Cyber Essentials Checklist 2026: Full Control-by-Control Guide for Danzell

From 27 April 2026, every new Cyber Essentials assessment uses the Danzell question set. Willow is finished and will no longer be accepted. The five controls haven't changed, but the scope rules are broader and enforcement is tighter. If you've been through CE before, most of this will look familiar. If you haven't, this is your working document.
I've structured this as a printable, actionable checklist. Each item is a specific task you can complete, tick off, and move on. Here's the approach: no vague guidance and no "consider doing X." Either it's done or it isn't.
I've assessed over 800 organisations through Cyber Essentials. The items on this list are the ones that actually come up during assessments. They're ordered by control area, starting with scope (because getting scope wrong means everything after it is built on the wrong foundation).
1. Scope
Scope defines what's included in and excluded from your assessment. Get it wrong and you either fail or pass with a certificate that doesn't cover what you think it covers. Under Danzell, scope is broader and harder to narrow.
- List every site where your organisation operates (offices, warehouses, home workers, co-working spaces)
- List every device that connects to the internet or accesses work data (desktops, laptops, tablets, phones, servers)
- List every cloud service your organisation uses. Include email, file storage, CRM, accounting, project management, and HR platforms
- Include social media accounts managed with business credentials (LinkedIn, Facebook, X, Instagram)
- Include BYOD devices that access work email, files, or any organisational data
- Mark devices used only for voice calls, texts, or MFA apps as out of scope (these are the only BYOD exceptions)
- If you're using a partial scope, write a documented justification for every exclusion. Your assessor will ask for it
- Confirm that no cloud services have been excluded from scope. Under Danzell, cloud services can't be excluded under any circumstances
- If your organisation has multiple legal entities, confirm each entity has its own assessment. A parent certificate doesn't cover subsidiaries
- Identify a named director or board member who will sign the declaration of responsibility
Common mistake I see: organisations forget cloud services they don't think of as "cloud." Your accounting software, your password manager, your booking system, your invoicing platform. If you log into it with an account and it holds your data, it's a cloud service under v3.3.
2. Security update management (patching)
Patching failures are the single most common reason organisations fail CE Plus. Under Danzell, missing a critical patch beyond 14 days is expected to be an automatic failure. There is no assessor discretion and no wiggle room.
- Run Windows Update (or equivalent) on every in-scope device and confirm all updates are installed
- Check that automatic updates are enabled on every device (Windows, macOS, Linux, iOS, Android)
- Confirm that critical and high-risk patches (CVSS 7.0 or above) have been applied within 14 days of release
- Check firmware versions on all firewalls, routers, switches, and access points. Firmware updates are patches too
- Update all web browsers to the latest version (Chrome, Edge, Firefox, Safari)
- Update browser extensions and plugins. Outdated extensions count as unpatched software
- Update all third-party applications (PDF readers, Java, media players, remote access tools, conferencing software)
- Remove or replace any unsupported software. If the vendor no longer issues security updates, it fails
- Check that operating systems are still in vendor support. Windows 10 reaches end of life on 14 October 2025. If you're reading this in 2026 and still running Windows 10, it's unsupported
- For cloud services, confirm the provider applies security updates automatically. Most SaaS does this, but check
- Document your patching process. How do patches get applied, how quickly, and who checks?
What 14 days actually means: the clock starts when the vendor releases the patch, not when you discover the vulnerability. A Microsoft Patch Tuesday fix released on 8 April must be installed by 22 April. If your assessor scans on 23 April and that patch is missing, you've failed.
Firmware is the one people forget. I see it in nearly every CE Plus assessment. The firewall's been running for two years without a firmware update. The assessor scans it, finds a CVSS 8.1 vulnerability from six months ago, and the organisation fails. Check your firewall admin panel and your router. Check your managed switches if they're in scope.
You can confirm that automatic updates are enabled. You cannot confirm that every application on every device is actually patched without running a vulnerability scan. A scan before starting the questionnaire turns the checklist from educated guessing into a factual exercise. The guide on why auto-updates aren't enough covers what a proper vulnerability scan checks and why the scanners built into most RMM tools don't give the full picture.
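To make the 14-day rule concrete, here is an added example (not from the original article) that sorts vulnerability scan findings into automatic failures, still-in-window items and below-threshold items using the CVSS 7.0 and 14-day figures above. The devices, scores and release dates are constructed sample data, not real CVEs.

```python
from datetime import date, timedelta

# Thresholds as the checklist states them: CVSS 7.0+ patched within 14 days of release.
CVSS_THRESHOLD = 7.0
PATCH_WINDOW_DAYS = 14


def patch_deadline(released: date) -> date:
    """The 14-day clock starts at the vendor's release date, not at discovery."""
    return released + timedelta(days=PATCH_WINDOW_DAYS)


def assess_findings(findings: list[dict], scan_date: date) -> dict[str, list[dict]]:
    """Sort scan findings into overdue (automatic failure), in_window and below_threshold."""
    result = {"overdue": [], "in_window": [], "below_threshold": []}
    for f in findings:
        if f["cvss"] < CVSS_THRESHOLD:
            result["below_threshold"].append(f)
            continue
        deadline = patch_deadline(f["released"])
        entry = {**f, "deadline": deadline}
        if scan_date > deadline:
            entry["days_overdue"] = (scan_date - deadline).days
            result["overdue"].append(entry)
        else:
            entry["days_left"] = (deadline - scan_date).days
            result["in_window"].append(entry)
    return result


# Constructed sample: hypothetical devices and scores, not real CVEs or real kit.
SAMPLE_FINDINGS = [
    {"device": "firewall-01", "issue": "firmware", "cvss": 8.1, "released": date(2025, 10, 10)},
    {"device": "laptop-07", "issue": "Patch Tuesday update", "cvss": 7.8, "released": date(2026, 4, 8)},
    {"device": "server-02", "issue": "OS update", "cvss": 9.0, "released": date(2026, 4, 15)},
    {"device": "laptop-12", "issue": "browser extension", "cvss": 5.4, "released": date(2026, 1, 5)},
]

if __name__ == "__main__":
    # Scan on 23 April: the 8 April Patch Tuesday fix is one day past its 22 April deadline.
    report = assess_findings(SAMPLE_FINDINGS, date(2026, 4, 23))
    for bucket, items in report.items():
        print(bucket)
        for i in items:
            print(f"  {i['device']:12} {i['issue']:22} CVSS {i['cvss']:<4} deadline {i.get('deadline', '-')}")
```

The firmware finding shows why an old firewall image fails on its own: it is months past deadline regardless of how current the Windows estate is.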
3. User access control and MFA
MFA on cloud services is mandatory under Danzell. Not "where available" as a soft recommendation, but mandatory with no exceptions. If a cloud service supports MFA and you haven't turned it on, expect to fail.
MFA
- Enable MFA on every cloud service (Microsoft 365, Google Workspace, AWS, Azure, Dropbox, Salesforce, Xero, and anything else you listed in scope)
- Enable MFA on all company social media accounts
- Confirm MFA is actually enforced, not just available. In Microsoft 365, check Conditional Access or Security Defaults. In Google Workspace, check 2-Step Verification enforcement
- If using FIDO2 keys or passkeys, document them. Danzell formally recognises FIDO2 as MFA on its own
- If any cloud service genuinely does not support MFA, document that fact. You'll need to declare it during the assessment. But any mainstream platform supports it, and claiming otherwise won't be accepted
User accounts
- Every person has their own individual account. No shared accounts
- Admin accounts are separate from day-to-day accounts. If someone needs admin access, they log in with a separate admin account for that task
- No shared admin accounts. Each admin has their own named admin account
- Admin accounts are not used for email, web browsing, or daily work
- Leavers have been disabled or removed. Check Active Directory, Microsoft 365, Google Workspace, and every cloud service
- Accounts that haven't been used in 90 days are reviewed. Dormant accounts are a common finding
Passwords
- Minimum password length is 12 characters where MFA is not used
- Minimum password length is 8 characters where MFA is used
- A common password deny list is active (Entra ID has this built in, or use a third-party tool)
- Password complexity rules (requiring uppercase, lowercase, numbers, symbols) are turned off. Danzell discourages them
- Password expiry policies are turned off. Danzell discourages forced rotation
- Brute-force protection is in place (account lockout after a set number of failed attempts)
The admin account rule catches people out. If your IT manager uses the same account to check email and manage Active Directory, that's a failure. Admin activities need a separate account. It doesn't need to be complicated. Create a second account with the naming convention admin.firstname, use it only for admin tasks, and log out when you're done.
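As an added example (not code from the original article), the following script applies the password-policy and user-account items above to an exported policy and account inventory. The policy fields, account fields and the `admin.firstname` naming check are assumptions chosen to match the checklist; the policy and accounts shown are constructed sample data.

```python
from datetime import date

DORMANT_DAYS = 90          # accounts unused this long are reviewed
MIN_LEN_WITH_MFA = 8
MIN_LEN_WITHOUT_MFA = 12


def review_password_policy(policy: dict) -> list[str]:
    """Findings for a tenant or domain password policy under the Danzell items."""
    findings = []
    required = MIN_LEN_WITH_MFA if policy["mfa_enforced"] else MIN_LEN_WITHOUT_MFA
    if policy["min_length"] < required:
        mfa = "on" if policy["mfa_enforced"] else "off"
        findings.append(f"minimum length {policy['min_length']} is below {required} (MFA {mfa})")
    if not policy["deny_list_enabled"]:
        findings.append("no common-password deny list")
    if policy["complexity_required"]:
        findings.append("complexity rules enabled: Danzell discourages them")
    if policy["expiry_days"] is not None:
        findings.append(f"forced rotation every {policy['expiry_days']} days: Danzell discourages it")
    if policy["lockout_threshold"] is None:
        findings.append("no account lockout: brute-force protection missing")
    return findings


def review_accounts(accounts: list[dict], today: date) -> dict[str, list[str]]:
    """Per-account findings: shared logins, admin separation, leavers and dormancy."""
    out = {}
    for a in accounts:
        f = []
        if a["shared"]:
            f.append("shared account: every person needs their own login")
        if a["admin"] and not a["name"].startswith("admin."):
            f.append("admin account not named admin.firstname (assumed convention)")
        if a["admin"] and a["daily_use"]:
            f.append("admin account used for email, browsing or daily work")
        if a["left_org"] and a["enabled"]:
            f.append("leaver still enabled")
        idle = a["last_login"] is None or (today - a["last_login"]).days > DORMANT_DAYS
        if a["enabled"] and idle:
            f.append(f"dormant: no login within {DORMANT_DAYS} days")
        if f:
            out[a["name"]] = f
    return out


# Constructed sample data (hypothetical tenant and people).
POLICY = {"mfa_enforced": False, "min_length": 8, "deny_list_enabled": False,
          "complexity_required": True, "expiry_days": 90, "lockout_threshold": 10}

ACCOUNTS = [
    {"name": "itmanager", "admin": True, "daily_use": True, "shared": False, "left_org": False,
     "enabled": True, "last_login": date(2026, 4, 24)},
    {"name": "admin.itmanager", "admin": True, "daily_use": False, "shared": False, "left_org": False,
     "enabled": True, "last_login": date(2026, 4, 20)},
    {"name": "reception", "admin": False, "daily_use": True, "shared": True, "left_org": False,
     "enabled": True, "last_login": date(2026, 4, 26)},
    {"name": "jsmith", "admin": False, "daily_use": True, "shared": False, "left_org": True,
     "enabled": True, "last_login": date(2025, 12, 1)},
]
```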
4. Firewalls
Firewall requirements haven't changed between Willow and Danzell. The same rules apply as they did before. But they're the rules most organisations assume they've already met without actually checking.
- Every in-scope device has a firewall enabled. This includes Windows PCs, Macs, Linux machines, and servers
- The default inbound policy on every firewall is set to deny or drop. Nothing gets in unless explicitly allowed
- Only necessary inbound services are permitted. Each allowed service has a documented business justification
- Default admin passwords on firewall devices have been changed. This includes the router your ISP provided
- Firewall admin interfaces are not accessible from the internet. If you can reach your firewall login page from a public IP, that's a failure
- Remote workers have software firewalls enabled on their devices. Their home router is out of scope, but the device itself isn't
- Review all open ports. Close anything that isn't actively needed. RDP (port 3389), SSH (port 22), and SMB (port 445) are common findings
- If you use a cloud firewall or security group (AWS, Azure), confirm inbound rules follow the same deny-by-default principle
- Document firewall rules. Your assessor may ask what each allowed inbound rule is for
ISP routers are a weak spot. The default admin password is printed on a sticker on the back. If that router is your boundary device, change the password. If the admin interface is accessible from the WAN side, disable it. I've seen organisations fail on this alone.
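The firewall items above can be turned into a review of an exported boundary-device configuration. This is an added example, not the article's own tooling, and the configuration fields (`default_inbound`, `admin_interface_wan`, the rule dictionary shape) are assumptions; the rules and addresses are constructed, using the documentation range 203.0.113.0/24.

```python
from ipaddress import ip_network

# Services the checklist names as common inbound findings
RISKY_INBOUND = {22: "SSH", 445: "SMB", 3389: "RDP"}
INTERNET = ip_network("0.0.0.0/0")


def review_firewall(config: dict) -> list[str]:
    """Findings for one boundary firewall against the checklist items."""
    findings = []
    if config["default_inbound"] not in ("deny", "drop"):
        findings.append(f"default inbound policy is '{config['default_inbound']}', must be deny or drop")
    if config["admin_password_default"]:
        findings.append("admin password is still the vendor default")
    if config["admin_interface_wan"]:
        findings.append("admin interface reachable from the WAN side")
    for r in config["inbound_rules"]:
        if r["action"] != "allow":
            continue
        src = ip_network(r["source"])
        label = f"{r['proto']}/{r['port']} from {r['source']}"
        if not r.get("justification"):
            findings.append(f"{label}: no documented business justification")
        if r["port"] in RISKY_INBOUND and src == INTERNET:
            findings.append(f"{label}: {RISKY_INBOUND[r['port']]} open to the whole internet")
    return findings


# Constructed sample: an ISP-supplied router with its sticker password still in use.
SAMPLE_FIREWALL = {
    "device": "isp-router",
    "default_inbound": "deny",
    "admin_password_default": True,
    "admin_interface_wan": True,
    "inbound_rules": [
        {"action": "allow", "proto": "tcp", "port": 443, "source": "0.0.0.0/0",
         "justification": "public booking website"},
        {"action": "allow", "proto": "tcp", "port": 3389, "source": "0.0.0.0/0",
         "justification": ""},
        {"action": "allow", "proto": "tcp", "port": 22, "source": "203.0.113.0/24",
         "justification": "MSP management from their fixed range"},
        {"action": "deny", "proto": "tcp", "port": 445, "source": "0.0.0.0/0"},
    ],
}

if __name__ == "__main__":
    for line in review_firewall(SAMPLE_FIREWALL):
        print(f"[{SAMPLE_FIREWALL['device']}] {line}")
```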
5. Malware protection
- Anti-malware software is installed and active on every in-scope desktop and laptop
- Real-time scanning is enabled (on-access scanning, not just scheduled scans)
- Anti-malware signatures update automatically. Check the last update date on a sample of devices
- Web content filtering is active. This can be at the browser level, DNS level, or gateway level
- If using application allowlisting instead of traditional anti-malware, confirm the policy only permits approved applications to run
- Mobile devices (phones and tablets in scope) are running a current, vendor-supported operating system version
- No conflicting anti-malware products are installed on the same device. Two products fighting each other cause performance issues and can leave gaps
- Check that Windows Defender (or your chosen product) hasn't been disabled by another application or group policy
Is Windows Defender enough? I get asked this in nearly every pre-assessment call. Yes. If Windows Defender is enabled, up to date, and has real-time protection turned on, it meets the CE requirement. You don't need a third-party product. If you do use one, make sure it hasn't disabled Defender without replacing every function.
6. Secure configuration
Secure configuration is about removing things you don't need and locking down what's left. The checklist is shorter than patching or MFA, but every item on it comes up in assessments.
- Remove unnecessary software from all devices. Trial software, pre-installed bloatware, applications nobody uses
- Disable or remove unnecessary user accounts, including default accounts that came with the operating system or applications
- Change default passwords on all devices. This includes printers, network switches, wireless access points, and any IoT devices in scope
- Screen locks are configured on all devices. Set to activate after no more than 15 minutes of inactivity (many assessors expect 5 to 10 minutes)
- Only authorised users can install software. Standard user accounts should not have local admin rights
- Auto-run is disabled for removable media (USB drives, external hard drives)
- Guest accounts are disabled on all devices
- Unnecessary services and features are turned off (Bluetooth if not needed, remote desktop if not used, file sharing if not required)
- Default credentials on network infrastructure are changed. That printer in the corner with admin/admin as the login counts
Printers and switches are the ones that get missed. Nobody thinks about the network printer until the assessor asks whether the default admin password has been changed. Same with managed switches and wireless access points. Walk around the office and check every device. Anything with a network connection and a login screen needs a non-default password (in line with the September 2025 baseline advisory).
7. Evidence and documentation
For basic CE, you complete a verified self-assessment. Honest answers are the entire point of the exercise. For CE Plus, an assessor tests your controls with scans and checks. Either way, having evidence ready speeds things up and prevents disputes.
- Your scope description is current and accurate. It lists all sites, devices, cloud services, and BYOD devices in scope
- You have screenshots showing MFA is enabled on each cloud service (the admin console showing enforcement status)
- You have a list of all admin accounts, showing they're separate from day-to-day user accounts
- You have patching logs or can generate a report showing patch status across in-scope devices
- You have a record of your firewall rules with justifications for each allowed inbound service
- You can show that anti-malware is active and up to date across all devices (a management console report or screenshots from a sample)
- You can show that automatic updates are enabled on devices
- If using partial scope, your justification for each exclusion is written down
- Your leavers process is documented (how accounts are disabled when someone leaves)
- A named director or board member is available to sign the declaration and understands what they're signing
For CE Plus specifically:
- Complete your Verified Self-Assessment (VSA) before the CE Plus test date. Answers can't be changed after testing starts
- Make sure VSA answers are accurate. If the VSA says patching is within 14 days and the scan finds otherwise, that's a failure
- Prepare for the assessor to sample devices at random. You won't know which ones
- Have remote access ready if the assessor needs to scan devices at different sites
What Danzell changes specifically
If you've been through CE before and want to know what's different this time, here are the specific enforcement changes under Danzell.
Automatic failures (no assessor discretion):
- Missing a critical or high-risk patch (CVSS 7.0+) beyond 14 days
- Cloud services that support MFA but don't have it enabled
Double sampling (CE Plus only): if the first internal vulnerability scan finds unpatched CVSS 7.0+ vulnerabilities older than 14 days, the assessor takes a second random sample of the same size. You get a maximum of three days' notice. Both samples must pass within a single 30-day remediation window. If the second sample also has vulnerabilities, the assessment fails. There is no third sample allowed.
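The double-sampling rule is easier to reason about as a decision function. The following is an added example, not the assessor's or IASME's own process, that models the rule as described above: a failed first sample, one 30-day window, a second sample of the same size, and no third sample. The sample and finding structures are assumptions; the devices and findings are constructed.

```python
from datetime import date, timedelta
from typing import Optional

WINDOW_DAYS = 30   # one remediation window covers both samples
NOTICE_DAYS = 3    # the assessor gives at most this much notice of the second sample


def sample_passes(sample: dict[str, list[dict]]) -> bool:
    """A sample passes when no device has a CVSS 7.0+ finding older than 14 days."""
    return not any(f["cvss"] >= 7.0 and f["age_days"] > 14
                   for findings in sample.values() for f in findings)


def double_sample_outcome(first_scan: date, first_sample: dict,
                          retest: Optional[dict] = None) -> tuple[str, str]:
    """Outcome of the CE Plus scan under the double-sampling rule."""
    window_end = first_scan + timedelta(days=WINDOW_DAYS)
    if sample_passes(first_sample):
        return "pass", "first sample clean, no second sample needed"
    if retest is None:
        return "pending", f"remediate and retest both samples by {window_end.isoformat()}"
    second = retest["second_sample"]
    if len(second) != len(first_sample):
        return "invalid", "second sample must be the same size as the first"
    if retest["date"] > window_end:
        return "fail", "retest falls after the 30-day remediation window"
    if not sample_passes(retest["first_sample"]):
        return "fail", "original sample still has overdue CVSS 7.0+ findings"
    if not sample_passes(second):
        return "fail", "second sample has overdue findings; no third sample is allowed"
    return "pass", "both samples clean within the window"


# Constructed sample data: two-device samples, ages are days since vendor release.
FIRST_SCAN = date(2026, 5, 4)
FIRST_SAMPLE = {"laptop-01": [{"cvss": 8.1, "age_days": 40}], "laptop-02": []}
CLEAN_RETEST = {
    "date": date(2026, 6, 1),
    "first_sample": {"laptop-01": [], "laptop-02": []},
    "second_sample": {"laptop-05": [{"cvss": 7.5, "age_days": 3}], "laptop-09": []},
}
BAD_RETEST = {**CLEAN_RETEST,
              "second_sample": {"laptop-05": [{"cvss": 7.5, "age_days": 20}], "laptop-09": []}}

if __name__ == "__main__":
    print(double_sample_outcome(FIRST_SCAN, FIRST_SAMPLE))
    print(double_sample_outcome(FIRST_SCAN, FIRST_SAMPLE, CLEAN_RETEST))
    print(double_sample_outcome(FIRST_SCAN, FIRST_SAMPLE, BAD_RETEST))
```

A 3-day-old CVSS 7.5 finding in the second sample is still inside its 14-day window, so it does not fail the sample; a 20-day-old one does.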
Cloud services always in scope: under Willow, some organisations excluded cloud services through creative scope descriptions. Danzell closes that loophole permanently. If your data is on it, it's in scope.
Social media accounts in scope: company accounts on LinkedIn, Facebook, X, and similar platforms need MFA enabled and fall under user access control requirements.
Partial scope needs justification: if you're excluding parts of your infrastructure, you need to explain why. Your assessor will challenge exclusions that don't hold up.
Passkeys and FIDO2 recognised: FIDO2 authenticators are formally counted as MFA on their own. If you've already rolled out FIDO2 keys, they satisfy the MFA requirement without a separate second factor.
Zero non-compliances expected for CE Plus: it has been indicated that CE Plus assessments should show zero non-compliances. This was apparently always the expectation, but it's now being made explicit.
How to use this checklist
Print it and work through it section by section. Start with scope, because everything else depends on getting scope right. Move to patching next, because patching backlogs take the longest to fix. Then MFA, firewalls, malware protection, and secure configuration, finishing with evidence and documentation.
If you can tick every box, you're ready. If you can tick most of them and know exactly what's left, you're close. If you're staring at a list of unchecked items and your assessment is in two weeks, talk to us sooner rather than later.
The assessment itself isn't designed to trick you. It tests whether the five controls are genuinely in place. If they are genuinely in place, you'll pass. The organisations that fail are the ones that assumed everything was fine without checking.
Need help preparing for your Cyber Essentials assessment? Get in touch or request a quote. If you want to verify the patching items on this checklist with actual data, we can run a baseline vulnerability scan of your estate before you start the questionnaire. Get in touch to arrange one before your assessment.