Audit preparation

The Cyber Essentials Plus pre-audit checklist

Everything the assessor will test, translated from the scheme's requirements and test specification into checks you can run yourself. Work through it properly and the audit becomes a formality; skip it and the audit becomes a gap analysis you paid audit rates for.

3D illustration of security update management checks

Security update management

The most common reason Plus assessments fail.

  • Every operating system in scope is vendor-supported (no end-of-life Windows, macOS or server editions)
  • High-risk and critical security updates applied within 14 days of release
  • All software on sampled devices is licensed and supported, or removed
  • Automatic updates switched on wherever the vendor supports them
  • Unsupported software that must stay is isolated from the internet-facing estate
3D illustration of user access control checks

User access control

The checks most likely to involve people, not just settings.

  • Separate admin accounts for admin tasks; nobody browses the web or reads email as an administrator
  • Multi-factor authentication enabled on all cloud services, for all users
  • Accounts are created through an approval process and removed promptly when people leave
  • Password policy meets the scheme's requirements, with brute-force protection (throttling, lockout or MFA)
3D illustration of malware protection checks

Malware protection

Tested live during the audit with real file downloads and email attachments.

  • Anti-malware protection active on every in-scope device, updating automatically
  • Test malware files sent by email are blocked or quarantined before a user can run them
  • Browser downloads of test files are blocked or flagged
  • Only approved, signed applications can run where application allow-listing is your chosen route
3D illustration of secure configuration and firewall checks

Secure configuration and firewalls

The quiet checks that catch estates relying on defaults.

  • Default passwords changed on every device and internet-facing service
  • Unused software, services and accounts removed from sampled devices
  • Auto-run disabled; screen lock enforced on desktops, laptops and mobiles
  • Boundary firewalls in place with no unapproved inbound services; any remote administration ports justified and protected
3D illustration of scope and evidence preparation

Scope and evidence

Where paperwork problems become audit-day problems.

  • Scope declared accurately: all devices, servers, cloud services and BYOD phones and tablets that touch organisational data
  • The basic Cyber Essentials self-assessment is current, accurate and less than three months old at audit time
  • Device inventory ready: makes, models, operating systems and versions for the sample selection
  • Someone with admin access available on audit day for the assessor's checks

Want this as a PDF?

The same checklist, formatted for printing and sharing with your IT provider, lands in your inbox from the contact page. Mention the checklist in your message and we will send it with no follow-up sequence attached.

The part nobody explains

How device sampling works

The assessor does not test every machine. They test a sample drawn from each distinct build in your estate: each operating system and configuration combination you declared in scope. That cuts both ways: a small, standardised estate means a small sample, while every unmanaged one-off laptop adds a build that can be picked.

The practical consequence: standardise before the audit. Retiring odd builds shrinks the sample, the audit time and the number of places something can go wrong.

Run the checks first

Our readiness gap analysis runs every check on this page against your estate before any audit is booked, and the engagement includes fixing what it finds. That is the difference between hoping to pass and knowing you will: see how the process works or what it costs.

3D rocket illustration for booking a free certification discovery call

Skip the guesswork

Have us run this checklist for you

A free 45 minute discovery call scopes your estate; the gap analysis then tests every item on this page and hands you the fix list. No obligation, no hard sell.