CYBER ESSENTIALS - WHAT TO LOOK OUT FOR

June 1, 2026

What to Look for in a Cyber Essentials Audit: A Practical Guide for UK SMEs

Cyber Essentials has become one of the most recognisable security benchmarks for UK businesses. Backed by the National Cyber Security Centre (NCSC) and mandated for certain government contracts, it sets out a clear baseline of technical controls that organisations should have in place. Yet many SMEs approach the audit with more anxiety than preparation, unsure of what assessors are actually looking for and where the common failure points lie.

This guide walks you through the five core control areas covered by Cyber Essentials, explains what good looks like in each, and highlights the issues that most frequently cause businesses to fall short.

Why Cyber Essentials Matters

Cyber Essentials is not just a box-ticking exercise. The NCSC estimates that the five controls it covers can prevent the vast majority of common cyberattacks, including phishing, malware, and opportunistic intrusion attempts. For UK SMEs, achieving certification signals to clients, insurers, and partners that your business takes security seriously. It is also a prerequisite for working with the Ministry of Defence and many other public sector bodies.

There are two levels of certification. Cyber Essentials is a self-assessed questionnaire verified by an external body. Cyber Essentials Plus involves a hands-on technical audit carried out by an accredited assessor. Both cover the same five control areas, but Plus gives you, and those you work with, considerably greater assurance.

The Five Control Areas

1. Firewalls and Internet Gateways

The first control area looks at how your network boundary is protected. Assessors want to see that all devices connecting to the internet are protected by a properly configured firewall, and that only necessary network ports and services are open.

Common failures here include default firewall configurations that have never been reviewed, open ports that were enabled for a specific purpose and never closed, and consumer-grade routers being used in business environments without appropriate hardening. If your business uses cloud services, assessors will also check that cloud-hosted systems are within scope and appropriately protected.

What good looks like: a firewall policy that permits only explicitly approved traffic, with rules reviewed regularly and documented. Default administrative credentials changed, remote management interfaces disabled or restricted to specific IP addresses, and a clear understanding of which devices and services are in scope.
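As an added illustration of the review described above (this is example code written for this guide, not an assessor's tool or a vendor export), the script below walks a small rule set and flags the three things assessors tend to pick up: allow rules with no documented justification, allow-all inbound rules, and management ports reachable from broad source ranges. The rule format, the sample rules and the set of ports treated as "management" are all constructed assumptions.

```python
"""Added example: review a firewall rule set for the points listed above.
The rule format, the sample rules and the set of management ports are
constructed here and do not come from any vendor's configuration export."""

from dataclasses import dataclass
from ipaddress import ip_network

# Ports this example treats as remote-management services (assumption).
MANAGEMENT_PORTS = {22, 23, 3389, 8443}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    direction: str    # "inbound" or "outbound"
    source: str       # CIDR such as "203.0.113.0/28", or "any"
    dest_port: str    # "443", "1000-2000" or "any"
    approved: bool    # True when a documented business justification exists


def _port_range(spec):
    """Turn a port specification into an inclusive (low, high) pair."""
    if spec == "any":
        return 0, 65535
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low), int(high)
    return int(spec), int(spec)


def _source_is_broad(source):
    """A source counts as 'specific' only if it is a /24 or narrower (assumed threshold)."""
    if source == "any":
        return True
    return ip_network(source, strict=False).prefixlen < 24


def review_rules(rules):
    """Return (rule name, issue) pairs for inbound allow rules that need attention."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.direction != "inbound":
            continue
        low, high = _port_range(rule.dest_port)
        if not rule.approved:
            findings.append((rule.name, "inbound allow rule with no documented approval"))
        if rule.source == "any" and rule.dest_port == "any":
            findings.append((rule.name, "allow-all inbound rule"))
        exposed = sorted(p for p in MANAGEMENT_PORTS if low <= p <= high)
        if exposed and _source_is_broad(rule.source):
            findings.append((rule.name, f"management port(s) {exposed} reachable from {rule.source}"))
    return findings


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("web-https", "allow", "inbound", "any", "443", approved=True),
    Rule("vendor-rdp", "allow", "inbound", "any", "3389", approved=False),
    Rule("admin-ssh", "allow", "inbound", "203.0.113.0/28", "22", approved=True),
    Rule("legacy-any", "allow", "inbound", "any", "any", approved=True),
    Rule("default-deny", "deny", "inbound", "any", "any", approved=True),
]

if __name__ == "__main__":
    for name, issue in review_rules(SAMPLE_RULES):
        print(f"{name}: {issue}")
```

Run against the sample set, the approved HTTPS rule and the SSH rule limited to a /28 pass, while the unapproved RDP rule and the allow-all rule each produce two findings. The point of the exercise is the documented, repeatable review, not the script itself: the same questions apply whether the rules live on a hardware firewall, a cloud security group or a consumer router.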

2. Secure Configuration

This control focuses on whether your devices and software are set up securely from the outset. The concern is that software and hardware often ship with default settings designed for ease of use rather than security, and those defaults can be exploited if left unchanged.

Assessors will look at whether unnecessary software has been removed or disabled, whether default accounts and passwords have been changed, and whether auto-run features that could allow malicious code to execute automatically are turned off.

This is an area where businesses with a large number of endpoints, or those that have grown quickly, often struggle. If devices have been set up ad hoc over the years without a consistent baseline, bringing everything into conformance takes time. Starting that process well before your audit date is strongly advisable.

What good looks like: a standard device build or configuration baseline applied to all endpoints, software inventories that are kept up to date, and a process for removing applications that are no longer needed.

3. User Access Control

Cyber Essentials requires that user accounts are managed carefully and that access is granted on the basis of least privilege. That means users should only have access to the systems, data, and functions they genuinely need to do their job.

Assessors pay particular attention to administrative accounts. These should be separate from standard user accounts, used only when administrative tasks are actually being performed, and kept to a minimum. There should also be a process for removing or disabling accounts promptly when someone leaves the organisation.

A common finding in this area is that businesses have accumulated a significant number of dormant accounts over the years, many of which still have active credentials. Another frequent issue is users being granted administrative rights as a matter of convenience rather than necessity.

What good looks like: a joiners, movers, and leavers process that ensures accounts are created, updated, and removed in a timely and consistent way. Standard user accounts for day-to-day work, administrative accounts used only for specific tasks, and a regular review of who has access to what.
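The checks above can be run against a directory export before the assessor does. The following example code is written for this guide (it is not part of the Cyber Essentials scheme or any identity product) and uses a constructed account list: it flags accounts that are dormant beyond an assumed 90-day threshold, leavers whose accounts are still enabled, and people whose only account carries administrative rights.

```python
"""Added example: review an account export for the issues described above
(dormant accounts, leavers whose accounts are still enabled, and administrative
rights held on the account used for day-to-day work). The export format and
the sample accounts are constructed for this example."""

from collections import defaultdict
from datetime import date

DORMANT_AFTER_DAYS = 90  # assumed threshold; the scheme does not fix a number


def review_accounts(accounts, today, dormant_after=DORMANT_AFTER_DAYS):
    """Return (username, issue) pairs from a list of account records."""
    findings = []
    by_owner = defaultdict(list)

    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is the desired end state for a leaver
        by_owner[acct["owner"]].append(acct)

        if acct["leaver"]:
            findings.append((acct["username"], "person has left but account is still enabled"))

        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > dormant_after:
            findings.append((acct["username"], f"dormant: no login for {idle_days} days"))

    # Administrative rights should sit on a separate account, not the one used daily.
    for owner in sorted(by_owner):
        accts = by_owner[owner]
        if len(accts) == 1 and accts[0]["is_admin"]:
            findings.append((accts[0]["username"],
                             "administrative rights on the day-to-day account; no separate admin account"))
    return findings


# Constructed sample export; dates chosen around a reference date of 2026-06-01.
SAMPLE_ACCOUNTS = [
    {"username": "alice", "owner": "alice", "enabled": True, "is_admin": False, "last_login": "2026-05-28", "leaver": False},
    {"username": "alice-adm", "owner": "alice", "enabled": True, "is_admin": True, "last_login": "2026-05-20", "leaver": False},
    {"username": "bob", "owner": "bob", "enabled": True, "is_admin": True, "last_login": "2026-05-30", "leaver": False},
    {"username": "carol", "owner": "carol", "enabled": True, "is_admin": False, "last_login": "2025-11-02", "leaver": False},
    {"username": "dave", "owner": "dave", "enabled": True, "is_admin": False, "last_login": "2026-04-01", "leaver": True},
    {"username": "erin", "owner": "erin", "enabled": False, "is_admin": False, "last_login": "2026-01-15", "leaver": True},
]

REFERENCE_DATE = date(2026, 6, 1)

if __name__ == "__main__":
    for user, issue in review_accounts(SAMPLE_ACCOUNTS, REFERENCE_DATE):
        print(f"{user}: {issue}")
```

Alice passes because her administrative rights live on a separate account; Bob is flagged because his single daily account is an administrator; Carol is dormant; Dave has left but is still enabled; Erin, already disabled, correctly produces nothing. A real review would read the export from the directory rather than an inline list, but the three questions are the ones to answer.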

4. Malware Protection

This control requires that all devices are protected against malware, including viruses, ransomware, and other malicious software. Assessors will check that anti-malware software is in place, kept up to date, and actively scanning.

Businesses using application whitelisting, where only explicitly approved software is permitted to run, may be able to satisfy this control without traditional anti-malware tools, but most SMEs will rely on endpoint protection software. Assessors will want to see that it is deployed across all in-scope devices, that definitions are being updated automatically, and that real-time scanning is enabled.

One area that catches some businesses out is coverage. If even a handful of devices are not protected, whether laptops used by remote workers, older machines used for specific tasks, or personal devices used to access business systems, those gaps will be flagged.

What good looks like: endpoint protection deployed consistently across all in-scope devices, automatic updates enabled, real-time protection active, and a policy that prevents users from disabling or bypassing the software.

5. Patch Management

The final control area covers how quickly and consistently your organisation applies security updates to operating systems and software. Unpatched vulnerabilities are one of the most common ways attackers gain a foothold in business networks, and Cyber Essentials sets clear expectations around timescales.

The current standard requires that high and critical patches are applied within 14 days of release. Software that is no longer supported by its vendor and therefore no longer receiving security updates must be removed from the in-scope environment or isolated from the rest of the network.

This is arguably the area where SMEs face the greatest practical challenge. Patching requires time, testing, and often some disruption, and it can fall down the priority list in busy periods. Legacy software that the business depends on but that is no longer supported presents a particular difficulty.

What good looks like: an automated patch management process that identifies and deploys updates promptly, a software inventory that flags end-of-life products, and a documented approach to handling systems that cannot be patched immediately.
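To show what "a software inventory that flags end-of-life products" and the 14-day timescale look like as a concrete check, here is an added example written for this guide (not a product feature or the scheme's own tooling). The inventory format and every record in it are constructed; the code assumes that an installed version differing from the latest version means the patch is outstanding, and it applies the 14-day window only to high and critical severities, as the section states.

```python
"""Added example: check a software inventory against the 14-day timescale for
high and critical patches and flag products past their vendor's end-of-life.
The inventory format and records are constructed; an installed version that
differs from the latest version is taken to mean the patch is outstanding."""

from datetime import date

PATCH_WINDOW_DAYS = 14                 # timescale stated for high/critical patches
URGENT_SEVERITIES = {"critical", "high"}


def audit_inventory(items, today, window=PATCH_WINDOW_DAYS):
    """Group inventory entries into overdue, due_soon and end_of_life lists."""
    report = {"overdue": [], "due_soon": [], "end_of_life": []}
    for item in items:
        # Unsupported software must be removed or isolated regardless of patch state.
        if item["eol"] is not None and date.fromisoformat(item["eol"]) < today:
            report["end_of_life"].append((item["host"], item["product"], item["eol"]))

        if item["installed"] == item["latest"] or item["severity"] not in URGENT_SEVERITIES:
            continue  # up to date, or not subject to the 14-day timescale
        age = (today - date.fromisoformat(item["released"])).days
        if age > window:
            report["overdue"].append((item["host"], item["product"], age - window))
        else:
            report["due_soon"].append((item["host"], item["product"], window - age))
    return report


# Constructed sample inventory around a reference date of 2026-06-01.
SAMPLE_INVENTORY = [
    {"host": "laptop-01", "product": "Office Suite", "installed": "2.3.0", "latest": "2.4.0",
     "severity": "critical", "released": "2026-05-10", "eol": None},
    {"host": "laptop-02", "product": "Office Suite", "installed": "2.4.0", "latest": "2.4.0",
     "severity": "critical", "released": "2026-05-10", "eol": None},
    {"host": "laptop-03", "product": "Browser", "installed": "120", "latest": "121",
     "severity": "medium", "released": "2026-05-01", "eol": None},
    {"host": "laptop-04", "product": "PDF Reader", "installed": "9.1", "latest": "9.2",
     "severity": "high", "released": "2026-05-25", "eol": None},
    {"host": "fileserver", "product": "Legacy Accounts App", "installed": "1.0", "latest": "1.0",
     "severity": None, "released": None, "eol": "2024-12-31"},
]

REFERENCE_DATE = date(2026, 6, 1)

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, REFERENCE_DATE)
    for host, product, days_over in report["overdue"]:
        print(f"OVERDUE  {host}: {product} is {days_over} day(s) past the 14-day window")
    for host, product, days_left in report["due_soon"]:
        print(f"DUE      {host}: {product} has {days_left} day(s) left in the window")
    for host, product, eol in report["end_of_life"]:
        print(f"EOL      {host}: {product} unsupported since {eol}")
```

On the sample data the critical Office Suite update on laptop-01 is eight days past the window, the high-severity PDF Reader update on laptop-04 still has a week, and the accounts application on the file server is reported as end-of-life so that it can be removed or isolated. The medium-severity browser update is deliberately not placed under the 14-day rule, which is the distinction the standard draws.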

Preparing for Your Audit

The businesses that sail through Cyber Essentials audits are rarely those with the most sophisticated security tools. They are the ones that have done the unglamorous groundwork: maintaining accurate asset inventories, reviewing configurations consistently, and keeping on top of access management and patching without waiting for an audit to prompt them.

If you are preparing for certification for the first time, a gap analysis against the five control areas is a sensible starting point. This will give you a clear picture of where you stand and how much work is needed before you submit your assessment or invite an assessor in.

If you are going for Cyber Essentials Plus, bear in mind that the technical testing will attempt to verify the claims made in your self-assessment. Inconsistencies between what is documented and what is actually in place are a common reason for businesses needing to remediate before certification can be awarded.

Working with an IT partner that is familiar with the Cyber Essentials scheme can make a significant difference, both in terms of getting the technical controls right and in navigating the assessment process itself.

The Bottom Line

Cyber Essentials is achievable for businesses of any size. The controls it covers are not exotic or complex. But they do require discipline, consistency, and a willingness to look honestly at how your IT environment is actually configured, rather than how you assume it is. Approached properly, the audit process is not just a path to certification. It is an opportunity to build a stronger, more resilient foundation for your business.
