Cyber Essentials Readiness Checker

Score your readiness against the 5 UK Cyber Essentials controls. See exactly which gaps to fix, what it'll cost, and how long it'll take.

Readiness: 0/100 (significant gaps)
Estimated total cost: £4,590 incl. cert fee
Time to certification: 24 weeks (parallel remediation)
Remediation actions: 20 open gaps
Cost breakdown
  • Remediation & tooling: £4,150 (MFA, password mgr, EDR, MDM, OS upgrades)
  • Cyber Essentials certification fee: £440 (IASME tiered fee)
Likely automatic fail items (5)
  • Multi-factor authentication is enforced on all cloud services (email, file storage, finance, admin consoles)
  • Admin accounts are separate from day-to-day accounts and only used for admin tasks
  • Anti-malware software is installed and active on every in-scope device
  • Operating systems are within vendor support (no end-of-life Windows / macOS)
Control scores
  • Firewalls (boundary firewalls and internet gateways): 0%, 3 open gaps
  • Secure Configuration (devices and software set up securely): 0%, 4 open gaps
  • Access Control (user accounts and admin privileges): 0%, 5 open gaps
  • Malware Protection (anti-malware on every device): 0%, 3 open gaps
  • Security Update Management (patches applied within 14 days): 0%, 5 open gaps
Self-assessment (20 questions)

Firewalls

  • Every device has its software firewall enabled (Windows Defender Firewall / macOS Firewall)
    Required on all in-scope devices, including remote workers
  • Default admin passwords on routers and firewalls have been changed to strong, unique passwords
    Or the admin interface is disabled from the internet
  • Inbound firewall rules are documented and reviewed — no unnecessary open ports
    Each open port must have a documented business need

Secure Configuration

  • Unused user accounts and default accounts have been removed or disabled on all devices
    Includes 'guest', vendor demo accounts, ex-staff accounts
  • Auto-run / auto-play is disabled for removable media (USB, external drives)
    Common ransomware vector
  • Devices lock automatically after a period of inactivity (max 10 minutes)
    Enforced via MDM or group policy
  • Unused software and apps have been removed from all devices
    Reduces attack surface

Access Control

  • Multi-factor authentication is enforced on all cloud services (email, file storage, finance, admin consoles)
    Mandatory for cloud services in Cyber Essentials
  • Every user has their own named account — no shared logins
    Including admin accounts
  • Admin accounts are separate from day-to-day accounts and only used for admin tasks
    No browsing or email from admin accounts
  • There is a documented joiner/mover/leaver process to revoke access promptly
    Access removed within 1 working day of departure
  • Passwords meet Cyber Essentials requirements (12+ chars or MFA+8 chars, with brute-force protection)
    Use a password manager

Malware Protection

  • Anti-malware software is installed and active on every in-scope device
    Built-in (Defender) is acceptable if enabled and updating
  • Anti-malware definitions auto-update at least daily
    Verify in management console
  • App allow-listing is in place on mobile devices (only approved app stores)
    iOS App Store / Google Play default is fine

Security Update Management

  • Operating systems are within vendor support (no end-of-life Windows / macOS)
    EOL OS = automatic fail
  • Critical / high security updates are installed within 14 days of release on all devices
    Includes browsers, Office, third-party apps
  • Router and firewall firmware is updated regularly
    Check manufacturer release notes
  • Mobile devices receive security updates (iOS / Android still supported by vendor)
    Older Android phones often fall out of support
  • Unsupported / unpatchable software has been removed
    e.g. old Java, Flash, end-of-life apps
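
The following is an added example, not part of the checker or its scoring: a PowerShell spot-check that reports PASS/FAIL for the items above that can be read from a single Windows device (firewall on all profiles, auto-run disabled, auto-lock within 10 minutes, Defender active with daily signatures, recent security updates). It assumes Windows 10/11 with the built-in NetSecurity and Defender modules, an elevated prompt, and that the auto-run and lock settings are applied through the standard policy registry keys; the 14-day check uses the most recent installed hotfix as an indicator only.

```powershell
# Added example: local Windows spot-check against the Cyber Essentials self-assessment items above.
# Assumes Windows 10/11 with the NetSecurity and Defender modules (built in) and an elevated prompt.
# Thresholds (10 minutes, daily definitions, 14 days) come from the checklist; this is not the tool's scoring.

function Test-CeItem {
    param([string]$Item, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Item = $Item; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail }
}

$results = @()

# Firewalls: software firewall enabled on the Domain, Private and Public profiles
$off = @((Get-NetFirewallProfile | Where-Object { -not $_.Enabled }).Name)
$results += Test-CeItem 'Software firewall enabled on all profiles' ($off.Count -eq 0) ('Disabled profiles: ' + ($off -join ', '))

# Secure Configuration: AutoRun/AutoPlay disabled for every drive type (NoDriveTypeAutoRun = 0xFF via machine policy)
$autorun = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
$results += Test-CeItem 'Auto-run disabled for removable media' ($autorun -eq 255) "NoDriveTypeAutoRun = $autorun"

# Secure Configuration: screen locks with password within 10 minutes (policy key first, then the user setting)
$lockKeys = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop', 'HKCU:\Control Panel\Desktop'
$timeout = $null; $secure = $null
foreach ($k in $lockKeys) {
    $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
    if ($p.ScreenSaveTimeOut) { $timeout = [int]$p.ScreenSaveTimeOut; $secure = [int]$p.ScreenSaverIsSecure; break }
}
$results += Test-CeItem 'Auto-lock within 10 minutes' ($timeout -and $timeout -le 600 -and $secure -eq 1) "Timeout = $timeout s, password on resume = $secure"

# Malware Protection: Defender enabled, real-time protection on, definitions no older than one day
$mp = Get-MpComputerStatus
$avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 1)
$results += Test-CeItem 'Anti-malware active and updating daily' $avOk "Signature age: $($mp.AntivirusSignatureAge) day(s)"

# Security Update Management: OS build plus most recent update install date (indicator only;
# confirm the build is still supported and that every critical/high update is in place against the vendor's release list)
$os = Get-CimInstance Win32_OperatingSystem
$lastFix = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
$recent = [bool]($lastFix -and ((Get-Date) - $lastFix).Days -le 14)
$results += Test-CeItem 'Security updates applied within 14 days' $recent "$($os.Caption) build $($os.BuildNumber); last update $lastFix"

$results | Format-Table -AutoSize
```

Items the script cannot see from one endpoint (cloud MFA, separate admin accounts, the leaver process, router firmware) still need checking in the relevant management consoles.
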
Suggested 4-step roadmap
  1. Week 1 — Block fails: Enforce MFA on all cloud accounts, retire unsupported OS, separate admin accounts.
  2. Week 2 — Harden devices: Deploy EDR, enable firewalls + auto-lock, remove unused apps and accounts.
  3. Week 3 — Patch & policy: Establish a 14-day patching cadence; document joiner/mover/leaver process.
  4. Week 4 — Submit: Complete IASME self-assessment.

Indicative figures only. Cyber Essentials fees follow the IASME tiered model and assume self-assessment. Cyber Essentials Plus adds an external technical audit; cost varies by assessor and device count. Always validate scope with a certifying body before submission.

From the SMB Blog

Related reading on smallmediumbusiness.co.uk