Skip to content
360 Cyber Compliance

Cyber Essentials · 1 July 2026

The five Cyber Essentials controls explained

Cyber Essentials is a UK government-backed scheme, delivered by IASME for the National Cyber Security Centre (NCSC). At its heart sit five technical controls that, when implemented well, stop the vast majority of common internet-based attacks. This guide explains each one in plain English so you know exactly what the Cyber Essentials self-assessment is asking of you.

How the five controls fit together

Certification is a self-assessment questionnaire, verified by IASME, and a pass is valid for 12 months. The five controls are not a menu to pick from — you need all five in place across everything in your defined scope, from laptops and servers to the cloud services you use. Get them right and you close the doors attackers rely on most.

#ControlWhat it protects against
1FirewallsUnwanted inbound connections from the internet
2Secure configurationWeak default settings and unnecessary features
3User access controlMisuse of accounts and excessive privileges
4Malware protectionViruses, ransomware and malicious software
5Security update managementKnown, unpatched vulnerabilities

1. Firewalls

Firewalls sit between your devices and the internet, deciding what traffic is allowed through. The aim is to ensure only necessary connections reach your systems.

In practice this means:

  • Every device that connects to the internet is protected by a correctly configured firewall — either a dedicated boundary firewall or the software firewall built into the operating system.
  • The default administrative password on any firewall or internet router has been changed to a strong, unique one.
  • Inbound services are blocked unless there is a documented business need, and any rule that opens a port is reviewed and removed when no longer required.

For home and remote workers, the software firewall on each device carries much of this responsibility, which is why the next control matters just as much.

2. Secure configuration

Devices and software often arrive with settings chosen for convenience, not security — default passwords, sample accounts and features you will never use. Secure configuration is about tightening those settings before a device goes into service.

Key expectations include removing or disabling unnecessary user accounts and software, changing any default or guessable passwords, and disabling features such as auto-run that can launch malicious files without a click. You should also apply sensible screen-lock and password policies. Our dedicated guide on secure configuration covers this in more depth.

3. User access control

The principle here is simple: people should have access only to what they need to do their job, and no more. Over-privileged accounts are one of the most common ways an attacker turns a single compromised login into a full breach.

To meet this control you should:

  • Give each user their own account and avoid shared logins.
  • Grant administrator rights only to those who genuinely need them, and use those accounts solely for administrative tasks — not for everyday email and browsing.
  • Remove or disable accounts promptly when someone leaves or changes role.
  • Protect accounts on cloud services with multi-factor authentication (MFA), which Cyber Essentials now requires. See our MFA requirements guide for the detail.

4. Malware protection

Malware protection stops malicious software from running on your devices. Cyber Essentials accepts more than one approach, and you can combine them.

The common options are:

  • Anti-malware software — kept up to date and set to scan files automatically, such as the protection built into modern Windows and macOS.
  • Application allow-listing — only approved applications are permitted to run, blocking everything else by default.

Whichever route you take, it must be applied consistently across every in-scope device, including mobile phones and tablets used for work.

5. Security update management

Software vendors regularly release updates that fix security flaws. Attackers actively scan for systems that have not applied them, so keeping software patched is one of the highest-value things you can do.

This control expects that:

  • All operating systems and applications are supported by the vendor and still receive security updates.
  • Security updates are applied promptly — critical or high-risk fixes within 14 days of release is the accepted benchmark.
  • Software that is no longer supported is removed from scope or replaced.

Our patch management guide walks through how to keep on top of this without it becoming a burden.

Turning the controls into a pass

The controls are deliberately practical, but the self-assessment asks precise questions and expects your answers to reflect reality across your whole scope. Many organisations trip up not because the controls are hard, but because a single setting, account or unsupported device slips through — as our guide on the common reasons Cyber Essentials applications fail explains.

If you want independent assurance that the controls are genuinely working, Cyber Essentials Plus adds a technical audit — vulnerability scans and device sampling — usually taken within three months of your base certification. For organisations building a broader security programme, these controls also form a solid foundation for IASME Cyber Assurance or ISO 27001. You can find definitions for any unfamiliar terms in our glossary.

How we can help

We support organisations through Cyber Essentials with a clear, transparent delivery process. We help you define a sensible scope, work through each of the five controls in plain English, and prepare your self-assessment so it accurately reflects what you have in place. If you would like practical support from start to submission, see our Cyber Essentials service or get in touch.

Need help in practice? See our Cyber Essentials service.

Need a hand with this?

Book a free, no-obligation readiness check.