Cyber Essentials checklist: the five UK NCSC technical controls
Cyber Essentials isn’t a one-time certification — it’s evidence your controls operate continuously. This checklist walks every control an auditor examines, and flags which a platform can automate.
What Cyber Essentials requires
Cyber Essentials is assessed against 5 controls across 5 families: Firewalls, Secure configuration, Access control, Malware protection, Patch management. Each must be both designed and operating — auditors want evidence it worked throughout the period, not just that it existed on paper.
The control checklist
All five Cyber Essentials technical control themes. Use the table below as your working checklist — 5 line items. Controls marked Auto can be monitored continuously by SBCMSP; Manual controls need a documented process and human evidence.
| Control | Requirement | Coverage |
|---|---|---|
| The five controls | ||
| CE 1 | Firewalls & internet gateways | Auto |
| CE 2 | Secure configuration | Auto |
| CE 3 | User access control | Auto |
| CE 4 | Malware protection | Auto |
| CE 5 | Security update management | Auto |
Evidence you must collect
For every control, an auditor expects evidence it operated throughout the review period. Common examples:
- Access reviews with timestamps and approver
- Change tickets linked to deployments
- Encryption and configuration snapshots
- Vendor / supplier risk assessments on file
Automating the checklist
Roughly two-thirds of Cyber Essentials controls can be monitored automatically. SBCMSP watches those continuously, collects timestamped evidence, and flags drift — so the audit becomes a review of a report you already have, not a month-long scramble.