The SME Cybersecurity Checklist – A Practical Annual Review

Security work can drift without a regular review point. An annual checklist helps you step back, confirm that core controls still operate as expected, and identify where new risks have appeared.

This article provides a practical review structure for small and mid-sized organisations that want to avoid both complacency and overcomplicated audit exercises.

1. Confirm who has access to what

  • Review admin accounts on key systems and remove any that are no longer needed.
  • Check that ex-staff accounts have been removed or disabled.
  • Verify third-party and contractor access and revoke it where it is no longer required.

2. Validate backups and recovery

  • Confirm that backups run successfully for critical systems.
  • Perform at least one test restore for important data.
  • Ensure that an offsite or separate copy of backups is still in place.

3. Review patching and updates

  • Check that servers and endpoints are receiving regular updates.
  • Confirm that applications and key plugins, including on public websites, are updated.
  • Adjust your patching schedule if it has fallen behind.

4. Examine MFA coverage

  • List systems where MFA is enabled for admins.
  • Extend MFA coverage to additional staff where feasible.
  • Ensure that high-value services such as email and cloud portals are covered.

5. Revisit policies and staff awareness

  • Update policies to reflect any changes in systems or ways of working.
  • Run short awareness refreshers covering phishing, data handling, and reporting.
  • Ensure new starters are onboarded into your security expectations.

6. Check monitoring and logging

  • Verify that logging is still enabled on VPNs, admin portals, and key servers.
  • Confirm that someone reviews important alerts.
  • Adjust thresholds or rules to reduce noise and highlight real issues.

7. Update your risk register

  • Close risks where controls are now in place.
  • Add new risks that have emerged from changes in technology or business model.
  • Reassess likelihood and impact where circumstances have changed.

Embedding the checklist into your annual cycle

The checklist becomes more effective when it is aligned with other business review activities, such as annual planning or budget cycles. This ensures that security improvements are considered alongside other operational priorities.

As part of the Baseline Security Sprint, a tailored version of this checklist can be created for your organisation so that annual reviews build on a known baseline rather than starting from scratch each year.

Next step: if you would like a version of this checklist adapted to your specific environment, along with support to complete the first review, a focused engagement can be used to establish that process.