Cyber Essentials certification has become a prerequisite for many UK businesses, especially those tendering for government contracts or handling sensitive data. But knowing you need the certification and actually being ready for the audit are two very different things.
The truth is, many businesses fail their first assessment simply because they don't know what assessors are actually looking for. The certification covers five core technical controls (firewalls, secure configuration, user access control, malware protection and security update management), but within those areas there are dozens of specific implementation details that can make or break your audit.
If you're planning to pursue Cyber Essentials this year, here are the 10 things assessors scrutinise most closely, and what you need to do to pass. One point of terminology first: the basic certification is a self-assessment questionnaire verified by a certification body, while the hands-on checks described below (vulnerability scans, malware test files, credentialed checks on sampled devices) are part of the Cyber Essentials Plus audit. The controls are the same for both; Plus tests that they are really in place.
1. Firewall Configuration and Boundary Protection
Assessors start by examining your perimeter defences. They'll review your firewalls, routers and gateway devices to confirm they're properly configured with secure settings. Specifically, they're checking that you've implemented a "deny-all" rule as your default position, meaning all inbound traffic is blocked unless explicitly permitted. Devices that leave the office, such as laptops used at home or on public Wi-Fi, must run a host-based software firewall as well, because the office boundary does nothing for them once they're off the network.
This isn't just about having a firewall installed. Assessors want documented evidence of your firewall rules, including which ports are open, why they're open, who approved them and what traffic is allowed through. If your firewall settings are inconsistent or poorly documented, expect pushback.
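One way to produce that evidence on a Windows host, as an added example (not code from the original article): a PowerShell script that checks every Windows Defender Firewall profile defaults to blocking inbound traffic and exports the enabled inbound allow rules with their ports and remote-address scope. It assumes Windows 10/11 or Server 2016 and later, where the NetSecurity cmdlets are built in; the evidence folder path is an assumption.

```powershell
# Added example: audit Windows Defender Firewall for a default-deny inbound posture
# and export the enabled inbound allow rules as evidence for the assessor.
# Assumes Windows 10/11 or Server 2016+ (built-in NetSecurity module); run elevated.

# 1. Every profile (Domain, Private, Public) must be on with DefaultInboundAction = Block.
$profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
$profiles | Format-Table -AutoSize

$nonCompliant = @($profiles | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ('Profiles not in a default-deny state: ' + ($nonCompliant.Name -join ', '))
} else {
    Write-Host 'All firewall profiles are enabled with default inbound action = Block'
}

# 2. Enumerate the exceptions: every enabled inbound rule that allows traffic, with
#    protocol, local port, remote-address scope and the profiles it applies to.
#    The assessor will ask why each one exists, so a Justification column is left
#    for the rule owner to complete.
$allowRules = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Profile       = [string]$rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
        Justification = ''   # business reason and approver, to be filled in
    }
}

# 3. Highlight the rules most likely to draw questions: any port, any remote address,
#    or exposed on the Public profile.
$allowRules | Where-Object {
    $_.LocalPort -eq 'Any' -or $_.RemoteAddress -eq 'Any' -or $_.Profile -match 'Public|Any'
} | Format-Table Name, Profile, Protocol, LocalPort, RemoteAddress -AutoSize

# 4. Save the full rule set as audit evidence (folder path is an assumption).
$evidenceDir = Join-Path $env:USERPROFILE 'CE-Evidence'
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null
$allowRules | Export-Csv -Path (Join-Path $evidenceDir 'inbound-allow-rules.csv') -NoTypeInformation
```

Run it from an elevated prompt on a sample of devices. The boundary device itself (the router or hardware firewall) has to be checked in its own management interface, but the questions are the same: what is the default action, and which inbound services are open, to whom, and why.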

2. Removal of Unnecessary Software and Services
One of the most common audit failures happens here. Assessors conduct detailed configuration audits to verify that unnecessary applications, browser plugins and system services have been removed or disabled across your estate.
Every piece of software on your network adds to your attack surface. If you're running applications you don't need, especially older versions with known security flaws, assessors will flag it. This includes default applications that ship with operating systems but serve no business purpose, and user accounts (guest or old vendor accounts, for example) that are no longer needed.
3. Default Password Changes
It sounds basic, but you'd be surprised how many organisations fail on this point. Assessors check that all default passwords on routers, firewalls, admin accounts and any other in-scope device have been changed to strong, unique credentials.
If you're still using "admin/admin" or the manufacturer's default password on any device connected to your network, you'll fail this requirement immediately. Record that each default credential has been changed (the fact of the change and who made it, not the new password itself), and ensure your team follows a consistent password policy.
4. Auto-Run and Auto-Play Disabling
Assessors verify that auto-run and AutoPlay features for removable media and network drives are disabled across all user devices. This prevents malicious code from executing automatically when USB drives or external storage devices are connected.
This control is often overlooked during internal IT reviews, but it's a core requirement. Configure Group Policy Objects (GPOs) in your Windows environment to enforce this setting organisation-wide, confirm on a sample of devices that the policy has actually applied, and document the implementation.
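An added example (not from the original article) of the check an assessor effectively performs on a sampled device: read back the registry values that the two AutoPlay GPO settings write, compare them with the expected values, and show which GPOs delivered them. The registry key and values are the documented Windows policy locations; the rest of the script is this example's own.

```powershell
# Added example: verify the AutoPlay/AutoRun policy has actually applied on a device.
# The GPO settings under Computer Configuration > Administrative Templates >
# Windows Components > AutoPlay Policies:
#   "Turn off AutoPlay" = Enabled, All drives
#   "Set the default behavior for AutoRun" = Do not execute any autorun commands
# write the two values below under the machine policy key. Checking them on a sample
# of devices proves the GPO is applied, not merely defined in the console.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$expected = [ordered]@{
    NoDriveTypeAutoRun = 255   # 0xFF: AutoPlay disabled for every drive type
    NoAutorun          = 1     # never execute autorun.inf commands
}

$results = foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    [pscustomobject]@{
        Setting   = $name
        Expected  = $expected[$name]
        Actual    = $shown
        Compliant = ($actual -eq $expected[$name])
    }
}
$results | Format-Table -AutoSize

# Show which GPOs are applied to this computer, so the evidence ties the registry
# values back to policy rather than to a one-off manual edit.
gpresult /scope:computer /r | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,10

if ($results.Compliant -contains $false) {
    Write-Warning 'AutoRun/AutoPlay is not fully disabled. Fix the GPO, then run gpupdate /force on the device.'
    # Local fallback for a device that is not domain-joined; domain members should
    # receive this from the GPO, and a manual edit there would be overwritten anyway.
    # Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 255 -Type DWord
    # Set-ItemProperty -Path $key -Name NoAutorun          -Value 1   -Type DWord
}
```

Keep the output for a handful of devices from different OUs with your GPO export; together they show both that the policy exists and that it reaches the endpoints.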

5. Patch Management and Security Updates
Vulnerability scanning is a major component of the audit. Assessors run scans on internet-facing systems, user devices and servers to identify software without the latest security patches.
You need a robust patch management process that ensures operating systems, applications, web browsers and plugins are updated within 14 days of a patch being released where the vulnerability it fixes is rated critical or high (CVSS v3 score of 7.0 or above). Software the vendor no longer supports cannot be patched at all and must be removed from in-scope devices. Any critical vulnerabilities discovered during the scan must be remediated before certification can be granted.
For businesses with field-based teams working on phones and tablets (inventory clerks using a service such as propertyinventoryclerks.co.uk, for example), it's particularly important that those mobile devices are included in your patching schedule. Remote workers and distributed teams add complexity, but they can't be left out of scope.
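An added example (not from the original article): the same question the assessor's scan asks, put to the Windows Update Agent on a single device. It lists updates that are available but not installed, how long each has been available, and whether it falls outside the 14-day window. The calls are the standard Windows Update Agent COM interface; the mapping from Microsoft's severity rating to the scheme's CVSS threshold is an approximation, noted in the comments.

```powershell
# Added example: find Windows updates that are still missing and have been available
# for longer than the 14-day window the scheme allows. Uses the Windows Update Agent
# COM API, so it reflects whatever update source the device uses (Microsoft Update,
# WSUS or Intune). Run elevated.
$windowDays = 14
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# IsInstalled=0: not yet applied; IsHidden=0: not deliberately suppressed by an admin.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = foreach ($u in $result.Updates) {
    $age = (Get-Date) - $u.LastDeploymentChangeTime
    [pscustomobject]@{
        KB        = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Title     = $u.Title
        Severity  = $u.MsrcSeverity   # Microsoft's rating; the scheme's test is CVSS v3 >= 7.0,
                                      # which Critical/Important updates almost always meet
        Published = $u.LastDeploymentChangeTime.ToString('yyyy-MM-dd')
        AgeDays   = [int]$age.TotalDays
        Overdue   = ($age.TotalDays -gt $windowDays -and $u.MsrcSeverity -in 'Critical','Important')
    }
}

$pending | Sort-Object AgeDays -Descending | Format-Table KB, Severity, AgeDays, Overdue, Title -AutoSize

$overdue = @($pending | Where-Object Overdue)
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) update(s) past the $windowDays-day window: this device would fail the scan."
} else {
    Write-Host "No Critical/Important updates older than $windowDays days are outstanding."
}
```

Windows Update only covers Microsoft products and drivers. Browsers, plugins and other third-party applications need their own check (for example `winget upgrade` on Windows 10/11, or the report from your RMM or patching tool), and the same 14-day clock applies to them.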
6. Active Malware Protection
Assessors don't just check whether you've installed antivirus software. They actively test it using harmless test files (the EICAR test string, which every mainstream product is designed to detect) to confirm it's functioning correctly and blocking threats in real time.
Your anti-malware solution must be active on all in-scope devices, configured to scan regularly and set to update its definitions automatically. Assessors will also verify that protection covers servers, including file servers, and not just user endpoints; scanning at the email gateway is a useful extra layer but does not substitute for protection on the devices themselves.
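An added example (not from the original article) that reproduces the assessor's test on a Windows device running Microsoft Defender: confirm the engine and real-time protection are on and signatures are current, write the public EICAR test string to disk and check that it is blocked, then pull the detection from Defender's history as evidence. The Defender cmdlets are Microsoft's; the file location and the short wait are this example's choices.

```powershell
# Added example: reproduce the assessor's malware-protection test on a Windows device
# running Microsoft Defender. The EICAR string is harmless by design and is the
# industry-standard way to confirm an engine is actually scanning.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled     = $status.AntivirusEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    SignatureAgeDays     = $status.AntivirusSignatureAge
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
} | Format-List

if (-not $status.RealTimeProtectionEnabled) { Write-Warning 'Real-time protection is OFF' }
if ($status.AntivirusSignatureAge -gt 1)     { Write-Warning 'Signatures are more than a day old' }

# The EICAR string is split in two so this script file is not itself quarantined
# when saved to disk; the full 68-byte string only exists in memory.
$eicar    = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'
$testFile = Join-Path $env:TEMP 'eicar-test.com'

try {
    # -NoNewline keeps the file byte-exact, which the signature match relies on.
    Set-Content -Path $testFile -Value $eicar -Encoding ASCII -NoNewline
    Start-Sleep -Seconds 5   # give real-time protection a moment to act on the new file
} catch {
    # A refused write is itself a pass: the engine intercepted the file on creation.
    Write-Host "Write blocked by AV: $($_.Exception.Message)"
}

if (Test-Path $testFile) {
    Write-Warning "EICAR file still present at $testFile - real-time protection did not block it"
    Remove-Item $testFile -Force
} else {
    Write-Host 'EICAR file blocked or removed: real-time protection is working'
}

# Evidence: the detection should appear in Defender's threat history.
Get-MpThreatDetection | Where-Object { $_.Resources -match 'eicar' } |
    Select-Object InitialDetectionTime, ProcessName, Resources | Format-Table -AutoSize
```

If you run a different product, the same test applies: write the string, confirm the file is blocked or quarantined, and capture the detection record from the console. Do it on a server as well as a laptop, since that is exactly the gap assessors look for.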

7. Multi-Factor Authentication (MFA) Enforcement
This is increasingly becoming a sticking point for organisations. Assessors verify that MFA is correctly enforced, particularly for cloud services like Microsoft 365, email and remote access systems.
It's not enough to have MFA available: it must be mandatory for every user of every in-scope cloud service that supports it, and for all administrative accounts. If you've exempted certain user accounts, left MFA optional, or rely on people registering when they happen to be prompted, you'll likely fail this requirement; the test is whether anyone can still sign in with a password alone. Ensure MFA is enforced on admin accounts, cloud platforms and any system accessible from outside your network perimeter.
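An added example (not from the original article) for a Microsoft 365 tenant: a PowerShell report of users who are not MFA-capable, admins first, followed by the enabled Conditional Access policies that require MFA and the exclusions they carve out, plus the Security Defaults state. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules) and an account permitted to read sign-in reports and policies; the scopes requested are this example's assumption.

```powershell
# Added example: MFA readiness report for a Microsoft 365 / Entra ID tenant.
# Assumes the Microsoft Graph PowerShell SDK is installed:
#   Install-Module Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns
# Registration is a prerequisite, not proof of enforcement; enforcement comes from
# Conditional Access or Security Defaults, which the second half of the script checks.
Connect-MgGraph -Scopes 'AuditLog.Read.All','UserAuthenticationMethod.Read.All','Policy.Read.All' -NoWelcome

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$report  = $details | Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable,
    @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } }

# A user who is not MFA-capable will still be let in on a password alone even where a
# policy requires MFA, because there is nothing to challenge them with.
$gaps = @($report | Where-Object { -not $_.IsMfaCapable } | Sort-Object IsAdmin -Descending)
'{0} of {1} users are not MFA-capable ({2} of them admins)' -f $gaps.Count, @($report).Count,
    @($gaps | Where-Object IsAdmin).Count
$gaps | Format-Table -AutoSize

# Enforcement: enabled Conditional Access policies that require MFA, showing whether
# they cover all users and who is excluded. Every exclusion is a question the assessor will ask.
Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
} | ForEach-Object {
    [pscustomobject]@{
        Policy        = $_.DisplayName
        IncludeUsers  = ($_.Conditions.Users.IncludeUsers -join ',')   # 'All' is what you want to see
        ExcludeUsers  = ($_.Conditions.Users.ExcludeUsers -join ',')
        ExcludeGroups = ($_.Conditions.Users.ExcludeGroups -join ',')
    }
} | Format-Table -AutoSize

# Tenants without Conditional Access licensing rely on Security Defaults instead.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($defaults.IsEnabled)"
```

Read the two halves together: an enforcing policy with no exclusions and zero users who are not MFA-capable is what passes. A policy scoped to "All users" with a break-glass account excluded is common and defensible if you can show the account is monitored and its credential is stored offline; an exclusion group containing half the sales team is not.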
8. User Access Control and Administrative Privileges
Assessors check that administrative accounts are separate from standard user accounts. This means your IT team should have two accounts: one for daily work and a separate, elevated account for administrative tasks. The elevated account must not be used for email, web browsing or other day-to-day activity, since those are exactly the channels through which malware arrives.
They'll also verify that users only have access to the systems and data they need to do their jobs, nothing more. Over-privileged accounts represent significant risk, and assessors will identify them quickly. Review your Active Directory group membership (Domain Admins and local Administrators in particular), check permissions on shared drives, and implement role-based access control (RBAC) where possible.
9. Internet-Facing Systems and Vulnerability Scanning
Every system exposed to the internet will be scanned for known vulnerabilities. This includes web servers, VPN gateways, email servers, and any cloud-hosted applications.
Assessors use credentialed scans to dig deeper into sampled user devices and servers, checking for insecure configurations and compliance with password policies. If your external-facing systems have unpatched vulnerabilities or weak configurations, they'll be flagged immediately.
Make sure you've conducted your own vulnerability assessments before the audit. Use tools like Nessus, Qualys or OpenVAS (now Greenbone) to identify issues proactively, and remediate them before an assessor finds them.

10. Device Inventory and Compliance Documentation
Finally, assessors expect you to maintain a documented inventory of all devices connected to your network. This includes desktops, laptops, servers, mobile devices, tablets, IoT devices, and network equipment.
Your inventory should detail which devices are in scope for Cyber Essentials, their operating systems, who's responsible for them, and their compliance status. If you can't produce an accurate inventory on demand, you're not ready for the audit.
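An added example (not from the original article): a PowerShell script that builds a first-cut inventory from Active Directory and flags what would not survive an audit, namely devices on operating systems that no longer receive security updates, and computer accounts nobody has logged on to for months. It assumes the RSAT ActiveDirectory module and a populated ManagedBy attribute; the list of unsupported OS versions and the 90-day staleness threshold are this example's assumptions and need maintaining.

```powershell
# Added example: first-cut device inventory from Active Directory, with the two
# findings that most often surface at audit: unsupported operating systems and
# stale computer accounts that were never decommissioned. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

# Operating systems no longer receiving security updates. This list is an assumption
# you must keep current; AD cannot tell you a version is out of support.
$unsupportedPatterns = @('Windows XP', 'Windows 7', 'Windows 8', 'Server 2008', 'Server 2012')
$staleDays = 90   # no logon in this long: decommission it, or bring it back into scope and patch it

$inventory = Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, ManagedBy, Description |
    ForEach-Object {
        $c = $_
        $unsupported = [bool]($unsupportedPatterns | Where-Object { $c.OperatingSystem -like "*$_*" })
        $stale = ($null -eq $c.LastLogonDate) -or ($c.LastLogonDate -lt (Get-Date).AddDays(-$staleDays))
        $issue = if ($unsupported) { 'Unsupported OS' } elseif ($stale) { 'Stale account' } else { '' }
        [pscustomobject]@{
            Device    = $c.Name
            OS        = $c.OperatingSystem
            OSVersion = $c.OperatingSystemVersion
            LastLogon = $c.LastLogonDate
            Owner     = $c.ManagedBy      # populate this attribute: assessors ask who is responsible
            InScope   = -not $stale       # working assumption: anything active in the last 90 days
            Issue     = $issue
        }
    }

$inventory | Sort-Object Issue -Descending | Format-Table -AutoSize
$inventory | Export-Csv -Path '.\device-inventory.csv' -NoTypeInformation

$problems = @($inventory | Where-Object { $_.Issue -ne '' })
"{0} of {1} devices need attention before the audit" -f $problems.Count, @($inventory).Count
```

AD only sees domain-joined Windows machines. Phones, tablets, IoT devices and network kit have to come from your MDM (Intune or equivalent) export, your switch and firewall configs, or a physical walk-round, and the merged list is the inventory you hand over.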
This is also where cloud services come into play. Cloud services you use are in scope, and assessors will review their security settings against the same five controls, with MFA and access control the most common failure points. Document which cloud services you're using, how they're configured and who has access.
What Happens If You Don't Pass?
If assessors identify non-compliance issues during your audit, you'll have 30 days to resolve them before you can achieve certification. Once certified, your Cyber Essentials status remains valid for 12 months, after which you'll need to be reassessed.
It's worth noting that failing the initial audit isn't uncommon, but it delays your certification timeline and can impact business opportunities. Prevention is far better than remediation.
Getting It Right the First Time
Preparing for a Cyber Essentials audit doesn't have to be overwhelming, but it does require attention to detail and a systematic approach. Many businesses underestimate the scope of work involved, particularly if their IT infrastructure has grown organically without consistent security policies.
If you're unsure whether your organisation is ready, or if you need support implementing the technical controls required for certification, it's worth getting expert guidance. Book a discovery call with us to discuss your current security posture and what needs to happen before your audit.
The assessors aren't there to catch you out; they're verifying that you've implemented basic but essential security controls. With proper preparation and documentation, passing your Cyber Essentials audit becomes far more straightforward.
Start with these 10 areas, close the gaps, and you'll be well-positioned to achieve certification when the audit comes around.