Cyber Essentials · 1 July 2026
Cyber Essentials secure configuration explained
Secure configuration is the second of the five Cyber Essentials controls, and it is about one simple idea: devices and software should be set up securely before they go into use, rather than left on the settings they arrived with. This guide explains what the control asks for and how to meet it. For the wider picture, see our overview of the five controls.
Why default settings are a problem
Manufacturers ship devices and software to be easy to set up, not necessarily secure. That often means default passwords, sample accounts, pre-installed software you will never use, and features enabled that create unnecessary risk. Attackers know these defaults, and lists of factory passwords are freely available online. Secure configuration is about removing that low-hanging fruit.
What the control expects
To meet secure configuration, you should be able to show that in-scope devices are set up to reduce their attack surface. The main expectations are:
- Remove or disable unnecessary accounts. Delete sample, guest and unused accounts, and rename or disable default ones where you cannot remove them.
- Change default passwords. Every default or vendor-set password — on devices, routers, firewalls and software — must be changed to a strong, unique one.
- Remove unnecessary software. Uninstall applications and services that are not needed, as each one is a potential way in.
- Disable risky features. Turn off features such as auto-run, which can launch software automatically from a USB stick or downloaded file.
- Apply sensible lock and password policies. Devices should lock after a period of inactivity, and require authentication to unlock.
Passwords and authentication
Secure configuration and user access control overlap on passwords. The scheme expects protection against brute-force guessing — for example, locking or throttling accounts after a number of failed attempts, or using long passwords with a deny-list of common choices. On cloud services this works hand in hand with multi-factor authentication, which our MFA requirements guide covers in detail.
Building a secure baseline
The most reliable way to meet this control is to define a standard secure build for each type of device, then apply it consistently. A simple baseline might cover:
| Area | What to set |
|---|---|
| Accounts | Remove sample and guest accounts; unique login per user |
| Passwords | Change all defaults; enforce strong credentials |
| Software | Remove anything not required for business use |
| Features | Disable auto-run and unused services |
| Screen lock | Auto-lock after inactivity; authentication to resume |
| Firewall | Host firewall enabled (see the firewalls control) |
Documenting the baseline means new devices can be set up the same way every time, and it gives you evidence for your self-assessment. It also makes onboarding faster: whoever prepares a new laptop or tablet has a checklist to follow rather than relying on memory, so nothing important is skipped when the team is busy.
Common configuration mistakes
Secure configuration is a frequent source of non-compliance. Typical issues include:
- Auto-run left enabled on Windows devices.
- Routers and firewalls still using their factory administrator password.
- Old sample or test accounts never removed.
- Unnecessary applications bundled with a device and left in place.
Our guide to the common reasons Cyber Essentials applications fail covers these and other pitfalls across all five controls.
Secure configuration for cloud and mobile
The control is not limited to laptops and servers. Mobile phones and tablets used for work need a passcode or biometric lock, auto-lock after inactivity, and unnecessary features restricted. Cloud services should be configured securely too — using the provider’s recommended security settings, disabling legacy sign-in methods that bypass modern protections, and turning on the built-in security features many services now offer by default. Where a service supports it, this is also where multi-factor authentication belongs, tying secure configuration to the user access control theme.
Getting evidence ready
Because Cyber Essentials is a self-assessment verified by IASME, it helps to have simple evidence that your configuration is genuinely secure. A short written baseline for each device type, a note of which default passwords have been changed, and a record of the standard software image all make your answers easier to stand behind. This is far quicker to produce as you go than to reconstruct later, and it pays off again at renewal.
Keeping configuration secure over time
A secure build is only useful if it stays secure. New software gets installed, settings drift, and devices get reused. Pair your baseline with good patch management so that supported, updated software runs on top of a hardened configuration. Certification is valid for 12 months, so a light periodic check keeps you ready for renewal.
If you go on to Cyber Essentials Plus, the independent technical audit — including device sampling — will look at how devices are actually configured, so a consistent, documented baseline pays off. For organisations working towards a broader framework, the same discipline supports IASME Cyber Assurance and ISO 27001. Unfamiliar terms are explained in our glossary.
How we can help
We support organisations through Cyber Essentials with a clear, transparent delivery process, including practical help defining a secure device baseline and checking that default settings and accounts have been dealt with. If you would like support meeting the secure configuration control, see our Cyber Essentials service or get in touch.
Need help in practice? See our Cyber Essentials service.