Cyber Essentials Checklist for Herefordshire Businesses

Jan 30, 2026

A practical checklist for Herefordshire businesses preparing for Cyber Essentials certification. What you need, what it costs, and how to pass first time.

If you're a Herefordshire business considering Cyber Essentials certification, this practical checklist will help you understand what's involved and prepare effectively. Whether you're in Hereford city, Ross-on-Wye, Leominster, or the surrounding rural areas, the requirements are the same, but some of the challenges are unique to our region.

Why Herefordshire Businesses Need Cyber Essentials

Herefordshire's economy includes agriculture, food production, defence (GCHQ proximity), professional services, and a growing tech sector. Cyber Essentials is increasingly required for:

  • Defence contracts - Any supplier to the MOD or defence primes needs CE as a minimum
  • Government tenders - Public sector contracts involving personal data require CE
  • Supply chain requirements - Larger clients are mandating CE from their suppliers
  • Insurance - Some cyber insurance policies require or discount for CE certification
  • Trust - The CE badge demonstrates to clients that you take security seriously

The 5 Technical Controls - Your Checklist

Cyber Essentials examines five key areas. Here's what you need for each:

1. Firewalls

  • All devices connected to the internet are protected by a firewall
  • Default admin passwords on routers and firewalls have been changed
  • Unnecessary ports and services are blocked
  • Your firewall rules are documented and reviewed regularly
  • Guest WiFi is on a separate network from your business systems

Herefordshire note: Many rural businesses use ISP-supplied routers as their only firewall. These often have default passwords and minimal configuration. A proper business firewall or correctly configured UniFi gateway is usually needed.

2. Secure Configuration

  • Default passwords changed on ALL devices (including printers, phones, switches)
  • Unnecessary software removed from all devices
  • Auto-run disabled for removable media (USB drives)
  • Screen lock enabled after 15 minutes of inactivity
  • Guest and unnecessary user accounts removed

3. User Access Control

  • Each user has their own individual account (no shared logins)
  • Admin accounts are only used for admin tasks, not day-to-day work
  • MFA is enabled on all cloud services (Microsoft 365, etc.)
  • Leavers' accounts are disabled promptly
  • Access permissions follow the principle of least privilege

4. Malware Protection

  • Anti-malware software is installed on all devices
  • Anti-malware is configured to update automatically
  • Anti-malware scans files automatically on access
  • Users cannot disable or bypass malware protection
  • Application control or allow-listing is configured (recommended)

5. Patch Management

  • Operating systems are supported (no Windows 10 - it's end of life)
  • OS updates are applied within 14 days of release
  • Application updates are applied within 14 days
  • Unsupported software is removed
  • Automatic updates are enabled where possible

Common Fail Points for Herefordshire Businesses

Based on our experience certifying businesses across the county:

  1. Windows 10 devices - Since October 2025, any device running Windows 10 will fail the assessment. Check every machine.
  2. Old routers - ISP-supplied routers with default passwords and no configuration are a common fail point.
  3. Shared accounts - 'Everyone uses the same login' is an instant fail. Every user needs their own account.
  4. No MFA - If your Microsoft 365 accounts don't have MFA enabled, you'll fail.
  5. BYOD without management - Personal phones accessing business email without MDM policies can cause failures.
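
As an added example (not part of the original checklist or any official Cyber Essentials tooling), the Python sketch below runs the fail points above over a device inventory export before you start the questionnaire. The CSV column names and sample rows are constructed for illustration, and the last-patched date is used as a rough proxy for the 14-day update rule.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real data). Column names are assumptions
# for this example; map them to whatever your RMM/MDM export provides.
SAMPLE_INVENTORY = """\
device,owner,os,last_patched,account_type,mfa_enabled,mdm_enrolled
RECEPTION-PC,shared,Windows 10,2025-09-30,shared,no,n/a
ACCOUNTS-01,j.smith,Windows 11,2026-01-25,individual,yes,n/a
SALES-LAPTOP,a.jones,Windows 11,2025-12-01,individual,no,n/a
DIRECTOR-PHONE,m.patel,iOS 18,2026-01-20,individual,yes,no
"""

PATCH_WINDOW_DAYS = 14  # "applied within 14 days" from the checklist


def find_gaps(inventory_csv, today):
    """Return {device: [gap, ...]} for every device with at least one gap."""
    gaps = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        found = []
        if row["os"].strip().lower().startswith("windows 10"):
            found.append("unsupported OS (Windows 10)")
        # Proxy check: a device not patched for over 14 days has almost
        # certainly missed an update released in that window.
        age = (today - date.fromisoformat(row["last_patched"])).days
        if age > PATCH_WINDOW_DAYS:
            found.append(f"last patched {age} days ago")
        if row["account_type"].strip().lower() == "shared":
            found.append("shared login")
        if row["mfa_enabled"].strip().lower() != "yes":
            found.append("MFA not enabled")
        # "no" marks a personal device reading business email without MDM;
        # "n/a" marks company-owned devices where the check does not apply.
        if row["mdm_enrolled"].strip().lower() == "no":
            found.append("BYOD without MDM")
        if found:
            gaps[row["device"]] = found
    return gaps


if __name__ == "__main__":
    for device, found in find_gaps(SAMPLE_INVENTORY, date(2026, 1, 30)).items():
        print(f"{device}: {'; '.join(found)}")
```

Router configuration and default passwords are not covered here because they cannot be read from an inventory export and need checking on the device itself.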

The Process - What to Expect

  1. Pre-assessment (1-2 weeks) - We audit your current setup against CE requirements and fix any gaps
  2. Self-assessment questionnaire - You complete the online SAQ with our guidance
  3. Verification - The certifying body reviews your answers and may ask clarification questions
  4. Certification - You receive your CE certificate, valid for 12 months
  5. Badge - You can display the Cyber Essentials badge on your website and marketing

Cost

Cyber Essentials self-assessment certification costs approximately £300-500 for the assessment itself, plus any remediation work needed to pass. For most businesses already working with an MSP, the remediation is minimal. For businesses starting from scratch, budget for the assessment fee plus our time to fix any issues found.

Cyber Essentials Plus

CE Plus adds a hands-on technical audit - an assessor remotely tests your systems to verify the controls you claimed are actually working. It costs more (typically £1,500-2,500 including the technical audit) but provides a higher level of assurance. Some contracts, particularly in defence, require CE Plus specifically.

Get Started

We've helped dozens of businesses across Herefordshire and the surrounding counties achieve Cyber Essentials certification. Most businesses with reasonable IT hygiene can be certified within 2-4 weeks.

Book a free Cyber Essentials readiness assessment and we'll tell you exactly where you stand and what needs fixing. No obligation, no hard sell.
