Freelancer Security Verification

Digital Security Vetting Checklist

Freelancers are a vital resource for small businesses, but they often use their own hardware, follow their own processes, and access your core business data. This form helps you quickly verify the digital security posture of any freelancer before granting access.

This form runs entirely in your browser. CyberSussed does not store, collect, or transmit any personal data entered here. Your completed report is generated locally and sent directly to the email addresses you provide.

How This Works

For each security requirement below, click the appropriate button to indicate the freelancer’s current status. ✓ Yes means the requirement is fully met. ~ Partial means it is partially in place or planned. ✗ No means it is not in place.

Items marked Essential must be confirmed before granting any access to business systems or data. Items marked Recommended or Best Practice strengthen your overall security posture.

43% of UK small businesses attacked in last 12 months
£8,460 average cost of a single cyber breach for SMEs
1 in 2 chance an SME will experience a cyber breach

1. Device & System Security

Operating system is current and manufacturer-supported
e.g. Windows 10/11, macOS Ventura or later, Chrome OS. Unsupported OS versions do not receive security patches.
Essential
Automatic software updates are enabled
Operating system and all applications are set to auto-update to receive critical security patches promptly.
Essential
Reputable antivirus / endpoint protection is installed and active
A recognised security solution (e.g. Windows Defender, Bitdefender, Sophos) is running with real-time protection enabled.
Essential
Device has a screen lock / password enabled
Laptop or desktop requires a password, PIN, or biometric to unlock. Auto-lock is set to activate within 5 minutes of inactivity.
Essential
Full disk encryption is enabled
e.g. BitLocker (Windows) or FileVault (macOS). Protects data if the device is lost or stolen.
Recommended

2. Access & Authentication

Uses a password manager for credentials
e.g. Keeper, Bitwarden, 1Password. Does not reuse passwords or store them in browsers/plain text.
Essential
Two-Factor Authentication (2FA) is enabled on all relevant accounts
Authenticator app or hardware key preferred. SMS-based 2FA is acceptable as a minimum.
Essential
Uses unique, strong passwords (12+ characters)
Passwords are complex, unique per service, and not shared with personal accounts.
Essential
Willing to use a VPN when accessing business systems remotely
Uses a VPN to encrypt internet traffic when working from public or unsecured networks.
Recommended
Separate user account for work (not shared/admin by default)
Uses a standard (non-admin) user account for day-to-day work to limit the blast radius of any compromise.
Best Practice

3. Data Handling & Privacy

Understands and complies with UK GDPR
Aware of data handling responsibilities, particularly around personal and sensitive data belonging to your clients or staff.
Essential
Will not store business data on personal/unsecured devices or accounts
Business files are kept in approved cloud environments (e.g. Google Workspace, Dropbox Business) and not on personal USB drives or cloud accounts.
Essential
Agrees to delete / return all business data upon contract completion
Will securely delete all local copies and return all files and access credentials at the end of the engagement.
Essential
Uses encrypted file transfer methods
Shares files via encrypted channels rather than unprotected email attachments or consumer file-sharing links.
Recommended
Regular data backups are in place
Maintains regular backups of work files to protect against ransomware or accidental data loss.
Recommended

4. Network & Communication Security

Home Wi-Fi router has a strong, unique password (not the default)
Default router passwords are widely known and trivially exploitable. Router firmware should also be up to date.
Essential
Does not conduct business work on public Wi-Fi without a VPN
Coffee shops, co-working spaces, hotels — all pose interception risks without encrypted connections.
Essential
Uses encrypted communication tools (e.g. Teams, Slack, Signal)
Business discussions and file sharing happen over encrypted platforms rather than SMS or unencrypted channels.
Recommended
Firewall is enabled on their device
Built-in OS firewall or third-party firewall is active and properly configured.
Best Practice

5. Security Awareness & Incident Response

Can identify common phishing and social engineering tactics
Recognises suspicious emails, fake invoices, impersonation attempts, and knows not to click unverified links or attachments.
Essential
Agrees to immediately report any suspected security incident
Will notify your designated contact immediately if they suspect their device, account, or your data has been compromised.
Essential
Has completed cybersecurity awareness training
Has undertaken formal or self-directed training on cyber threats, safe online practices, and data protection.
Recommended
Aware of invoice fraud and payment redirection scams
Understands the risk of fraudulent invoices, changed bank details, and impersonation of suppliers or clients.
Recommended
Holds relevant certifications or accreditations
e.g. Cyber Essentials, IASME Cyber Assurance, ISO 27001 awareness, or equivalent professional certifications.
Best Practice

6. Contractual & Legal Readiness

Willing to sign a Non-Disclosure Agreement (NDA)
Agrees to keep all business information, client data, and proprietary processes confidential.
Essential
Agrees to comply with your Acceptable Use Policy
Will adhere to your company’s policies regarding use of IT systems, data access, and digital conduct.
Essential
Carries professional indemnity insurance
Has insurance coverage that protects against claims arising from professional negligence or data-related incidents.
Recommended
Carries cyber liability insurance
Has specific coverage for data breaches, cyber incidents, and related financial losses.
Recommended


Freelancer Acceptance Statement

A copy of this completed report will be emailed to both the freelancer and this address.

Freelancer security not up to scratch?

If your freelancer’s security score has raised concerns, we can help. Our Freelancer Cyber Security Package gives them everything they need to meet your requirements and protect your business.
