Steps to Prepare and Pass Cyber Essentials (Checklist)

The Cyber Essentials scheme provides a basic yet effective framework for businesses to protect themselves against cyber attacks. Getting Cyber Essentials certified is one of the first steps that any organisations can take to protect their digital assets and their personal data, and for those seeking to engage in the UK Government supply chain contracts, it provides the mandatory certification required to bid.

Like all official certifications, achieving Cyber Essentials requires preparation and business investment in time, cost and some technical awareness.

In this blog post, we present a guide on how to prepare and pass Cyber Essentials.

1.     Create an Information Security policy

The first step is to develop a well-planned information security policy for your organisation. Your policy should establish the requirements and rules for cybersecurity at your company and to achieve Cyber Essentials, your policy should include:

  • The requirements for handling and processing personal data of customers, employees, and third-parties.
  • A password policy that describes the minimum requirements for passwords (such as length and complexity).
  • A set of guidelines that define what users can and cannot do, including access controls and internet usage.

Your security policy does not have to be long and complex document filled with technical details. Instead, it should document rules for cybersecurity in a simple, clear manner that all your employees and other third-parties with access to your systems or data can understand and readily comply with.

2.     Assign a Data Protection Officer

Although not mandatory for all organisations, appointing a single senior employee as a Data Protection Officer (DPO) can help you enforce the information security policy within your organisation.

For SMEs, assigning a DPO can be an important step as they can coordinate all the business security initiatives, and for external parties and IT users, they are the business’ single point of contact for queries and concerns related to security.

Cyber Essentials requires businesses to complete and submit a self-assessment questionnaire, and provide relevant evidence to support answers, in order to achieve certification.

Having a single point of focus in a DPO ensures that everybody understands who is responsible for completing the questionnaire and who to go to for best practise advice and guidance.

3.     Keep track of your digital assets

To make sure that all software and devices are protected, you should keep an inventory of digital assets. Ensure that you include the details of software versions and updates for both software and devices.

Knowing what and where your assets are is good practice and especially so with information security assets. It helps you keep software updated, which can often be essential, and the best first step to protect your systems and data.

Knowing what devices are present on, or can connect to your network, is the best way to identify unauthorised devices and to take action to remove or isolate them. Tracking your digital assets enables you to identify vulnerabilities and to keep a close watch on devices within your network.

4.     Enforce access control

Access control ensures that only authorised personnel have access to sensitive information and enforcing strong access control is an essential step for achieving Cyber Essentials certification.

Make use of a Role-Based Access Control (RBAC) system ensure IT users have only have the privileges that they need for their job role and access to only those systems they need to be effective and operate safely.

5.     Make use of the right tools and configurations

A firewall and antivirus are essential security tools required for Cyber Essentials.

Your firewall helps protect devices on a network from external threats such as those from the internet.

Your antivirus software protects your systems from viruses and other malware that can harm them, or corrupt or steal sensitive, personal or proprietary data.

You should ensure your firewalls are properly configured to disallow access to malicious content. Making use of a firewall and antivirus will help your business prevent the most common types of cyber attacks.

6.     Conduct regular security reviews

To ensure that your digital assets remain safe and protected, it is important to document, track, and review the effectiveness of the cybersecurity measures you have taken.

Knowing the strengths and weaknesses of your organisation’s network can help you fine-tune cybersecurity for better protection, especially as you grow. You should conduct regular security reviews to:

  • Track all devices and software, including when they were last updated.
  • Understand the types of devices being used throughout your organisation (e.g. laptops, desktops, servers etc).
  • Determine the effectiveness of your information security policy.
  • Ensure that all software and devices are properly configured for secure operations.


If you are a small to medium scale business getting started with cybersecurity can seem daunting, especially if you have no technical IT skills. However, achieving a Cyber Essentials certification is a great way to begin, and for a small investment of time and effort, it can significantly reduce your risk exposure. Take the steps outlined above and you will be well-prepared to pass Cyber Essentials.

CyberSmart is the automated platform to help businesses get and stay secure with recognised certification standards including Cyber Essentials. Businesses can gain certification as individual companies or can join the many organisations that have achieved Cyber Essentials by partnering with us today.

If you have any questions, whether it is preparing for Cyber Essentials, or how to protect your company systems and data, please reach out. We love to talk about Cyber Essentials and help companies with their data protection needs and smart certification