
Cyber Essentials Step by Step: Achieve Compliance Easily



Winning new contracts often runs into a wall if your security standards fall short of what British procurement teams demand. For UK-based SMEs in financial services, the journey to Cyber Essentials and Cyber Essentials Plus is not just about ticking boxes - it is about protecting client data, keeping regulators satisfied, and reducing the risk of costly disruption. This guide walks you from honest system assessments to formal certification, giving you practical actions and clarity on compliance that proves your business is contract-ready.

 


Quick Summary

 

Main Insight | Detailed Explanation
1. Assess Current Systems | Create a documented inventory of all IT systems to identify vulnerabilities and critical assets before developing security measures.
2. Implement Core Controls | Establish the five Cyber Essentials controls: firewalls, secure configuration, user access control, malware protection, and security update management.
3. Document Security Policies | Maintain clear documentation of security policies and procedures, including evidence of implemented controls for compliance verification.
4. Conduct Internal Testing | Perform self-assessments and internal tests on security controls to identify gaps and ensure they are functioning correctly before certification.
5. Submit for Certification | Complete the official self-assessment questionnaire for Cyber Essentials certification and ensure senior management confirms the accuracy of the information provided.

Step 1: Assess existing systems and identify gaps

 

Your first move is getting a clear picture of what you have. Without understanding your current setup, you cannot know what needs protecting or where vulnerabilities hide. This assessment forms the foundation for everything that follows.

 

Start by documenting all IT systems across your organisation. This means listing every device, application, and service your team relies on daily. Include obvious ones like servers and workstations, but also cloud services, email platforms, and any third-party tools integrated into your workflow.

 

Once you have a complete inventory, the next step is identifying which systems matter most. Not all systems carry the same risk. A revenue management system affects your income directly. Client data storage carries regulatory weight. Identifying critical systems means prioritising those with the biggest impact on your business continuity and regulatory obligations.

 

For financial services firms, this distinction is crucial. Your client account databases, payment processing systems, and compliance reporting tools rank higher than, say, a shared calendar application. Ask yourself: what would hurt most if it went down?

 

Now conduct a practical gap analysis. For each critical system, honestly assess its current security posture:

 

  • Is the software regularly updated with the latest patches?

  • Do you have backups that actually work when tested?

  • Can users access systems remotely, and if so, how are they authenticated?

  • What happens if a device is stolen or compromised?

  • Are there access logs showing who accessed what and when?

 

The Procurement Policy Note guidance recommends detailed assessment of critical systems before implementing controls. This prevents wasting resources on areas that matter less and focuses effort where it counts most.

 

You may discover outdated software running on unpatched machines. You might find shared passwords or absent multi-factor authentication. Perhaps backups exist but nobody has tested recovery. These gaps are not failures - they are exactly what you need to find now, before a real incident.

 

The goal here is honesty, not perfection. You cannot fix what you do not acknowledge.

 

Document everything you find. Create a simple spreadsheet listing each critical system, what you discovered, and severity levels. This becomes your roadmap for the next steps.

 

Pro tip: Schedule this assessment during a quieter business period and involve your IT team directly. They know the systems better than anyone and their input ensures you do not miss hidden dependencies or workarounds people use daily.

 

Step 2: Implement required security controls

 

Now that you know what needs protecting, it is time to put defences in place. Cyber Essentials requires five core technical controls that work together to block common attack vectors. These are not theoretical exercises - they are practical, deployable measures your team can implement immediately.



The five controls you need are firewalls, secure configuration, user access control, malware protection, and security update management. Each one addresses a specific threat. Together, they form a comprehensive shield against the majority of cyber attacks that target SMEs.


Start with firewalls. These are your perimeter defence. A properly configured firewall controls which traffic enters and leaves your network, blocking unauthorised connection attempts while allowing legitimate business communications. Cyber Essentials expects a boundary firewall (or equivalent) at the internet edge and a software firewall enabled on every in-scope device, including laptops used at home. Change the firewall's default administrative password, and make sure each inbound rule maps to a documented business need rather than being left open by default.

 

Next, tackle secure configuration. Devices come with default settings that prioritise ease-of-use over security. You need to harden these. Disable unnecessary services, remove unnecessary software, and apply security settings that match your risk profile. Practical examples of security controls show what this looks like in real financial services environments.

 

User access control means limiting who can access what. Users should only have permissions they actually need for their role:

 

  • Client-facing staff access client data, not payroll systems

  • Finance teams access accounts, not marketing databases

  • Administrators have a separate standard account for everyday work such as email and web browsing, and use their administrative account only for administrative tasks

  • Remote workers authenticate via multi-factor authentication before gaining access

 

Malware protection requires every in-scope device to be covered. For most firms that means current anti-malware software, actively scanning and updating, on all workstations, laptops and servers. Cyber Essentials also accepts application allow-listing (only approved executables may run) as an alternative on devices where that is practical. What is not acceptable is an in-scope device with neither.

 

Finally, security update management is your continuous control. Software vendors release security patches regularly, and Cyber Essentials sets a hard deadline: updates that fix high or critical vulnerabilities must be applied within 14 days of release. Unpatched software is one of the easiest attack vectors. Establish a schedule for testing and applying patches, including updates to operating systems, applications and firmware, and remove software the vendor no longer supports, since no patch will ever arrive for it.

 

The five core Cyber Essentials controls apply across all your infrastructure, including home working devices and cloud services. This is important because threats do not respect office boundaries.

 

Here is a summary of the five core Cyber Essentials controls and their primary purpose:

 

Control | Main Purpose | Business Impact
Firewalls | Block unauthorised network traffic | Reduces risk of external attacks
Secure configuration | Remove weaknesses from systems | Minimises attack surface
User access control | Restrict access based on need | Limits internal data exposure
Malware protection | Detect and block malicious software | Prevents system compromise
Security update management | Apply updates to eliminate vulnerabilities | Closes known security gaps

You do not need to implement everything simultaneously. Prioritise based on your earlier gap analysis. Address the highest-risk gaps first, then work methodically through the rest.

 

These controls are not about perfection. They are about making attacks so difficult and time-consuming that criminals move on to easier targets.

 

Document what you have implemented, why you made those choices, and how often you will review and update these controls. This documentation proves compliance during assessments.

 

Pro tip: Use configuration management tools or automated patch deployment to reduce manual effort and ensure consistency across all devices, rather than relying on staff to remember updates.

 

Step 3: Document policies and evidence compliance

 

Implementing controls is one thing. Proving you have implemented them is another. Cyber Essentials certification requires clear documentation showing what you have done and why. This is not bureaucracy - it is your evidence that you take security seriously.

 

Start by creating or updating your core security policies. These form the foundation of your compliance story. Your policies should cover what your organisation requires people to do when it comes to security. Think of them as the rules that govern how your team handles systems and data.

 

Your documentation package should include:

 

  • A security policy outlining your approach to protecting information

  • An acceptable use policy defining what employees can and cannot do with company devices and networks

  • An access control policy explaining who gets access to what and how you manage permissions

  • An incident response plan detailing what happens when something goes wrong

  • Asset management records listing all devices and software you own

 

For each security control you have implemented, gather evidence of deployment. This might include screenshots of firewall settings, patch reports showing recent updates, access control listings proving role-based permissions are in place, or antivirus scan logs demonstrating active protection.

 

The evidence does not need to be perfect or exhaustive. It simply needs to show that you have implemented the control and that it is working. Documenting cyber security policies supports both your certification process and audit requirements, giving you proof of effective risk management.

 

Organise your evidence systematically. Create a folder structure matching each Cyber Essentials control. Keep dates, versions, and responsibility owners clear. When an assessor asks “Do you have patch management in place?”, you should be able to pull up documentation in seconds, not hours.

 

Do not overthink this. Assessors expect real organisations with real constraints, not consultancy-grade perfection. Your documentation should reflect your actual practices, not an imaginary ideal version of your firm.

 

Documentation is not decoration. It is the glue that turns effort into proof.

 

Review and update your policies annually or whenever your security posture changes significantly. An outdated policy that nobody follows is worse than no policy at all because it suggests neglect rather than active management.

 

Keep your documentation somewhere accessible to your team but secure from outsiders. A shared drive works fine, but make sure access is restricted and backed up properly.

 

You do not upload all these screenshots and logs with the basic self-assessment submission, but keep them meticulously organised internally. If a certification body spot-checks your answers, or if you move on to the hands-on Cyber Essentials Plus audit, this evidence folder will save you days of scrambling.

 

Pro tip: Create a simple template for recording implementation evidence - including date implemented, who approved it, where it is documented, and when you last verified it is still working - so you can build your compliance file incrementally rather than scrambling at assessment time.

 

Step 4: Verify readiness through internal testing

 

Before you submit your application for certification, you need to know whether your controls actually work. Internal testing catches problems early when you can still fix them, rather than discovering them during the formal assessment.

 

Start with a self-assessment against the Cyber Essentials requirements. Go through each of the five core controls and honestly evaluate whether you have implemented them properly. This is not about perfection. It is about identifying where you have gaps that need attention before an external assessor arrives.

 

Use a structured approach. Internal testing and self-assessment help you verify that firewalls, access controls, malware protection, secure configurations, and security update management are correctly implemented. This process reduces certification audit failures and helps you prioritise which areas need work first.

 

Your testing should cover:

 

  • Firewall verification: Check that firewalls are enabled and properly configured. Can unauthorised traffic be blocked? Are necessary business ports open and unnecessary ones closed?

  • User access control testing: Attempt to access systems as different user roles. Can an accounts clerk access payroll files? Can a junior developer deploy changes to production? If yes to either, you have a problem.

  • Malware protection checks: Verify antivirus or anti-malware solutions are installed, active, and up to date on all devices. Review recent scan logs for any detections.

  • Secure configuration review: Compare your actual device settings against documented baselines. Are unnecessary services disabled? Are security settings hardened as intended?

  • Security update management audit: Generate a report of all installed software and operating systems with their versions. Cyber Essentials requires updates that fix high or critical vulnerabilities to be applied within 14 days of release, so flag any device where such an update has been available for longer than that and is still not installed. Also list any software the vendor no longer supports, which must be removed from in-scope devices.
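As an added example (not part of the original article, and not a Freshcyber tool), the script below runs three of the checks in this list against a small constructed inventory: effective permissions compared with a least-privilege role matrix, the 14-day rule for high and critical security updates, and running services compared with a hardened baseline. Every host, user, package, service and date in it is made up for illustration; in practice you would feed it exports from your directory, patch management tool and configuration baseline.

```python
"""Cyber Essentials internal readiness checks over a constructed inventory.

Three of the Step 4 checks, run against small sample data embedded below:
  - user access control: effective permissions against a least-privilege matrix
  - security update management: the 14-day rule for high/critical updates
  - secure configuration: running services compared with a hardened baseline
All hosts, users, packages, services and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Assumed least-privilege matrix: role -> resources that role needs (hypothetical)
ROLE_MATRIX = {
    "client_advisor": {"crm", "client_docs"},
    "finance": {"accounts", "payroll"},
    "sysadmin": {"server_console", "backup_console"},
}

# Effective permissions as exported from a directory (constructed sample)
OBSERVED_ACCESS = [
    ("alice", "client_advisor", {"crm", "client_docs"}),
    ("bob", "client_advisor", {"crm", "client_docs", "payroll"}),
    ("carol", "finance", {"accounts", "payroll"}),
    ("dave", "sysadmin", {"server_console", "backup_console", "crm"}),
]


@dataclass(frozen=True)
class Package:
    host: str
    name: str
    installed: str
    latest: str
    severity: str   # vendor rating of the vulnerability the update fixes
    released: date  # date the update became available


# Installed software and the latest available update (constructed sample)
PACKAGES = [
    Package("fs01", "openssl", "3.0.13", "3.0.14", "high", date(2024, 6, 4)),
    Package("ws07", "browser", "125.0", "126.0", "critical", date(2024, 6, 20)),
    Package("ws07", "pdf-reader", "11.1", "11.2", "low", date(2024, 5, 1)),
    Package("ws12", "os", "22H2", "22H2", "critical", date(2024, 6, 1)),
]
AUDIT_DATE = date(2024, 6, 30)  # constructed "today" so results are reproducible

# Hardened baseline for a file server versus what is actually running (constructed)
BASELINE_SERVICES = {"sshd", "ntpd", "smbd"}
ACTUAL_SERVICES = {"sshd", "ntpd", "smbd", "telnetd", "vsftpd"}


def access_control_findings(matrix, observed):
    """Accounts holding more than their role needs: (user, role, excess resources)."""
    findings = []
    for user, role, granted in observed:
        excess = granted - matrix.get(role, set())
        if excess:
            findings.append((user, role, sorted(excess)))
    return findings


def overdue_updates(packages, today, window_days=14):
    """Cyber Essentials requires updates that fix high or critical vulnerabilities
    (vendor rating, or CVSS v3 base score of 7.0 or more) to be applied within
    14 days of release. Returns (host, name, latest, age_in_days) for each
    high/critical update still missing after the window has elapsed."""
    overdue = []
    for p in packages:
        if p.installed == p.latest:
            continue  # already on the latest version
        if p.severity.lower() not in ("high", "critical"):
            continue  # lower ratings carry no fixed deadline under Cyber Essentials
        age = (today - p.released).days
        if age > window_days:
            overdue.append((p.host, p.name, p.latest, age))
    return overdue


def config_drift(baseline, actual):
    """Services running that the documented baseline says should be disabled."""
    return sorted(actual - baseline)


def readiness_report(today=AUDIT_DATE):
    """Run all three checks; returns control -> (passed, findings)."""
    access = access_control_findings(ROLE_MATRIX, OBSERVED_ACCESS)
    patches = overdue_updates(PACKAGES, today)
    drift = config_drift(BASELINE_SERVICES, ACTUAL_SERVICES)
    return {
        "user access control": (not access, access),
        "security update management": (not patches, patches),
        "secure configuration": (not drift, drift),
    }


if __name__ == "__main__":
    for control, (passed, findings) in readiness_report().items():
        print(f"{control}: {'PASS' if passed else 'FAIL'}")
        for finding in findings:
            print("   ", finding)
```

Run it and each control prints PASS or FAIL with the specific accounts, packages or services behind a failure, which is exactly the "be specific about what is missing or misconfigured" record the next paragraph asks for. The browser update on ws07 is deliberately still inside its 14-day window, so it is not flagged on the audit date but would be ten days later; rerun the script as part of each monthly review rather than once before submission.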

 

Document what you find. Note which controls are working well and which need improvement. Be specific about what is missing or misconfigured. This transparency shows assessors you take the process seriously.

 

If you discover failures, do not panic. This is the whole point of internal testing. Fix what you find, then test again to confirm the fix worked.

 

The following table offers a comparison of internal testing methods for Cyber Essentials readiness:

 

Method | Focus Area | Benefit
Self-assessment | Policy and control review | Identifies process gaps early
Role-based access tests | Permission enforcement | Reveals excessive access rights
Malware scan review | Endpoint protection | Ensures up-to-date threat coverage
Vulnerability audit | Software currency | Confirms timely vulnerability fixes

Testing before certification is like rehearsing before a performance. You want to stumble now, not on stage.

 

Consider whether you need external help for technical testing. Some organisations conduct vulnerability scans or penetration tests to supplement their internal review. This is optional for basic Cyber Essentials but can strengthen your confidence significantly.

 

Pro tip: Create a simple test log documenting what you tested, when you tested it, what you found, and what you did about it - this becomes valuable evidence for assessors and shows methodical, continuous verification of your security controls.

 

Step 5: Submit for Cyber Essentials certification

 

You have assessed your systems, implemented controls, documented your policies, and tested everything internally. Now comes the moment you have been working towards: submitting your formal application for certification.

 

The submission process is straightforward but requires precision. You will complete an official questionnaire that asks how you meet each of the five core security controls. This is not a test with trick questions. It is a practical form where you describe what you have actually implemented.

 

Your questionnaire should cover:

 

  • How your firewalls are configured and maintained

  • Your approach to securing and hardening device configurations

  • How you manage access permissions across your organisation

  • Your malware protection strategy and current tools

  • Your patch management process and schedule

 

When completing the questionnaire, be honest and specific. Rather than vague answers like “we have good security,” describe actual controls. For example: “We use Windows Defender on all devices with real-time protection enabled, conduct daily scans, and maintain logs of all detections.”

 

Once you have completed the questionnaire, a senior representative of your organisation must review and confirm your answers. Cyber Essentials requires this declaration to be signed at board level (or the equivalent for your firm), so make sure the person signing understands what they are confirming: that the information is accurate and the controls are genuinely in place.

 

Organisations seeking Cyber Essentials certification must submit a self-assessment detailing how they meet the five key security controls. The process involves an official questionnaire and confirmation by a senior representative, followed by review by a certification body.

 

Your submission goes to an approved certification body who will review your answers. They may ask clarifying questions or request additional evidence. Respond promptly and professionally. If they identify gaps, do not become defensive. Work with them constructively to address concerns.

 

Once approved, you receive official certification and are entitled to use the Cyber Essentials logo in your marketing materials and tender documents. This becomes your proof to clients and prospects that you take security seriously.

 

Certification is not the finish line. It is proof that you have a baseline level of security in place right now. The real work is keeping that standard up to date.

 

After certification, your work shifts to maintenance. Keep your controls current, update policies as needed, and conduct annual reviews to confirm everything still works. Your certification typically lasts for one year, after which you will need to renew it.

 

The Final Hurdle: Upgrading to Cyber Essentials Plus. Remember that the self-assessment questionnaire only grants you the basic Cyber Essentials certification. If your procurement contracts demand Cyber Essentials Plus, your basic certification is the prerequisite, and the Plus audit must be completed within three months of passing the questionnaire. An assessor from a certification body will conduct a hands-on technical audit of your systems: an external vulnerability scan of your internet-facing services, an authenticated vulnerability scan of a sample of your devices, tests of your malware protection using safe test files sent by email and downloaded through the browser, and checks that MFA is enforced on your cloud services and that administrator accounts are separated from day-to-day accounts. The point is to confirm that the answers you gave in Step 5 match your technical reality.

 

Pro tip: Before submitting, have someone unfamiliar with your security programme review your questionnaire answers to ensure they are clear and would make sense to an external assessor who does not know your organisation.

 

Take Control of Your Cyber Essentials Journey with Freshcyber

 

Struggling to move from assessing gaps to achieving full Cyber Essentials compliance can feel overwhelming. This article highlights the challenge of not only implementing security controls but also proving compliance through clear documentation and effective internal testing. With goals like establishing strong firewalls, rigorous patch management and robust access control, many UK SMEs need a trusted partner to transform these steps into a confident business asset rather than just ticking boxes.

 

Freshcyber specialises in turning this complex process into a streamlined advantage. Our Cyber Essentials Certification Guide for UK SMEs empowers you with expert support that goes beyond basic compliance. We combine strategic risk management and continuous vulnerability scanning alongside our vCISO-led Compliance Currency Engine to keep your defences strong and your certification valid. Experience proactive 24/7 monitoring and tailored policy management, so you can focus on growth and winning contracts without worrying about security pitfalls.


https://www.freshcyber.co.uk

Ready to make Cyber Essentials compliance your firm’s competitive edge? Visit Freshcyber today to explore how our solutions help you build digital resilience and maintain certification with ease. Learn more about protecting your organisation with our insights on Vulnerability Management, Assessments & Scanning for UK SMEs and practical advice on UK SMEs Cyber Security: Insights & Vulnerabilities. Take the next step to secure your future now.

 

Frequently Asked Questions

 

How do I assess my existing IT systems for Cyber Essentials compliance?

 

To assess your existing IT systems, document all devices, applications, and services currently in use. Conduct a gap analysis to identify vulnerabilities and critical systems that require protection, focusing on those impacting business operations most.

 

What are the five core controls needed for Cyber Essentials?

 

The five core controls are firewalls, secure configuration, user access control, malware protection, and security update management. Implement these controls to create a robust defence against common cyber threats and review their effectiveness regularly.

 

How can I document my security policies for Cyber Essentials?

 

To document your security policies, create a package that includes a security policy, acceptable use policy, access control policy, incident response plan, and asset management records. Organise these documents clearly to ensure they are accessible for audits and compliance checks.

 

What steps should I take for internal testing before certification?

 

For internal testing, perform a self-assessment against the Cyber Essentials requirements, checking each control’s implementation. Test firewalls, access controls, malware protection, secure configurations, and security update management to identify gaps and rectify them before the official submission.

 

How do I complete the Cyber Essentials certification questionnaire?

 

To complete the Cyber Essentials certification questionnaire, provide specific details regarding your implementation of the five core controls. Ensure a senior representative reviews and confirms that all information is accurate before submission to the certification body.

 

What should I do after achieving Cyber Essentials certification?

 

After achieving Cyber Essentials certification, maintain your security controls and policies by reviewing them annually or whenever changes occur. Keep your security posture current to ensure continued compliance and protection against emerging threats.

 
