How to Prepare for Cyber Essentials Certification: A Step-by-Step Guide

Preparing for Cyber Essentials certification does not have to be complicated — this step-by-step guide walks through each of the five controls, what assessors check, and how to make sure you pass first time.

Before you start: understand what you are being assessed on

Cyber Essentials assesses five technical controls. Everything in the assessment maps back to one of these:

  1. Firewalls — boundary protection and network segmentation
  2. Secure configuration — devices and software set up securely
  3. Access control — right people, right access, right level
  4. Malware protection — endpoint protection and software controls
  5. Patch management — timely updates across all software

The assessment is a questionnaire (for basic Cyber Essentials) or a questionnaire plus hands-on technical audit (for Cyber Essentials Plus). The questionnaire asks you to confirm that specific controls are in place. An honest self-assessment against each control before you begin tells you exactly where the gaps are.


Step 1: run an external vulnerability scan

Before touching anything else, scan your domain from the outside. This shows you what an assessor — or an attacker — would find when looking at your internet-facing infrastructure.

An Olimpio scan maps findings directly to Cyber Essentials controls, so you can see at a glance which issues would cause a fail. Common pre-assessment findings:

  • Open ports that should be firewalled (CE1)
  • Missing or misconfigured DMARC/SPF records (CE1/CE2)
  • Expired or expiring SSL certificates (CE2)
  • Missing HTTP security headers (CE2)
  • Outdated software with known CVEs (CE5)

Fix these before booking your assessment. Most can be addressed in a day or two.
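The findings listed above can be reproduced locally from captured data before you pay for a scan. The script below is an added example, not Olimpio's scanner or any code from the original post: it takes DNS TXT records, a certificate expiry date and an HTTP response header set (all constructed sample values here, with a `.invalid` domain) and maps each gap to the Cyber Essentials control it affects. The header list, the 30-day certificate warning and the `SAMPLE_NOW` date are assumptions chosen for the example; in practice you would feed it the output of `dig`, `openssl s_client` and `curl -I`.

```python
"""Pre-assessment checks over captured DNS, TLS and HTTP data, mapped to CE controls."""
import re
from datetime import datetime, timezone

# Constructed sample inputs (illustrative, not real scan results).
SAMPLE_DOMAIN = "example.invalid"
SAMPLE_TXT_RECORDS = {
    "example.invalid": ["v=spf1 include:_spf.mail.invalid ~all"],
    "_dmarc.example.invalid": ["v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"],
}
SAMPLE_CERT_NOT_AFTER = "2026-01-15T12:00:00+00:00"   # notAfter from the served certificate
SAMPLE_HTTP_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
}
SAMPLE_NOW = datetime(2025, 12, 20, tzinfo=timezone.utc)  # fixed "today" so results are repeatable

# Headers an assessor commonly expects on an internet-facing site (assumed list for the example).
REQUIRED_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
]


def check_email_auth(txt_records, domain):
    """SPF and DMARC presence/policy checks; findings map to CE1/CE2 as in the list above."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("CE1/CE2", "No SPF record published"))
    elif spf[0].rstrip().endswith(("+all", " all")):
        findings.append(("CE1/CE2", "SPF record ends in +all (allows any sender)"))

    dmarc = [r for r in txt_records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(("CE1/CE2", "No DMARC record published"))
    else:
        m = re.search(r"\bp=(\w+)", dmarc[0])
        policy = m.group(1).lower() if m else None
        if policy not in ("quarantine", "reject"):
            findings.append(("CE1/CE2", f"DMARC policy is {policy!r}, not quarantine/reject"))
    return findings


def check_certificate(not_after_iso, now, warn_days=30):
    """Flag expired certificates and those expiring within warn_days."""
    not_after = datetime.fromisoformat(not_after_iso)
    days_left = (not_after - now).days
    if days_left < 0:
        return [("CE2", f"TLS certificate expired {-days_left} days ago")]
    if days_left <= warn_days:
        return [("CE2", f"TLS certificate expires in {days_left} days")]
    return []


def check_headers(headers):
    """Report each expected security header that the response did not carry (case-insensitive)."""
    present = {k.lower() for k in headers}
    return [("CE2", f"Missing HTTP security header: {h}")
            for h in REQUIRED_HEADERS if h.lower() not in present]


def run_pre_assessment(domain, txt_records, cert_not_after, headers, now=None):
    """Combine all checks into one list of (control, message) findings."""
    now = now or datetime.now(timezone.utc)
    return (check_email_auth(txt_records, domain)
            + check_certificate(cert_not_after, now)
            + check_headers(headers))


def summarise_by_control(findings):
    """Count findings per control so you can see which control would fail first."""
    summary = {}
    for control, _ in findings:
        summary[control] = summary.get(control, 0) + 1
    return summary


if __name__ == "__main__":
    results = run_pre_assessment(SAMPLE_DOMAIN, SAMPLE_TXT_RECORDS, SAMPLE_CERT_NOT_AFTER,
                                 SAMPLE_HTTP_HEADERS, now=SAMPLE_NOW)
    for control, msg in results:
        print(f"[{control}] {msg}")
    print(summarise_by_control(results))
```

With the sample data the DMARC record is present but set to `p=none`, the certificate is 26 days from expiry, and three of the four expected headers are missing, so the summary shows one CE1/CE2 finding and four CE2 findings.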


Step 2: CE1 — firewalls

What you need to have in place:

  • A firewall at the boundary of every network that connects to the internet (your office router counts)
  • A software firewall on every device that connects to the internet
  • Default firewall rules that deny inbound connections unless explicitly permitted
  • No unnecessary ports or services exposed to the internet

Practical checklist:

  • Log into your router/firewall and confirm the default rule is "deny all inbound"
  • List every inbound rule and confirm each one is necessary and documented
  • Remove any rules that were added temporarily and never cleaned up
  • Ensure your cloud server's security groups or firewall rules follow the same principle
  • Run a port scan to verify what is actually visible from outside — not just what the rules say

Common failure points: Cloud servers with overly permissive security groups (common on AWS and GCP); office routers still on default settings; old management interfaces left open from a previous IT provider.
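The rule review and the "verify with a port scan, not just the rules" step can be done together. The following is an added example (not code from the original post or from any cloud provider's tooling) that audits a constructed list of inbound rules in a simplified security-group shape and reconciles it with a constructed set of ports seen open from outside. The public allow-list of ports 80 and 443 and the rule fields are assumptions for the example; real AWS or GCP rule exports would need to be flattened into this shape first.

```python
"""Audit inbound firewall / security-group rules and reconcile them with an external port scan."""
from ipaddress import ip_network

# Constructed inbound rules (illustrative only; not a real security group).
SAMPLE_RULES = [
    {"port": 443,  "proto": "tcp", "cidr": "0.0.0.0/0",      "description": "public HTTPS"},
    {"port": 22,   "proto": "tcp", "cidr": "0.0.0.0/0",      "description": ""},
    {"port": 22,   "proto": "tcp", "cidr": "203.0.113.0/24", "description": "office SSH"},
    {"port": 3389, "proto": "tcp", "cidr": "0.0.0.0/0",      "description": "temp - remove after migration"},
]
# Constructed result of an external port scan: ports observed open on the host.
SAMPLE_SCAN_OPEN_PORTS = {443, 22, 8080}
# Ports that are legitimately public for this host (assumption for the example).
ALLOWED_PUBLIC_PORTS = {80, 443}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits any source address."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules, allowed_public=ALLOWED_PUBLIC_PORTS):
    """Return (port, issue) pairs for rules an assessor would question."""
    findings = []
    for r in rules:
        desc = r.get("description", "")
        if not desc:
            findings.append((r["port"], "undocumented rule"))
        if is_world_open(r["cidr"]) and r["port"] not in allowed_public:
            findings.append((r["port"], f"open to the internet ({r['cidr']}) but not on the public allow-list"))
        if "temp" in desc.lower():
            findings.append((r["port"], "rule marked temporary; confirm it is still needed"))
    return findings


def reconcile_with_scan(rules, scan_open_ports):
    """Compare what the rules say is reachable with what the scan actually saw."""
    declared = {r["port"] for r in rules if is_world_open(r["cidr"])}
    return {
        # Reachable from outside but no world-open rule explains it: another path or another firewall.
        "unexpected_open": sorted(scan_open_ports - declared),
        # Permitted by a rule but nothing answered: dead rule, candidate for removal.
        "permitted_but_closed": sorted(declared - scan_open_ports),
    }


if __name__ == "__main__":
    for port, issue in audit_rules(SAMPLE_RULES):
        print(f"port {port}: {issue}")
    print(reconcile_with_scan(SAMPLE_RULES, SAMPLE_SCAN_OPEN_PORTS))
```

On the sample data the world-open SSH rule is both undocumented and outside the allow-list, the RDP rule is a leftover "temporary" exception, port 8080 is reachable although no rule declares it, and 3389 is permitted but not answering, which is exactly the kind of contradiction the questionnaire is designed to surface.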


Step 3: CE2 — secure configuration

What you need to have in place:

  • Default passwords changed on all devices and software
  • Unnecessary user accounts removed or disabled
  • Unnecessary software, services, and features removed or disabled
  • Auto-run disabled for removable media
  • Computers configured not to auto-run software from network shares

Practical checklist:

  • Inventory all internet-connected devices: servers, routers, switches, IoT devices
  • Change any remaining default credentials (admin/admin, etc.)
  • Disable remote management interfaces you do not use
  • Review installed software on servers — remove anything not needed
  • Check that operating systems are using supported, maintained versions

Common failure points: Development tools or test services left running on production servers; routers with remote management enabled on the WAN interface; old user accounts not removed when staff leave.


Step 4: CE3 — access control

What you need to have in place:

  • User accounts created for individuals, not shared
  • Least privilege — users only have access to what they need for their role
  • Administrator accounts used only for administrative tasks, not day-to-day work
  • Strong password policy enforced
  • Multi-factor authentication on all internet-facing accounts

Practical checklist:

  • List all user accounts across your systems and remove any that are not current
  • Confirm no shared accounts exist (shared logins are a CE fail)
  • Confirm admin accounts are separate from standard user accounts
  • Enable MFA on all cloud services, email, hosting control panels, and domain registrars
  • Review who has admin access — reduce to the minimum necessary

Common failure points: Admin accounts used for day-to-day email and browsing; shared IT accounts used by multiple staff; former employees' accounts not deactivated; cloud services without MFA enabled.
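The account checklist above is a set of yes/no tests over an account inventory, so it is worth scripting once and re-running before each assessment. The example below is added here and is not from the original post or from any identity provider's API: it runs over a constructed inventory (the field names, the 90-day staleness threshold and the `SAMPLE_AS_OF` date are assumptions) and reports shared logins, admin accounts without a separate standard account, missing MFA, leavers still enabled and stale logins.

```python
"""Audit a flat account inventory against the CE3 access-control checklist."""
from datetime import date

# Constructed inventory (illustrative; export the real one from your IdP / cloud consoles).
SAMPLE_ACCOUNTS = [
    {"user": "alice",       "owner": "Alice A",          "admin": False, "mfa": True,  "last_login": "2025-12-01", "leaver": False, "shared": False},
    {"user": "alice-admin", "owner": "Alice A",          "admin": True,  "mfa": True,  "last_login": "2025-11-28", "leaver": False, "shared": False},
    {"user": "itsupport",   "owner": "IT team (shared)", "admin": True,  "mfa": False, "last_login": "2025-12-10", "leaver": False, "shared": True},
    {"user": "bob",         "owner": "Bob B",            "admin": True,  "mfa": False, "last_login": "2025-06-02", "leaver": True,  "shared": False},
]
SAMPLE_AS_OF = date(2025, 12, 20)   # fixed reference date so the output is repeatable
STALE_DAYS = 90                     # assumed threshold for "not current"


def audit_accounts(accounts, as_of, stale_days=STALE_DAYS):
    """Return (user, issue) pairs; one account can have several issues."""
    findings = []
    # Owners who hold at least one non-admin account, used to check admin/standard separation.
    owners_with_standard = {a["owner"] for a in accounts if not a["admin"]}
    for a in accounts:
        if a.get("shared"):
            findings.append((a["user"], "shared account (CE fail)"))
        if a["admin"] and a["owner"] not in owners_with_standard:
            findings.append((a["user"], "admin account with no separate standard account for the owner"))
        if not a["mfa"]:
            findings.append((a["user"], "MFA not enabled"))
        if a["leaver"]:
            findings.append((a["user"], "account belongs to a leaver and is still enabled"))
        idle = (as_of - date.fromisoformat(a["last_login"])).days
        if idle > stale_days:
            findings.append((a["user"], f"no login for {idle} days"))
    return findings


def findings_per_user(findings):
    """Group the issue count by account to prioritise clean-up."""
    counts = {}
    for user, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_AS_OF)
    for user, issue in results:
        print(f"{user}: {issue}")
    print(findings_per_user(results))
```

In the sample, Alice's paired standard and admin accounts pass every check, the shared IT account fails on three points, and the former employee's admin-only account fails on four.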


Step 5: CE4 — malware protection

What you need to have in place:

  • Antivirus/anti-malware active and up to date on all computers
  • Protection against malicious code execution — application whitelisting or signature-based protection
  • Sandboxing or other controls to isolate untrusted content

Practical checklist:

  • Confirm endpoint protection is installed and active on all devices
  • Confirm real-time scanning is enabled (not just scheduled scans)
  • Confirm the malware signature database is set to update automatically
  • Review what the protection covers — it must include email attachments and web downloads

Common failure points: Personal devices used for work without endpoint protection; protection installed but signature updates disabled; relying on Windows Defender without confirming it is active and current.


Step 6: CE5 — patch management

What you need to have in place:

  • All software patched within 14 days of a critical security update being released
  • No unsupported software in use (software that no longer receives security patches)
  • Operating systems on supported versions

Practical checklist:

  • Enable automatic updates on all operating systems and applications
  • Check for any software that is past its end-of-life date — this is a CE fail
  • Confirm your PHP version (if running a web server) is a supported release
  • Review plugins and extensions — outdated WordPress plugins are a very common failure
  • Document your patching process so you can evidence it during assessment

Common failure points: PHP versions below 8.1 (end of life); outdated WordPress plugins; Windows 10 devices (end of life October 2025); legacy software that cannot be updated without breaking functionality.
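Both CE5 tests, the 14-day window for critical updates and the ban on end-of-life software, can be evaluated from a software inventory. The script below is an added example, not code from the original post: it uses a constructed inventory and a small lifecycle table whose entries are included for illustration and should be verified against the vendors' own lifecycle pages before you rely on them. The `SAMPLE_AS_OF` date and the inventory field names are assumptions.

```python
"""Evaluate a software inventory against the CE5 patch-management requirements."""
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14   # critical updates must be applied within 14 days of release

# Illustrative end-of-life table (assumption for the example; confirm against vendor lifecycle pages).
EOL_DATES = {
    ("php", "7.4"):     date(2022, 11, 28),
    ("php", "8.0"):     date(2023, 11, 26),
    ("windows", "10"):  date(2025, 10, 14),
}

# Constructed inventory: one row per installed product, with the most recent critical update if any.
SAMPLE_INVENTORY = [
    {"host": "web-1",    "product": "php",     "version": "8.0",  "critical_update_released": "2025-12-01", "patched_on": None},
    {"host": "web-1",    "product": "wp-plugin/contact-form", "version": "5.1", "critical_update_released": "2025-12-10", "patched_on": "2025-12-12"},
    {"host": "laptop-7", "product": "windows", "version": "10",   "critical_update_released": None,         "patched_on": None},
    {"host": "web-2",    "product": "nginx",   "version": "1.26", "critical_update_released": "2025-11-20", "patched_on": None},
]
SAMPLE_AS_OF = date(2025, 12, 20)


def check_patch_window(item, as_of, window_days=PATCH_WINDOW_DAYS):
    """Return an issue string if the critical update was not applied within the window, else None."""
    released = item.get("critical_update_released")
    if not released:
        return None
    deadline = date.fromisoformat(released) + timedelta(days=window_days)
    patched_on = item.get("patched_on")
    if patched_on is None:
        if as_of > deadline:
            return f"critical update unpatched {(as_of - deadline).days} days past the {window_days}-day deadline"
        return None
    if date.fromisoformat(patched_on) > deadline:
        return f"critical update applied late ({(date.fromisoformat(patched_on) - deadline).days} days past deadline)"
    return None


def check_end_of_life(item, as_of, eol_table=EOL_DATES):
    """Return an issue string if the product/version is past end of life, else None."""
    eol = eol_table.get((item["product"], item["version"]))
    if eol and as_of > eol:
        return f"{item['product']} {item['version']} reached end of life on {eol.isoformat()} (CE fail)"
    return None


def audit_inventory(inventory, as_of):
    """Return (host, product, issue) triples for every CE5 problem found."""
    findings = []
    for item in inventory:
        for issue in (check_end_of_life(item, as_of), check_patch_window(item, as_of)):
            if issue:
                findings.append((item["host"], item["product"], issue))
    return findings


if __name__ == "__main__":
    for host, product, issue in audit_inventory(SAMPLE_INVENTORY, SAMPLE_AS_OF):
        print(f"{host} / {product}: {issue}")
```

On the sample data the PHP 8.0 install fails twice (end of life and an unpatched critical update), the Windows 10 laptop fails on end of life, nginx is 16 days past its deadline, and the plugin that was patched two days after release passes. Keep the script's output with your patching documentation; it is the kind of evidence an assessor will ask for.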


Step 7: book your assessment

Once you have worked through the above and resolved the gaps, you are ready to book with an NCSC-approved certification body. The assessment itself — for basic Cyber Essentials — involves completing a detailed questionnaire that walks through each control with specific yes/no questions about your configuration.

Be honest. The questionnaire is designed to catch contradictions. If you claim no unnecessary services are running but you have an open Telnet port, the assessment will fail.

For Cyber Essentials Plus, the same preparation applies, but the assessor will also connect to your systems directly and verify that the controls you have described are actually in place. The external scan you ran in Step 1 should accurately reflect what they will find.


How long does preparation take?

For a small business with straightforward infrastructure, working through the five controls and fixing the gaps typically takes two to four weeks. The most time-consuming parts are usually:

  • Inventorying all devices and accounts (often more than people expect)
  • Tracking down and updating outdated software
  • Implementing MFA across all services

The actual assessment questionnaire takes a few hours to complete once the controls are in place.

Start with a free Olimpio scan to get a baseline picture of your current posture against Cyber Essentials controls — it is the fastest way to identify where to focus your preparation effort.