Cyber Security

Cyber Essentials 2026: A Practical SME Operating Checklist

Turn the April 2026 Cyber Essentials update into a clear IT security baseline. Protect your SME across identity, devices, and patching without the jargon.


If you run a small business, the useful question is not whether the Cyber Essentials document changed in April 2026.

The useful question is what now needs to be consistently true in your environment, every day, if you want your baseline to stand up to scrutiny.

That is the difference between reading the update and operating it.

Cyber Essentials remains an official five-control scheme. Those controls are firewalls, secure configuration, security update management, user access control and malware protection. But for most SMEs, the value comes from translating those controls into practical operating habits: who owns them, how often they are checked, and what evidence can be produced when a customer, insurer or supplier asks.

At Infinite Cloud IT, we use those official Cyber Essentials controls as the foundation for a broader CE-style operating baseline. That wider baseline also looks at supporting disciplines such as backup and recovery confidence, because they affect how defensible and supportable the environment is in practice.

The point is not to blur certification requirements with broader operational good practice. The point is to make both clearer.

Why the April 2026 update matters operationally

Cyber Essentials is useful when it stops being a once-a-year form-filling exercise and becomes part of how the business is run.

For a director or IT lead, the practical questions are:

  • What has to be true day to day?

  • Who owns each control area?

  • What evidence can we produce quickly?

  • What counts as an exception?

  • How quickly does an exception need fixing?

If those questions do not have clear answers, the issue is rarely lack of awareness. It is usually operational drift.

The five official control areas translated into real-world checks

1. Firewalls

In practical terms, you need to know how devices and services are protected from unauthorised network access.

For an SME, that means being able to answer:

  • Which devices and services are in scope?

  • Are default settings and passwords removed?

  • Who owns firewall or perimeter configuration?

  • Are changes approved and documented?

The operating question is not simply “do we have a firewall?” It is whether the boundary is understood, maintained and controlled.

2. Secure configuration

Secure configuration means systems should not be left in a risky default state.

Real-world checks include:

  • Are business devices built to a standard?

  • Are unnecessary services, accounts or permissions removed?

  • Are local admin rights controlled?

  • Are devices encrypted where appropriate?

  • Are exceptions documented?

This is where many SMEs struggle, because devices often drift over time. One laptop is configured differently from another. An exception becomes normal. Nobody is quite sure what the standard is supposed to be.

3. Security update management

Patching is not “we usually keep on top of it”. It is a defined operating rhythm.

A practical checklist should confirm:

  • Supported operating systems are in use

  • Critical and high-risk patches are applied within agreed windows

  • Update failures are visible

  • Exceptions are logged, owned and time-bound

  • Unsupported devices have a replacement or removal plan

Patching only works as a control when it has deadlines, ownership and exception handling.

4. User access control

A compliant-looking environment can still be weak if the wrong people can sign in too easily or keep access they no longer need.

Identity and access checks should include:

  • Is multi-factor authentication applied where required?

  • Is there a current list of admin-capable accounts?

  • Are stale accounts reviewed and removed?

  • Are leavers disabled promptly?

  • Are shared admin identities avoided?

What good looks like is simple: named users, clear admin boundaries, stronger sign-in protection for privileged access, and a regular review cycle.
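The identity checks above can be run as a repeatable review over an account export. The sketch below is an added example, not Infinite Cloud IT's tooling: the field names, the sample accounts, the leaver list and the 90-day stale threshold are all constructed assumptions, and it treats MFA as required for every admin-capable account.

```python
from datetime import date

# Constructed sample export; field names are assumptions, not any product's schema.
ACCOUNTS = [
    {"user": "a.khan", "admin": True, "mfa": True, "shared": False, "enabled": True, "last_sign_in": "2026-04-28"},
    {"user": "it-admin", "admin": True, "mfa": False, "shared": True, "enabled": True, "last_sign_in": "2026-04-30"},
    {"user": "j.doe", "admin": False, "mfa": True, "shared": False, "enabled": True, "last_sign_in": "2026-04-02"},
    {"user": "old.temp", "admin": False, "mfa": True, "shared": False, "enabled": True, "last_sign_in": None},
    {"user": "m.lee", "admin": True, "mfa": False, "shared": False, "enabled": False, "last_sign_in": "2025-11-03"},
]
LEAVERS = {"j.doe"}   # constructed HR leaver list
STALE_DAYS = 90       # assumed review threshold, set to your own policy


def admin_accounts(accounts):
    """Current list of enabled admin-capable accounts."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["admin"])


def review_accounts(accounts, leavers, today, stale_days=STALE_DAYS):
    """Return (user, finding) pairs for enabled accounts that break the baseline."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot sign in, nothing to flag
        user = acct["user"]
        if user in leavers:
            findings.append((user, "leaver still enabled"))
        if acct["admin"] and not acct["mfa"]:
            findings.append((user, "admin without MFA"))
        if acct["admin"] and acct["shared"]:
            findings.append((user, "shared admin identity"))
        last = acct["last_sign_in"]
        # Never signed in counts as stale: nobody is demonstrably using it.
        if last is None or (today - date.fromisoformat(last)).days > stale_days:
            findings.append((user, "stale account"))
    return findings


if __name__ == "__main__":
    print("Admin-capable:", admin_accounts(ACCOUNTS))
    for user, finding in review_accounts(ACCOUNTS, LEAVERS, date(2026, 5, 1)):
        print(f"{user}: {finding}")
```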

5. Malware protection

This is not just about whether antivirus exists. It is about whether protection is active, standardised and monitored.

The real-world checks are:

  • Is malware protection active on all in-scope endpoints?

  • Are platform protections current?

  • Are alerts reviewed by someone?

  • Are users prevented from weakening protection without approval?

  • Is the control applied consistently?

An installed tool is not the same as an enforced control.

The broader operating baseline: backup and recovery confidence

Backup is not one of the official five Cyber Essentials controls.

It is, however, part of a broader operating baseline for a supportable SME environment.

That is why Infinite Cloud IT treats backup and recovery confidence as an overlay around the official controls, not as a replacement for them. If data is lost, deleted, corrupted or affected by ransomware, the business still needs a practical route to recovery.

For an SME baseline, you should be able to show:

  • What data is backed up

  • How often backups run

  • Who checks backup health

  • When restores were last tested

  • Whether failures or gaps are tracked to resolution

A backup that exists but is not reviewed or tested creates false confidence. That matters commercially as well as operationally.

What evidence an SME should be able to produce quickly

A sensible evidence pack should not become a major project every time someone asks for it.

At minimum, most SMEs should be able to pull together:

  • A device and asset inventory

  • MFA coverage by user group

  • An admin role list

  • Patch status or patching reports

  • Malware protection status across endpoints

  • A record of firewall or secure configuration ownership

  • Backup status and recent restore-test evidence as part of the wider operating baseline

  • Named owners for key control areas

  • An exceptions log with remediation dates

This matters because supplier questionnaires, customer due diligence and insurance conversations increasingly expect more than vague reassurance.

Where businesses usually fail

The biggest issues are rarely dramatic.

They are usually practical.

Drift

The environment started reasonably well, then changed faster than the operating standard.

Exceptions with no deadline

A machine was left unsupported “for now”. A user kept elevated rights “temporarily”. An old account was never fully retired.

Informal ownership

Everyone assumes someone else is checking admin rights, patching failures, endpoint protection or backup results.

Those are the kinds of issues that make a business look inconsistent. And inconsistency is exactly what weakens a baseline.
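An exceptions log only guards against these failures if every entry is owned and time-bound, and that is easy to check mechanically. The following is an added example, not part of the original article: the register layout, the entry IDs and the sample entries are constructed for illustration.

```python
from datetime import date

# Constructed exceptions register; IDs, fields and entries are illustrative.
EXCEPTIONS = [
    {"id": "EX-001", "area": "Security update management",
     "item": "Unsupported OS on reception PC", "owner": "IT lead", "remediate_by": "2026-06-30"},
    {"id": "EX-002", "area": "User access control",
     "item": "Temporary local admin rights", "owner": "", "remediate_by": "2026-05-15"},
    {"id": "EX-003", "area": "Secure configuration",
     "item": "Laptop not yet encrypted", "owner": "Ops manager", "remediate_by": None},
    {"id": "EX-004", "area": "Malware protection",
     "item": "Protection paused on build machine", "owner": "IT lead", "remediate_by": "2026-03-31"},
    {"id": "EX-005", "area": "Firewalls",
     "item": "Undocumented inbound rule", "owner": "IT lead", "remediate_by": "30/06/2026"},
]


def audit_exceptions(register, today):
    """Map exception ID -> list of reasons the entry is not owned and time-bound."""
    issues = {}
    for entry in register:
        problems = []
        if not (entry.get("owner") or "").strip():
            problems.append("no named owner")
        due = entry.get("remediate_by")
        if not due:
            problems.append("no remediation date")
        else:
            try:
                overdue = (today - date.fromisoformat(due)).days
            except ValueError:
                # A date nobody can parse is as good as no deadline.
                problems.append("unparseable remediation date")
            else:
                if overdue > 0:
                    problems.append(f"overdue by {overdue} days")
        if problems:
            issues[entry["id"]] = problems
    return issues


if __name__ == "__main__":
    for exc_id, problems in audit_exceptions(EXCEPTIONS, date(2026, 5, 1)).items():
        print(exc_id, "->", "; ".join(problems))
```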

A simple monthly checklist for directors and IT leads

Once a month, ask for clear answers to these questions:

  1. Do we have an up-to-date list of in-scope devices and users?

  2. Are all privileged accounts reviewed and still justified?

  3. Are unsupported devices or systems present, and if so, what is the removal date?

  4. Are patching failures or delays visible and assigned?

  5. Is malware protection active everywhere it should be?

  6. Are secure configuration exceptions documented and approved?

  7. Are backup and restore checks being reviewed as part of the wider operating baseline?

  8. Are exceptions documented, owned and time-bound?

  9. Could we answer a supplier or customer security questionnaire without scrambling?

That is the point of an operating baseline. It should reduce ambiguity.

Final thought

The April 2026 Cyber Essentials update is useful if it forces a better operating habit: baseline by default, evidence ready, ownership clear.

Official Cyber Essentials remains a five-control scheme. A broader CE-style operating baseline builds around that foundation so the business can also manage supporting realities such as backup, recovery and operational accountability.

For SMEs, that is far more valuable than treating Cyber Essentials as a once-a-year compliance event. The businesses that get more value from it are usually the ones that can explain what is standard, prove it is in place, and show who keeps it true.

Book a Security Triage Call

Learn about the Security Baseline Review

More resources

Keep reading

Browse the latest practical guides across Managed IT, Cyber Security, Modern Workplace, and Backup


For 10-15 seat

Owner-managed SMEs in Sussex & Kent

Who want clarity, stability, and a proper security baseline — start with the free Security Triage Call.
