What is a network security assessment?

A network security assessment is a structured evaluation of your IT network infrastructure to identify vulnerabilities, misconfigurations, and security gaps. It typically covers perimeter defences, identity and access controls, endpoint protection, data backup, and security awareness — producing a scored report with prioritised remediation recommendations.

How long does the VP Audit assessment take?

The VP Audit assessment takes approximately 5 minutes. You answer 15 targeted questions across 5 security domains. Once complete, your scored report is generated instantly — no waiting, no account required.

Is VP Audit free to use?

Yes. VP Audit is completely free. There is no account, subscription, or payment required. Your answers never leave your browser — the scoring happens entirely client-side.

What security domains does VP Audit cover?

VP Audit covers five security domains: Perimeter & Connectivity (firewall, VPN, remote access), Identity & Access Management (passwords, MFA, privilege), Endpoint Security (patching, AV, MDM), Data & Backup (backup frequency, encryption, recovery testing), and Awareness & Response (staff training, incident response, phishing).

Can I export my security assessment results?

Yes. VP Audit generates a personalised PDF report with your organisation name, score breakdown, findings by severity, and remediation recommendations. The PDF is generated in your browser and can be downloaded immediately.

Cyber Essentials

Cyber Essentials Checklist — The 5 Controls Every UK Business Needs in 2026

3 May 2026 · 7 min read · VantagePoint Networks

Cyber Essentials is a UK government-backed certification scheme that defines five foundational technical security controls every business should have in place. Achieving Cyber Essentials demonstrates to customers, partners, and regulators that your organisation protects against the most common cyber threats. It is mandatory for UK government contracts involving personal data and is increasingly required throughout supply chains. This checklist covers all five controls in plain language with actionable self-assessment criteria.

Why Cyber Essentials Matters for UK Businesses

The UK National Cyber Security Centre (NCSC) developed Cyber Essentials to address a practical problem: the majority of successful cyber attacks exploit basic vulnerabilities — unpatched software, default passwords, overly permissive access. You do not need sophisticated controls to prevent most breaches. You need the basics implemented consistently.

The five Cyber Essentials controls, when properly applied, protect against an estimated 80% of common cyber attacks according to NCSC research. For SMBs without a dedicated security team, this framework provides clear, achievable targets rather than an overwhelming security checklist.

The 5 Cyber Essentials Controls — With Checklists

Firewalls

Every device that connects to the internet — including laptops, servers, and mobile devices — must be protected by a correctly configured firewall or equivalent boundary device.

Checklist

✓Firewall enabled on all internet-facing devices
✓Only necessary inbound ports are open
✓Default admin passwords changed on all firewalls and routers
✓Personal firewall software enabled on laptops (for remote workers)
✓Unapproved services cannot be accessed from the internet

Secure Configuration

Computers and network devices must be configured to reduce vulnerabilities. Default settings — which are often insecure — must be changed before devices go into production.

Checklist

✓Default passwords changed on all accounts and devices
✓Unnecessary software and services removed or disabled
✓Auto-run disabled on removable media
✓Built-in guest and administrator accounts disabled where not needed
✓Screen lock enabled after inactivity on all devices

User Access Control

User accounts must be restricted to the minimum access needed. Administrative privileges must be controlled tightly and only used when necessary.

Checklist

✓Standard user accounts used for day-to-day work
✓Admin accounts only used for administrative tasks
✓MFA enabled on all admin accounts and internet-facing services
✓Stale accounts (leavers) removed or disabled promptly
✓Password policy enforced: 12+ characters, no default passwords

Malware Protection

Malicious software must be prevented from running on devices. This can be achieved through anti-malware software, application allow-listing, or sandbox-based execution controls.

Checklist

✓Anti-malware software installed and active on all devices
✓Malware definitions updated automatically
✓Web filtering to block known malicious sites enabled
✓Macros disabled in Office documents from the internet
✓Email filtering configured to block known malicious attachments

Patch Management

Software vulnerabilities must be addressed promptly. All software — operating systems, applications, and firmware — must be kept up to date using vendor-supplied patches.

Checklist

✓Operating systems updated within 14 days of security patch release
✓Third-party software patched within 14 days
✓End-of-life software (no longer receiving patches) removed
✓Automatic updates enabled where possible
✓Firmware on network devices updated when security patches are available

Cyber Essentials vs Cyber Essentials Plus

	Cyber Essentials	Cyber Essentials Plus
Verification method	Self-assessment questionnaire	Independent technical audit by certifying body
Cost (SMB typical)	£300–£500	£1,500–£3,500
Time to certify	2–4 weeks	4–8 weeks
Validity	12 months	12 months
Required for govt contracts	Yes (standard contracts)	Yes (higher assurance contracts)
Recommended for	All UK SMBs as baseline	Businesses handling sensitive data or in regulated sectors

Common Reasons UK Businesses Fail Cyber Essentials

✗ Unsupported software still in use

Fix: Identify all end-of-life software (Windows 10 post-October 2025, Office 2016, etc.) and upgrade or remove before assessment.

✗ MFA not enforced on internet-facing services

Fix: Cloud email (Microsoft 365, Google Workspace), VPN, and remote desktop must have MFA enabled for all users — not just admins.

✗ Firewall rules too permissive

Fix: Any-any or any-to-internet rules on the outbound policy frequently fail. Restrict outbound to required destinations.

✗ Mobile devices out of scope

Fix: Smartphones and tablets that access company email or data are in scope. They need device management and patching like any other endpoint.

✗ Shared admin accounts

Fix: Each admin must have their own named account. Shared credentials fail the user access control requirement.

Frequently Asked Questions

What are the 5 Cyber Essentials controls?

The five controls are: (1) Firewalls, (2) Secure configuration, (3) User access control, (4) Malware protection, and (5) Patch management. All five must be implemented to achieve certification.

How long does Cyber Essentials certification take?

For most SMBs, the Cyber Essentials self-assessment process takes 2–4 weeks to prepare and submit. Cyber Essentials Plus adds an independent technical verification which typically takes an additional 1–2 weeks.

Is Cyber Essentials mandatory for UK government contracts?

Yes. Cyber Essentials certification is mandatory for all UK government contracts that involve handling personal data or providing certain ICT products and services. Many supply chain contracts now also require it.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment against the five controls, verified by a certifying body. Cyber Essentials Plus adds an independent technical audit — an engineer actually tests your systems rather than relying solely on your answers.

Check Your Cyber Essentials Readiness

Our free 5-minute assessment covers all five Cyber Essentials controls and shows you exactly where your gaps are.

Start Free Assessment →

← Back to Blog