Cyber Essentials Technical Controls

Cyber Essentials Controls

The Cyber Essentials scheme defines five key technical controls that every UK organisation should implement to protect against common cyber‑attacks. These controls apply regardless of organisation size or industry and cover devices used in the office, at home or remotely (including BYOD and cloud services). The controls help you reduce risk without unnecessary complexity and form the basis for Cyber Essentials and Cyber Essentials Plus certification.

Summary of the Five Controls

  • Firewalls
    • Purpose: Restrict inbound and outbound network traffic so that only necessary and secure services are exposed. A firewall (hardware device, software firewall or cloud policy) creates a protective boundary around your systems.
    • Examples: Change default passwords, block unwanted traffic, document and review firewall rules.
  • Secure configuration
    • Purpose: Ensure computers and network devices are configured safely from the start. Default settings often include unnecessary services or accounts, which attackers exploit.
    • Examples: Remove unused accounts and software, disable auto‑run and set strong device lock controls.
  • Security update management
    • Purpose: Keep operating systems, firmware and applications up to date. Vendors release patches to fix vulnerabilities; failing to apply them leaves systems exposed.
    • Examples: Use supported software, enable automatic updates and install critical or high‑risk patches within 14 days.
  • User access control
    • Purpose: Make sure only authorised people have user accounts and that those accounts provide only the access needed for their job. Strong authentication reduces the chance of accounts being misused.
    • Examples: Approve account creation, use unique credentials, enable multi‑factor authentication and promptly remove unused accounts.
  • Malware protection
    • Purpose: Prevent malware and untrusted software from running on devices.
    • Examples: Use anti‑malware software or application allow‑listing; keep definitions up‑to‑date and block malicious websites.

Firewalls and Network Boundary Security

Firewalls are your first line of defence. They inspect and filter network traffic so that only permitted connections are allowed. A properly configured firewall reduces your exposure to attacks by blocking unauthorised access and restricting services to what the business genuinely needs. Firewalls can be hardware devices at your network boundary, software firewalls on individual devices or cloud‑based data‑flow policies.

Minimum actions

  • Deploy a firewall for every device in scope – Use a boundary firewall or enable the built‑in software firewall on laptops, desktops and servers. Cloud services should use data‑flow policies to achieve the same effect.
  • Change default passwords and restrict admin access – Replace factory‑set admin passwords with strong, unique credentials and disable remote management interfaces unless genuinely needed. If remote administration is required, protect the interface using multi‑factor authentication or an IP allow‑list.
  • Block unauthenticated inbound connections by default – Deny all unsolicited inbound traffic and only open the ports/services you need. Each rule should be documented and approved by someone responsible for security.
  • Remove unnecessary rules – Regularly review firewall rules and remove any that are no longer required.
  • Keep firmware up to date – Apply any critical or high-risk security updates to firewalls and boundary devices within 14 days of release.
  • Use software firewalls when off‑network – Ensure laptops and other portable devices have their software firewalls enabled when connecting to untrusted networks (e.g., public Wi‑Fi).

Enhanced measures

  • Network segmentation – Divide your network into smaller segments separated by internal firewalls or VLANs. NHS guidance notes that segmentation limits the “blast radius” of an attack by containing traffic within each segment and reducing the attack surface. Only allow authorised traffic between segments and block everything else.
  • Centralised firewall management – Use a central management tool to push consistent rules to all firewalls and record changes. Maintain a firewall access register to document who can modify rules and why.
  • Intrusion detection and logging – Enable logging on your firewall and regularly review logs for suspicious activity. Consider deploying an intrusion detection/prevention system (IDS/IPS) to monitor and alert on unusual traffic patterns.
  • Regular audits and testing – Schedule periodic firewall configuration reviews and external vulnerability scans (required for Cyber Essentials Plus) to ensure the firewall still meets business needs and that critical firmware updates are applied. Conduct simulated attacks to verify that only intended services are reachable.
  • Advanced threat protection – Larger organisations may invest in next‑generation firewalls with features such as deep‑packet inspection, application awareness and threat intelligence feeds. These tools provide greater visibility and automated blocking of known malicious traffic. While not required for Cyber Essentials, they offer additional protection where budget allows.

Firewalls & Network Security: Frequently Asked Questions

Does every device need to be protected by a firewall?
Yes. For Cyber Essentials, every device in scope must be protected by a firewall. If staff work in an office, this is usually a boundary firewall (the hardware at the edge of your network). If they work from home or in public spaces, the software firewall built into their laptop (Windows Defender Firewall or the macOS firewall) must be enabled and configured correctly.

How must the firewall be configured?
Your firewalls must be configured to:
Block by default: Deny all unauthenticated inbound connections.
Remove defaults: Change factory‑set administrative passwords to strong, unique ones.
Disable remote access: Turn off remote management interfaces unless there is a specific business need; where they are needed, protect them with MFA or an IP allow‑list.

What if the firewall itself is out of date or out of support?
To pass the CE+ audit, any “Critical” or “High” security updates released by the firewall manufacturer must be applied within 14 days. If your hardware is “End of Life” and no longer receives updates, it will cause an automatic failure.

Which ports am I allowed to leave open?
You should only open ports that are genuinely required for business operations. Each open port must be:
Documented: You must record the business reason for the rule.
Approved: Signed off by an authorised individual, typically the Head of IT or a security lead.
Protected: Remote access services (such as RDP, SSH or VNC) should never be open to the whole internet; they should be restricted by an IP allow‑list or protected by multi‑factor authentication (MFA).

How often should firewall rules be reviewed?
As a minimum requirement, rules should be removed as soon as the business need expires. As an enhanced measure, it is recommended to conduct a full review of your firewall rule set every 6 months to identify and “clean up” any legacy access.
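The rule‑register checks described above (a documented reason and an approver for every inbound rule, no remote‑access service exposed to the whole internet without MFA or an allow‑list, and removal of rules whose business need has expired) are easy to script. The following is an added example written for this page, not code from the Cyber Essentials scheme or from any firewall vendor. The CSV column names, the list of remote‑access ports and the sample rules are constructed assumptions; a real register would be exported from the firewall or the change‑control system.

```python
"""Audit a firewall access register against the Cyber Essentials expectations:
documented, approved, remote access not exposed to the internet unprotected,
and no rules past their expiry. Added example; the CSV layout is an assumption."""
import csv
import io
from datetime import date

# Remote-access services that must never face 0.0.0.0/0 without an IP
# allow-list or MFA in front of them (constructed list, extend as needed).
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}

# Constructed sample register in the shape a firewall access register might take.
SAMPLE_REGISTER = """\
id,direction,port,source,reason,approver,expires,mfa_or_allowlist
1,inbound,443,0.0.0.0/0,Public website,Head of IT,,
2,inbound,3389,0.0.0.0/0,Remote admin,,,no
3,inbound,22,203.0.113.0/24,Admin SSH from office,Head of IT,,yes
4,inbound,8080,0.0.0.0/0,Temporary vendor test,Head of IT,2024-01-31,
5,outbound,53,10.0.0.0/8,DNS,Head of IT,,
"""


def audit_register(csv_text, today):
    """Return a list of (rule_id, finding) for every rule that breaches policy.
    `today` is an ISO date string so the check is reproducible."""
    today = date.fromisoformat(today)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid = row["id"]
        port = int(row["port"])
        protected = row["mfa_or_allowlist"].strip().lower() == "yes"
        if row["direction"] == "inbound":
            if not row["reason"].strip():
                findings.append((rid, "no documented business reason"))
            if not row["approver"].strip():
                findings.append((rid, "no recorded approver"))
            if port in REMOTE_ACCESS_PORTS and row["source"] == "0.0.0.0/0" and not protected:
                service = REMOTE_ACCESS_PORTS[port]
                findings.append((rid, f"{service} open to the internet without MFA or an IP allow-list"))
        # Expiry applies to every rule, whichever direction it governs.
        if row["expires"].strip() and date.fromisoformat(row["expires"]) < today:
            findings.append((rid, "rule past its expiry date; remove it"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_register(SAMPLE_REGISTER, "2024-06-01"):
        print(f"rule {rule_id}: {finding}")
```

Run against the sample register on 2024‑06‑01 it reports rule 2 twice (no approver, RDP exposed) and rule 4 once (expired); rules 1, 3 and 5 pass. Feeding the script a real export before the external scan is a cheap way to find the legacy rules an assessor would otherwise find for you.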

Do these rules apply to cloud services too?
Yes. In cloud environments, “boundary firewalls” are usually implemented as data‑flow policies (e.g., Azure Network Security Groups). These must be configured with the same “deny‑all” inbound logic as physical hardware to be compliant.

Do I need an IDS/IPS or deep‑packet inspection to pass?
No. While IDS, IPS and deep‑packet inspection are excellent enhanced measures for larger organisations, they are not a mandatory requirement for achieving basic Cyber Essentials certification.

Secure Configuration

Devices come with default settings intended for ease of use rather than security. These settings may include default passwords, unnecessary user accounts or services and features like auto‑run, all of which create vulnerabilities. Secure configuration means hardening each device so it only runs what it needs and is locked down against common attacks.

Minimum actions

  • Mobile Encryption (Mandatory) – Ensure encryption is enabled on all mobile devices (smartphones/tablets). For most modern devices, this is active by default once a PIN or password is set.
  • Remove unnecessary user accounts and privileges – Delete guest accounts and disable default or administrative accounts that are not used. Assign users the minimum privileges they need to perform their job.
  • Change default or guessable passwords – Replace vendor‑provided passwords on all devices and applications with strong, unique credentials.
  • Separate administrative and standard accounts – Keep administrator accounts apart from the standard accounts used for everyday tasks such as browsing the web or reading email. For example, IT staff should have two accounts: one for normal day‑to‑day use and a separate admin account used only for IT support tasks.
  • Remove unused software and services – Uninstall any application, system utility or network service that is not needed. Fewer services means fewer potential vulnerabilities.
  • Disable auto‑run features – Prevent files from executing automatically when downloaded or inserted (e.g., via USB).
  • Implement device locking controls – Require users to authenticate (via password, PIN or biometrics) before accessing a device. To protect against brute‑force guessing, devices must lock after no more than 10 unsuccessful attempts, or throttle attempts (for example a progressive delay that allows no more than 10 guesses in 5 minutes).
  • Document and repeat – Use a checklist when provisioning devices so that hardening steps are consistently applied. Record configurations so you can rebuild devices quickly if needed.

Enhanced measures

  • Configuration baselines and automation – Develop a secure baseline configuration for each device type (server, workstation, mobile, router) and use automated tools such as Group Policy, MDM or configuration management platforms to apply them consistently across your estate. Regularly review baselines to incorporate new vendor guidance.
  • Enable disk encryption for laptops and desktops – While mandatory for mobiles, extending full-disk encryption (e.g., BitLocker for Windows, FileVault for macOS) to all portable computers is a critical best practice to protect data at rest if a device is lost or stolen.
  • Secure build pipelines – For cloud and virtual environments, use infrastructure‑as‑code and container hardening to ensure that instances are deployed with secure settings from the outset. Apply the principle of least privilege to API keys and service accounts.
  • Configuration scanning and drift detection – Deploy vulnerability scanners or configuration assessment tools to identify insecure settings (e.g., weak protocols, open services). Address deviations from your baseline promptly.
  • Segregation of administrative functions – Use dedicated management networks or jump servers for system administration.

Secure Configuration: Frequently Asked Questions

Why can’t I use an administrator account for everyday work?
One of the most common reasons for a CE+ audit failure is using an account with administrative privileges for everyday tasks. To pass, you must separate functions: use a standard user account for email and web browsing, and a separate admin account only for technical changes or software installations. This prevents a single malicious link or attachment from gaining full control of the device.

What password or PIN rules do I have to enforce?
To be compliant, your authentication must meet one of these NCSC‑approved options:
With MFA: If multi‑factor authentication is in use, the password must be at least 8 characters long; no further complexity rules are needed.
Device unlocking (PIN or biometrics): Biometrics (Face ID/Touch ID) are acceptable on their own; where a PIN or password unlocks the device, it must be at least 6 characters long.
Password‑only: If there is no MFA, the password must be at least 8 characters long with a “deny list” of common passwords (like qwerty) enforced, or at least 12 characters long with no other restrictions.
In every case there must be no maximum password length and no forced complexity (mixed case, symbols) requirements.

Do passwords have to be changed regularly?
No. Current NCSC guidance (and the CE standard) moves away from forced periodic password changes. You only need to change a password if there is evidence or suspicion that it has been compromised.

What counts as brute‑force protection?
To pass the “brute‑force protection” requirement, devices must be configured to lock the login after no more than 10 failed attempts, or to throttle attempts with a progressive delay so that no more than 10 guesses are possible in 5 minutes. This applies to laptops, desktops and mobile devices, and to the accounts behind them.
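The credential rules in this section (device unlocking by biometrics or a PIN of at least 6 characters, the three password options, and lockout or progressive throttling after no more than 10 failures) are restated under User Access Control below. The following is an added example written for this page, not code from the scheme or from any vendor, showing one way to encode those rules in an authentication service. The deny list, the 5‑minute window and the doubling delay schedule are constructed assumptions; a real deployment would load a large deny list and persist failure counters outside the process.

```python
"""Cyber Essentials credential rules as code: device unlocking, the three
password routes, and brute-force throttling. Added example; the deny list,
window and delay schedule are assumptions, not values from the standard."""
import time

# Constructed deny list; real deployments use a large list of common passwords.
DENY_LIST = {"password", "qwerty", "123456", "letmein", "welcome"}


def password_route(password, mfa_enabled=False, deny_list=DENY_LIST):
    """Return the route the password satisfies, or None if it fails all three:
    'mfa'      - MFA in use and the password is at least 8 characters
    'length12' - at least 12 characters with no other requirement
    'denylist' - at least 8 characters and not on the deny list
    """
    n = len(password)
    if mfa_enabled and n >= 8:
        return "mfa"
    if n >= 12:
        return "length12"
    if n >= 8 and password.lower() not in deny_list:
        return "denylist"
    return None


def device_unlock_ok(pin, biometric=False):
    """Device unlocking credential: biometrics, or a PIN/password of 6+ characters."""
    return biometric or len(pin) >= 6


class LoginThrottle:
    """Per-account failure tracking. After max_failures inside window_s the
    account is locked; before that each failure doubles the delay imposed on
    the next attempt (1s, 2s, 4s ... capped at max_delay_s)."""

    def __init__(self, max_failures=10, window_s=300, max_delay_s=60.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.max_delay_s = max_delay_s
        self.clock = clock          # injectable so tests can fake time
        self._failures = {}         # account -> list of failure timestamps

    def _recent(self, account):
        """Drop failures older than the window and return the live list."""
        now = self.clock()
        stamps = [t for t in self._failures.get(account, []) if now - t < self.window_s]
        self._failures[account] = stamps
        return stamps

    def record_failure(self, account):
        self._recent(account).append(self.clock())

    def record_success(self, account):
        self._failures.pop(account, None)

    def is_locked(self, account):
        return len(self._recent(account)) >= self.max_failures

    def delay_before_next_attempt(self, account):
        """Seconds the caller must wait before processing another attempt."""
        k = len(self._recent(account))
        if k == 0:
            return 0.0
        return min(self.max_delay_s, float(2 ** (k - 1)))

    def attempt(self, account, credential_ok):
        """Gate a login: returns 'locked', 'ok' or 'denied'."""
        if self.is_locked(account):
            return "locked"
        if credential_ok:
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "denied"
```

Note that `password_route` deliberately checks nothing about character classes: the standard wants length, a deny list or MFA, not complexity rules. The throttle treats a locked account as locked even when the correct credential is presented, which is what stops an attacker who guesses right on the eleventh try.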

Is device encryption mandatory?
It is a minimum requirement for all mobile devices (smartphones and tablets) because they are at high risk of loss or theft. For laptops and desktops, it is currently classed as an enhanced measure (best practice), though strongly recommended for UK GDPR compliance.

Which software should I remove?
The goal is to reduce the “attack surface.” You must uninstall:
Trialware or “Bloatware” that came with the device.
Apps that are no longer supported by the manufacturer.
Services or utilities that have no clear business purpose.

How do I enforce these settings across many devices?
While you can harden devices manually, the enhanced approach is to use configuration baselines via Group Policy (for Windows domains) or MDM (Mobile Device Management) such as Microsoft Intune or Jamf. This ensures that settings like the 10‑attempt lockout and the 6‑character PIN are automatically enforced and cannot be disabled by the user.

Do I need a documented build standard?
Yes. A core part of the minimum actions is to have a documented build standard or checklist. This ensures that every new laptop or mobile issued to staff is hardened consistently and meets the same security requirements.

Security Update Management (Patch Management)

Software vulnerabilities are discovered all the time. Vendors release patches or configuration changes to fix them, but attackers often exploit unpatched systems very quickly. Security update management ensures your systems are running supported software and that fixes for high‑risk vulnerabilities are applied in a timely manner.

Minimum actions

  • Use licensed, supported software – Only use operating systems and applications that still receive security updates from the vendor.
  • Enable automatic updates – Configure devices and applications to install updates automatically whenever possible.
  • Apply high/critical security updates within 14 days – Install patches or other vendor‑approved fixes within 14 days of release when they:
    • fix vulnerabilities described by the vendor as critical or high risk or with a CVSS v3 base score of 7 or above,
    • or when the vendor provides a fix but does not specify severity.
      Note that vendors sometimes bundle fixes for vulnerabilities of differing severities; if any part of the update addresses a high‑risk issue, apply it within 14 days.
  • Maintain an up‑to‑date inventory – Keep an asset register of all devices, operating system versions and installed software so you know what needs to be patched.
  • Remove or isolate unsupported software – If you cannot patch a piece of software (because it is obsolete or bespoke), isolate it on a segregated network or remove it from scope.
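The 14‑day rule above has three triggers (vendor rating of critical or high, CVSS v3 base score of 7.0 or above, or a fix the vendor gives no severity for) and only bites once the asset register shows a device below the fixed version. The following is an added example written for this page, not a tool from the scheme: it joins a constructed set of vendor advisories to a constructed inventory and reports every device that has passed its deadline. Product names, versions and dates are assumptions, and versions are compared as dotted integer tuples, which is a simplification that real package version formats will break.

```python
"""Flag devices that have missed the 14-day window for in-scope security
updates. Added example; advisories, inventory and product names are constructed."""
from datetime import date, timedelta

WINDOW = timedelta(days=14)

# Constructed vendor advisories. severity/cvss of None means the vendor gave
# no rating, which still puts the fix inside the 14-day rule.
ADVISORIES = [
    {"product": "ExampleBrowser", "fixed": "120.0.2", "released": "2024-05-01", "severity": "Critical", "cvss": 9.8},
    {"product": "ExampleBrowser", "fixed": "120.0.3", "released": "2024-05-20", "severity": "Medium", "cvss": 5.3},
    {"product": "ExampleRouterFW", "fixed": "2.4.1", "released": "2024-05-10", "severity": None, "cvss": None},
    {"product": "ExampleOffice", "fixed": "16.2.0", "released": "2024-05-25", "severity": "Low", "cvss": 7.2},
]

# Constructed asset register: device -> {product: installed version}.
INVENTORY = {
    "laptop-01": {"ExampleBrowser": "120.0.1", "ExampleOffice": "16.1.0"},
    "laptop-02": {"ExampleBrowser": "120.0.2", "ExampleOffice": "16.2.0"},
    "router-01": {"ExampleRouterFW": "2.4.0"},
}


def parse_version(v):
    """Dotted numeric versions only; real package formats need a proper parser."""
    return tuple(int(p) for p in v.split("."))


def in_scope(adv):
    """True when the 14-day rule applies: vendor rating critical/high, CVSS v3
    base score 7.0 or above, or no severity information from the vendor."""
    sev = (adv["severity"] or "").lower()
    if sev in ("critical", "high"):
        return True
    if adv["cvss"] is not None and adv["cvss"] >= 7.0:
        return True
    return adv["severity"] is None and adv["cvss"] is None


def overdue_patches(inventory, advisories, today):
    """Return [(device, product, fixed_version, days_overdue)] for every
    in-scope fix a device lacks whose deadline passed before `today` (ISO date)."""
    today = date.fromisoformat(today)
    out = []
    for device, installed in inventory.items():
        for adv in advisories:
            if not in_scope(adv) or adv["product"] not in installed:
                continue
            if parse_version(installed[adv["product"]]) >= parse_version(adv["fixed"]):
                continue                    # already at or past the fixed version
            deadline = date.fromisoformat(adv["released"]) + WINDOW
            if today > deadline:
                out.append((device, adv["product"], adv["fixed"], (today - deadline).days))
    return out


if __name__ == "__main__":
    for device, product, fixed, late in overdue_patches(INVENTORY, ADVISORIES, "2024-06-01"):
        print(f"{device}: {product} below {fixed}, {late} day(s) past the 14-day deadline")
```

Two details worth noticing: the ExampleOffice advisory is vendor‑rated “Low” but carries a CVSS of 7.2, so it is in scope anyway; and the router firmware has no rating at all, which also puts it in scope. A report that only keyed on the vendor’s word would miss both.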

Enhanced measures

  • Automated patch management tools – Use dedicated patch management platforms or endpoint management solutions to automate update distribution, reporting and compliance tracking.
  • Risk‑based prioritisation – Classify assets based on importance and exposure; prioritise patching for internet‑facing systems and critical business applications. Consider accelerating patches outside the 14‑day window when there is evidence of active exploitation.
  • Testing and staged deployment – For critical systems, test patches in a staging environment before organisation‑wide deployment to ensure they do not disrupt operations. Rolling deployment reduces the risk of widespread outages.
  • Vulnerability scanning and continuous monitoring – Regularly scan your network and cloud services to detect missing patches or misconfigurations. Continuous monitoring helps identify devices that fall out of compliance so they can be remediated quickly.
  • Formal patching policy – Document who is responsible for applying patches, the process for emergency updates and the escalation route when patches cannot be applied within the recommended timeframe.

Security Update Management: Frequently Asked Questions

How quickly do security updates have to be applied?
This is one of the most important requirements in the Cyber Essentials standard. Once a vendor (like Microsoft, Apple or Adobe) releases a security update, if that update is marked as “Critical” or “High” (or the vendor gives no severity at all), you must apply it to all affected devices within 14 days. This applies to operating systems, apps and firmware.

Which software is in scope?
Any software that is installed on devices used for business purposes is in scope. This includes:
Operating Systems (Windows, macOS, iOS, Android).
Web browsers (Chrome, Edge, Safari) and their plugins.
Office productivity suites (Microsoft 365, Adobe Acrobat).
Specialist business software.

What happens when software reaches end of life?
If a piece of software or an operating system reaches “End of Life” (EoL) and no longer receives security patches (e.g., Windows 7 or older versions of macOS), you must either:
Remove it from the device, or upgrade it to a supported version.
Replace the device if it cannot run a supported version.
Isolate it on a segregated, firewalled network so that it is out of scope, if it genuinely cannot be removed.
If an auditor finds EoL software on an in‑scope device during a CE+ audit, it is an automatic fail.

How do assessors decide which updates fall under the 14‑day rule?
Assessors look at the vendor’s own rating and the Common Vulnerability Scoring System (CVSS). Any vulnerability with a CVSS v3 base score of 7.0 or higher, any update the vendor describes as “Critical” or “High”, and any security fix for which the vendor gives no severity at all, falls under the 14‑day rule.

Is enabling automatic updates enough?
While auto‑updates are a good minimum action, they are not a guarantee of CE+ compliance. Auditors want to see that updates are actually succeeding. For larger estates, the enhanced approach is to use a patch management tool (such as Microsoft Intune) to report on compliance and prove that no device is lagging behind.

Does this apply to mobile phones?
Yes. If staff use work‑related apps on their mobile phones (like Outlook or Teams), those apps and the phone’s operating system must be kept up to date. Using a Mobile Device Management (MDM) solution is the most effective way to enforce this and provide the evidence needed for certification.

What about zero‑day vulnerabilities?
A “zero‑day” is a vulnerability that is exploited before a patch is available. Once the vendor releases an emergency patch for it, the 14‑day clock starts immediately. In these cases, it is best practice to deploy the update as soon as possible, rather than waiting for the full 14‑day window.

Why does the 14‑day rule matter?
In the UK, the majority of cyber attacks exploit known vulnerabilities that already have patches. By enforcing the 14‑day rule, the NCSC keeps your “window of vulnerability” small, making it much harder for automated attacks to succeed against your infrastructure.

User Access Control

Every user account provides a way into your systems. Unused or excessively privileged accounts increase the risk of compromise. User access control ensures that accounts are created only for authorised individuals, that they have just enough permissions to perform their role and that strong authentication protects them.

Minimum actions

  • Establish a process for account creation and approval – Only create accounts for authorised users and document who approved the account.
  • Use unique credentials for each user – Never share user accounts; unique usernames and passwords allow activity to be attributed to individuals.
  • Promptly disable accounts no longer required – Remove access when staff leave or change roles, or after a defined period of inactivity.
  • Implement multi‑factor authentication (MFA) – Require MFA wherever it is available, particularly for cloud services and administrative accounts. MFA provides additional protection against credential theft.
  • Use separate administrative accounts – Do not perform day‑to‑day activities such as browsing or email from an account with special privileges. Restrict privileged accounts to administrative tasks only.
  • Control password quality and protect against brute force – Enforce minimum password lengths: at least 12 characters with no other restrictions, or at least 8 characters combined with a deny‑list of common passwords, or at least 8 characters where MFA is used. Implement account lockout or throttling after multiple failed attempts. Avoid mandatory complexity rules and regular forced changes.

Enhanced measures

  • Centralised identity management – Implement directory services (e.g., Microsoft Entra ID/Azure AD) or identity‑as‑a‑service solutions to manage accounts, enforce MFA policies and provide single sign‑on (SSO) across cloud services. Such services simplify onboarding and offboarding, and enable conditional access based on device health and location.
  • Password managers and passphrase policies – Encourage users to create strong, memorable passphrases using three random words and store them in a secure password manager. Provide guidance on avoiding easily guessed words and re‑used passwords. Modern password policies should focus on length and uniqueness rather than arbitrary complexity rules.
  • Adopt passwordless authentication – Where possible, implement passwordless methods such as biometrics, security keys or trusted-device push notifications, as recognised in the Cyber Essentials v3.2 update. Passwordless approaches reduce reliance on secrets that can be phished.
  • Regular access reviews – Periodically review user permissions and group memberships to ensure they remain appropriate. Remove “standing” administrative rights in favour of just‑in‑time privileged access for tasks requiring elevation.
  • User training and awareness – Educate staff about phishing, credential theft and social engineering. Simulated phishing exercises and regular reminders help reinforce good habits.

User Access Control: Frequently Asked Questions

What does “least privilege” mean in practice?
This is the core of User Access Control. It means that every user should have only the minimum level of access required to do their job, and no more. For example, a member of the Finance team needs access to accounting software, but they do not need the rights to install new software or change network settings.

Why do IT administrators need two accounts?
If an IT administrator uses their privileged account for daily tasks like checking email or browsing the web, a single phishing link could grant an attacker full control over your entire network. To pass Cyber Essentials, IT staff must have a standard user account for daily work and a separate, dedicated admin account for technical tasks.

What is a user access review?
A user access review is a check to ensure that only current employees have active accounts and that their permission levels are still correct.
Minimum Action: You must have a process to deactivate accounts as soon as a staff member leaves the organisation.
Enhanced Measure: Conduct a formal audit of all user permissions every 6 months to identify “privilege creep” where users have accumulated access they no longer need.
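The review described above (leavers deactivated, permissions still correct, privilege creep removed), together with the earlier requirements for unique accounts and approved account creation, can be run as a script over an export from your directory or identity provider. The following is an added example written for this page, not code from the scheme or from any identity product. The column names, the 90‑day dormancy threshold and the sample accounts are constructed assumptions.

```python
"""Access review over a constructed account export: flags leavers still
enabled, dormant accounts, privileged accounts with a mailbox, shared accounts
and accounts with no recorded approver. Added example; the export format and
thresholds are assumptions."""
from datetime import date

DORMANT_DAYS = 90   # assumed threshold; pick one your policy can defend

# Constructed export in the shape an identity system might produce.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": False, "mailbox": True,
     "last_login": "2024-05-28", "left": None, "approver": "HR onboarding", "shared": False},
    {"user": "bob-admin", "enabled": True, "admin": True, "mailbox": True,
     "last_login": "2024-05-30", "left": None, "approver": "Head of IT", "shared": False},
    {"user": "carol", "enabled": True, "admin": False, "mailbox": True,
     "last_login": "2024-01-10", "left": "2024-02-01", "approver": "HR onboarding", "shared": False},
    {"user": "reception", "enabled": True, "admin": False, "mailbox": True,
     "last_login": "2024-05-31", "left": None, "approver": "", "shared": True},
    {"user": "dave", "enabled": True, "admin": False, "mailbox": True,
     "last_login": "2024-01-15", "left": None, "approver": "Head of Finance", "shared": False},
    {"user": "erin", "enabled": False, "admin": False, "mailbox": False,
     "last_login": "2023-11-01", "left": "2023-11-02", "approver": "HR onboarding", "shared": False},
]


def review_accounts(accounts, today):
    """Return a list of (user, finding) for enabled accounts that need action.
    `today` is an ISO date string so the review is reproducible."""
    today = date.fromisoformat(today)
    findings = []
    for a in accounts:
        user = a["user"]
        if not a["enabled"]:
            continue                                  # already dealt with
        if a["left"]:
            findings.append((user, "leaver still enabled; disable immediately"))
        if (today - date.fromisoformat(a["last_login"])).days > DORMANT_DAYS:
            findings.append((user, f"no login for over {DORMANT_DAYS} days; disable or justify"))
        if a["admin"] and a["mailbox"]:
            findings.append((user, "privileged account has a mailbox; admin accounts must not be used for email"))
        if a["shared"]:
            findings.append((user, "shared account; no individual accountability"))
        if not a["approver"].strip():
            findings.append((user, "no recorded approval for account creation"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, "2024-06-01"):
        print(f"{user}: {finding}")
```

The mailbox check is the one people forget: an admin account that can receive email is an admin account that can be phished, which is exactly the separation the standard is asking for.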

Can staff have local admin rights on their own laptops?
Standard employees should almost never have local administrator rights on their laptops. If a user can bypass security prompts or install unauthorised software without a separate admin credential, the device will fail a CE+ audit. All software installations should be handled by the IT team or deployed via a managed app store.

Do I need a formal approval process for access?
Yes. You must be able to show that there is a formal process for requesting and approving access to sensitive data or systems. This ensures that access is not granted “on the fly” but is instead a deliberate decision by a responsible person (such as a department head or the Head of IT).

What about guest accounts and shared logins?
Guest accounts and shared logins (where multiple people know one password) are a significant security risk because they remove individual accountability.
Requirement: Disable or delete all guest accounts.
Requirement: Ensure every user has a unique, identifiable account. Shared accounts should be avoided unless there is a very specific, documented technical reason.

Can I leave default administrator accounts as they are?
No. Many systems come with a default “admin” or “root” account with a factory‑set password. These are the first targets for attackers. You must either rename/disable these accounts or, at the very least, change the default password to a strong, unique one immediately upon setup.

Do these rules only apply to on‑premises systems?
No. The same rules apply to Microsoft 365, Google Workspace and any other cloud platform. You must ensure that only those who need “Global Admin” or “Super Admin” roles have them, and that these accounts are not used for daily email activities.

Malware Protection

Malware includes viruses, worms, ransomware and other malicious software that can damage systems, steal data or facilitate further attacks. Cyber Essentials requires you to restrict the delivery and execution of malware on all devices. You can meet this requirement through anti‑malware software or by implementing application allow‑listing.

Minimum actions

  • Use anti‑malware software or application allow‑listing – On Windows and macOS systems, install anti‑malware software that is kept up‑to‑date and configured to block known malware, prevent the execution of malicious code and stop connections to known‑malicious websites. Alternatively, use application allow‑listing so that only approved, signed applications can run.
  • Keep malware definitions up to date – Configure your anti‑malware solution to update automatically in line with vendor recommendations.
  • Prevent malware delivery – Use email filtering and web protection to block malicious attachments and websites. Disable or restrict macros and script execution where possible.
  • Maintain an approved software list – Actively approve applications before deployment and maintain a list of approved software. Users must not be able to install unsigned or unapproved applications.
  • Ensure full coverage – Deploy malware protection on all in‑scope devices, including servers, desktops, laptops, tablets, smartphones and cloud workloads.

Enhanced measures

  • Endpoint detection and response (EDR) – Upgrade from basic anti‑virus to EDR solutions that use behavioural analysis and machine learning to detect and respond to unknown threats. EDR platforms provide central visibility across endpoints and support rapid containment.
  • Application control and sandboxing – Use application control to restrict which executables, scripts and libraries can run. For high‑risk environments, sandbox suspicious attachments and links to observe behaviour before allowing them onto the network.
  • Threat intelligence and network monitoring – Subscribe to threat‑intelligence feeds and integrate them into your malware defences. Monitor network traffic for indicators of compromise and unusual patterns.
  • Backups and recovery – Although not a requirement, the NCSC strongly recommends having regular, offline backups so you can recover quickly if ransomware or destructive malware strikes.
  • User awareness and phishing simulation – Train users to recognise phishing emails and malware delivery techniques; run regular simulations to reinforce skills.

Malware Protection: Frequently Asked Questions

Does every device need malware protection?
Yes. To be compliant, any in‑scope device that can connect to the internet (including servers, laptops and desktops) must have an active malware protection mechanism. On modern systems, this can be the built‑in protection (such as Microsoft Defender Antivirus) or a third‑party solution.

Which malware protection options does the scheme accept?
Cyber Essentials recognises two ways to satisfy this requirement:
Anti‑malware software: Traditional antivirus or endpoint protection that detects known threats and is kept up to date in line with the vendor’s recommendations.
Application allow‑listing: Ensuring that only apps specifically approved by the organisation can run on a device.
Earlier versions of the scheme also listed application sandboxing (running untrusted code in an isolated environment that cannot reach the rest of the system) as a standalone option; it remains a useful supporting measure, and is how mobile operating systems isolate apps, but it is no longer one of the two routes.
Most UK businesses use anti‑malware software as their primary control.

Is it enough just to install antivirus software?
No. For a CE/CE+ pass, the software must be properly configured. This means:
It must scan files automatically when they are accessed (on‑access scanning).
It must be kept up to date in line with the vendor’s recommendations (for most products this means automatic definition updates at least daily).
It must be configured to warn users and block malicious files and websites.

Do Macs need malware protection?
Yes. While there is a common myth that Macs don’t get viruses, the NCSC treats them exactly like Windows PCs. To pass, macOS devices must have malware protection enabled and kept up to date in line with the vendor’s recommendations.

What about smartphones and tablets?
Mobile devices are slightly different. Smartphones and tablets normally meet the requirement through the application allow‑listing route: the operating system only runs apps installed from the official app store, and apps are sandboxed from each other, so a separate antivirus app is not usually needed, provided the operating system is supported and kept up to date.

How is malware protection tested in a CE+ audit?
During a CE+ audit, the assessor will perform a malware protection test. They will attempt to download and execute various non‑malicious test files (such as the EICAR test file) through your browser and email. If the files are not blocked or quarantined by your protection software, the audit will fail.
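Before the assessor does it for you, it is worth dropping the same harmless test file on a representative device and confirming that on‑access scanning removes or blocks it. The following is an added example written for this page, not a script from the scheme or from any vendor. It assembles the standard EICAR test string at runtime (so that this source file is not itself quarantined) and then waits to see whether the scanner intervenes. The wait time and the heuristics used to decide that the file was “blocked” are assumptions about how endpoint protection typically behaves; run it on the device under test, not on the machine you are reading this on.

```python
"""Pre-audit check that on-access scanning blocks the EICAR test file.
Added example; the wait time and the 'blocked' heuristics are assumptions."""
import os
import tempfile
import time


def eicar_bytes():
    """The standard 68-byte EICAR test string, assembled from two parts so the
    literal does not appear whole in this file."""
    head = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    tail = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    return (head + tail).encode("ascii")


def on_access_scan_blocks(directory, wait_s=10.0):
    """Write the test file into `directory` and report True if the scanner
    prevents the write, removes the file, denies reads, or alters its content
    within wait_s seconds; False if the file is still there untouched."""
    path = os.path.join(directory, "eicar.com")
    expected = eicar_bytes()
    try:
        with open(path, "wb") as f:
            f.write(expected)
    except PermissionError:
        return True                     # scanner blocked the write itself
    deadline = time.monotonic() + wait_s
    while time.monotonic() < deadline:
        try:
            with open(path, "rb") as f:
                data = f.read()
        except (PermissionError, FileNotFoundError):
            return True                 # quarantined or access denied
        if data != expected:
            return True                 # file neutralised in place
        time.sleep(0.5)
    os.remove(path)                     # nothing intervened; tidy up
    return False


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        blocked = on_access_scan_blocks(tmp)
    print("on-access scanning: " + ("PASS (test file blocked)" if blocked else "FAIL (test file not blocked)"))
```

A FAIL here on a device that has antivirus installed usually means on‑access scanning is disabled or the temporary directory is excluded; both are findings an assessor would record. Repeat the download through the browser and the mail client as well, since the CE+ test covers those delivery paths, not just a local write.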

Is basic antivirus enough, or should I go further?
While basic AV is the minimum, an enhanced measure is to deploy Endpoint Detection and Response (EDR). EDR doesn’t just look for known “bad” files; it looks for suspicious behaviour (like a Word document suddenly trying to run code). This provides much stronger protection against sophisticated and previously unseen attacks.

Does removing admin rights help with malware protection?
Yes. Restricting users’ ability to install software (by removing local admin rights) is one of the most effective ways to prevent malware from being introduced to your network. This links directly to the User Access Control requirements.