Cyber Essentials is the UK government-backed certification scheme designed to protect organisations against the most prevalent cyber threats. At its core are five technical controls that, when properly implemented, address the attack vectors responsible for the vast majority of breaches — phishing, exploitation of known vulnerabilities, and credential theft. Achieving certification requires every device and piece of software that processes, stores, or transmits organisational data to fall within scope. That includes laptops, desktops, servers, mobile devices, cloud services, and the software running on them. Understanding what each control actually demands — not just in principle, but in practice — is essential for any organisation working towards certification or simply looking to raise its baseline security posture.
1. Firewalls
Firewalls form the first line of defence, controlling which traffic is permitted to enter and leave your network. Cyber Essentials distinguishes between two types: boundary firewalls (or internet gateways) that sit at the edge of your network, and host-based firewalls that run directly on individual devices.
Boundary firewalls and internet gateways
A boundary firewall must be in place wherever your internal network connects to the internet. Its primary function is to block inbound connections that have not been explicitly approved. The default position should be to deny all inbound traffic, with only necessary services permitted through. Administrative interfaces must never be exposed to the internet — managing a firewall remotely over an unapproved connection is one of the most common misconfigurations assessors find.
Host-based firewalls
Every in-scope device must run a software firewall. On Windows, the built-in Windows Defender Firewall is acceptable provided it is enabled and configured correctly. The same blocking principle applies — unapproved inbound connections should be denied by default at the device level, providing a second layer of protection even when a device is connected to an untrusted network.
What Cyber Essentials requires
All firewalls must be running supported software that continues to receive security updates. Default administrator credentials must be changed before deployment — using manufacturer defaults is a straightforward route to compromise. Rules must be reviewed and documented, and any rules that are no longer needed should be removed.
Home worker considerations
For employees working from home, their domestic router functions as the boundary firewall. Under Cyber Essentials, that router must meet the same requirements as an office firewall — it must block unapproved inbound connections, run firmware that is still receiving updates, and have its default admin credentials changed. Organisations should have a clear policy for home workers covering these requirements, and assessors will ask about it.
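As an added example, not code from the original article or from the scheme itself, the following PowerShell audits a Windows endpoint against the host-based firewall expectations above (every profile enabled, unapproved inbound connections blocked by default) and lists the enabled inbound allow rules so that the rule review required by the scheme has a concrete starting point. It assumes the built-in NetSecurity module and an elevated session; the function and its name are the author's own.

```powershell
# Added example: audit (and optionally remediate) the Windows Defender Firewall
# state expected by the host-based firewall control. Run from an elevated session.
function Test-HostFirewallBaseline {
    param([switch]$Remediate)

    $findings = @()
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True') {
            $findings += "Profile '$($p.Name)' is not enabled (state: $($p.Enabled))"
        }
        if ($p.DefaultInboundAction -ne 'Block') {
            $findings += "Profile '$($p.Name)' default inbound action is $($p.DefaultInboundAction), expected Block"
        }
    }

    if ($Remediate -and $findings.Count -gt 0) {
        # Enable all three profiles and deny unapproved inbound connections by default.
        Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    }

    # Rules must be reviewed and documented: enumerate every enabled inbound allow
    # rule with its port filter so each exception can be justified or removed.
    $allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name     = $_.DisplayName
                Profile  = $_.Profile
                Protocol = $port.Protocol
                Port     = $port.LocalPort
            }
        }

    [pscustomobject]@{
        Findings          = $findings
        InboundAllowRules = $allowRules
    }
}

$result = Test-HostFirewallBaseline
$result.Findings
$result.InboundAllowRules | Sort-Object Name | Format-Table -AutoSize
```

Re-run with `-Remediate` to apply the enabled/blocked baseline; the allow-rule listing is deliberately left untouched, because removing rules is a decision for the documented review, not a script.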
2. Secure Configuration
Devices and software arrive from manufacturers configured for convenience, not security. The secure configuration control requires organisations to actively harden every in-scope device and application before it is deployed — and to maintain that hardened state throughout its life.
Remove unnecessary software and services
Every piece of software and every enabled service represents a potential attack surface. Anything not required for the device’s intended purpose should be uninstalled or disabled. This includes pre-installed applications, unused network services, and legacy protocols such as SMBv1 or Telnet that are rarely needed but frequently exploited.
Change default credentials
Default usernames and passwords are publicly documented for virtually every device and application. All accounts — not just administrator accounts — must have their default credentials changed before the device goes into use. This applies equally to network hardware, servers, applications, and cloud service dashboards.
Supported operating systems and software
Only operating systems and applications that are still receiving security updates from their vendor can be in scope under Cyber Essentials. Running a Windows 10 version that has reached end of life, or continuing to use an unsupported version of a web application framework, will result in a failed assessment. The control requires organisations to have visibility of all software versions across their estate and a process for moving to supported versions before support ends.
Auto-run and screen lock
Auto-run features — which automatically execute code from removable media such as USB drives — must be disabled. Screen lock timeouts must also be configured, ensuring devices lock automatically after a period of inactivity. Cyber Essentials specifies a maximum of ten minutes of inactivity before a screen locks, with authentication required to unlock.
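As an added example, not from the original article, the following PowerShell checks the secure-configuration items that are most often missed on Windows endpoints: SMBv1 and the Telnet client feature, auto-run from removable media, and the machine inactivity limit against the ten-minute screen-lock maximum stated above. It reads the standard machine-level policy locations only (user-level screensaver policy is not checked) and assumes an elevated session; the function name is the author's own.

```powershell
# Added example: report gaps against the secure configuration control on a
# Windows endpoint. Audit only; remediation cmdlets are noted in comments.
function Test-SecureConfigBaseline {
    $findings = @()

    # Legacy protocols: SMBv1 and Telnet are rarely needed and should be off.
    # Remediate with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol is enabled'
    }
    # Remediate with: Disable-WindowsOptionalFeature -Online -FeatureName TelnetClient -NoRestart
    $telnet = Get-WindowsOptionalFeature -Online -FeatureName TelnetClient
    if ($telnet.State -eq 'Enabled') {
        $findings += 'Telnet client feature is enabled'
    }

    # Auto-run: NoDriveTypeAutoRun = 0xFF (255) disables auto-run for every drive type.
    # Assumption: only the machine policy key is checked, not per-user settings.
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($autorun -ne 0xFF) {
        $findings += "NoDriveTypeAutoRun is '$autorun', expected 255 (0xFF)"
    }

    # Screen lock: the scheme's limit is ten minutes (600 seconds) of inactivity.
    # InactivityTimeoutSecs backs the "Machine inactivity limit" security policy.
    $systemPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $timeout = (Get-ItemProperty -Path $systemPolicy -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    if (-not $timeout -or $timeout -gt 600) {
        $findings += "InactivityTimeoutSecs is '$timeout', expected a value from 1 to 600"
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-SecureConfigBaseline
```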
3. User Access Control
The principle of least privilege underpins this control. Users should have access only to the data and functionality they need for their role, and no more. Misuse of over-privileged accounts — whether by attackers who have stolen credentials or by insiders — is one of the most damaging attack patterns organisations face.
Standard and privileged accounts
Day-to-day work should be carried out using standard user accounts. Administrative or privileged accounts — which have the ability to install software, change system settings, or access all user data — must be separate accounts used only when administrative tasks actually require them. An IT administrator, for example, should have one account for email and routine work, and a separate account they switch to when performing system administration.
Account lifecycle management
When an employee leaves, their accounts must be disabled or removed promptly. Dormant accounts are a persistent risk — they are rarely monitored and their credentials may still be valid. Organisations should have a formal leaver process that includes account deprovisioning as a standard step, not an afterthought.
Two-factor authentication and password policy
The Montpellier update, which refreshed the Cyber Essentials technical requirements in 2023, strengthened requirements around multi-factor authentication. MFA is now mandatory for all internet-facing services and cloud accounts, including email, remote access solutions, and cloud management consoles. A strong password policy must also be in place — passwords should be of sufficient length, with a minimum of eight characters, and accounts should lock out after repeated failed attempts to prevent brute-force attacks.
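As an added example, not from the original article, the following PowerShell audits a Windows machine's local accounts for two of the gaps described in this section: enabled accounts with no recent logon (typical of leavers who were never deprovisioned) and the membership of the local Administrators group, every entry of which should be a dedicated administrative account rather than a day-to-day one. The 90-day dormancy threshold is an assumption (the scheme says "promptly"), and the check covers local accounts only; domain accounts would need the equivalent Active Directory cmdlets.

```powershell
# Added example: user access control audit for local accounts. The dormancy
# window is an assumed value; adjust it to the organisation's leaver policy.
function Test-LocalAccountBaseline {
    param(
        [int]$DormantDays = 90,
        [datetime]$AsOf = (Get-Date)
    )

    $cutoff = $AsOf.AddDays(-$DormantDays)

    # Enabled accounts that have never logged on, or not since the cutoff.
    $dormant = Get-LocalUser | Where-Object {
        $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff)
    } | Select-Object Name, LastLogon

    # Privileged accounts must be separate from routine-use accounts, so each
    # member listed here should be recognisable as a dedicated admin identity.
    $admins = Get-LocalGroupMember -Group Administrators |
        Select-Object Name, ObjectClass, PrincipalSource

    [pscustomobject]@{
        DormantEnabledAccounts = $dormant
        AdministratorsMembers  = $admins
    }
}

$audit = Test-LocalAccountBaseline
'Enabled accounts past the dormancy threshold:'
$audit.DormantEnabledAccounts | Format-Table -AutoSize
'Members of the local Administrators group:'
$audit.AdministratorsMembers | Format-Table -AutoSize
```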
4. Malware Protection
Malicious software — delivered via email attachments, malicious websites, or compromised downloads — remains one of the most common entry points into an organisation. Cyber Essentials requires active protection against malware across all in-scope devices.
Anti-malware software
All devices must run anti-malware software with up-to-date definitions. On Windows, Microsoft Defender Antivirus is fully acceptable and does not require a third-party product. The critical requirement is that definitions are kept current — typically through automatic updates — so that new threats are detected as they emerge.
Preventing execution from email and the web
Where anti-malware scanning is in use, it should cover email attachments and files downloaded from the internet, not just on-demand scans. Sandboxing — running suspicious files in an isolated environment before permitting them to execute — provides an additional layer of protection for higher-risk environments.
Application allow-listing as an alternative
Rather than scanning for known malicious software, application allow-listing takes the opposite approach: only explicitly approved applications are permitted to run. Any executable not on the approved list is blocked by default. This is an effective alternative to traditional anti-malware, particularly in controlled environments, and is accepted under Cyber Essentials as an equivalent control. Microsoft AppLocker and Windows Defender Application Control are the most common implementations in Windows environments.
5. Patch Management (Security Update Management)
Unpatched vulnerabilities in operating systems, applications, and firmware are the most reliable route attackers use to gain access to systems at scale. Ransomware groups and nation-state actors alike routinely exploit vulnerabilities for which patches have been available for months or years, targeting organisations that have failed to apply them.
Apply patches within 14 days
Cyber Essentials requires that high and critical severity patches — those with a CVSS score of 7.0 or above — are applied within 14 days of release. This applies to operating systems, all installed applications, and firmware on network devices. Fourteen days is the maximum; applying updates sooner wherever possible reduces the window of exposure.
Automatic updates
Where a vendor provides automatic update mechanisms, organisations should use them. Automatic updates remove the reliance on manual processes that are easy to overlook, particularly for end-user devices. The 14-day requirement is difficult to meet consistently through manual patching alone across a large device estate.
Remove unsupported software
Software that has reached end of life and can no longer receive security patches cannot remain in scope. It must be removed, replaced, or — in exceptional circumstances where removal is not immediately possible — isolated from the rest of the network and excluded from scope with appropriate compensating controls. The Montpellier update placed increased scrutiny on cloud services in this regard, requiring that cloud-hosted software and infrastructure also fall within scope and meet the same patching standards as on-premises systems.
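As an added example, not from the original article, the following PowerShell applies the 14-day rule from this section to a list of pending updates: anything rated CVSS 7.0 or above is given a deadline of release date plus 14 days, and the function reports how much of that window remains or whether it has already been breached. The inventory here is constructed for illustration with placeholder update names; in practice it would be an export from a vulnerability scanner or patch-management tool, and the column names are the author's own assumption.

```powershell
# Added example: evaluate pending updates against the 14-day window for
# high and critical (CVSS >= 7.0) patches. Pure logic, no admin rights needed.
function Get-PatchWindowBreaches {
    param(
        [Parameter(Mandatory)] $Updates,
        [datetime]$AsOf = (Get-Date),
        [double]$CvssThreshold = 7.0,
        [int]$WindowDays = 14
    )
    foreach ($u in $Updates) {
        # CSV fields arrive as strings, so compare the flag textually.
        if ($u.Installed -eq 'True') { continue }
        # Below the mandatory threshold: still worth patching, but not on this clock.
        if ([double]$u.Cvss -lt $CvssThreshold) { continue }
        $deadline = ([datetime]$u.Released).AddDays($WindowDays)
        [pscustomobject]@{
            Host     = $u.Host
            Update   = $u.Update
            Cvss     = $u.Cvss
            Deadline = $deadline.ToString('yyyy-MM-dd')
            DaysLeft = [int]($deadline - $AsOf).TotalDays
            Breached = ($AsOf -gt $deadline)
        }
    }
}

# Constructed sample inventory; the update identifiers are placeholders, not real advisories.
$inventory = @'
Host,Update,Cvss,Released,Installed
LAPTOP-01,EXAMPLE-OS-2024-A,9.8,2024-03-01,False
LAPTOP-01,EXAMPLE-APP-2024-B,5.3,2024-03-01,False
SRV-01,EXAMPLE-OS-2024-A,9.8,2024-03-01,True
SRV-02,EXAMPLE-FW-2024-C,7.4,2024-03-10,False
'@ | ConvertFrom-Csv

# Evaluated as of 2024-03-20: LAPTOP-01's OS patch is five days past its
# deadline (Breached = True); SRV-02's firmware patch has four days left.
Get-PatchWindowBreaches -Updates $inventory -AsOf (Get-Date '2024-03-20') |
    Sort-Object Breached -Descending | Format-Table -AutoSize
```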