Cyber Essentials Checklist 2025: Everything Your Business Needs

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.

Cybersecurity Checklist for UK SMEs

This checklist is designed for UK small and medium-sized businesses that want to establish a strong cybersecurity baseline. It combines the five controls required for Cyber Essentials certification with additional best-practice measures recommended by the NCSC (National Cyber Security Centre). Working through this list systematically will protect your business against the vast majority of common, untargeted cyber attacks.

The 5 Cyber Essentials Controls

1. Firewalls

Every device that connects to the internet should sit behind a properly configured firewall. This means your internet router's built-in firewall must be enabled, unnecessary services and ports must be closed, and default administrator passwords must be changed. For organisations with servers or complex networks, a business-grade firewall appliance with active management is recommended.

  • Enable firewall on all internet-facing routers and devices
  • Block all inbound connections that are not explicitly required
  • Change all default passwords on network equipment
  • Review firewall rules at least annually

2. Secure Configuration

Devices and software should be configured to reduce the attack surface. The NCSC recommends removing or disabling software and services that are not needed, changing default credentials, and disabling auto-run features that can be exploited by malicious media.

  • Remove unused software and applications from all devices
  • Disable features such as macros in Office unless required
  • Apply password policies requiring a minimum of 8 characters (12+ recommended)
  • Use a unique administrator account separate from day-to-day user accounts

3. User Access Control

Limit access to systems and data to only those who need it. Standard users should not have administrator rights. When an employee leaves, their accounts must be disabled immediately. The principle of least privilege reduces the damage an attacker can do if they gain access to one account.

  • Audit all user accounts and remove those that are no longer needed
  • Ensure administrator accounts are only used for administrative tasks
  • Enable multi-factor authentication (MFA) on all cloud services and remote access
  • Review access rights when employees change roles

4. Malware Protection

All devices must have active malware protection in place. Modern endpoint detection and response (EDR) tools go well beyond traditional antivirus, using behavioural analysis to detect threats that have never been seen before. The NCSC accepts reputable antivirus tools for basic Cyber Essentials, but managed EDR provides significantly stronger protection.

  • Install and keep updated antivirus or EDR software on all devices
  • Enable real-time scanning
  • Configure automatic malware definition updates
  • Consider managed EDR for 24/7 threat monitoring

5. Patch Management

Unpatched software is one of the most common entry points for attackers. Operating systems, browsers, and applications must be kept up to date. The NCSC recommends applying high-risk patches within 14 days and enabling automatic updates where possible.

  • Enable automatic updates on all operating systems
  • Apply security patches within 14 days of release
  • Remove software that is no longer receiving security updates
  • Maintain an inventory of software in use across your organisation
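To make the 14-day patch window and the software inventory concrete, here is a small Python check added as an example (it is not AMVIA's or the NCSC's code). It runs over a constructed inventory, flags patches that are past the 14-day window, and separates out software the vendor no longer supports; the inventory entries and the "as of" date are assumed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cyber Essentials window cited in the checklist: high-risk patches within 14 days.
PATCH_WINDOW_DAYS = 14


@dataclass
class InventoryItem:
    name: str
    installed_version: str
    latest_version: str
    patch_released: Optional[date]  # release date of the newest security fix; None if none pending
    supported: bool                 # False once the vendor stops issuing security updates


def patch_deadline(item: InventoryItem) -> Optional[date]:
    """Last day on which the pending patch can still be applied inside the 14-day window."""
    if item.patch_released is None:
        return None
    return item.patch_released + timedelta(days=PATCH_WINDOW_DAYS)


def classify(item: InventoryItem, today: date) -> str:
    """Return 'unsupported', 'overdue', 'pending' or 'ok' for one inventory entry."""
    if not item.supported:
        return "unsupported"  # checklist: remove software no longer receiving updates
    if item.installed_version == item.latest_version or item.patch_released is None:
        return "ok"
    deadline = patch_deadline(item)
    return "overdue" if today > deadline else "pending"


def patch_report(inventory: List[InventoryItem], today: date) -> Dict[str, List[str]]:
    """Group inventory names by compliance state so overdue items can be actioned first."""
    report: Dict[str, List[str]] = {"unsupported": [], "overdue": [], "pending": [], "ok": []}
    for item in inventory:
        report[classify(item, today)].append(item.name)
    return report


# Constructed sample inventory and assessment date (assumed values, not real systems).
AS_OF = date(2025, 6, 30)
SAMPLE_INVENTORY = [
    InventoryItem("Office suite", "2.4", "2.5", date(2025, 6, 1), True),     # 29 days old
    InventoryItem("Web browser", "118.0", "118.1", date(2025, 6, 25), True),  # 5 days old
    InventoryItem("PDF reader", "9.1", "9.1", None, True),                    # fully patched
    InventoryItem("Legacy accounting app", "4.0", "4.0", None, False),        # end of life
]

if __name__ == "__main__":
    for state, names in patch_report(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{state:12s} {', '.join(names) or '-'}")
```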

Beyond Cyber Essentials: Additional Best Practices

Backup and Recovery

A tested, offsite backup is your last line of defence against ransomware. Follow the 3-2-1 rule: three copies of data, on two different media types, with one stored offsite (or in the cloud). Test your backups regularly — an untested backup is not a reliable backup.

Staff Security Awareness Training

The majority of successful attacks begin with human error. Regular security awareness training, combined with phishing simulation exercises, builds the habits needed to spot and report suspicious activity. The NCSC's free e-learning resources are a good starting point for small businesses.

How AMVIA Helps Businesses Through the Checklist

AMVIA works with UK SMEs to assess their current security posture, identify gaps against the Cyber Essentials controls, and implement the technical changes required for certification. Our managed service ensures the controls remain in place and up to date — so your business stays protected and certifiable year after year.

Key Considerations

  • Assess your current position and identify gaps
  • Understand relevant UK regulations and standards
  • Implement appropriate technical controls
  • Train staff on security awareness
  • Review and update regularly
  • Consider managed service options for specialist areas

Need Help With This?

AMVIA can assess your current position and recommend practical next steps.