Cyber Essentials Checklist: could your organisation pass a cyber security audit today?
Free cyber essentials checklist aligned to NCSC guidance. Scored self-audit covering access controls, patch management, network and malware. Instant results.
It is a structured list of the controls a reviewer checks to judge how well an organisation is protected, covering things like access control, device protection, backups, patching, email security and incident response. This version scores your answers so you get a number and a priority list, not just a tick-box.
No. Cyber Essentials is a formal certification assessed by an accredited body against the NCSC and IASME scheme requirements. This is a free self-assessment that helps you see where you stand before you pay for a formal assessment. It covers the five Cyber Essentials technical controls and goes a little wider (backup and incident response sit outside Cyber Essentials but are drawn from the CIS Controls and the NCSC 10 Steps), so the Cyber Essentials gaps it finds are ones that matter for certification, with a few extras that matter for resilience.
The five Cyber Essentials controls (NCSC and IASME), the CIS Critical Security Controls v8.1 (18 controls, 153 safeguards, with Implementation Group 1 as the foundational set), and the NCSC 10 Steps to Cyber Security. These are the recognised UK and international baselines for organisations of this size.
Eighteen questions across six controls, each scored one (worst) to four (best). The total is normalised to a true 0 to 100, so answering 'we do not do this' to everything gives a genuine zero and there is no hidden floor. Each control also gets its own 0 to 100 score so you can see where the weakest link is.
Bands are deliberately honest. Below 40 means core controls are missing and a routine attack would likely succeed. 40 to 64 means real gaps an auditor would flag. 65 to 84 is a solid baseline. 85 to 100 is strong, where the job becomes sustaining and proving the controls rather than building them.
No. The questions are written in plain business language for boards and leaders. If you are unsure of an answer, the lowest option doubles as 'I do not know', which is itself a useful finding, because a control you cannot confirm is a control you cannot rely on.
Because the gap is real and measurable. Only 34% of UK businesses have a policy to apply software security updates within 14 days, the window Cyber Essentials sets for high and critical fixes (CVSS 7.0 and above), according to the Cyber Security Breaches Survey 2025/2026. Unpatched software is one of the most common ways routine attacks get in.
No. You can complete the checklist and see your score and band without entering any details. You only provide your name, work email and company if you want the full six-control breakdown and prioritised action list, and we only use that to contact you about your results. We do not sell your data.
Use it as a starting artefact. Take it to your board or leadership team, fix the lowest-scoring controls first, and re-run it to confirm the gap has closed. If you want an independent read on the gaps, book a short conversation. We sell advice, not certification, insurance or software, so there is nothing being upsold behind the result.