CYBER ESSENTIALS - WHAT TO LOOK OUT FOR

June 2, 2026

What to Look for in a Cyber Essentials Audit: A Practical Guide for UK SMEs

Cyber Essentials has become one of the most recognisable security benchmarks for UK businesses. Backed by the National Cyber Security Centre (NCSC) and mandated for certain government contracts, it sets out a clear baseline of technical controls that organisations should have in place. Yet many SMEs approach the audit with more anxiety than preparation, unsure of what assessors are actually looking for and where the common failure points lie.

There are two levels of certification. Cyber Essentials is a self-assessed questionnaire verified by an external body. Cyber Essentials Plus involves a hands-on technical audit carried out by an accredited assessor. Both cover the same five control areas, but Plus gives considerably greater assurance to clients, insurers, and partners.

The Five Control Areas

1. Firewalls and Internet Gateways

Assessors want to see that all internet-facing devices are protected by a properly configured firewall, with only necessary ports and services open. Common failures include default configurations that have never been reviewed, ports left open after a one-off task, and consumer-grade routers used without hardening. Cloud-hosted systems must also be within scope and appropriately protected.

2. Secure Configuration

Devices and software often ship with default settings designed for ease of use rather than security. Assessors will check that unnecessary software has been removed, default credentials changed, and auto-run features disabled. Businesses that have grown quickly or set up devices ad hoc over the years frequently struggle here, making early preparation essential.

3. User Access Control

Access should be granted on the basis of least privilege, with administrative accounts kept separate from standard ones and used only when necessary. Dormant accounts with active credentials and users given admin rights for convenience are among the most common findings. A reliable joiners, movers, and leavers process is central to passing this control.

4. Malware Protection

Endpoint protection must be deployed across all in-scope devices, with definitions updated automatically and real-time scanning active. Coverage gaps, such as remote worker laptops, older machines, or personal devices used to access business systems, are a frequent cause of failure.

5. Patch Management

High and critical patches must be applied within 14 days of release, and software no longer receiving vendor support must be removed or isolated. This is where SMEs face the greatest practical challenge. Patching takes time and can slip during busy periods, and legacy software dependencies can complicate matters significantly.

Is Your Business Ready?

The businesses that pass Cyber Essentials with the least friction are not necessarily those with the most sophisticated tools. They are the ones that have maintained accurate asset inventories, reviewed configurations consistently, and kept on top of access and patching as a matter of routine rather than panic.

If you are unsure where your business stands against any of these five controls, we can carry out an assessment and help you ultimately achieve Cyber Essentials certification with confidence. Get in touch by clicking here.
