Cyber Essentials evidence falls into five control areas: firewalls, secure configuration, user access control, malware protection and security update management. This guide walks through what evidence assessors typically expect from a UK SME.
The aim is not a single screenshot per control — it is breadth, recency and ownership across every in-scope asset.
Confirm your scope first
Before gathering evidence, decide what is in scope. Scope drives every other piece of evidence.
- List every laptop, desktop, server, mobile and firewall in scope
- List every cloud service that holds in-scope data
- Document anything explicitly out of scope and why
Gather firewall and router evidence
Boundary devices need to show that defaults are changed and inbound services are restricted to what the business needs.
- Admin console screenshot showing current configuration
- Confirmation that the default admin password has been changed
- Inbound rule list with a business justification
Document secure configuration
Endpoints should be configured to a known-good baseline — auto-lock, no unused local admins, no unnecessary services.
- Baseline build document or MDM policy export
- Auto-lock and password / PIN policy settings
- Standard user vs admin account separation
Prove user access and MFA
Show that the right people have the right access and that admins use multi-factor authentication on cloud services.
- Admin account list (cloud and on-prem) with MFA status
- Joiners / movers / leavers process
- Most recent access review notes
Show malware protection coverage
Every in-scope device needs active malware protection. Coverage matters more than the specific tool.
- Antivirus / EDR console screenshot listing devices
- Built-in OS malware protection settings (Defender, XProtect)
- Policy covering acceptable software and downloads
Evidence patching and unsupported software
Patching is the most common reason SMEs fail Cyber Essentials. Show a process — not just a single point-in-time report.
- Patch report from your MDM / RMM
- List of in-scope devices with operating system version
- Plan for any unsupported OS or browser still in use
Practical examples
Firewall settings
Screenshot of router admin page with model, firmware version and date visible.
MFA report
Microsoft 365 admin centre export showing MFA status per administrator.
Patch report
MDM / RMM report dated within the last month, scoped to in-scope devices.
Asset register
Spreadsheet or app view listing every laptop, server, mobile and SaaS platform in scope.
Common mistakes
One screenshot per control
A single screenshot proves a single moment. Assessors want breadth — every admin, every device, every cloud service.
Stale evidence
Patch reports older than a few months are usually rejected. Refresh dated evidence close to assessment.
No owner
Evidence with no named owner drifts. Assign every item to a person who refreshes it.
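The three mistakes above can be checked mechanically before assessment. The following is an added example, not part of the original guide or any Evaud tooling: the record fields (control, name, dated, owner, covers), the sample data and the 30-day age limit (taken from "dated within the last month") are assumptions made for illustration.

```python
from datetime import date

# The five control areas named in the guide.
CONTROLS = ("firewalls", "secure configuration", "user access control",
            "malware protection", "security update management")
# Controls whose evidence should list every in-scope device (per the guide).
PER_DEVICE = ("malware protection", "security update management")

def review_evidence(devices, evidence, today, max_age_days=30):
    """Return findings for missing, stale, unowned or too-narrow evidence."""
    findings = []
    for control in CONTROLS:
        items = [e for e in evidence if e["control"] == control]
        if not items:
            findings.append(f"{control}: no evidence")
            continue
        for e in items:
            age = (today - e["dated"]).days
            if age > max_age_days:  # stale evidence
                findings.append(f"{control}: '{e['name']}' is {age} days old")
            if not (e.get("owner") or "").strip():  # no named owner
                findings.append(f"{control}: '{e['name']}' has no owner")
        if control in PER_DEVICE:  # breadth: every device must appear
            covered = {d for e in items for d in e.get("covers", ())}
            for d in sorted(set(devices) - covered):
                findings.append(f"{control}: device '{d}' not covered")
    return findings

# Constructed sample data (hypothetical asset names, owners and dates).
DEVICES = ["laptop-01", "laptop-02", "server-01"]
EVIDENCE = [
    {"control": "firewalls", "name": "router admin screenshot",
     "dated": date(2024, 5, 20), "owner": "Sam", "covers": []},
    {"control": "user access control", "name": "MFA export",
     "dated": date(2024, 5, 28), "owner": "", "covers": []},
    {"control": "malware protection", "name": "EDR console",
     "dated": date(2024, 5, 25), "owner": "Sam",
     "covers": ["laptop-01", "server-01"]},
    {"control": "security update management", "name": "patch report",
     "dated": date(2024, 2, 1), "owner": "Alex", "covers": DEVICES},
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for finding in review_evidence(DEVICES, EVIDENCE, TODAY):
        print(finding)
```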
Evaud helps organise Cyber Essentials evidence and readiness information. It is not a certification body and does not guarantee certification.