Cyber Essentials Checklist

Basic Technical Controls Checklists

Firewalls

1. Boundary Definition & Documentation

  • Create a Boundary Register: Document every physical and virtual exit point (ISP lines, 4G backups, SD-WAN, and Cloud VNETs). You cannot protect what isn’t on the map.
  • Scope Confirmation: Mark which boundaries are “Managed” (Corporate Office) vs. “Third-Party” (Staff Homes). For staff homes, the boundary shifts to the Software Firewall on the device.

2. Inbound Control (The “Default Deny” Rule)

  • Apply “Deny All” Inbound: Verify that your firewall is configured to drop all unsolicited traffic by default.
  • Map Open Ports to Owners: Create a spreadsheet of every open inbound port (e.g., Port 443). Each must have a named Business Owner and a documented reason for being open.
  • Disable UPnP: Audit router settings to ensure Universal Plug and Play is disabled; this prevents internal apps from opening holes in the perimeter without IT’s knowledge.

3. Management & Access Hygiene

  • Rotate Administrative Credentials: Change all factory-default passwords on networking gear to unique, complex strings managed in a Password Vault.
  • Kill Remote Admin Interfaces: Disable web/SSH management access from the WAN side. If remote management is essential, enforce an IP Allow-list and MFA.
  • Secure VPNs: Ensure all VPN tunnels use MFA. If using RDP, it must be behind a VPN or Gateway—never exposed directly to the internet.

4. Lifecycle & Patching (The “14-Day” Rule)

  • Establish Patching Alerts: Sign up for vendor security bulletins. You must have a process to apply “Critical” or “High” firmware updates within 14 days of release.
  • Hardware Retirement Audit: Identify “End of Life” (EoL) hardware. If the vendor no longer releases security patches, the device must be replaced to pass CE+.

5. Internal Segmentation (Enhanced)

  • Isolate Guest Wi-Fi: Physically or logically (VLAN) separate guest/IoT traffic from the corporate data environment.
  • Software Firewall Enforcement: Use Group Policy (GPO) or MDM to ensure local firewalls are “Always On” and cannot be disabled by standard users.

6. Validation

  • Conduct a “Point-in-Time” Port Scan: Use a tool (e.g., Nmap or an external scanner) to verify that only your documented ports are actually visible to the internet.
  • Rule Cleanup: Remove any firewall rules associated with decommissioned servers or finished projects.
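The validation step above is easiest to make repeatable by reconciling the scan result against the port register from section 2. Added example, not from the checklist: the register, the hosts (documentation address range) and the Nmap grepable output are all constructed sample data.

```python
"""Reconcile an external port scan against the documented open-port register.
Added example, not from the checklist: the register and scan output are
constructed sample data in the documentation address range; real input would
be your port spreadsheet and an Nmap grepable (-oG) export or scanner report.
"""
import re

# Constructed register: (host, "port/proto") -> (business owner, reason)
PORT_REGISTER = {
    ("203.0.113.10", "443/tcp"): ("Web Team", "Public website"),
    ("203.0.113.10", "25/tcp"): ("IT", "Inbound mail relay"),
    ("203.0.113.20", "443/tcp"): ("IT", "VPN gateway"),
    ("203.0.113.20", "22/tcp"): ("IT", "Admin SSH for a finished migration"),
}

# Constructed Nmap -oG lines; each port is port/state/proto/owner/service/rpc/version/
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 203.0.113.20 ()\tPorts: 443/open/tcp//https///, 22/filtered/tcp//ssh///
Host: 203.0.113.30 ()\tPorts: 3389/open/tcp//ms-wbt-server///
"""

_HOST_RE = re.compile(r"^Host: (\S+) .*?Ports: (.*)$")

def parse_open_ports(grepable):
    """Return the set of (host, "port/proto") the scan reports as open."""
    found = set()
    for line in grepable.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            port, state, proto = entry.strip().split("/")[:3]
            if state == "open":  # filtered/closed ports are not exposures
                found.add((host, f"{port}/{proto}"))
    return found

def reconcile(register, scan_output):
    """Return (undocumented, not_seen): open ports with no owner on file, and
    registered ports the scan no longer sees (candidates for rule cleanup)."""
    observed = parse_open_ports(scan_output)
    undocumented = sorted(observed - set(register))
    not_seen = sorted(set(register) - observed)
    return undocumented, not_seen
```

Every entry in `undocumented` needs a named owner or a firewall change; every entry in `not_seen` is a rule to review for cleanup.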

Secure Configuration

1. Account Separation & Privilege Management

  • Enforce Administrative Separation: Ensure all IT staff have two distinct accounts: a Standard Account for daily tasks (email/web) and a Privileged Account used only for admin duties.
  • Remove Local Admin Rights: Audit all end-user devices to ensure standard users do not have local administrative privileges. Any software installation must require elevated credentials.
  • Disable Default Accounts: Rename or disable “Guest” and built-in “Administrator” accounts on all workstations and servers.

2. Device Hardening

  • Disable Auto-Run/Auto-Play: Use Group Policy (GPO) or MDM to prevent files from executing automatically from USB drives, network shares, or external media.
  • Remove “Bloatware” & Unused Services: Uninstall any pre-installed software, trialware, or OS features that serve no business purpose. If it isn’t needed, it shouldn’t be installed.
  • Establish Secure Baselines: Document a “Gold Image” or standard configuration build for every device type (e.g., Windows Laptop, MacBook, Server). Use a checklist to ensure every new build is consistent.

3. Authentication & Brute-Force Protection

  • Set Lockout Thresholds: Configure all devices to lock out or throttle the login process after no more than 10 failed attempts.
  • Audit Password/PIN Complexity: Enforce a minimum 6-digit/character PIN for mobile/biometric-enabled devices. For password-only logins, ensure a minimum of 8 characters with a deny-list or 12 characters.
  • Configure Automatic Screen Locks: Set devices to automatically lock the screen after a period of inactivity (typically 5–15 minutes).
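The thresholds in sections 1 to 3 above (local admin rights, auto-run, 10-attempt lockout, 8-with-deny-list or 12-character passwords, 5 to 15 minute screen lock) can be checked mechanically against an MDM or GPO export. Added example, not from the checklist: the two profiles are constructed sample data and the field names are placeholders.

```python
"""Check exported device profiles against the secure-configuration thresholds
(lockout, password/PIN length, screen lock, local admin rights, autorun).

Added example, not from the checklist: the profiles are constructed sample
data standing in for an MDM/GPO export and the field names are placeholders.
"""

PROFILES = {  # constructed: one gold build, one that has drifted
    "GOLD-WIN-LAPTOP": {
        "lockout_threshold": 10, "min_password_len": 12, "deny_list": False,
        "mfa": False, "screen_lock_minutes": 10, "autorun_disabled": True,
        "local_admins": ["it.localadmin"],
    },
    "DRIFTED-WIN-LAPTOP": {
        "lockout_threshold": 0, "min_password_len": 8, "deny_list": False,
        "mfa": False, "screen_lock_minutes": 30, "autorun_disabled": False,
        "local_admins": ["it.localadmin", "jsmith"],
    },
}

def password_rule_met(p):
    """8+ characters with a deny-list, or 12+ characters; MFA also satisfies it."""
    return p["mfa"] or p["min_password_len"] >= 12 or (
        p["min_password_len"] >= 8 and p["deny_list"])

def check_profile(p, approved_admins=("it.localadmin",)):
    """Return the findings for one profile; an empty list means compliant."""
    findings = []
    if not 1 <= p["lockout_threshold"] <= 10:  # 0 means lockout disabled
        findings.append("lockout threshold must be 1-10 failed attempts")
    if not password_rule_met(p):
        findings.append("password length/deny-list rule not met")
    if not 1 <= p["screen_lock_minutes"] <= 15:
        findings.append("screen lock must trigger within 15 minutes")
    if not p["autorun_disabled"]:
        findings.append("autorun/autoplay still enabled")
    extra = sorted(set(p["local_admins"]) - set(approved_admins))
    if extra:
        findings.append("standard users hold local admin: " + ", ".join(extra))
    return findings

def drifted_devices(profiles):
    """Map device name -> findings for every profile that is not compliant."""
    drifted = {}
    for name, profile in profiles.items():
        findings = check_profile(profile)
        if findings:
            drifted[name] = findings
    return drifted
```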

4. Encryption & Data Protection

  • Mandate Mobile Encryption: Verify that encryption is active on 100% of smartphones and tablets. This is usually triggered once a secure passcode is set.
  • Deploy Laptop Encryption (Enhanced): Enable BitLocker (Windows) or FileVault (macOS) across the portable fleet. Store recovery keys securely in a central location (e.g., Active Directory or MDM).

5. Remote Management & Monitoring

  • Disable Unnecessary Remote Ports: Ensure legacy protocols like Telnet or VNC are disabled. Use secure methods like SSH or RDP (protected by VPN/MFA) only where required.
  • Implement Centralised Management: Use an MDM (e.g., Microsoft Intune, Jamf, or NinjaOne) to push these configurations and monitor for “configuration drift” where a device falls out of compliance.

6. Asset Lifecycle

  • Decommissioning Process: Document a process for securely wiping data and revoking access permissions when a device is retired or an employee leaves the business.
  • Asset Register Mapping: Ensure every device’s secure configuration status is linked to its entry in your hardware asset register.

Security Update Management

1. Asset & Software Discovery

  • Comprehensive Inventory: Maintain an accurate list of all hardware and software in your estate. You cannot patch what you do not track.
  • Identify “In-Scope” Software: Ensure all operating systems, web browsers, office suites, and email clients are identified for automated patching.
  • Identify IoT/Firmware: List all network-connected hardware (printers, firewalls, Wi-Fi points) that require manual or automated firmware updates.

2. The 14-Day Enforcement (Mandatory)

  • Critical/High Patch Tracking: Establish a process to monitor vendor security bulletins (e.g., Microsoft’s “Patch Tuesday”).
  • 14-Day Compliance Window: Ensure all updates marked as “Critical” or “High” (or with a CVSS score of 7.0+) are applied to all devices within 14 calendar days of release.
  • Emergency Patching Policy: Document a fast-track process for “Zero-Day” vulnerabilities that require immediate action outside of your normal monthly cycle.

3. Operating System & Application Updates

  • Enable Automatic Updates: Where centralised management is absent, ensure “Automatic Updates” are toggled on for all Windows, macOS, iOS, and Android devices.
  • Third-Party App Patching: Ensure common apps like Chrome, Adobe Reader, and Zoom are included in your patching cycle, as these are often overlooked.
  • Mobile App Management: If using personal devices for work (BYOD), ensure work-related apps (Outlook, Teams) are updated via an MDM or App Store.

4. Unsupported (End-of-Life) Software

  • Identify EoL Software/OS: Audit your estate for versions that no longer receive security updates from the manufacturer (e.g., Windows 7, older macOS versions, or Office 2013).
  • Removal or Upgrade: Ensure any unsupported software is uninstalled or upgraded immediately. An auditor finding a single EoL application is an automatic fail.

5. Verification & Tooling

  • Centralised Patch Reporting: Use a tool (e.g., Microsoft Intune, WSUS, or an RMM platform) to generate reports showing the current patch status of all devices.
  • Audit Failed Patches: Regularly check for devices that have “stuck” updates. A device that hasn’t rebooted in a month is likely non-compliant.
  • External Vulnerability Scanning (Enhanced): Periodically run an external scan of your network boundary to ensure your firewall and public-facing services have the latest security patches applied.
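The 14-day window from section 2 and the stuck-update check from section 5 both reduce to the same calculation over a patch-status export. Added example, not from the checklist: the inventory is constructed sample data standing in for an Intune, WSUS or RMM report, and the patch IDs are placeholders.

```python
"""Check a patch-status export against the 14-day rule for Critical/High (or
CVSS 7.0+) updates and flag devices that have not rebooted in a month. Added
example, not from the checklist: the inventory is constructed sample data
standing in for an Intune/WSUS/RMM report, and the patch IDs are placeholders.
"""
from datetime import date, timedelta
WINDOW = timedelta(days=14)
AS_OF = date(2024, 6, 3)  # constructed report date

INVENTORY = {  # constructed
    "LAPTOP-01": {"last_reboot": date(2024, 5, 20), "patches": [
        {"id": "PATCH-A", "severity": "Critical", "cvss": 9.8,
         "released": date(2024, 5, 14), "installed": date(2024, 5, 20)},
        {"id": "PATCH-B", "severity": "Moderate", "cvss": 5.3,
         "released": date(2024, 4, 9), "installed": None},
    ]},
    "SERVER-02": {"last_reboot": date(2024, 4, 1), "patches": [
        {"id": "PATCH-A", "severity": "Critical", "cvss": 9.8,
         "released": date(2024, 5, 14), "installed": None},
        {"id": "PATCH-C", "severity": "Important", "cvss": 7.8,
         "released": date(2024, 4, 9), "installed": date(2024, 5, 1)},
    ]},
}

def in_scope(patch):
    """Vendor Critical/High, or CVSS 7.0 and above, falls under the rule."""
    return patch["severity"].lower() in ("critical", "high") or patch["cvss"] >= 7.0

def check_device(device, as_of):
    """Return overdue/late in-scope patch IDs and a stale-reboot flag."""
    overdue, late = [], []
    for patch in device["patches"]:
        if not in_scope(patch):
            continue
        due = patch["released"] + WINDOW
        if patch["installed"] is None:
            if as_of > due:
                overdue.append(patch["id"])  # still missing past its deadline
        elif patch["installed"] > due:
            late.append(patch["id"])  # applied, but outside the 14 days
    stale = (as_of - device["last_reboot"]).days > 30
    return {"overdue": overdue, "late": late, "stale_reboot": stale}

def non_compliant(inventory, as_of=AS_OF):
    """Sorted names of devices with an overdue or late patch or a stale reboot."""
    return sorted(name for name, dev in inventory.items()
                  if any(check_device(dev, as_of).values()))
```

Note that PATCH-C is caught by its CVSS score even though the vendor label is not “Critical” or “High”, which is the case the 7.0+ clause exists for.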

6. Governance

  • Documented Patch Policy: Create a simple internal policy stating that the business commits to the 14-day rule. This demonstrates the “security culture” to an auditor.
  • Asset Decommissioning: Ensure that when a device is “retired,” it is removed from your update reports so it doesn’t skew your compliance data.

User Access Control

1. Identity & Account Management

  • Unique User Identification: Ensure every staff member has their own individual account. Generic or shared accounts (e.g., [email protected] or reception) must be disabled or replaced with individual logins.
  • Account Provisioning Process: Implement a formal “joiners” process where access is only granted based on a specific business request and approved by the relevant department head.
  • Prompt Account Revocation: Document a “leaver” process to disable all user accounts and remote access (VPN/SaaS) immediately upon the termination of employment.

2. Privilege Management (Administrative Access)

  • Enforce Local Admin Restrictions: Audit all workstations to ensure standard users do not have local administrative rights. Users should not be able to install software or bypass security settings.
  • Separate Admin Accounts: Ensure IT staff use a standard account for daily tasks (email/web) and a separate, dedicated “admin” account for technical changes.
  • Inventory of Privileged Accounts: Maintain a list of all “Global Admin,” “Domain Admin,” and “Super User” roles. This list should be kept to the absolute minimum required for the business to function.

3. Review & Audit Hygiene

  • Regular Access Reviews: Conduct a formal review (at least every 6 months) of all user permissions to identify and remove “privilege creep”—access that is no longer required for a user’s current role.
  • Specialist Access Review: Periodically audit access to sensitive data areas (e.g., Finance or HR folders) to ensure only authorised personnel have “read/write” permissions.

4. External & Third-Party Access

  • Guest Account Management: Disable all guest accounts on the network. For external contractors, provide a unique account with a set expiry date.
  • Third-Party MFA: Ensure any external vendors or partners accessing your network (e.g., for software support) are forced to use Multi-Factor Authentication (MFA).
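The leaver check from section 1, the privileged-account inventory from section 2, the six-monthly privilege-creep review from section 3 and the contractor expiry rule from section 4 can all be run as one pass over a directory export joined to the HR feed. Added example, not from the checklist: the accounts, groups and approved inventory are constructed sample data and every name is a placeholder.

```python
"""Access-review checks: leavers still enabled, contractor accounts with no
expiry or past it, and privileged roles held outside the approved inventory.
Added example, not from the checklist: the directory export and approved
inventory are constructed sample data and every name is a placeholder.
"""
from datetime import date

REVIEW_DATE = date(2024, 6, 3)  # constructed review date
PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrators"}
APPROVED_PRIVILEGED = {"adm.jsmith": {"Domain Admins"}}  # who may hold what

ACCOUNTS = [  # constructed directory export joined with the HR leaver feed
    {"user": "jsmith", "enabled": True, "groups": {"Staff"},
     "kind": "staff", "expires": None, "hr_status": "active"},
    {"user": "adm.jsmith", "enabled": True, "groups": {"Domain Admins"},
     "kind": "staff", "expires": None, "hr_status": "active"},
    {"user": "adm.pjones", "enabled": True,
     "groups": {"Domain Admins", "Global Administrators"},
     "kind": "staff", "expires": None, "hr_status": "active"},
    {"user": "tbrown", "enabled": True, "groups": {"Staff"},
     "kind": "staff", "expires": None, "hr_status": "left"},
    {"user": "ext.vendor1", "enabled": True, "groups": {"Support"},
     "kind": "contractor", "expires": date(2024, 3, 31), "hr_status": "active"},
    {"user": "ext.vendor2", "enabled": True, "groups": {"Support"},
     "kind": "contractor", "expires": None, "hr_status": "active"},
]

def review(accounts, approved, privileged_groups, today):
    """Return (user, finding) pairs; an empty list means nothing to action."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if acct["hr_status"] == "left" and acct["enabled"]:
            findings.append((user, "leaver account still enabled"))
        if acct["kind"] == "contractor":
            if acct["expires"] is None:
                findings.append((user, "contractor account has no expiry date"))
            elif acct["expires"] < today and acct["enabled"]:
                findings.append((user, "contractor account past its expiry date"))
        # privilege creep: privileged groups held beyond the approved inventory
        excess = (acct["groups"] & privileged_groups) - approved.get(user, set())
        for group in sorted(excess):
            findings.append((user, "unapproved privileged role: " + group))
    return findings

def users_to_action(accounts, approved, privileged_groups, today):
    """Sorted, de-duplicated users with at least one finding."""
    return sorted({u for u, _ in review(accounts, approved, privileged_groups, today)})
```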

5. Password & Authentication Controls

  • Remove Default Credentials: Ensure that factory-default passwords on all software, hardware, and cloud platforms are changed immediately upon deployment.
  • Enforce Account Lockouts: As part of “Secure Configuration,” ensure accounts lock or throttle after 10 failed attempts to prevent automated password-guessing attacks.

6. Governance & Documentation

  • Access Control Policy: Maintain a simple internal policy that outlines who is authorised to grant access and how administrative privileges are managed.
  • Password Vault Usage (Enhanced): For IT admin accounts, use a secure password manager to ensure that privileged credentials are long, complex, and unique.

Malware Protection

1. Core Defence Coverage

  • Comprehensive Deployment: Ensure an active anti-malware solution is installed on 100% of “in-scope” devices, including Windows PCs, macOS devices, and all Servers.
  • Mobile Protection (Sandboxing): Confirm that mobile devices (iOS/Android) are kept on supported OS versions. This ensures their native “sandboxing” (which isolates apps from one another) remains an effective malware control.
  • Cloud/Virtual Protection: Verify that any virtual machines (VMs) or cloud-hosted desktops (e.g., Azure Virtual Desktop) have the same level of malware protection as physical hardware.

2. Configuration & Updates

  • Daily Signature Updates: Configure your anti-malware software to check for and apply new virus definitions at least once every 24 hours.
  • On-Access Scanning: Ensure that “real-time” or “on-access” scanning is enabled. The software must automatically scan files when they are opened, downloaded, or executed.
  • Automatic Web Protection: Verify that the software is configured to block access to known malicious websites and scan files downloaded from the internet.

3. User Experience & Alerts

  • Visible User Warnings: Ensure the software is configured to notify the user if a threat is detected or if the protection has been disabled.
  • Quarantine Automation: Set the software to automatically isolate or “quarantine” suspicious files by default, rather than waiting for user intervention.
  • Prevent User Disablement: Use Group Policy (GPO) or MDM to prevent standard users from disabling the antivirus or “snoozing” real-time protection.

4. Application Whitelisting (Optional Control)

  • App Store Restriction: Where possible, restrict users to installing software only from trusted sources (e.g., Microsoft Store, Apple App Store, or a managed Company Portal).
  • Code Signing: Ensure that only digitally signed applications from known publishers are permitted to run on corporate devices.

5. Verification & Tooling

  • Centralised Monitoring Dashboard: Use a central console (e.g., Microsoft Defender for Endpoint, SentinelOne, or Sophos Central) to monitor the health of your entire estate from a single pane of glass.
  • Identify “At Risk” Devices: Regularly run reports to find devices that are offline, have outdated definitions, or have unresolved malware alerts.
  • The “Malware Gallery” Test: Conduct internal tests using the EICAR test file (a harmless file designed to trigger antivirus) to ensure your browser and email filters are successfully blocking and alerting as expected.

6. Enhanced Protection (Beyond CE)

  • EDR/MDR Deployment: Consider moving from traditional antivirus to Endpoint Detection and Response (EDR). This looks for suspicious behaviour (like a document trying to encrypt files) rather than just matching known signatures.
  • Email Filtering: Implement an email security gateway that “detonates” attachments in a safe sandbox before they reach the user’s inbox.