Build a defensible security baseline
Essential controls should reduce common, consequential routes into the organisation and improve recovery. The checklist is a starting point: adapt the depth to the information, service, sector, country and harm involved.
Protect the accounts that control other accounts, keep an accurate record of devices and services, remove unsupported technology, apply updates, use appropriate MFA, restrict administration, maintain tested backups and give people a rehearsed incident route.
Govern and understand
- A leader owns cyber risk and receives evidence, not only reassurance.
- Critical services, data, devices, cloud services, domains and suppliers have named owners.
- Important accounts and privileged roles are inventoried and reviewed.
- Risk decisions, exceptions and overdue actions are visible to the right authority.
- Country, sector, contractual, customer and insurance requirements are identified.
- Joiners, role changes and leavers trigger timely access changes.
Protect the common routes
- Supported operating systems, applications, routers and device firmware receive security updates promptly.
- Important accounts use unique credentials and appropriate multi-factor authentication.
- Administrative access is separate from everyday activity and limited to those who need it.
- Email domains and mail services use available anti-spoofing, filtering and account protections.
- Devices use screen locks, encryption where appropriate, malware protection and managed configuration.
- Only necessary services, remote access, integrations and sharing routes remain enabled.
- Personal and confidential information is collected, shared and retained only for a defined purpose.
- Supplier access and data flows are approved, documented and removable.
Detect, respond and recover
- Important sign-ins, administrator actions, security alerts and backup failures are reviewed.
- People know how to report a suspicious message, device, payment request or account event quickly.
- The incident plan names decision-makers, technical contacts, suppliers and protected communication routes.
- Backups are separated from production access and restored in realistic tests.
- Critical services have recovery time and acceptable data-loss targets.
- Incidents and near misses produce tracked improvements rather than blame.
A practical first 30 days
- Days 1–5: Identify the most important services and secure email, cloud, domain, finance and password-vault administrators.
- Days 6–10: Inventory devices, software, suppliers and backup locations; remove obvious stale accounts and unsupported systems.
- Days 11–20: Apply priority updates, restrict administration, improve device and email settings and close unnecessary access.
- Days 21–25: Restore a critical backup, test account recovery and confirm protected incident contacts.
- Days 26–30: Run a short incident exercise, document remaining gaps and agree owners, dates and escalation for the next cycle.
Baseline sources
The NCSC small-organisations guide covers backups, devices, email, important accounts and attack recognition. The CISA Cybersecurity Performance Goals provide a prioritised baseline of high-impact outcomes. Use the NIST CSF 2.0 to make sure governance, detection, response and recovery are not forgotten.
Essential cybersecurity controls FAQs
Which cybersecurity control should be implemented first?
Protect the account or dependency that can compromise the greatest number of other systems. For many small organisations this includes email, the main cloud administrator, domain and DNS management, finance and the password vault.
Is completing a checklist proof that an organisation is secure?
No. Record evidence that each control works, test the highest-risk assumptions and keep exceptions visible. A tick without ownership, coverage, monitoring or recovery evidence can create false confidence.
Do small organisations need every enterprise security tool?
No. Controls should be proportionate to the service, information and harm involved. Strong identity, supported technology, secure configuration, tested backups, clear reporting and supplier control often matter more than a large tool collection.
Continue your cybersecurity decision
Use the next guide that matches the exposure, control or recovery question you still need to resolve.

