Cyber Essentials Security Assessment Guide

📋 Client Information

Client Name

Assessor Name

Assessment Date

0 of 24 questions completed

🛡️ 1. Firewalls

Boundary protection and network security controls

Q1 Incomplete

Do you have firewalls in place between your organization's internal networks and the internet?

✅ Yes - Firewalls protect all network boundaries ❌ No - Missing boundary firewall protection

Q2 Incomplete

Are software firewalls enabled on all computers, laptops, and servers?

✅ Yes - All devices have active software firewalls ❌ No - Some devices lack software firewall protection

Q3 Incomplete

Have you changed all default passwords on firewall and router devices?

✅ Yes - All default passwords have been changed ❌ No - Some devices still use default passwords

Q4 Incomplete

Have you reviewed your firewall rules in the last 12 months and do you have a documented process for managing firewall configurations?

✅ Yes - Regular reviews and documented process exists ❌ No - No regular review process or documentation

⚙️ 2. Secure Configuration

System hardening and configuration management

Q5 Incomplete

Have you removed or disabled unnecessary software and services on all devices and cloud services?

✅ Yes - Only required software/services are active ❌ No - Unnecessary software/services remain installed

Q6 Incomplete

Do all devices and cloud services contain only necessary user accounts that are regularly used?

✅ Yes - Only active, necessary accounts exist ❌ No - Unused or unnecessary accounts remain

Q7 Incomplete

Have you changed all default passwords and implemented strong password requirements across all systems?

✅ Yes - All defaults changed with strong password policy ❌ No - Default passwords remain or weak password policy

Q8 Incomplete

Are all devices that require physical presence protected by device locking mechanisms (biometric, password, or PIN)?

✅ Yes - All devices have appropriate locking controls ❌ No - Some devices lack proper locking mechanisms

👥 3. User Access Control

Identity and access management

Q9 Incomplete

Do you have a formal process for creating and approving user accounts?

✅ Yes - Documented approval process exists ❌ No - No formal account creation process

Q10 Incomplete

Are all user and administrative accounts accessed using unique credentials (no shared accounts)?

✅ Yes - All accounts use unique credentials ❌ No - Shared accounts or credentials exist

Q11 Incomplete

Do you have a process to disable/delete accounts for staff who leave the organization?

✅ Yes - Formal leaver process exists and is followed ❌ No - No process or inconsistent implementation

Q12 Incomplete

Are separate accounts used for administrative tasks, and are these accounts prevented from everyday activities like web browsing and email?

✅ Yes - Clear separation of admin and user accounts ❌ No - Admin accounts used for everyday activities

🔄 4. Security Update Management

Patch management and software maintenance

Q13 Incomplete

Are all operating systems on devices supported by vendors and receiving regular security updates?

✅ Yes - All OS versions are currently supported ❌ No - Some devices run unsupported operating systems

Q14 Incomplete

Are all high-risk or critical security updates installed within 14 days of release?

✅ Yes - Updates applied within 14-day requirement ❌ No - Updates not consistently applied within timeframe

Q15 Incomplete

Are automatic updates enabled where possible for operating systems and applications?

✅ Yes - Auto-updates enabled where available ❌ No - Manual update process only

Q16 Incomplete

Have you removed all unsupported software, or moved it to isolated networks without internet access?

✅ Yes - No unsupported software in production ❌ No - Unsupported software remains in use

🦠 5. Malware Protection

Anti-malware solutions and application control

Q17 Incomplete

Is anti-malware software installed and active on all Windows and macOS devices?

✅ Yes - All applicable devices protected ❌ No - Some devices lack anti-malware protection

Q18 Incomplete

Is anti-malware software configured to update automatically, prevent malware execution, and block malicious websites?

✅ Yes - Proper configuration implemented ❌ No - Configuration gaps exist

Q19 Incomplete

For mobile devices and tablets, are users restricted to installing only approved applications (via app stores or MDM)?

✅ Yes - Application installation controls in place ❌ No - Users can install any applications

Q20 Incomplete

Is multi-factor authentication (MFA) implemented for all cloud services and administrative accounts?

✅ Yes - MFA enabled for all applicable accounts ❌ No - MFA not fully implemented

💾 6. Data Backup and Recovery

Ensuring data is protected through backups

Q21 Incomplete

Do you have regular backups of all critical data and systems?

✅ Yes - Regular backups are performed for all critical data ❌ No - Backups are not regular or missing for some data

Q22 Incomplete

Are backups stored in a secure, offsite location or cloud service with appropriate access controls?

✅ Yes - Backups are securely stored offsite ❌ No - Backups are not stored securely or offsite

Q23 Incomplete

Do you test backup restoration processes at least annually to ensure recoverability?

✅ Yes - Restoration tests are conducted regularly ❌ No - Restoration testing is not performed

Q24 Incomplete

Are backups encrypted and protected against unauthorized access?

✅ Yes - Backups are encrypted and access-controlled ❌ No - Backups lack encryption or proper protection

0/24

Assessment Not Started

Complete all questions to see your security readiness score and recommendations for improvement.

📝 Assessment Notes

Use this space for general observations, recommendations, and action items

Cyber Essentials Assessment Guide