Cybersecurity checklist for UK government IT: 5 key steps

TL;DR:

  • UK government standards require Cyber Essentials certification, CAF objectives, and continuous improvement.
  • Core controls include firewalls, secure configuration, updates, access controls, and malware protection.
  • Ongoing staff training, supply chain vetting, and independent audits are essential for sustained cybersecurity resilience.

Public sector organisations in the UK are under sustained and escalating attack. 43% of UK businesses suffered a cyber attack in the last year, and government bodies face unique exposure: sensitive citizen data, interconnected infrastructure, and strict accountability to ministers and auditors alike. For IT managers and cybersecurity officers, the pressure is not just to prevent breaches but to demonstrate structured, evidenced compliance. This checklist cuts through the noise, mapping out the practical steps your organisation must take to meet current standards and genuinely improve your security posture, not just your paperwork.

Key Takeaways

Point | Details
Meet minimum security controls | Start with Cyber Essentials to protect public sector systems against common threats.
Advance with assurance frameworks | For critical functions, integrate CAF and GovAssure checks for deeper cyber resilience.
Secure the supply chain | Embed cyber standards in procurement and check all third-party partners meet compliance.
Build a security-driven culture | Ongoing training, leadership engagement, and cultural initiatives keep your organisation resilient.

Understanding the government’s cybersecurity criteria

Before you can build a checklist, you need to know what you are being measured against. UK government cybersecurity is shaped by three interlocking frameworks, each with its own scope and requirements.

Cyber Essentials is the UK Government’s recommended minimum cybersecurity standard for all organisations, public and private. It sets baseline technical controls that every department should meet before advancing to anything more sophisticated. Critically, it is now embedded in supply chain requirements, meaning your suppliers may be expected to hold certification too.

The Cyber Assessment Framework (CAF v4.0, 2024) goes further. It provides objectives, principles, outcomes, and indicators of good practice for assessing cyber resilience, and it applies specifically to critical national infrastructure, including central government systems. The CAF is not a pass/fail test. It is a structured way of evaluating maturity across four objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising impact.

The Government Cyber Action Plan, published in January 2026, layers measurable targets over both frameworks. It sets timelines, assigns accountability, and introduces the Government Cyber Unit to support departments that lack internal capability.

Key criteria your checklist must address:

  • Achieving and maintaining Cyber Essentials or Cyber Essentials Plus certification
  • Aligning with CAF objectives relevant to your system criticality
  • Participating in GovAssure where required
  • Demonstrating compliance both in procurement and in digital forensics compliance reviews
  • Evidencing continuous improvement, not one-off assessments

Understanding these standards is not optional. They define the minimum bar for any credible government cybersecurity programme.

Core controls: the Cyber Essentials checklist

With the criteria clear, here are the five technical controls that Cyber Essentials requires: Firewalls, Secure Configuration, Security Update Management, User Access Control, and Malware Protection. Each one targets a specific and common attack vector.

  1. Firewalls: Every device connected to the internet must sit behind a properly configured firewall. For government networks, this means reviewing boundary firewalls and ensuring personal device firewalls are active and enforced via policy.
  2. Secure configuration: Default settings on operating systems and applications are rarely secure. You must disable unnecessary features, remove default accounts, and apply approved configuration baselines before any device goes live.
  3. Security update management: Patches must be applied within 14 days of release for high or critical vulnerabilities. Legacy systems that cannot be patched require documented compensating controls and a clear remediation plan.
  4. User access control: Accounts should follow the principle of least privilege. Administrative accounts must only be used for administrative tasks. Multi-factor authentication is now expected for all cloud services and remote access.
  5. Malware protection: Use approved, actively updated anti-malware tools. Reviewing malware analysis guidance is advisable before finalising your tooling choices, particularly for environments with unusual threat profiles.
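The five controls above are easier to evidence when the checks are written down as rules and run over the asset inventory rather than ticked by hand. The following is an added example, not code from the article or from the Cyber Essentials scheme: it evaluates a constructed inventory against the five controls, applying the 14-day patching window from the text and treating an unpatchable legacy system as acceptable only when compensating controls are documented. The Asset field names, the sample assets, the reference date and the seven-day anti-malware signature threshold are assumptions for illustration; map the fields to your own CMDB, MDM or scanner exports.

```python
"""Cyber Essentials control gap check over a constructed asset inventory.

Added example, not the article's or the scheme's code. Field names, sample
assets, reference date and the 7-day signature threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

PATCH_SLA_DAYS = 14     # Cyber Essentials: high/critical fixes within 14 days
SIGNATURE_MAX_AGE = 7   # assumption: anti-malware signatures at most a week old


@dataclass
class Asset:
    name: str
    firewall_enabled: bool
    default_accounts_removed: bool
    baseline_applied: bool
    # Release date of the oldest outstanding high/critical fix, or None
    oldest_unpatched_critical: Optional[date]
    legacy_unpatchable: bool = False
    compensating_controls_documented: bool = False
    admin_account_used_daily: bool = False
    remote_or_cloud_access: bool = False
    mfa_enforced: bool = False
    antimalware_last_signature: Optional[date] = None


def check_asset(a: Asset, today: date) -> List[str]:
    """Return the control gaps for one asset; an empty list means compliant."""
    gaps: List[str] = []

    # 1. Firewalls: every internet-connected device behind an active firewall
    if not a.firewall_enabled:
        gaps.append("firewalls: host firewall disabled")

    # 2. Secure configuration: defaults removed, approved baseline applied
    if not a.default_accounts_removed:
        gaps.append("secure-config: default accounts still present")
    if not a.baseline_applied:
        gaps.append("secure-config: approved configuration baseline not applied")

    # 3. Security update management: 14-day SLA, or documented compensating
    #    controls for legacy systems that genuinely cannot be patched
    if a.oldest_unpatched_critical is not None:
        age = (today - a.oldest_unpatched_critical).days
        if age > PATCH_SLA_DAYS:
            if a.legacy_unpatchable and a.compensating_controls_documented:
                pass  # accepted risk: documented compensating controls
            elif a.legacy_unpatchable:
                gaps.append("updates: unpatchable legacy system without documented "
                            f"compensating controls ({age} days outstanding)")
            else:
                gaps.append(f"updates: critical patch outstanding {age} days "
                            f"(SLA {PATCH_SLA_DAYS})")

    # 4. User access control: least privilege, admin accounts for admin tasks
    #    only, MFA on cloud services and remote access
    if a.admin_account_used_daily:
        gaps.append("access: administrative account used for day-to-day work")
    if a.remote_or_cloud_access and not a.mfa_enforced:
        gaps.append("access: MFA not enforced on cloud/remote access")

    # 5. Malware protection: approved tooling with current signatures
    if a.antimalware_last_signature is None:
        gaps.append("malware: no anti-malware signature evidence")
    elif (today - a.antimalware_last_signature).days > SIGNATURE_MAX_AGE:
        gaps.append(f"malware: signatures older than {SIGNATURE_MAX_AGE} days")
    return gaps


def gap_report(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map each asset name to its list of gaps, ready for the evidence pack."""
    return {a.name: check_asset(a, today) for a in assets}


# Constructed sample inventory and reference date (not real assets).
TODAY = date(2026, 3, 1)
SAMPLE_INVENTORY = [
    Asset("ws-001", True, True, True, None,
          remote_or_cloud_access=True, mfa_enforced=True,
          antimalware_last_signature=date(2026, 2, 28)),
    Asset("srv-legacy-01", True, False, True, date(2025, 12, 1),
          legacy_unpatchable=True, compensating_controls_documented=False,
          antimalware_last_signature=date(2026, 2, 27)),
    Asset("lap-042", False, True, True, date(2026, 2, 20),
          admin_account_used_daily=True, remote_or_cloud_access=True,
          mfa_enforced=False, antimalware_last_signature=date(2026, 2, 1)),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {'OK' if not gaps else str(len(gaps)) + ' gap(s)'}")
        for g in gaps:
            print(f"  - {g}")
```

Running it lists two gaps for the legacy server (default accounts present, and a 90-day-old critical fix with no documented compensating controls) and four for the laptop, while the workstation passes. The point of the structure is that each rule is a single, explainable condition tied to one of the five controls, so the output doubles as the evidence list an assessor will ask for.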

For certification, self-assessment suits lower-risk bodies, whilst Cyber Essentials Plus requires independent technical verification and is strongly recommended for departments handling sensitive data or critical systems. Common cyber threat examples show that attackers frequently exploit exactly the gaps these five controls address.


Pro Tip: IoT devices and legacy systems are the two areas most commonly overlooked during Cyber Essentials assessments. Audit every networked asset, not just desktops and servers, before submitting for certification.

Beyond the basics: integrating CAF and GovAssure processes

Cyber Essentials is a vital baseline, but larger and more critical government departments must advance further. GovAssure is a five-stage assurance process: self-assess, verify, improve, establish baseline or enhanced posture, and sustain. It uses the CAF to evaluate UK government critical systems and is now mandatory for central government departments.

The CAF’s structured approach provides objectives, principles, outcomes, and indicators of good practice for assessing cyber resilience across four areas. Integrating this into your IT governance means assigning CAF objectives to specific system owners and running regular reviews against indicators of good practice.

Feature | Cyber Essentials | CAF / GovAssure
Scope | All organisations | Critical systems / CNI
Assessment type | Self-assess or independent | Independent audit required
Depth | Five technical controls | Four objectives, multiple principles
Frequency | Annual renewal | Continuous / staged
Government mandate | Supply chain and baseline | Central departments

Your CAF and GovAssure checklist should include:

  • Mapping your systems against CAF objectives and assigning ownership
  • Documenting evidence for each indicator of good practice
  • Scheduling independent verification reviews annually at minimum
  • Tracking improvement actions arising from each GovAssure stage
  • Monitoring emerging threats, including AI-driven cyber operations, which are increasingly relevant to government threat models
  • Feeding audit findings back into budget and procurement cycles

The step from Cyber Essentials to CAF is significant, but it reflects the reality that government systems face a different threat landscape to most private sector organisations. Treat GovAssure as a management process, not an annual hurdle.

Government departments rarely operate in isolation. Contractors, managed service providers, and software vendors all introduce risk. Supply chain attacks have repeatedly targeted public sector bodies precisely because the weakest link is often a small supplier with minimal security controls.

The Cyber Essentials Supply Chain Playbook reduces risk from common threats and sets out a structured approach for procurement teams. Follow these steps:

  1. Define your requirements: Before issuing any contract, specify the minimum cybersecurity standard expected. For most suppliers, Cyber Essentials certification is the floor.
  2. Vet existing suppliers: Run a tiered assessment based on data access and system integration. Higher access means higher scrutiny.
  3. Embed requirements in contracts: Cybersecurity clauses must be contractually enforceable, not advisory. Include rights to audit and notification obligations for incidents.
  4. Monitor continuously: Annual checks are insufficient. Set up mechanisms for suppliers to self-report changes in their security posture and incidents promptly.

Supplier risk factor | Example | Mitigation
Access to sensitive data | HR or finance systems | Require Cyber Essentials Plus
Remote access to networks | IT support providers | MFA and privileged access controls
Third-party software updates | SaaS tools | Software bill of materials review
Physical access to premises | Facilities management | Background checks and access logs

Knowing the signs of data breaches early can limit damage from a compromised supplier. Similarly, having documented incident response procedures that include third-party breach scenarios is essential before an incident occurs, not after.

Pro Tip: Require suppliers to notify you within 24 hours of any suspected security incident, regardless of confirmed impact. Early notification is the single most effective way to contain supply chain breaches.

Sustaining compliance: culture, training, and continuous improvement

With technical structures and policies in place, the challenge becomes turning compliance into a living, evolving practice. The Government Cyber Action Plan sets measurable objectives for public sector cybersecurity and resilience, including risk management, central support via the Government Cyber Unit backed by a £210 million investment, and cultural shifts like the ‘Defend as One’ initiative.

“Defend as One” is not just a slogan. It reflects a fundamental shift in how government cybersecurity is managed: shared intelligence, collective defence, and a culture where every civil servant understands they are part of the security perimeter.

Your ongoing compliance checklist should address:

  • Annual staff training: Every member of staff, not just IT, must complete security awareness training. Phishing simulations, updated annually, are particularly effective.
  • Role-specific training: Privileged users and administrators need deeper technical training beyond general awareness programmes.
  • Continuous improvement cycles: Schedule quarterly reviews of your controls, not just annual audits. Threat landscapes shift faster than annual cycles allow.
  • Leveraging government resources: The Government Cyber Unit offers direct support to departments. Use it. The £210 million investment exists precisely to raise baseline capability across the public sector.
  • Incident learning: Every near miss and confirmed incident should feed back into your risk register and training content.

Understanding why cyber forensic services matter helps frame cybersecurity not as a compliance exercise but as a genuine operational necessity. Culture is built over time, but it starts with leadership treating security as a core responsibility, not an IT department problem.

Why compliance alone isn’t enough: lessons from real government audits

Here is an uncomfortable truth: the GovAssure year one results revealed significant gaps in public sector cyber posture, even among departments that believed they were compliant. Checklists were completed. Forms were submitted. Gaps remained.

What audits consistently expose is the distance between documented controls and lived reality. A firewall policy exists on paper; the firewall has not been reviewed in 18 months. User access controls are listed as implemented; former employees still have active accounts. These are not edge cases. They are patterns.
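The two failure patterns described above (a control that is "implemented" on the register but unreviewed for 18 months, and leavers who still hold enabled accounts) are both detectable from data most departments already hold. The following is an added example, not code from the article or from any GovAssure tooling: it reconciles a constructed control register against a review log and an HR leaver list against an account export, and reports only where the documented status contradicts the evidence. The record layouts, the one-year review threshold and the one-day leaver grace period are assumptions; substitute your own exports and policy figures.

```python
"""Control-drift check: documented status versus operational evidence.

Added example, not the article's code. Register, review log, account export
and leaver list are constructed; thresholds and field names are assumptions.
"""
from datetime import date, timedelta
from typing import Dict, List, Tuple

REVIEW_MAX_AGE = timedelta(days=365)  # assumption: every control re-reviewed yearly
LEAVER_GRACE_DAYS = 1                 # assumption: accounts disabled within a day


def orphaned_accounts(active_accounts: List[dict], leavers: List[dict],
                      today: date) -> List[str]:
    """Enabled accounts whose owner left more than LEAVER_GRACE_DAYS ago."""
    left_on = {lv["user"]: lv["leaving_date"] for lv in leavers}
    return sorted(
        acct["user"] for acct in active_accounts
        if acct["enabled"]
        and acct["user"] in left_on
        and (today - left_on[acct["user"]]).days > LEAVER_GRACE_DAYS
    )


def stale_reviews(review_log: List[dict], today: date) -> List[Tuple[str, int]]:
    """(control, days since last evidenced review) for every overdue control."""
    return sorted(
        (c["control"], (today - c["last_reviewed"]).days)
        for c in review_log
        if today - c["last_reviewed"] > REVIEW_MAX_AGE
    )


def drift_findings(register: Dict[str, str], review_log: List[dict],
                   active_accounts: List[dict], leavers: List[dict],
                   today: date) -> Dict[str, List[str]]:
    """Controls the register marks 'implemented' that the evidence contradicts."""
    findings: Dict[str, List[str]] = {}
    # Paper says implemented, but nobody has looked at it within policy
    for control, days in stale_reviews(review_log, today):
        if register.get(control) == "implemented":
            findings.setdefault(control, []).append(
                f"last reviewed {days} days ago (policy: {REVIEW_MAX_AGE.days})")
    # Paper says access control is implemented, but leavers still have accounts
    orphans = orphaned_accounts(active_accounts, leavers, today)
    if orphans and register.get("user-access-control") == "implemented":
        findings.setdefault("user-access-control", []).append(
            "leavers still hold enabled accounts: " + ", ".join(orphans))
    return findings


# Constructed sample data (not a real department).
TODAY = date(2026, 3, 1)
CONTROL_REGISTER = {
    "firewalls": "implemented",
    "user-access-control": "implemented",
    "malware-protection": "implemented",
}
REVIEW_LOG = [
    {"control": "firewalls", "last_reviewed": date(2024, 9, 1)},       # ~18 months
    {"control": "user-access-control", "last_reviewed": date(2025, 12, 1)},
    {"control": "malware-protection", "last_reviewed": date(2026, 1, 15)},
]
ACTIVE_ACCOUNTS = [
    {"user": "alice", "enabled": True},
    {"user": "bob", "enabled": True},
    {"user": "carol", "enabled": True},
    {"user": "dave", "enabled": False},
]
LEAVERS = [
    {"user": "alice", "leaving_date": date(2025, 9, 15)},  # long gone, still enabled
    {"user": "bob", "leaving_date": date(2026, 2, 28)},    # within grace period
    {"user": "dave", "leaving_date": date(2025, 1, 1)},    # correctly disabled
]

if __name__ == "__main__":
    for control, issues in drift_findings(CONTROL_REGISTER, REVIEW_LOG,
                                          ACTIVE_ACCOUNTS, LEAVERS, TODAY).items():
        print(control)
        for issue in issues:
            print("  -", issue)
```

On the sample data the firewall control is flagged as last reviewed 546 days ago and the access control as contradicted by alice's still-enabled account; bob is inside the grace period and dave has been disabled, so neither appears. Run against real exports on a schedule, this is the kind of check that turns the "green dashboard" into something an auditor can trust.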

The root cause is almost always the same: compliance activity is treated as separate from operational security. IT teams tick boxes before audit season, then return to managing day-to-day pressures. Leadership sees a green dashboard and assumes all is well. The role of cyber incident response is revealing here too. Departments that have never stress-tested their response plans are invariably the ones that struggle most when an incident actually occurs.

Our view is straightforward. Run independent scenario exercises, not just tabletop discussions. Bring in external reviewers who will probe your actual configurations, not review your documentation. Treat audit findings as operational intelligence, not administrative outcomes. The departments that improve fastest are those where IT leadership and senior civil servants share accountability for the outcome, rather than delegating security entirely downward.

Pro Tip: Commission an independent red team exercise at least once every two years. It is the fastest way to find the gap between your checklist and your actual resilience.

How Computer Forensics Lab can support your government cyber resilience

When checklists alone are not sufficient, Computer Forensics Lab provides the forensic depth and investigative rigour that government bodies need. Our digital forensics services cover incident investigation, evidence preservation, and expert witness reporting, all conducted to standards that hold up in legal proceedings and government audits. We understand the specific demands of public sector accountability, from chain of custody requirements to politically sensitive investigations. Our cyber forensic expertise extends to malware analysis, data breach triage, and compliance reviews. For departments concerned about the digital footprints left by incidents or insider threats, we offer structured assessment and reporting that supports both operational response and legal preparation.

Frequently asked questions

What are the five controls in Cyber Essentials for government?

The five core controls are Firewalls, Secure Configuration, Security Update Management, User Access Control, and Malware Protection. Every government body should implement all five as a minimum baseline before pursuing further assurance.

How does GovAssure differ from basic Cyber Essentials requirements?

GovAssure uses a five-stage assurance process based on the CAF, requiring independent verification and continuous improvement cycles. Cyber Essentials, by contrast, focuses on five technical controls and is suitable as an entry-level certification for all organisations.

What supply chain requirements do public sector bodies face for cybersecurity?

Public sector bodies must vet suppliers using the Playbook approach, embed cybersecurity requirements in contracts, and monitor supplier compliance on an ongoing basis rather than at procurement only.

Why is ongoing staff training important for government cyber resilience?

The Government Cyber Action Plan identifies cultural change as central to resilience. Regular training keeps staff alert to evolving threats and ensures that technical controls are supported by informed, security-conscious behaviour across the organisation.