
Cyber Essentials Checklist: Step-by-Step Guide

  • Cybersecurity
  • Cyber Essentials
  • Gabriel Few-Wiegratz
  • Published: 7th Jun 2026


Highlights
  • Scope first: define which devices, users, and cloud services fall within your boundary before you open the questionnaire. Getting scope wrong is the most common reason first-time applicants hit unexpected remediation.

  • You can't submit directly to IASME. Certification goes through an Assured Service Provider via the Montpellier portal. Choose yours before you start.

  • Patch management is the most common failure point: critical patches must be applied within 14 days. End-of-life software is an automatic failure with no exception.

  • Certificates are valid for 12 months. Scheme requirements can change between cycles, so check for updates before resubmitting.

  • CE+ track: if you need Cyber Essentials Plus, initiate it within three months of standard CE certification. Miss the window and you restart the standard CE process.


Working towards certification? Our Cyber Essentials resource hub brings together everything in one place: the five controls, certification costs, the self-assessment questionnaire, and what Cyber Essentials Plus actually tests. Start there to plan your route to certification.

Expert View

Matt Davies

Chief Product Officer, SureCloud

What our experts say about first-time CE preparation

"Scope definition trips up more first-time applicants than any of the five controls. Organisations underestimate how much of their estate is genuinely in scope, particularly cloud services and home-working devices, and then face remediation they weren't expecting. Get scope agreed with your ASP before you open the questionnaire."

Before You Start: Scoping Your Certification

Scope definition is the first and most consequential decision in the CE process. The scope defines which systems, devices, and users are covered by the certification, and everything in scope must meet all five control requirements. The CE requirements guide sets out the full scheme criteria.

The scheme works around a network boundary: all devices that can access the internet, or internet-facing services, from within your declared boundary are in scope by default. This includes servers, laptops, desktops, tablets, smartphones used for work, and virtual machines.

Cloud services are in scope whenever your organisation's data or services are held in them: Microsoft 365, Google Workspace, AWS instances, Azure virtual machines, and software-as-a-service platforms alike. What varies is which of the five controls you are responsible for implementing. For infrastructure and platform services you control the configuration and patching of the hosts; for SaaS you can typically only configure user accounts, MFA, and access settings, with the provider responsible for the rest. That shared-responsibility split must be understood for every cloud service in scope; it does not take the service out of scope.

Scope Checklist

  1. Document all devices that can access internet-facing services: laptops, desktops, servers, mobile devices, and virtual machines.
  2. Identify all cloud services that hold organisational data or provide services to staff (Microsoft 365, AWS, Azure, Google Workspace tenancies, and any SaaS platforms), and record which controls you configure yourself and which the provider owns.
  3. Identify any devices or services explicitly excluded from scope and document the rationale. IASME guidance sets out what legitimate exclusions look like.
  4. Confirm that your scope boundary covers the full set of systems involved in your organisation's core operations.
  5. Review IASME's scope guidance for BYOD and home-working devices. Any device, including personally owned ones, used to access organisational data or services from outside the office is in scope; devices used only for voice calls, SMS, or approving MFA prompts are the usual exclusion.

The 5 Control Areas: What You Need in Place

Each item below reflects the Montpellier scheme requirements current as of 2026. For detailed technical guidance on each control, see the 5 Cyber Essentials controls guide.

1. Firewalls

CE requires a firewall at the boundary between your network and the internet, and personal firewalls on all devices used outside a protected network environment.

  1. A firewall (hardware or software) is configured at the network boundary.
  2. All unused and unnecessary inbound network ports are blocked by default.
  3. Firewall rules are documented and reviewed. Rules should be specific, not permissive.
  4. Personal firewalls are enabled on all laptops, desktops, and mobile devices used outside the office network, including home-working devices.
  5. Administrative access to firewall management interfaces is restricted to authorised users and, where possible, specific IP addresses.
  6. Default administrative credentials on all firewalls and network devices have been changed.

2. Secure Configuration

In-scope devices and software must be configured to reduce their attack surface: remove unnecessary features, disable unused services, and eliminate default settings that create vulnerability.

  1. Default passwords on all hardware and software have been changed before devices are deployed.
  2. Unnecessary user accounts (including default vendor accounts) have been disabled or removed.
  3. Unnecessary software, services, and features have been uninstalled or disabled on in-scope devices.
  4. Auto-run features (auto-run from USB, CD, network shares) are disabled.
  5. Devices lock automatically after a period of inactivity, requiring re-authentication to resume.
  6. All in-scope systems use supported operating systems and software that still receive security updates from the vendor.

3. User Access Control

Access to systems and data must be limited to what each user's role requires. Administrative privileges must be controlled and protected.

  1. User accounts are created on a least-privilege basis: users have only the permissions their role requires.
  2. Administrative accounts are separate from standard user accounts. Staff don't use admin accounts for day-to-day tasks.
  3. The number of administrator accounts is minimised and reviewed regularly.
  4. Multi-factor authentication (MFA) is enforced on all accounts that can authenticate to internet-facing services, including cloud applications, email platforms, and remote access services. This is a Montpellier scheme requirement introduced in 2023.
  5. Passwords meet the scheme's minimum-length rules: at least 8 characters where MFA is enforced; otherwise at least 12 characters with no maximum length, or at least 8 characters backed by a deny list of common passwords. Brute-force protection (throttling, or lockout after no more than 10 failed attempts) is in place on all accounts.
  6. Guest or shared accounts that serve no current purpose have been removed.
  7. A process exists to promptly remove or disable accounts when staff leave or change roles.
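
Most of the failures in this control show up in a directory export before they show up in the questionnaire. The script below is an added example, not code from the original article or from IASME: it audits a constructed account export (the `Account` layout, the sample accounts and the `SAMPLE_LEAVERS` list are assumptions for illustration) for enabled accounts that can reach internet-facing services without MFA, accounts still enabled for people who have left, enabled shared or guest accounts, and admin accounts whose owner has no separate standard account, which is the usual sign that an admin account is being used for day-to-day work.

```python
"""Audit of a user-directory export against the CE user access control
checklist: MFA on every account that can reach internet-facing services,
separate admin and standard accounts per person, leavers disabled, and no
enabled shared or guest accounts without a documented purpose.

The export format and the sample accounts are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    owner: str          # person responsible; "" for shared/guest accounts
    kind: str           # "user", "admin", "shared", "guest" or "service"
    enabled: bool
    mfa: bool           # MFA enforced (not merely available) for this account
    cloud_access: bool  # can sign in to Microsoft 365/Workspace/VPN/etc.


# Constructed sample export with deliberate checklist failures.
SAMPLE_ACCOUNTS = [
    Account("a.jones",     "a.jones", "user",   True,  True,  True),
    Account("adm-a.jones", "a.jones", "admin",  True,  True,  True),
    Account("b.patel",     "b.patel", "user",   True,  False, True),   # no MFA
    Account("adm-c.lee",   "c.lee",   "admin",  True,  True,  True),   # admin used day-to-day
    Account("j.smith",     "j.smith", "user",   True,  True,  True),   # leaver, still enabled
    Account("reception",   "",        "shared", True,  False, True),   # shared, no MFA
    Account("guest",       "",        "guest",  False, False, False),  # disabled: fine
]
SAMPLE_LEAVERS = {"j.smith"}  # from HR: people who have left the organisation


def audit_accounts(accounts, leavers):
    """Return (findings, admin_count): checklist failures plus the number of
    enabled admin accounts, which the checklist asks you to minimise."""
    findings = []
    admins_by_owner = defaultdict(list)
    standard_owners = set()
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are not in play; removing them is still good hygiene
        if a.cloud_access and not a.mfa:
            findings.append((a.name, "can reach internet-facing services without MFA"))
        if a.owner in leavers:
            findings.append((a.name, "owner has left but the account is still enabled"))
        if a.kind in ("shared", "guest"):
            findings.append((a.name, f"enabled {a.kind} account; remove unless a current purpose is documented"))
        if a.kind == "admin":
            admins_by_owner[a.owner].append(a.name)
        elif a.kind == "user":
            standard_owners.add(a.owner)
    # An admin account whose owner has no standard account is being used for daily work.
    for owner, names in admins_by_owner.items():
        if owner not in standard_owners:
            for name in names:
                findings.append((name, "admin account with no separate standard account for day-to-day use"))
    admin_count = sum(len(v) for v in admins_by_owner.values())
    return findings, admin_count


if __name__ == "__main__":
    found, admins = audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_LEAVERS)
    print(f"{admins} enabled admin accounts")
    for name, problem in found:
        print(f"{name}: {problem}")
```

On the sample data it reports five failures across four accounts and counts two admin accounts. The `mfa` flag should reflect enforcement (a conditional access policy or per-user enforcement), not whether the user has registered a method; that distinction is exactly what an assessor will probe.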

4. Malware Protection

In-scope devices must be protected against malware, either through anti-malware software or application allowlisting.

  1. Anti-malware software is installed and active on all in-scope devices, OR application allowlisting is configured to prevent unauthorised software from executing.
  2. Anti-malware software is configured to update its definitions automatically.
  3. Anti-malware scans files automatically when they are accessed or downloaded (real-time protection), not only on a schedule, and blocks connections to known-malicious websites.
  4. Anti-malware alerts on detection and is monitored. Detections are reviewed, not ignored.
  5. If using application allowlisting: only approved applications are permitted to execute, and the allowlist is actively maintained and reviewed.

5. Patch Management

Patch management is the control area most commonly responsible for CE assessment failures. All software on in-scope devices must be kept up to date with security patches.

  1. All operating systems on in-scope devices are set to receive automatic security updates, or a patching process applies fixes for critical and high-severity vulnerabilities (CVSS v3 base score of 7.0 or above, or rated critical or high by the vendor) within 14 days of the vendor releasing the fix.
  2. All third-party applications on in-scope devices are kept up to date: browsers, productivity software, plugins, and any other installed applications.
  3. A software inventory exists for all in-scope devices. You know what's installed and whether it's currently supported.
  4. Any end-of-life software (software that no longer receives security updates) has been removed or replaced. This is an automatic CE failure point with no exception.
  5. A process is in place to monitor vendor announcements for critical vulnerabilities and respond within the 14-day window.
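
Items 1, 3 and 4 above reduce to a comparison between your software inventory, vendor support dates, and vendor fix releases, so they can be checked mechanically. The script below is an added example, not code from the original article or from IASME: it audits a constructed inventory (the `Installed` and `Advisory` layouts, the product names, dates and CVSS scores are all assumptions for illustration) and reports end-of-life software, fixes for CVSS 7.0+ issues that are past the 14-day window, and fixes still inside it with their deadline. Fixes the vendor has not rated are treated as in scope, the conservative reading, since you cannot show they fall below the threshold; the 14-day window and 7.0 threshold are the scheme's own figures.

```python
"""Audit of a software inventory against the CE patch management checklist:
flag end-of-life software, and flag installed versions below a vendor fix for
a critical/high (CVSS 7.0+) issue that is past, or approaching, the 14-day
window measured from the vendor's release of the fix.

Inventory/advisory formats and sample data are constructed for this example;
the CVSS threshold and 14-day window are the scheme's figures."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)
CRITICAL_CVSS = 7.0


@dataclass(frozen=True)
class Installed:
    product: str
    version: str
    support_ends: Optional[date]   # None = vendor support continues


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str
    cvss: Optional[float]          # None = vendor gave no severity rating
    published: date                # date the vendor released the fix


# Constructed sample inventory and advisories (assumed assessment date 2026-06-01).
SAMPLE_TODAY = date(2026, 6, 1)
SAMPLE_INVENTORY = [
    Installed("Acme Browser", "120.0.1", None),
    Installed("Acme Office", "16.2", date(2027, 1, 1)),
    Installed("LegacyDB", "9.6", date(2021, 11, 11)),      # end-of-life
    Installed("VPN Client", "4.1.3", None),
]
SAMPLE_ADVISORIES = [
    Advisory("Acme Browser", "120.0.2", 8.8, date(2026, 5, 10)),   # overdue
    Advisory("Acme Browser", "120.0.1", 7.5, date(2026, 4, 1)),    # already applied
    Advisory("Acme Office", "16.3", 9.1, date(2026, 5, 25)),       # inside the window
    Advisory("VPN Client", "4.1.4", 5.3, date(2026, 5, 1)),        # medium: not in the 14-day rule
    Advisory("VPN Client", "4.1.5", None, date(2026, 5, 30)),      # unrated: treated as in scope
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version into a tuple so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


def audit_patching(inventory, advisories, today):
    """Return (product, problem) pairs for EOL software and missing critical/high fixes."""
    findings = []
    for item in inventory:
        if item.support_ends is not None and item.support_ends < today:
            findings.append((item.product, f"end-of-life since {item.support_ends}: remove or replace"))
        for adv in advisories:
            if adv.product != item.product:
                continue
            # Unrated fixes cannot be shown to be below the threshold, so they stay in scope.
            if adv.cvss is not None and adv.cvss < CRITICAL_CVSS:
                continue
            if parse_version(item.version) >= parse_version(adv.fixed_version):
                continue
            deadline = adv.published + PATCH_WINDOW
            if today > deadline:
                findings.append((item.product, f"fix {adv.fixed_version} overdue by {(today - deadline).days} days"))
            else:
                findings.append((item.product, f"fix {adv.fixed_version} due by {deadline}"))
    return findings


if __name__ == "__main__":
    for product, problem in audit_patching(SAMPLE_INVENTORY, SAMPLE_ADVISORIES, SAMPLE_TODAY):
        print(f"{product}: {problem}")
```

On the sample data it reports the browser fix as eight days overdue, the office and VPN fixes as due with dates, and LegacyDB as end-of-life; the medium-severity VPN advisory is not flagged under this control. The output is only as good as the inventory feeding it, which is why item 3 (knowing what is installed) comes before the window can be enforced.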

Selecting an Assured Service Provider

CE assessments must be conducted through an IASME-approved Assured Service Provider (ASP). The ASP reviews and certifies your self-assessment submission. For CE+, the ASP must also have qualified assessors able to conduct the technical verification.

  1. Search the IASME-published ASP directory for accredited providers.
  2. Confirm the ASP is accredited for CE (and CE+ if applicable).
  3. Confirm the ASP's pricing and what's included. Some include pre-assessment support; others don't.
  4. Confirm whether the assessment uses the Montpellier portal or a separate ASP-managed system. Most use the IASME Montpellier portal.

Completing the Cyber Essentials Questionnaire

The self-assessment questionnaire is completed via the IASME Montpellier portal. It asks you to attest to your organisation's compliance with each of the five control areas across all in-scope systems. The CE questionnaire guide covers common question failure points in detail.

Questionnaire Submission Checklist

  1. Create or log in to your Montpellier portal account. Your ASP will confirm which portal you use and issue access; the scheme does not accept submissions made directly to IASME.
  2. Complete the scope declaration: describe the systems and boundary covered by the assessment.
  3. Work through each of the five control sections, answering questions accurately based on your actual configuration.
  4. Review your answers for internal consistency before submission. The ASP review checks for contradictions.
  5. Submit the completed questionnaire through the portal.
  6. Respond promptly to any ASP clarification requests. Delayed responses extend the assessment timeline.

What Happens After Submission

Once submitted, your ASP reviews the questionnaire. A satisfactory, internally consistent submission leads to certification being issued. Where the ASP has questions or identifies inconsistencies, they'll contact you for clarification or request remediation.

  1. Standard review timeline: 2 to 5 working days, depending on the ASP. Some offer faster turnaround for additional cost.
  2. If clarification is requested: respond with accurate, specific information. Assessors are experienced at identifying responses that reframe control gaps as compliant.
  3. If remediation is required: implement the changes and resubmit the relevant sections. Repeated failures indicate the controls weren't in place before the assessment started.
  4. On certification: the IASME portal issues your certificate with a unique number and assessment date, verifiable via the IASME certificate checker.

Annual Renewal

Cyber Essentials certification is valid for 12 months. Renewal requires a new self-assessment. The scheme requirements can change between cycles, so always check for updates before resubmitting.

  1. Diarise renewal at least four weeks before expiry to allow time for any required remediation.
  2. Before renewing, check the NCSC/IASME scheme requirements for any updates since your last certification.
  3. Conduct an internal review of your control state before submission. Last year's configuration may not meet current requirements.
  4. If your IT environment has changed significantly (new cloud services, remote working changes, new software), update your scope documentation before renewing.

CE+ Track: If You Need the Higher Tier

If CE+ is required, the process above is the first stage. CE+ must be initiated within three months of standard CE certification. The CE+ assessment involves independent technical verification by an IASME-approved assessor, not just questionnaire review. Full guidance on CE+ preparation and common failure points is in the Cyber Essentials Plus guide.



Key Facts
  1. All five CE controls must be met across all in-scope systems. Partial compliance does not achieve certification.
  2. Patch management is the most common failure point: critical and high-severity patches must be applied within 14 days. End-of-life software is an automatic failure with no exception.
  3. MFA must be enforced on all accounts that can authenticate to internet-facing services. This is a Montpellier scheme requirement introduced in 2023.
  4. CE+ must be initiated within three months of standard CE certification. Missing the window means restarting the standard CE process.
  5. Certification is valid for 12 months. Scheme requirements can change between cycles; check for updates before renewal.
  6. ASP selection matters: confirm the provider is accredited for CE (and CE+ if needed) before engaging.

Related reading: CE+ Guide | CE Questionnaire Guide

FAQs

What does a Cyber Essentials checklist need to cover?

A complete CE preparation checklist covers five technical control areas (firewalls, secure configuration, user access control, malware protection, and patch management), scope definition, selection of an IASME-approved Assured Service Provider, and completion of the self-assessment via the Montpellier portal. All five controls must be met across all in-scope systems before submission.

How long does it take to prepare for Cyber Essentials?

Preparation time depends on your current IT environment. Organisations with well-maintained systems, current software, enforced MFA, and documented configurations can be ready to submit within days. Organisations that discover patching gaps, end-of-life software, or missing MFA during readiness checks will need two to eight weeks for remediation, sometimes longer for complex environments. Scope definition complexity also affects the timeline.

Can I complete the Cyber Essentials questionnaire myself?

Yes. The self-assessment is completed by the organisation, usually an IT manager or operations lead with sufficient knowledge of the in-scope systems. You submit through an IASME Assured Service Provider. Some ASPs offer pre-assessment consultancy to help prepare the submission, but it's not required.

What happens if I fail a Cyber Essentials assessment?

Your ASP requests clarification or remediation if your submission has gaps. Fix it, resubmit. The questionnaire is reviewed by an experienced assessor and internal inconsistencies are caught: there's no shortcut through an inaccurate submission.

Is Cyber Essentials certification annual?

Yes. Certification is valid for 12 months from the date of issue. Annual renewal requires a new self-assessment. If CE+ is held, that must also be renewed, and the same three-month window after standard CE applies to each renewal cycle.