SME Cybersecurity Compliance Checklist — Beyond Antivirus
This is the practical checklist for organisations that don’t have a dedicated security team. It covers the controls that prevent the most common cyberattacks, organised by priority. Start with Critical, then Important, then Nice to Have.
Critical (implements the five Cyber Essentials controls):
- Multi-factor authentication enabled on email accounts
- Multi-factor authentication enabled on admin accounts (cloud services, CMS, hosting panels)
- All admin accounts have unique passwords (no sharing)
- Accounts of former employees disabled immediately on departure
- Monthly security patches applied to OS, CMS, applications, and server software
- Firewall configured to block unnecessary incoming traffic
- Antivirus/malware protection running on all devices and updated automatically
- Automated daily backups of critical business data
- Backup restoration tested in the past 3 months
- Backups stored separately from primary systems (offsite or cloud backup)
- SPF, DKIM, DMARC email authentication records configured in DNS
- Basic incident response plan documented (1 page: who to contact, how to respond, ICO notification process)
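An SPF or DMARC record can exist in DNS and still protect nothing (a `+all` SPF or a `p=none` DMARC policy). The following added check, not part of this checklist or any Bartram Cyber tooling, grades the text of the two records against the item above; the sample records and domains are constructed, and DKIM (verifying the selector record exists) is left out.

```python
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records (not real domains): a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mailer.invalid +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mailer.invalid mx -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"


def parse_tags(record):
    """'v=DMARC1; p=reject' -> {'v': 'DMARC1', 'p': 'reject'} (keys lower-cased)."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def assess_spf(spf):
    """Checklist findings for an SPF TXT record; an empty list means it passes."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record published"]
    findings, qualifier, lookups = [], None, 0
    for term in spf.split()[1:]:
        body = term.lstrip("+-~?")
        name = body.split(":")[0].split("=")[0].split("/")[0].lower()
        if name == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
        elif name in LOOKUP_MECHANISMS:
            lookups += 1  # each costs a DNS lookup; RFC 7208 allows at most 10
    if qualifier is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
    elif qualifier == "+":
        findings.append("SPF: '+all' lets any server send as this domain")
    elif qualifier in ("?", "~"):
        findings.append(f"SPF: '{qualifier}all' does not reject; move to '-all' once all senders are listed")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def assess_dmarc(dmarc):
    """Checklist findings for a DMARC TXT record; an empty list means it passes."""
    tags = parse_tags(dmarc or "")
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no v=DMARC1 record at _dmarc.<domain>"]
    findings, policy = [], tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: p= tag missing or invalid")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings
```

Paste in the TXT values your DNS tool returns for the domain and for `_dmarc.<domain>`; the item is ticked only when both functions return an empty list.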
Important:
- Password manager deployed for shared credentials (no post-it notes with passwords)
- Minimum 12-character password policy enforced
- User access review completed in the last 6 months (who has access to what, and whether they still need it)
- Admin access restricted (users get regular account for daily work, separate admin account for elevated tasks)
- Email filtering enabled (spam/phishing filter active)
- Website scanned for publicly exposed sensitive files or admin panels
- SSL/TLS certificate installed on website (HTTPS)
- SSL/TLS certificate validity and configuration verified
- Encryption enabled on laptops/devices with business data
- Vulnerable third-party plugins or integrations identified and removed or updated
- Data Processing Agreement in place with hosting/cloud providers
- Basic staff training on phishing recognition and password hygiene completed
Nice to Have:
- Cyber Essentials certification obtained or in progress
- Penetration testing or security assessment completed
- Security monitoring and logging in place (unusual access patterns detected)
- Disaster recovery plan documented (not just backup — full recovery plan)
- Cyber insurance policy in place with Cyber Essentials verification
- Annual security audit scheduled
Priority Indicators
Do these first (addresses 80% of common attacks):
- Multi-factor authentication on email
- Monthly patching
- User access control (no sharing, admin restricted)
- Automated backups with testing
- Email authentication (SPF/DKIM/DMARC)
Time estimate: 2–4 weeks for most SMEs starting from a baseline, 4–8 hours of your time.
Going Deeper
Cyber Essentials certification: Once you’ve checked off the Critical and Important items, you’re ready for Cyber Essentials. Cost: £300–£600 annually (standard) or £600–£1,200 (Plus with independent verification). Timeline: 1–3 months depending on assessment type. Read our full guide to Cyber Essentials.
Incident response: Your one-page plan should include: contact list (IT support, management, ICO if needed), initial response (contain, don’t investigate yourself unless trained), and recovery process. More detailed: see our step-by-step guide to cybersecurity readiness.
Staff training: Phishing accounts for 93% of attack delivery. Five minutes per month on recognising suspicious emails, not clicking unknown links, and reporting suspicious messages is high-impact.
Data security: If you process sensitive data (customer payment info, health records, employee records), add: encryption at rest, encrypted data in transit (HTTPS), access logging, data retention policy, secure deletion (not just delete — wipe securely).
Monitoring: For mature organisations, consider logging and monitoring: unusual login patterns (someone accessing systems from a new location), bulk file downloads or deletions, unusual network traffic. This requires technical setup but detects compromises faster.
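Two of the signals named above (a login from a location the user has never used, and a burst of file downloads) can be picked out of an audit log with a few lines of logic. This added example is not from the checklist or any product it mentions; the log format and the lines it scans are constructed, and the threshold of 5 downloads in 10 minutes is an assumed starting point to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, user, event, country, object.
SAMPLE_LOG = """\
2024-03-04T08:01:00 alice login GB -
2024-03-04T08:05:00 alice download GB invoices-q1.xlsx
2024-03-05T09:00:00 alice login GB -
2024-03-06T02:14:00 alice login FR -
2024-03-06T02:15:00 alice download FR clients.csv
2024-03-06T02:15:30 alice download FR payroll.xlsx
2024-03-06T02:16:00 alice download FR contracts.zip
2024-03-06T02:16:20 alice download FR board-minutes.pdf
2024-03-06T02:17:00 alice download FR hr-records.xlsx
2024-03-06T02:17:30 alice download FR bank-details.xlsx
2024-03-04T10:00:00 bob login GB -
2024-03-05T10:00:00 bob login GB -"""

BULK_THRESHOLD = 5                   # assumed: downloads per user ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def parse_log(text):
    """Split each line into (timestamp, user, event, country, object), oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, event, country, obj = line.split()
        events.append((datetime.fromisoformat(ts), user, event, country, obj))
    return sorted(events)


def detect_anomalies(text):
    """Return alert strings for new-location logins and bulk downloads, per user."""
    seen_countries = defaultdict(set)   # countries each user has logged in from so far
    download_times = defaultdict(list)  # recent download timestamps per user
    alerts = []
    for ts, user, event, country, obj in parse_log(text):
        if event == "login":
            # First login seeds the baseline; later logins are compared against it.
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.append(f"{ts.isoformat()} {user}: login from new location {country}")
            seen_countries[user].add(country)
        elif event == "download":
            window = download_times[user]
            window.append(ts)
            while ts - window[0] > BULK_WINDOW:  # drop downloads older than the window
                window.pop(0)
            if len(window) == BULK_THRESHOLD:     # alert once per burst, when it crosses
                minutes = BULK_WINDOW.seconds // 60
                alerts.append(f"{ts.isoformat()} {user}: {BULK_THRESHOLD} downloads within {minutes} min")
    return alerts
```

Running it over the sample log yields one new-location alert and one bulk-download alert for alice, and nothing for bob; in practice the baseline would be built from weeks of history rather than the first login.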
Common Failures We See
Access control: Shared passwords for business accounts, admin access given to everyone, former employees retaining access. Fix: give everyone unique credentials, restrict admin access, disable accounts on departure.
No backup testing: Backups are in place but have never been tested. Restore a backup to a test environment quarterly. A backup you’ve never tested is a backup you can’t trust.
Unpatched software: CMS platforms and plugins months or years out of date. Monthly patches take 2 hours per month maximum. Set a reminder: first Tuesday of the month.
No written incident response: When something goes wrong, there’s no documented process. One page (contact list, initial response steps, recovery process) is infinitely better than nothing.
Misconfigured cloud services: Microsoft 365 or Google Workspace configured at factory defaults. Review: enforce MFA, set password policies, configure data retention, review who has admin access.
If You Want Professional Help
Bartram Cyber combines automated external scanning (what’s publicly exposed), questionnaire assessment (what controls you have in place), and delivers a risk report mapping your posture against Cyber Essentials controls with a prioritised remediation roadmap.
To stay informed about cybersecurity regulations and compliance updates, subscribe to our fortnightly newsletter which covers the latest developments across all compliance areas.
Next Steps
- Print or save this checklist.
- Assign someone to own it. This is typically an IT manager, office manager, or operations person.
- Start with Critical items. Estimate 2–4 weeks, 4–8 hours of your time.
- Review quarterly. This isn’t a one-time exercise. Patches apply monthly, access reviews quarterly, incident plan updated annually.
- Work toward Cyber Essentials. Once Critical and Important items are done, you’re ready. Cost £300–£600, gives you a marketable credential and insurance benefits.
The gap between most breached SMEs and unbreached ones isn’t technology or budget. It’s documented, tested, enforced controls. This checklist gets you there.