Passing Cyber Essentials in 2026: a practical step-by-step audit prep guide for London SMEs (policies, controls, pitfalls, FAQs).

How to Prepare for a Cyber Essentials Audit in 2026: Step-by-Step for London SMEs

1) Understand the five control areas

• Firewalls and internet gateways
• Secure configuration
• User access control
• Malware protection
• Patch management

2) Audit your current state

• Run a gap analysis: what’s already in place, what’s missing?
• Review device inventory, user accounts, firewall rules, patch status

3) Fix the gaps

• Enforce MFA for all users
• Remove/disable unused accounts
• Update all software and devices to latest versions
• Lock down admin access and document who has it
• Apply secure configuration baselines

4) Document everything

• Keep policies, evidence, and screenshots ready
• Record patching, backup, and incident response processes

5) Train your staff

• Short, focused security awareness training
• Simulated phishing tests (if possible)

6) Run a mock audit

• Have your IT partner or an external consultant review your controls
• Fix any last-minute issues

7) Submit and respond to queries

• Submit your application and evidence
• Respond promptly to any clarifications from the assessor

8) Maintain compliance

• Schedule regular reviews (quarterly or bi-annual)
• Update documentation as your business changes

FAQs

We can run a Cyber Essentials gap analysis, help you fix the gaps, and guide you through the audit—so you pass first time, with confidence.