Free Cyber Essentials Readiness Check: Test Your Compliance

Before spending money on Cyber Essentials certification, it makes sense to check whether your organisation is actually ready to pass. Fig offers a free readiness checker based on the NCSC Cyber Essentials Requirements v3.3 (effective 28 April 2026) that tells you exactly where you stand.

The readiness checker is an interactive self-assessment tool that walks you through each of the five Cyber Essentials control categories:

1. Firewalls - Are your internet connections properly protected?

2. Secure Configuration - Are devices configured to reduce vulnerabilities?

3. Security Update Management - Is software kept up to date?

4. User Access Control - Are accounts managed with least privilege and MFA?

5. Malware Protection - Is anti-malware deployed and maintained?

For each category, you answer targeted questions about your organisation's current setup. The checker provides immediate feedback on your readiness.

The full readiness check takes approximately 10-15 minutes. You will need to know basic details about your IT environment:

• How your firewall or router is configured
• Whether all devices are running supported operating systems
• Your patching and update approach
• Whether MFA is enabled on all user accounts
• What anti-malware solution you use

If you manage your own IT, you should know most of this already. If you use a managed IT provider, they can provide the details you need.

After completing the readiness check, you receive:

• A clear indication of your readiness across all five control categories
• Specific areas where your controls meet the requirements
• Specific gaps that need addressing before formal certification
• Guidance on how to remediate any issues found

This is not a pass/fail test - it is a diagnostic tool. The goal is to help you identify and fix gaps before you invest in formal assessment, so you can pass first time.

Based on common readiness-check outcomes, the most frequent gaps are:

MFA not enabled on all accounts - The v3.3 requirement is clear: every user account in scope must have MFA. Many organisations have MFA on admin accounts but not on standard user accounts. The readiness checker catches this.

Unsupported software - Devices running operating systems or applications that no longer receive security updates will fail the assessment. The checker asks about this specifically.

Default credentials - Routers, firewalls, and other devices that still use factory-default passwords are a common finding. Easy to fix, but easy to overlook.

Remote-worker scope handling - Many organisations forget that the laptop's software firewall must be configured for untrusted networks (home, hotel, coffee shop) once a worker is hybrid or fully remote. Note that home routers themselves are explicitly out of scope under v3.3; the boundary follows the device that touches organisational data, not the home network.

Shared user accounts - v3.3 requires individual accounts for each user. Shared accounts are a compliance gap.

If the readiness checker shows you are ready, the path to certification is straightforward:

1. Visit Fig's Cyber Essentials pricing page

2. Select your organisation size band

3. Purchase your Cyber Essentials certification

4. Complete the self-assessment questionnaire (the readiness checker will have prepared you for every question)

5. Submit before midday for same-day certification

If the checker identifies gaps, fix them first. Most gaps (enabling MFA, changing default passwords, updating software) can be resolved in a few hours to a few days.

The readiness checker is free, requires no account creation, and takes 10-15 minutes. There is no obligation to purchase certification afterwards - use it purely as a diagnostic tool if you prefer.

Take the readiness check now