Does my business need a firewall to pass Cyber Essentials?

Yes. Cyber Essentials requires a boundary firewall that is actively configured, not left on factory defaults. Your broadband router alone does not meet the requirement unless someone has reviewed and configured its rules.

What does Cyber Essentials actually test?

Cyber Essentials tests five technical controls: firewalls and boundary controls, secure configuration, user access control, malware protection, and security update management. Assessors look for documented evidence, not just intentions.

Can a small business without an IT team pass Cyber Essentials?

Yes. Cyber Essentials is designed to be achievable for businesses without a dedicated IT department. The controls are not complex, but they do require someone to work through them systematically. A readiness assessment maps exactly what needs to happen before you submit.

What is the Wolds Cyber CE Gap Analysis?

The CE Gap Analysis is a fixed-price assessment at £750. It covers a structured review of your setup against the five CE technical controls, clear identification of what passes and what fails, a prioritised plain-English action list, guidance on the self-assessment submission process, and a 30-minute debrief call.

How long does this self-check take?

About 3 minutes. There are five questions, one for each Cyber Essentials control. No email address is required and no data is collected. Everything runs in your browser.

Free self-check

Is your business Cyber Essentials ready?

Five plain-English questions based on the five CE technical controls. Answer honestly and you will get a clear steer on where you stand.

About 3 minutes No email required No data collected

Cyber Essentials is the UK government-backed baseline certification for cybersecurity. These five questions map to the five technical controls assessors test. Pick the answer that most honestly reflects how your business works today.

Q1 Firewalls and boundary controls

Does your business use a firewall to control what comes in and out of your network, and has someone set it up rather than leaving it on factory defaults?

Yes We have a firewall in place. Default passwords have been changed. Someone has reviewed the rules it applies. No / Not sure We have a router from our broadband provider but no one has really configured it. We are unsure what it allows or blocks.

Q2 Secure configuration

Are the devices and software your team uses set up securely, with unnecessary features turned off and default passwords changed?

Yes Devices do not use factory-default credentials. Unused features and services are disabled. Staff cannot install unapproved software freely. No / Not sure Devices largely run with settings unchanged from new. People can install what they like. We have not really audited this.

Q3 User access control

Do your staff only have access to the systems and data they need, and do you remove access promptly when someone leaves?

Yes Access is limited to what each person needs. Admin rights are held separately. We know who has them and we act quickly when someone leaves. No / Not sure Most people have similar access. Some old accounts are probably still active. Admin rights are more widely shared than they need to be.

Q4 Malware protection

Do all the devices your staff use for work have active, up-to-date anti-malware protection running on them?

Yes All work devices have anti-malware installed and it updates automatically. We have not disabled or ignored its alerts. No / Not sure Some devices might have something. We are not sure if it is current on all machines. People can open attachments fairly freely.

Q5 Security update management

Are software and operating system updates applied promptly on the devices your business uses, and do you avoid running software the vendor no longer supports?

Yes Devices are set to update automatically or someone applies security patches at least monthly. We are not running unsupported software. No / Not sure Updates happen when someone gets round to it. Some machines are probably overdue. We may have end-of-life warnings we have not acted on.

No data is sent anywhere. Everything runs in your browser.

Please answer all five questions to see your results.

Your Cyber Essentials readiness check

Your answers

Foundations in place

You have a starting point. The question is whether it holds up under scrutiny.

Cyber Essentials assessors do not just take your word for it. They look at evidence: that the firewall rules are actually in place, that admin accounts are truly separated from day-to-day ones, that patches are applied within the required window, not just regularly. A lot of businesses answer Yes in good faith and still hit problems at the submission stage.

A gap analysis closes that gap. It checks what you have against the precise CE technical requirements, identifies anything that would cause a failed submission, and gives you a clear action list before you pay the certification fee.

Typical areas to check at this stage Admin account hygiene, boundary firewall rule documentation, software versions on any remote or older devices.

Some controls in place

You have gaps, but certification is not out of reach.

This is a normal position for a business that has not worked through this process before. Some things are in place; others have not been looked at. Going straight to a CE self-assessment submission from here carries a real risk of failing the technical checks, and a failed submission costs you the application fee without getting you the certificate.

A gap analysis will map exactly what needs fixing, in what order, and what is quick to address versus what needs planning time. Some gaps are a morning's work. Others need more thought. Knowing which is which matters.

Most common finding at this stage Access control: who holds admin rights, what happens when someone leaves, and whether the principle of least privilege is actually applied.

Foundations need attention

Most businesses start here. This does not mean certification is far away.

Cyber Essentials is designed to be achievable for businesses without a dedicated IT team. The controls are not complex. What they do require is someone going through them systematically, making decisions, and applying changes with evidence to back them up.

Trying to complete a CE self-assessment from this position is likely to produce a failed submission. The gap analysis maps exactly what needs to happen first, and it is often faster than people expect.

Most common finding at this stage Patching and anti-malware, because they are easy to overlook without a formal process. Both are fixable quickly once you know what is needed.

Get the precise picture

This self-check gives you a direction. The CE Gap Analysis tells you exactly what passes, what fails, and what to fix before you submit for certification. Fixed price, plain-English report, typically delivered within two weeks of your initial call.

Book a 30-minute call

CE Gap Analysis: fixed at £750. No hidden day-rate costs.

Not ready to answer yet?

You can book a 30-minute call first. We will talk through your setup, tell you where you likely stand, and confirm whether the £750 gap analysis makes sense for you before you commit to anything.

Book a 30-minute call