grc-scan

Am I ready for Cyber Essentials?

A free readiness check against the five Cyber Essentials controls (Danzell v3.3), in plain English. Answer honestly — there's no login needed, and we don't store your answers.

This is a readiness / gap report to help you prepare — not a certification. We are not an IASME Certification Body.

Firewalls & internet gateways

A boundary between your devices and the internet, so only the services you actually need are reachable from outside.

Is every device that connects to the internet protected by a firewall — including laptops used by home or remote workers?

On laptops away from the office this means the device's own software firewall (the one built into the operating system is fine) must be switched on, because those devices are not behind the office firewall.

Have the default administrative passwords on your firewalls/routers been changed to strong, unique ones?

Default device passwords are public knowledge — leaving them is treated as an automatic fail.

Mandatory item — a “No” here fails this whole control.

Are inbound services from the internet blocked unless there is a documented business need for them?

Anything reachable from outside (databases, remote desktop, admin panels) should have a documented business justification approved by someone authorised to give it, and the rule should be removed as soon as that need ends.
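As an added illustration (not part of the grc-scan checker and not a Cyber Essentials tool): a Python script that parses constructed `ss -tlnp` output from a device, skips loopback-only listeners, and reports any listener on an external interface whose port is absent from a constructed "documented need" register. The sample output, process names and register are made up for the example.

```python
import re

# Constructed sample of `ss -tlnp` output from one host (not real data).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1203,fd=6))
LISTEN 0      128    [::]:3389           [::]:*            users:(("xrdp",pid=1500,fd=11))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=990,fd=6))
LISTEN 0      128    192.168.1.20:9090   0.0.0.0:*         users:(("prometheus",pid=2201,fd=8))
"""

# Constructed "documented business need" register: port -> justification.
# Any non-loopback listener whose port is not here needs a decision: justify it or close it.
NEED_REGISTER = {
    443: "Public website served by nginx; need reviewed quarterly",
}

WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(output):
    """Parse `ss -tlnp` text into (address, port, process) tuples."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                                  # skips the header line too
        addr, _, port = fields[3].rpartition(":")     # handles "[::]:3389" and "*:443"
        match = re.search(r'\(\("([^"]+)"', line)     # process name inside users:((...))
        proc = match.group(1) if match else "?"
        listeners.append((addr, int(port), proc))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def unjustified_exposures(output, register):
    """Return listeners reachable from off-host that have no documented need.

    Listeners on a specific LAN interface are reported as well: whether the boundary
    firewall forwards to them is a separate question, and they still need a justification.
    """
    findings = []
    for addr, port, proc in parse_ss(output):
        if is_loopback(addr):
            continue                                  # only reachable from the device itself
        if port in register:
            continue                                  # documented; confirm the need is still current
        scope = "all interfaces" if addr in WILDCARD_ADDRS else f"interface {addr}"
        findings.append({"port": port, "process": proc, "bound_to": scope})
    return findings


if __name__ == "__main__":
    for f in unjustified_exposures(SS_OUTPUT, NEED_REGISTER):
        print(f"port {f['port']:<5} {f['process']:<12} listening on {f['bound_to']}: no documented need")
```

A listener bound to 0.0.0.0 or [::] is exposed unless the host or boundary firewall blocks it, so run a check like this on each in-scope server alongside a review of the firewall rules: anything left over either gets a written justification in the register or gets closed.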

Secure configuration

Devices and software set up to reduce the ways in — default passwords changed, unused features and accounts removed.

Have you removed or disabled software, user accounts and services that you don't use?

Every extra account or service is another way in. Remove what you don't need.

Have all default or vendor-supplied passwords been changed or removed on your devices and software?

Default passwords are an automatic fail in Cyber Essentials.

Mandatory item — a “No” here fails this whole control.

Where a password is the only thing protecting access, is it suitably strong (and is brute-force protection in place)?

E.g. a minimum of 12 characters (or 8 where a deny list blocks common passwords), plus brute-force protection: throttling to no more than 10 guesses in 5 minutes, or lockout after no more than 10 failed attempts. MFA on top satisfies this as well.
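Added example, not from the original page: a Python sketch of the two brute-force defences this question refers to (a sliding-window throttle and a hard lockout) wrapped around a password check, plus the minimum-length rule. The thresholds used (12 characters, or 8 with a deny list; 10 attempts in 5 minutes; lockout after 10 failures) are this example's reading of the Cyber Essentials requirements and should be checked against the current requirements document. The account store and deny list are constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Thresholds as this example understands the Cyber Essentials requirements (assumption;
# verify against the current requirements document):
#   throttle: no more than 10 guesses per account in 5 minutes, or
#   lockout:  lock the account after no more than 10 failed attempts.
MAX_FAILURES = 10
WINDOW_SECONDS = 300

# Constructed deny list of common passwords; a real deployment uses a much larger list.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "welcome1", "letmein1"}


def password_acceptable(password, deny_list=None):
    """Minimum-length rule for password-only access.

    Without a deny list a 12-character minimum applies; with a deny list that blocks
    common passwords the minimum drops to 8. MFA on top is the third route and is
    outside this function.
    """
    if deny_list is None:
        return len(password) >= 12
    return len(password) >= 8 and password.lower() not in deny_list


def _digest(password):
    # Demo only: a real system stores a slow password hash (argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


class LoginGuard:
    """Password check wrapped in either a sliding-window throttle or a hard lockout."""

    def __init__(self, credentials, mode="throttle"):
        if mode not in ("throttle", "lockout"):
            raise ValueError("mode must be 'throttle' or 'lockout'")
        self.credentials = {user: _digest(pw) for user, pw in credentials.items()}
        self.mode = mode
        self.recent_failures = defaultdict(deque)   # account -> failure timestamps (throttle)
        self.consecutive = defaultdict(int)         # account -> consecutive failures (lockout)
        self.locked = set()

    def attempt(self, account, password, now):
        """Return 'ok', 'failed', 'throttled' or 'locked'. `now` is seconds on any clock."""
        if self.mode == "lockout" and account in self.locked:
            return "locked"
        if self.mode == "throttle":
            q = self.recent_failures[account]
            while q and q[0] <= now - WINDOW_SECONDS:
                q.popleft()                          # forget failures older than the window
            if len(q) >= MAX_FAILURES:
                return "throttled"                   # refused even if this guess is correct
        stored = self.credentials.get(account)
        if stored is not None and hmac.compare_digest(stored, _digest(password)):
            self.consecutive[account] = 0
            return "ok"
        self.recent_failures[account].append(now)
        self.consecutive[account] += 1
        if self.mode == "lockout" and self.consecutive[account] >= MAX_FAILURES:
            self.locked.add(account)
        return "failed"

    def unlock(self, account):
        """Administrative reset after a lockout."""
        self.locked.discard(account)
        self.consecutive[account] = 0
```

The throttle variant recovers by itself once the window has passed, while the lockout variant needs an administrative unlock; either is acceptable, but whichever you use, the counter must be per account and must keep counting even when the guess happens to be right.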

Security update management

Keeping software supported and patched, so known vulnerabilities are closed before attackers use them.

Is all of your software still supported by its vendor (nothing past its end-of-life date)?

Unsupported software no longer gets security fixes, so it must be removed from in-scope devices (or those devices taken out of scope). This is an automatic fail.

Mandatory item — a “No” here fails this whole control.

Are high-risk and critical security updates applied within 14 days of the vendor releasing them?

Under the current question set the 14-day clock starts on the vendor's release date, not when you notice the update. "High-risk or critical" means a CVSS v3 score of 7.0 or above, a vendor rating of critical or high, or an update whose severity the vendor does not state. A monthly patch cycle cannot meet this.

Are automatic updates turned on wherever they're available?

Auto-update is the most reliable way to stay inside the 14-day window.
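As an added example (not part of the page): a Python check over a constructed software inventory that applies the two rules in this section, unsupported software and the 14-day window counted from the vendor's release date. Product names and dates are invented.

```python
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14
TODAY = date(2025, 6, 1)   # fixed "assessment date" so the example is reproducible

# Constructed software inventory for one device (not real products or dates).
#   support_end:   vendor end-of-support date, None while still supported
#   fix_published: vendor release date of the latest high/critical security update
#   fix_installed: date that update was applied, None if not yet applied
INVENTORY = [
    {"product": "ExampleOS Workstation 11", "support_end": None,
     "fix_published": date(2025, 5, 13), "fix_installed": date(2025, 5, 20)},
    {"product": "Acme Browser 118", "support_end": None,
     "fix_published": date(2025, 5, 14), "fix_installed": None},
    {"product": "Acme PDF Reader 9", "support_end": None,
     "fix_published": date(2025, 5, 25), "fix_installed": None},
    {"product": "LegacyDB 4.2", "support_end": date(2024, 12, 31),
     "fix_published": None, "fix_installed": None},
    {"product": "Acme VPN Client 3", "support_end": None,
     "fix_published": date(2025, 4, 1), "fix_installed": date(2025, 5, 1)},
]


def assess_item(item, today):
    """Classify one inventory entry. Returns (status, days) where days is the margin
    relevant to that status: days past end-of-life, days overdue, days remaining,
    days late, or days of headroom."""
    eol = item["support_end"]
    if eol is not None and eol < today:
        return "eol", (today - eol).days              # unsupported: remove from in-scope devices
    published = item["fix_published"]
    if published is None:
        return "ok", 0                                # no outstanding high/critical fix known
    deadline = published + timedelta(days=PATCH_WINDOW_DAYS)   # clock runs from the vendor release date
    installed = item["fix_installed"]
    if installed is None:
        if today > deadline:
            return "overdue", (today - deadline).days
        return "due", (deadline - today).days
    if installed > deadline:
        return "late", (installed - deadline).days    # applied, but outside the window
    return "ok", (deadline - installed).days


def assess(inventory, today):
    return {item["product"]: assess_item(item, today) for item in inventory}


def control_passes(results):
    """Fail on any unsupported software or any high/critical fix past its deadline.
    'late' entries passed eventually but show the process is too slow."""
    return not any(status in ("eol", "overdue") for status, _ in results.values())


def demo_results():
    return assess(INVENTORY, TODAY)


if __name__ == "__main__":
    results = demo_results()
    for product, (status, days) in results.items():
        print(f"{product:26} {status:8} {days:>3} days")
    print("control passes:", control_passes(results))
```

Feeding this from a real inventory means recording the vendor's publication date for each update, not the date your tooling first saw it; that is the figure an assessor will ask about.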

User access control

Making sure accounts are only used by the right people, with MFA, unique logins and separate admin accounts.

Is multi-factor authentication (MFA) enabled on EVERY user account that supports it — including all cloud services and email, for every user, not just admins?

Under the current question set, MFA missing on ANY in-scope account fails the whole User Access Control section. Passkeys / FIDO2 count.

Mandatory item — a “No” here fails this whole control.

Does each person have their own individual account, with no shared logins?

Shared accounts make it impossible to know who did what, and can't be properly secured.

Are administrator accounts separate from everyday accounts, and are leavers' accounts removed promptly?

Day-to-day work should use a standard account; admin rights only when needed. Remove access as soon as someone leaves.
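As an added example covering the three User access control questions (not part of the page): a Python review of a constructed directory export that flags enabled accounts without MFA, accounts with more than one owner, admin accounts whose owner has no separate standard account, and leavers whose accounts are still enabled. Account names and the leavers list are made up.

```python
# Constructed directory export (not real accounts). `owners` lists the people who use
# the account; a properly individual account has exactly one owner.
ACCOUNTS = [
    {"username": "alice",       "owners": ["Alice"],        "admin": False, "mfa": True,  "enabled": True},
    {"username": "alice-admin", "owners": ["Alice"],        "admin": True,  "mfa": True,  "enabled": True},
    {"username": "bob",         "owners": ["Bob"],          "admin": True,  "mfa": True,  "enabled": True},
    {"username": "reception",   "owners": ["Carol", "Dan"], "admin": False, "mfa": False, "enabled": True},
    {"username": "erin",        "owners": ["Erin"],         "admin": False, "mfa": True,  "enabled": True},
    {"username": "frank",       "owners": ["Frank"],        "admin": False, "mfa": False, "enabled": False},
]

LEAVERS = {"Erin"}   # constructed list from HR of people who have left


def review_accounts(accounts, leavers):
    """Return (username, issue) pairs for every enabled account that breaks a rule."""
    findings = []
    active = [a for a in accounts if a["enabled"]]     # disabled accounts are out of scope (delete them anyway)
    # People who hold at least one enabled, non-admin account.
    standard_owners = {o for a in active if not a["admin"] for o in a["owners"]}
    for a in active:
        if not a["mfa"]:
            findings.append((a["username"], "mfa_missing"))
        if len(a["owners"]) != 1:
            findings.append((a["username"], "shared_account"))
        if a["admin"] and not all(o in standard_owners for o in a["owners"]):
            # Admin account whose holder has nothing else to log in with for daily work.
            findings.append((a["username"], "admin_without_standard_account"))
        if any(o in leavers for o in a["owners"]):
            findings.append((a["username"], "leaver_still_enabled"))
    return findings


def section_passes(findings):
    """MFA missing on any enabled account fails the section outright; the other
    findings are gaps to close before applying."""
    return not any(issue == "mfa_missing" for _, issue in findings)


if __name__ == "__main__":
    found = review_accounts(ACCOUNTS, LEAVERS)
    for username, issue in found:
        print(f"{username:12} {issue}")
    print("section passes:", section_passes(found))
```

Most identity providers can export these fields (owner, role, MFA state, enabled) as CSV; the leavers list has to come from HR, which is why the check is worth automating rather than relying on someone remembering to disable accounts.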

Malware protection

Protecting devices from malicious software, via anti-malware and/or only allowing approved applications to run.

Is anti-malware protection active on all in-scope devices (or do you only allow approved applications to run)?

Either approach is accepted: anti-malware that updates itself, scans files when they are accessed and blocks known-malicious websites, OR application allow-listing so that only approved software can run.

Are unapproved applications prevented from running, and downloads/attachments handled safely?

E.g. blocking unsigned/unknown apps, and not auto-running content from email or the web.
