responsible for user access control and configuration settings even though you do not manage the underlying infrastructure.
MFA is mandatory on all cloud services
MFA on every cloud service is not a recommendation. It is an automatic failure point. If any cloud service your team accesses does not require MFA, your assessment will fail regardless of how well the other controls are implemented.
BYOD has tighter requirements
Simply having a BYOD policy document no longer satisfies the requirement. If personal devices access organisational data they must either meet the full Cyber Essentials technical controls or access must be limited to a managed, sandboxed environment. The technical controls must be demonstrable.
Printers, smart devices and IoT
Any printer, smart TV or IoT device connected to the same network as your work devices is potentially in scope. The practical solution is network segmentation – put all non-work devices on a separate VLAN or guest network.
Products for network segmentation:
Ubiquiti UniFi provides VLAN management and guest network isolation suitable for SMBs with straightforward setup. Cisco Meraki provides the same for larger or more complex environments. Most modern business-grade routers including those from Netgear Business and TP-Link Omada support guest network isolation out of the box.
If you cannot segment them, change all default credentials and ensure firmware is up to date.
Apple-specific checklist
For businesses running Mac, iPhone and iPad, here is the Apple-specific verification list on top of the five controls:
– macOS Application Firewall enabled on every Mac via MDM configuration profile.
– FileVault encryption enabled on every Mac – verifiable and reportable via MDM.
– All Macs running a version of macOS Apple currently supports.
– All iPhones and iPads in scope running current iOS or iPadOS.
– Apple Business Manager configured and all devices enrolled in MDM.
– MDM compliance policies active and non-compliant devices flagged automatically.
– Apps installed via MDM or App Store only.
– MFA enforced on all cloud services accessible from Apple devices.
– Admin accounts on Mac separate from standard user accounts.
– Screen lock enforced via MDM configuration profile at 10 minutes or less.
– Gatekeeper set to Mac App Store and identified developers on every Mac.
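Added example (not from the original guide): a Python script that spot-checks a single Mac against the items above that can be read locally, namely firewall state, FileVault, Gatekeeper, supported macOS version, screen-lock timeout and whether the logged-in account is an admin. The command output formats are those of the macOS tools named in the comments; the sample outputs used when not on a Mac are constructed, and the supported-version set is an assumption.

```python
"""Spot-check one Mac against the Apple-specific checklist (added example,
not the guide's code). Output formats are those of the macOS tools named in
the comments; SAMPLE_OUTPUTS is constructed for running off a Mac, and
SUPPORTED_MACOS_MAJORS is an assumption, not Apple's real support list."""
import getpass
import subprocess
import sys

SUPPORTED_MACOS_MAJORS = {14, 15, 26}  # assumption: check Apple's current list
MAX_SCREEN_LOCK_SECONDS = 600           # checklist item: 10 minutes or less

COMMANDS = {
    "firewall": ["/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"],
    "filevault": ["fdesetup", "status"],
    "gatekeeper": ["spctl", "--status"],
    "macos_version": ["sw_vers", "-productVersion"],
    "screen_lock": ["defaults", "-currentHost", "read", "com.apple.screensaver", "idleTime"],
    "admin_members": ["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
}

# Constructed outputs for a partly compliant Mac whose user "alice" is an admin.
SAMPLE_OUTPUTS = {
    "firewall": "Firewall is disabled. (State = 0)\n",
    "filevault": "FileVault is On.\n",
    "gatekeeper": "assessments enabled\n",
    "macos_version": "15.3.1\n",
    "screen_lock": "1200\n",
    "admin_members": "GroupMembership: root alice\n",
}


def firewall_enabled(out: str) -> bool:
    # socketfilterfw --getglobalstate prints "Firewall is enabled. (State = 1)" when on.
    return out.startswith("Firewall is enabled")


def filevault_on(out: str) -> bool:
    # fdesetup status prints "FileVault is On." or "FileVault is Off.".
    return out.startswith("FileVault is On")


def gatekeeper_on(out: str) -> bool:
    # spctl --status prints "assessments enabled" or "assessments disabled".
    # It does not show App Store vs identified-developers; read that from MDM.
    return out.startswith("assessments enabled")


def macos_supported(out: str) -> bool:
    # sw_vers -productVersion prints e.g. "15.3.1".
    major = out.strip().split(".")[0]
    return major.isdigit() and int(major) in SUPPORTED_MACOS_MAJORS


def screen_lock_ok(out: str) -> bool:
    # idleTime is in seconds; 0 means never. An unset key makes `defaults` exit
    # non-zero, so collect() passes "" here and the check fails as well.
    idle = out.strip()
    return idle.isdigit() and 0 < int(idle) <= MAX_SCREEN_LOCK_SECONDS


def standard_user(out: str, user: str) -> bool:
    # dscl prints "GroupMembership: root alice"; the daily account should not appear.
    return user not in out.replace("GroupMembership:", "").split()


def evaluate(outputs: dict, user: str) -> dict:
    """Map each checklist item to True (pass) or False (fail)."""
    return {
        "firewall": firewall_enabled(outputs["firewall"]),
        "filevault": filevault_on(outputs["filevault"]),
        "gatekeeper": gatekeeper_on(outputs["gatekeeper"]),
        "macos_supported": macos_supported(outputs["macos_version"]),
        "screen_lock": screen_lock_ok(outputs["screen_lock"]),
        "standard_user": standard_user(outputs["admin_members"], user),
    }


def collect() -> dict:
    """Run the real commands on a Mac; a failing command yields an empty string."""
    outputs = {}
    for key, cmd in COMMANDS.items():
        r = subprocess.run(cmd, capture_output=True, text=True)
        outputs[key] = r.stdout if r.returncode == 0 else ""
    return outputs


if __name__ == "__main__":
    on_mac = sys.platform == "darwin"
    outputs = collect() if on_mac else SAMPLE_OUTPUTS
    user = getpass.getuser() if on_mac else "alice"
    for item, ok in evaluate(outputs, user).items():
        print(f"{'PASS' if ok else 'FAIL'}  {item}")
```

It reports on the one device it runs on; the MDM compliance report remains the evidence the assessor expects.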
The evidence you need to compile before submitting
Compile this before you open the questionnaire. Answering without evidence to hand leads to guesswork.
Firewall evidence – MDM compliance report confirming firewall enforcement across the fleet. Screenshots of firewall rules on network perimeter devices.
Secure configuration evidence – MDM configuration profile export or compliance report. Screenshots of Microsoft 365 Security Defaults or Conditional Access. Screenshots of Google Workspace security settings. Software inventory with version numbers.
User access control evidence – screenshots confirming MFA is enforced on every cloud service. Admin account list showing separation from standard accounts. Current employee list compared against active user accounts.
Malware protection evidence – MDM compliance report or screenshots confirming malware protection is active on all devices.
Patch management evidence – MDM patch compliance report showing OS versions across all devices. Software inventory confirming no unsupported applications.
BYOD evidence – MDM enrolment report or Conditional Access policy screenshots.
Scope documentation – a written description of what is in scope including device categories, cloud services and user groups.
The submission process
The IASME questionnaire contains around 70 questions across the five technical control families. Most are yes or no with a free-text justification box. The questionnaire takes four to eight hours to complete properly if you have all the evidence to hand.
You register through an IASME-accredited certification body, pay the assessment fee and gain access to the online questionnaire portal. Submit when complete.
The assessor will return up to two rounds of clarifying queries before formally rejecting. Each round gives you five working days to respond. If after the second round the assessor still cannot certify, the application is rejected and you start again.
From registration to certification takes typically two to four weeks for a well-prepared business, or eight to twelve weeks if remediation is required.
Annual renewal
Cyber Essentials certification lasts 12 months. The controls must be maintained continuously and the assessment repeated annually.
The declaration signed as part of the assessment now includes a statement acknowledging the organisation’s responsibility to maintain compliance throughout the certification period.
For businesses running Apple fleets with MDM, maintaining certification between renewals is significantly more manageable because MDM continuously enforces controls rather than requiring manual verification before each annual assessment.
The most common reasons businesses fail
MFA not enabled on all cloud services – one unprotected cloud application fails the whole assessment.
Unsupported software – a legacy application running on an unsupported version nobody has updated.
BYOD not properly scoped – personal devices either not in scope when they should be, or in scope but not meeting the controls.
Admin accounts used for day-to-day work – common on unmanaged Apple fleets.
Patching delays – a device that missed the 14-day window because the user kept deferring the update notification.
Default credentials still in place on a router or network device.
Cloud service configuration gaps – Microsoft 365 or Google Workspace with security defaults not enabled.
A cloud application used by one team that nobody included in the MFA audit.
A worked example – 30-person London fintech running Mac and Google Workspace
The business runs 28 MacBooks, four iPhones and two iPads. Google Workspace is the primary productivity platform. Slack, GitHub, Notion and Xero are connected via Okta SSO. Twelve people are in a London office and sixteen work remotely.
Scope:
All 28 MacBooks, four iPhones, two iPads, Google Workspace, Slack, GitHub, Notion, Xero and all other SaaS applications. Remote worker home routers out of scope. Office router in scope.
Tools in use:
Jamf Pro for Mac MDM, Okta for identity and MFA, Google Workspace for productivity, Jamf Protect for endpoint protection, Patch My PC for Windows application patching on two Windows machines used by the finance team.
Auto-fail audit:
– MFA enforced through Okta for all connected applications – pass.
– All devices on current macOS – pass.
– Jamf patch compliance report showing all devices within 14-day window – pass.
– Admin accounts separate – confirmed via Jamf – pass.
– Office router default credentials changed – pass.
Firewall:
macOS Application Firewall enforced via Jamf configuration profile across all 28 MacBooks. Jamf compliance report confirms 28 of 28 devices compliant.
Secure configuration:
FileVault enabled on all Macs via Jamf. Google Workspace MFA enforced, password policy set to 12 characters, endpoint verification active. Software inventory pulled from Jamf showing all applications on current versions.
User access control:
Okta MFA policy enforced for all users. Individual MFA audit on Xero and Notion confirmed both enforcing MFA via Okta SSO. Former employee account audit, three orphaned Slack accounts identified and removed. Admin accounts confirmed separate via Jamf.
Malware protection:
Jamf Protect active on all Macs, confirmed via dashboard. XProtect and Gatekeeper also active.
Patch management:
Jamf patch compliance report showing all 28 Macs on current macOS. All iPhones and iPads on current iOS and iPadOS. Application inventory from Jamf confirming no unsupported software.
BYOD:
Two team members access Slack on personal iPhones. Both enrolled in Jamf via MDM user enrolment. Jamf compliance report confirms both meet all five controls.
Total remediation before submission:
Three orphaned Slack accounts removed, two personal iPhones enrolled in MDM. Time taken: approximately four hours.
Getting from checklist to certification
Working through this checklist honestly gives you a gap analysis. The next step is remediating those gaps and submitting the IASME self-assessment questionnaire.
For businesses with significant gaps or uncertainty about whether their current setup meets the requirements, working with a specialist before submitting is more cost-effective than failing and resubmitting.
We help UK businesses running Apple fleets work through exactly this process – from initial gap analysis through remediation to certification. Our Cyber Essentials service covers the full journey.
For businesses that have read our Cyber Essentials 2026 guide and want to take the next step, this checklist is the practical companion. If you have also read our cyber insurance guide you will already know that certification is the single most effective way to reduce your cyber insurance premium.
Book a free Cyber Essentials readiness review and find out exactly where you stand before you submit.