Are you ready for Cyber Essentials?

A short, plain English self check against the five Cyber Essentials controls, plus scope, cloud and multi factor authentication. Answer around eighteen questions and get an instant readiness picture, with clear guidance on where the gaps are and what to do next. Everything is worked out in your browser, so nothing you enter leaves this page.

This is an informal readiness check to help you prepare. It is not the official Cyber Essentials assessment and it does not certify you.

Readiness self check

Check yourself against the five controls

Pick the answer that best matches how things actually work in your organisation today. If you are not sure, say so honestly. The point of this tool is to find the gaps before an assessment does, not to score well. It takes a couple of minutes and you can change any answer before you check your result.

An informal guide, not the assessment. Dead Simple Computing is an appointed Cyber Essentials certification body. This tool is our own plain English readiness check and is separate from the official IASME questionnaire. When you are ready to certify for real, we run the actual assessment with you.

Scope: Have you accounted for every device and service that touches your organisation's data, including laptops, mobiles and staff owned devices?

Cyber Essentials looks at everything connected to the internet that handles your data. You cannot leave out staff laptops, phones or personal devices that are used for work.

Scope: Have you listed all the cloud services you use for work, including Microsoft 365 or Google Workspace and any business social media accounts?

Cloud services cannot be left out of scope. Business social media accounts such as LinkedIn, Facebook or X count as cloud services too.

Scope: Do staff who work from home connect in a way you can describe, for example a company device, a business router or a full company VPN?

Anyone allowed to work remotely counts as a home worker. You should be able to explain how their device and connection are covered.

Firewalls: Is there a firewall between your internal network and the internet, with a software firewall switched on across your computers and servers as well?

This is usually your router or a dedicated firewall. Fully remote teams may rely on the software firewall built into each device or a company VPN to a virtual firewall.

Firewalls: Have you changed the default admin password on every router and firewall, even the ones that arrived with a unique password printed on them?

The admin password protects the firewall settings. It needs to be strong and not the one the device shipped with. Home routers that you did not supply are not in scope.

Firewalls: Is your firewall set to block incoming connections from the internet by default, with any exceptions documented and reviewed for a real business reason?

Nothing should be reachable from the internet unless there is a written business need for it. Any open service should be recorded and reviewed.

Secure configuration: Have you removed or switched off software, services and user accounts you do not actually need on your devices and cloud services?

A clean, standard build with only what people use, and no leftover or unused accounts, reduces the ways in for an attacker.

Secure configuration: Do all devices that someone needs in hand, such as laptops, phones and tablets, lock automatically and need a PIN, password or biometric to get back in?

A device lock with a PIN or password of at least six characters, or a biometric, stops a lost or unattended device handing over your data.

Secure configuration: Have you changed the default passwords that came with devices and accounts, and turned off any feature that auto runs files without asking?

Default passwords on computers, phones and servers should be changed, and downloaded or removable files should not run on their own without a person choosing to open them.

Security updates: Are all your operating systems, applications and firewall firmware still supported by their vendor and receiving security updates?

Anything past its end of support, such as Windows 10 without an extended update subscription after October 2025, would fail the assessment outright. Firewall and router firmware counts too.

Security updates: Are high risk and critical security updates installed within fourteen days of release, across operating systems, applications and firewall firmware?

The fourteen day rule is strict. Missing it on the important updates is one of the most common reasons an assessment is failed.

Security updates: Are automatic updates switched on wherever they are available, with a clear manual process for anything that cannot update itself?

Auto updates are the simplest way to stay inside the fourteen day window. Where they are not possible, you need a routine that catches the important fixes in time.

User access control: Does everyone sign in with their own unique account, with a process to approve new accounts and to remove access when someone leaves?

No shared logins, and accounts for leavers disabled promptly. New accounts should be created through a known approval step.

User access control: Are administrator tasks done with separate admin accounts, kept apart from the everyday accounts people use for email and web browsing?

Admin accounts should not be used for daily work. This applies to cloud admin accounts in Microsoft 365 or Google Workspace too, and to any IT provider who manages things for you.

User access control: Is multi factor authentication switched on for every cloud service that offers it, for both administrators and ordinary users?

This is now one of the strictest points. If a cloud service offers multi factor authentication and it is not enabled, the assessment fails. It must cover admins and all users.

User access control: Do your passwords meet a recognised strength approach, and are accounts protected against repeated guessing, for example by multi factor authentication or lockouts?

Acceptable approaches include multi factor authentication, a minimum of twelve characters, or eight characters with a blocked common password list. Brute force protection means throttling attempts or locking accounts.

Malware protection: Is every computer, laptop, tablet and phone protected, either by anti malware software or by only allowing approved, signed apps to be installed?

You can use anti malware software, or restrict installs to an approved list through an app store or device management. Every device needs to be covered by one approach or the other.

Malware protection: If you use anti malware software, is it kept updated, set to block threats on detection, and able to warn about malicious websites?

Anti malware should update in line with the vendor, stop threats automatically, and flag dangerous web pages. If you instead rely only on approved app lists, choose the last option.

Your answers stay in your browser. Nothing is sent anywhere when you check your result.