
The Five Technical Controls of Cyber Essentials Explained


The Cyber Essentials scheme, developed by the UK Government and overseen by the National Cyber Security Centre (NCSC), is built upon five fundamental technical controls. These controls form the backbone of the certification — whether you pursue basic Cyber Essentials or the more rigorous Cyber Essentials Plus. Understanding each control in depth is essential for any UK organisation preparing for certification, and equally valuable for those simply looking to strengthen their cybersecurity posture without formal assessment.

This article examines each of the five controls in detail, explaining what they require, why they matter, and how to implement them effectively within your organisation.

Why These Five Controls?

The NCSC selected these five controls based on extensive analysis of the UK cyber threat landscape. Research consistently shows that the vast majority of successful cyber attacks exploit basic weaknesses — unpatched software, default passwords, misconfigured firewalls, excessive user privileges, and absent malware protection. By addressing these five areas, organisations can defend against an estimated 80% of common cyber threats.

The controls are deliberately practical rather than theoretical. They focus on actions that every organisation can take, regardless of size or sector. A sole trader with a single laptop and a multinational corporation with thousands of devices both need firewalls, patches, secure configurations, proper access controls, and malware protection. The scale differs, but the principles are identical.

Key figures:
80%: proportion of common cyber attacks the five controls are estimated to prevent
14 days: maximum time to apply critical and high-risk security updates
5: technical controls forming the certification foundation

Control 1: Firewalls

Firewalls are the first line of defence in any network security architecture. They act as gatekeepers, controlling the flow of network traffic between your internal systems and the outside world — primarily the internet. The Cyber Essentials scheme requires that all devices within scope are protected by a properly configured firewall.

What the Standard Requires

The firewall control encompasses both boundary firewalls (hardware or software devices that sit between your internal network and the internet) and software firewalls (host-based firewalls running on individual devices such as laptops and desktops). Internet-facing firewall configurations must block all inbound connections by default, allowing only those that have been explicitly approved, and every inbound rule must have a documented business need and be removed as soon as that need ends. Default administrative passwords on firewalls and routers must be changed to strong, unique alternatives, and the firewall's own administrative interface must not be reachable from the internet unless there is a documented business need and it is protected by multi-factor authentication or an IP allow list. Software firewalls must be enabled on every device, and this matters most for devices that connect to networks outside your direct control, such as home broadband or public Wi-Fi.

Why It Matters

Without a properly configured firewall, your organisation's internal systems are potentially visible and accessible to anyone on the internet. Attackers routinely scan IP ranges looking for open ports and vulnerable services. A misconfigured firewall — or worse, no firewall at all — can expose remote desktop services, database servers, file shares, and other sensitive systems directly to the internet. The consequences range from data theft to ransomware deployment to complete system compromise.

Implementation Guidance

For most UK organisations, implementing the firewall control involves several practical steps. Begin by documenting your current firewall configuration — what rules exist, what ports are open, and why. Remove any rules that are no longer needed. Ensure that the default "deny all inbound" policy is in place and that only specifically approved traffic is allowed through. Change all default passwords on network equipment. Enable the built-in firewall on every Windows, macOS, or Linux device in your organisation, and verify that it cannot be disabled by standard users.

For organisations with remote or hybrid workers, personal firewalls are particularly important. When employees work from home, their laptops connect directly to domestic broadband networks that may lack enterprise-grade protection. The personal firewall on each device becomes the primary defence, and it must be configured to block unsolicited inbound connections regardless of the network the device is connected to.

Pro Tip

Document every inbound firewall rule with a clear business justification. The self-assessment questionnaire asks whether each inbound rule has a documented business need, and a Cyber Essentials Plus assessor's external vulnerability scan will surface any service reachable through a rule you cannot justify. Rules without a documented purpose are likely to be flagged as non-compliant.
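As an added worked example (not code from the original article or from the NCSC), the script below reviews an exported rule set against the points above: a deny-by-default inbound policy, a documented justification for every inbound allow rule, and no remote-administration or sensitive service reachable from any source without the protection the standard requires. The Rule format, the sample rules and the port lists are constructed assumptions for this example; map your own firewall's export onto the Rule fields.

```python
"""Firewall rule review for the Cyber Essentials firewall control.

Added example, not code from the original article or from the NCSC.
The rule records are constructed sample data in a hypothetical export
format; map your own firewall's export onto the Rule fields.
"""
from dataclasses import dataclass
from typing import List, Optional

# Remote administrative interfaces: the standard does not allow these to be
# reachable from the internet unless there is a documented business need and
# the interface is protected by MFA or an IP allow list.
ADMIN_PORTS = {22, 23, 3389, 5900, 5985, 5986}

# Services that should never be reachable from arbitrary sources
# (file sharing, databases). This port list is an assumption for the example.
SENSITIVE_PORTS = {139, 445, 1433, 3306, 5432, 27017}

ANY_SOURCE = {"any", "*", "0.0.0.0/0", "::/0"}


@dataclass
class Rule:
    name: str
    direction: str                  # "inbound" or "outbound"
    action: str                     # "allow" or "block"
    port: Optional[int]             # None means every port
    source: str                     # CIDR, single address or "any"
    justification: str = ""         # documented business reason
    mfa_or_allowlist: bool = False  # admin interface protected as the standard requires


@dataclass
class Finding:
    rule: str
    severity: str
    message: str


def review_rules(default_inbound: str, rules: List[Rule]) -> List[Finding]:
    """Return the findings a Cyber Essentials review of these rules would raise."""
    findings: List[Finding] = []
    if default_inbound.strip().lower() != "block":
        findings.append(Finding("<policy>", "high",
                                "default inbound policy is not block; deny-by-default is required"))
    for r in rules:
        if r.direction.lower() != "inbound" or r.action.lower() != "allow":
            continue  # only inbound allow rules widen the attack surface
        if not r.justification.strip():
            findings.append(Finding(r.name, "medium",
                                    "inbound allow rule has no documented business justification"))
        from_internet = r.source.strip().lower() in ANY_SOURCE
        if not from_internet:
            continue  # restricted to a named source range; acceptable
        if r.port is None:
            findings.append(Finding(r.name, "high", "allows every inbound port from any source"))
        elif r.port in ADMIN_PORTS and not r.mfa_or_allowlist:
            findings.append(Finding(r.name, "high",
                                    f"administrative port {r.port} reachable from the internet "
                                    "without MFA or an IP allow list"))
        elif r.port in SENSITIVE_PORTS:
            findings.append(Finding(r.name, "high",
                                    f"sensitive service port {r.port} exposed to any source"))
    return findings


# Constructed sample export: one public web server, one forgotten RDP rule,
# a legacy SMB rule and a properly restricted SSH rule.
SAMPLE_DEFAULT_INBOUND = "allow"
SAMPLE_RULES = [
    Rule("Allow HTTPS to web server", "inbound", "allow", 443, "any", "Public website"),
    Rule("RDP from anywhere", "inbound", "allow", 3389, "any"),
    Rule("Legacy SMB sync", "inbound", "allow", 445, "any", "Old file sync job"),
    Rule("SSH from office", "inbound", "allow", 22, "203.0.113.0/24",
         "Admin SSH from office range", mfa_or_allowlist=True),
    Rule("Allow all outbound", "outbound", "allow", None, "any"),
]


def sample_findings() -> List[Finding]:
    return review_rules(SAMPLE_DEFAULT_INBOUND, SAMPLE_RULES)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.severity.upper():6}] {f.rule}: {f.message}")
```

Run against the sample data the review raises four findings: the permissive default policy, two against the undocumented RDP rule, and one against the SMB rule. The SSH rule passes because it is limited to a named source range and protected by MFA, which is exactly the shape a justified remote-administration rule should take.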

Control 2: Secure Configuration

Secure configuration addresses the fact that computers, network devices, and software are rarely secure in their default state. Manufacturers ship products with settings designed for ease of use and broad compatibility, not security. The secure configuration control requires organisations to harden their systems by removing unnecessary features and changing insecure defaults.

What the Standard Requires

The secure configuration requirements cover several areas. Unnecessary software must be removed from all devices — if it is not needed for business purposes, it should not be installed. Default user accounts must be disabled or have their passwords changed. Guest accounts and other shared accounts must be disabled unless there is a documented business need. Auto-run and auto-play features must be disabled to prevent malware from executing automatically when removable media is connected. Screen lock policies must be in place to ensure devices lock after a period of inactivity. Only necessary network services should be running — unused services represent potential attack surfaces and should be disabled.

Why It Matters

Default configurations are one of the most commonly exploited weaknesses in cybersecurity. Attackers know the default usernames and passwords for virtually every piece of network equipment, and they know which services are enabled by default on common operating systems. By hardening your configurations, you eliminate a large category of easy wins for attackers. Removing unnecessary software also reduces your attack surface — every piece of installed software is a potential source of vulnerabilities, and software that serves no business purpose is risk without reward.

Implementation Guidance

Start with an inventory of all software installed across your devices. Remove anything that is not required for business operations. This includes trial software, games, development tools on non-developer machines, and any application that users have installed without authorisation. Review the services running on each device and disable any that are not needed.

Check all network equipment (routers, switches, access points, firewalls) for default credentials and change them to strong, unique passwords. Disable any management interfaces that are accessible from the internet unless they are specifically required and protected by strong authentication. Implement device locking across all devices: require a PIN, password or biometric to unlock, and lock after a short period of inactivity (15 minutes is a widely used ceiling). Configure devices so that auto-run and auto-play never execute content from removable media.

Control 3: Security Update Management

Security update management — often called patch management — is the process of keeping software up to date with the latest security fixes. Software vendors regularly discover and patch vulnerabilities in their products, and applying these patches promptly is one of the most effective defences against cyber attacks.

What the Standard Requires

The Cyber Essentials standard requires that all software in use must be licensed and within its supported lifecycle. Software that has reached end of life, meaning the vendor no longer provides security updates, must be removed or replaced. Updates that the vendor rates critical or high risk, or that fix vulnerabilities with a CVSS v3 base score of 7.0 or higher where the vendor gives no rating, must be applied within 14 days of release, and automatic updates must be enabled wherever the software supports them. This applies to operating systems, web browsers, email clients, office applications, plugins, firmware on in-scope devices, and any other software that handles data from the internet or untrusted sources.

Why It Matters

Unpatched software is one of the primary routes through which attackers compromise systems. When a vulnerability is publicly disclosed and a patch is released, attackers immediately begin scanning for systems that have not yet been updated. The window between patch release and widespread exploitation is shrinking — in many cases, exploit code appears within days or even hours. Organisations that do not apply patches promptly are leaving known vulnerabilities open for exploitation.

The 14-day requirement strikes a balance between urgency and practicality. It recognises that organisations need time to test and deploy patches, while ensuring that critical vulnerabilities are not left unaddressed for extended periods. For many organisations, achieving this consistently is one of the more challenging aspects of Cyber Essentials compliance.

Update types and deadline for critical and high-risk fixes:
Operating system patches: 14 days
Web browser updates: 14 days
Office application patches: 14 days
Plugin and extension updates: 14 days
Firmware updates: 14 days

Implementation Guidance

Establish a patch management process that includes regular monitoring for new security updates across all software in your environment. Enable automatic updates wherever practical — most operating systems, browsers, and productivity applications support this. For systems where automatic updates are not feasible (such as line-of-business applications or server software), establish a schedule for manual patching that ensures the 14-day window is met.

Maintain an inventory of all software in use, including version numbers and support status. This enables you to identify quickly when software is approaching or has reached end of life, and to plan replacements before support expires. Pay particular attention to third-party plugins and extensions — browser plugins, PDF readers, Java, and similar components are frequent targets for attackers and are sometimes overlooked in patch management processes.
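The 14-day rule is easy to state and hard to evidence. As an added example (not code from the original article or from the NCSC), the script below takes an update log and a software inventory, applies the scope test (vendor rating critical or high, or CVSS v3 of 7.0 or more), and reports which in-scope updates were applied on time, applied late, are overdue, or are still within their window, alongside software that is unsupported or approaching end of support. The record formats, the review date and every inventory entry are constructed; in practice the data would come from your patch tool or RMM export.

```python
"""Security update and support-lifecycle check for the 14-day rule.

Added example, not code from the article or the NCSC. The inventory
records are constructed; in practice they would come from your RMM,
patch tool or software inventory export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

SLA = timedelta(days=14)
CVSS_THRESHOLD = 7.0  # CVSS v3 base score the standard treats as high risk


@dataclass
class UpdateRecord:
    software: str
    update_id: str
    released: date
    installed: Optional[date]      # None = not yet applied
    vendor_severity: str           # severity as published by the vendor
    cvss: Optional[float] = None   # CVSS v3 base score, if published


@dataclass
class SoftwareRecord:
    name: str
    version: str
    support_ends: Optional[date]   # None = vendor has not announced an end date


def in_scope(u: UpdateRecord) -> bool:
    """The 14-day rule applies to critical/high vendor ratings or CVSS v3 >= 7.0."""
    return (u.vendor_severity.lower() in {"critical", "high"}
            or (u.cvss is not None and u.cvss >= CVSS_THRESHOLD))


def check_updates(updates: List[UpdateRecord], today: date) -> List[Tuple[str, str, int]]:
    """Return (label, status, days) for every in-scope update.

    status: ok (applied within 14 days), late (applied after the deadline),
    overdue (not applied, deadline passed), pending (not applied, still in window).
    days: margin for ok/pending, or days past the deadline for late/overdue.
    """
    results = []
    for u in updates:
        if not in_scope(u):
            continue
        deadline = u.released + SLA
        label = f"{u.software} {u.update_id}"
        if u.installed is None:
            if today > deadline:
                results.append((label, "overdue", (today - deadline).days))
            else:
                results.append((label, "pending", (deadline - today).days))
        elif u.installed > deadline:
            results.append((label, "late", (u.installed - deadline).days))
        else:
            results.append((label, "ok", (deadline - u.installed).days))
    return results


def check_support(software: List[SoftwareRecord], today: date,
                  warn_days: int = 90) -> List[Tuple[str, str]]:
    """Flag unsupported software (must go) and software nearing end of support."""
    out = []
    for s in software:
        if s.support_ends is None:
            continue
        if s.support_ends < today:
            out.append((f"{s.name} {s.version}", "unsupported"))
        elif s.support_ends - today <= timedelta(days=warn_days):
            out.append((f"{s.name} {s.version}", "support-ending"))
    return out


# Constructed sample data as of a fixed review date (all values invented).
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_UPDATES = [
    UpdateRecord("Workstation OS", "2024-05 cumulative", date(2024, 5, 14), date(2024, 5, 16), "critical"),
    UpdateRecord("Web browser", "build 125.0.1", date(2024, 5, 1), None, "moderate", cvss=8.1),
    UpdateRecord("Office suite", "May feature update", date(2024, 4, 1), None, "low", cvss=4.3),
    UpdateRecord("Router firmware", "fw 2.4.7", date(2024, 5, 25), None, "high"),
    UpdateRecord("PDF reader", "24.002", date(2024, 4, 20), date(2024, 5, 20), "critical"),
]
SAMPLE_SOFTWARE = [
    SoftwareRecord("Workstation OS", "22H2", date(2026, 3, 31)),
    SoftwareRecord("Line-of-business app", "3.1", date(2023, 12, 31)),
    SoftwareRecord("Accounting package", "2022", date(2024, 8, 15)),
    SoftwareRecord("Open-source editor", "1.9", None),
]

if __name__ == "__main__":
    for label, status, days in check_updates(SAMPLE_UPDATES, REVIEW_DATE):
        print(f"{status:8} {days:3}d  {label}")
    for label, status in check_support(SAMPLE_SOFTWARE, REVIEW_DATE):
        print(f"{status:15} {label}")
```

Note the browser update: the vendor rated it "moderate", but its CVSS score of 8.1 pulls it into scope, and it is 17 days overdue. Vendor severity labels alone are not a safe filter.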

Control 4: User Access Control

User access control governs who can access your systems and what they can do once they have access. The principle at the heart of this control is "least privilege" — every user should have the minimum level of access necessary to perform their role, and no more.

What the Standard Requires

The user access control requirements cover several aspects of account management. Every user must have their own individual account — shared accounts are not permitted. User accounts must be authenticated using strong passwords or other robust mechanisms. Administrative accounts — those with elevated privileges to install software, change system settings, or manage other accounts — must be restricted to the individuals who genuinely need them and must only be used for administrative tasks, not for routine activities such as web browsing or email.

Multi-factor authentication (MFA) is required for all accounts on cloud services and for all administrative accounts. Password-based authentication must follow one of the options the requirements document allows: at least 12 characters with no complexity requirement, at least 8 characters combined with a deny list that blocks common passwords, or at least 8 characters where MFA is enforced. Accounts must be protected against brute-force guessing, either by throttling attempts (no more than 10 guesses in five minutes) or by locking the account after no more than 10 failed attempts. User accounts must be reviewed regularly, and accounts for former employees or those who have changed roles must be promptly disabled or adjusted.

Why It Matters

Compromised user accounts are one of the most common entry points for cyber attacks. If an attacker obtains a user's credentials — through phishing, credential stuffing, or other means — the damage they can cause is directly proportional to the privileges that account holds. An account with administrative privileges gives an attacker the ability to install malware, access sensitive data, create new accounts, and move laterally through the network. An account with standard user privileges limits the attacker's options significantly.

The requirement for individual accounts ensures accountability — when an incident occurs, you can trace actions back to a specific user. Shared accounts make this impossible and are a significant security weakness. Multi-factor authentication adds a critical layer of protection by ensuring that a stolen password alone is not sufficient to gain access.

Implementation Guidance

Audit your current user accounts to identify shared accounts, accounts with unnecessary administrative privileges, and accounts belonging to former employees. Eliminate shared accounts by creating individual accounts for each user. Restrict administrative privileges to the minimum number of people who genuinely require them, and ensure those individuals use separate accounts for administrative and routine tasks.

Implement multi-factor authentication across all cloud services and for all administrative access. This is non-negotiable under the current Cyber Essentials standard. Deploy a password policy that requires at least 12 characters, or at least 8 characters backed by a deny list of common passwords (or by enforced MFA), and do not add complexity rules or routine expiry, which the standard does not require and which push users towards predictable passwords. Implement throttling or lockout after no more than 10 failed attempts. Establish a process for regular account reviews, monthly or quarterly, to ensure that access permissions remain appropriate as roles change and staff leave.
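The two mechanical parts of this control, password acceptance and brute-force protection, are easy to get subtly wrong. As an added example (not code from the original article or from the NCSC), the block below encodes the three password options and the throttling limit described above, with a sliding-window guard that rejects an eleventh attempt inside five minutes and recovers once the window has passed. The deny list is a constructed excerpt, and the injectable clock is there so the behaviour can be driven deterministically.

```python
"""User access control: password acceptance and brute-force throttling.

Added example, not code from the article or the NCSC. It encodes the three
password options the current requirements document allows and the
throttling limit it specifies; the deny list is a constructed excerpt.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

# Constructed excerpt of a common-password deny list; real deployments use
# a list of thousands of leaked passwords.
DENY_LIST = {"password", "password1", "password123", "qwerty123", "letmein",
             "welcome1", "admin123", "changeme"}


def password_acceptable(password: str, mfa_enforced: bool = False) -> Tuple[bool, str]:
    """Accept a password if it meets one of the standard's three options.

    Option A: MFA enforced and at least 8 characters.
    Option B: at least 12 characters, no complexity rules.
    Option C: at least 8 characters and not on the common-password deny list.
    The deny list is checked in every case, which is stricter than the
    standard strictly requires but costs nothing.
    """
    n = len(password)
    if password.lower() in DENY_LIST:
        return False, "password is on the common-password deny list"
    if mfa_enforced and n >= 8:
        return True, "option A: 8+ characters with MFA enforced"
    if n >= 12:
        return True, "option B: 12+ characters"
    if n >= 8:
        return True, "option C: 8+ characters, not on deny list"
    return False, f"too short ({n} characters)"


class BruteForceGuard:
    """Throttle failed logins: at most MAX_FAILURES per account per WINDOW_SECONDS.

    The standard's throttling option allows no more than 10 guesses in five
    minutes; its lockout alternative locks after no more than 10 failures.
    """
    MAX_FAILURES = 10
    WINDOW_SECONDS = 300

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock  # injectable so the behaviour can be tested without waiting
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, account: str) -> Deque[float]:
        """Drop failures older than the window and return the live queue."""
        q = self._failures[account]
        cutoff = self._clock() - self.WINDOW_SECONDS
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def attempt_allowed(self, account: str) -> bool:
        """Call before verifying the credential; False means reject without checking."""
        return len(self._prune(account)) < self.MAX_FAILURES

    def record_failure(self, account: str) -> None:
        self._prune(account).append(self._clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def simulate_credential_stuffing(account: str = "alice") -> Tuple[bool, bool, bool]:
    """Drive the guard with a fake clock: ten failures one second apart, an
    eleventh attempt, the same attempt five minutes later, then a success.
    Returns (eleventh_allowed, allowed_after_window, allowed_after_success)."""
    now = [1000.0]
    guard = BruteForceGuard(clock=lambda: now[0])
    for _ in range(BruteForceGuard.MAX_FAILURES):
        if guard.attempt_allowed(account):
            guard.record_failure(account)
        now[0] += 1.0
    eleventh = guard.attempt_allowed(account)       # expected False
    now[0] += BruteForceGuard.WINDOW_SECONDS         # five minutes pass
    after_window = guard.attempt_allowed(account)   # expected True
    guard.record_success(account)
    after_success = guard.attempt_allowed(account)  # expected True
    return eleventh, after_window, after_success


if __name__ == "__main__":
    for pw, mfa in [("password123", False), ("correct horse battery", False),
                    ("eightchr", False), ("eightchr", True), ("sh0rt", False)]:
        print(pw, mfa, password_acceptable(pw, mfa))
    print(simulate_credential_stuffing())
```

The guard keys on the account rather than the source address because credential stuffing is distributed across many addresses; per-address limits alone do not meet the control's intent.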

Key Requirement

Multi-factor authentication has been required for administrator accounts on cloud services since the January 2022 update to the Cyber Essentials standard, and for all users of cloud services since January 2023. This applies to Microsoft 365, Google Workspace, cloud hosting platforms, and any other cloud service used by your organisation. Ensure MFA is enabled before your assessment.

Control 5: Malware Protection

The final technical control addresses the threat of malware — malicious software designed to damage, disrupt, or gain unauthorised access to computer systems. This includes viruses, worms, trojans, ransomware, spyware, and other forms of malicious code.

What the Standard Requires

The malware protection control requires that at least one of the following mechanisms is in place on every device in scope: anti-malware software that is kept up to date and configured for automatic scanning, or application allow listing (earlier versions of the scheme called this whitelisting), under which only approved applications can run. Earlier versions of the requirements also accepted sandboxing as a standalone option; it was removed in the 2023 revision, so check the current requirements document before relying on it. In practice, most organisations rely on anti-malware software, though allow listing is increasingly common in more security-mature environments.

The anti-malware solution must be configured to scan files automatically upon access, scan web pages as they are accessed where the product supports this, prevent connections to known malicious websites, and update its detection capabilities automatically in line with the vendor's recommendations. Standard users must not be able to disable the protection. Under the allow-listing option, users must be prevented from running any application that has not been approved.

Why It Matters

Malware remains one of the most prevalent and damaging cyber threats facing UK organisations. Ransomware alone has caused hundreds of millions of pounds in losses across the UK, with attacks on organisations ranging from small businesses to NHS trusts and local councils. Phishing emails delivering malware, drive-by downloads from compromised websites, and infected USB drives are all common delivery mechanisms.

Effective malware protection provides multiple layers of defence. Real-time scanning catches known malware as it attempts to execute. Web filtering blocks connections to known malicious sites. Behavioural analysis detects previously unknown threats based on their actions rather than their signatures. Together, these capabilities significantly reduce the risk of a successful malware infection.

Implementation Guidance

Ensure that every device in scope has active anti-malware protection. For Windows devices, Microsoft Defender — included with Windows 10 and 11 — meets the Cyber Essentials requirements when properly configured. For macOS devices, the built-in XProtect provides a baseline, though additional third-party solutions are often recommended. For Linux devices, anti-malware software should be deployed, particularly on those that handle files from external sources.

Configure your anti-malware solution for automatic updates and real-time scanning. Verify that users cannot disable the protection — this typically requires administrative privileges to change security settings, which standard users should not have. Test your malware defences by downloading the EICAR test file (a harmless test file that triggers antivirus alerts) and verifying that your solution detects and blocks it. This is one of the specific tests that a Cyber Essentials Plus assessor will perform.
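As an added example (not code from the original article or from the NCSC), the script below automates the EICAR check described above: it writes the standard test string to a file, waits for on-access scanning, and reports whether the write was blocked, the file was removed, or the file survived (which means real-time protection is not working). The file name, the default wait and the verdict wording are assumptions; the EICAR string itself is the published industry test string and is harmless.

```python
"""EICAR test for endpoint anti-malware (Cyber Essentials malware protection).

Added example, not code from the article or the NCSC. EICAR is the
harmless industry-standard test string; every mainstream scanner should
detect it on write or on access.
"""
import os
import tempfile
import time
from typing import Dict, Optional

# The 68-character EICAR test string, published by the European Institute
# for Computer Antivirus Research. It is not malware.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    return EICAR.encode("ascii")


def run_eicar_test(directory: Optional[str] = None, wait_seconds: float = 5.0) -> Dict[str, object]:
    """Write the test file, wait for on-access scanning, and report what happened.

    Returns a dict with keys path, written, still_present and error.
    The file name and wait are assumptions for this example.
    """
    directory = directory or tempfile.gettempdir()
    path = os.path.join(directory, "eicar-ce-test.com")
    result: Dict[str, object] = {"path": path, "written": False,
                                 "still_present": False, "error": None}
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_bytes())
        result["written"] = True
    except OSError as exc:
        # Products that block on write surface as PermissionError or similar.
        result["error"] = f"{type(exc).__name__}: {exc}"
        return result
    time.sleep(wait_seconds)  # give the scanner time to quarantine the file
    result["still_present"] = os.path.exists(path)
    if result["still_present"]:
        try:
            os.remove(path)  # clean up after a failed detection
        except OSError:
            pass
    return result


def verdict(result: Dict[str, object]) -> str:
    """Turn a test result into a pass/fail line for the evidence pack."""
    if not result["written"]:
        return "PASS: write blocked by anti-malware"
    if not result["still_present"]:
        return "PASS: file removed after on-access scan"
    return "FAIL: EICAR file was not detected; check real-time protection"


if __name__ == "__main__":
    outcome = run_eicar_test()
    print(outcome["path"], verdict(outcome))
```

Run it as a standard user on each sampled device, not as an administrator, so that the result reflects what a phishing payload would experience. The Plus assessment also delivers test files by email and browser download, so repeat the check through those channels rather than relying on a local file write alone.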

Consider supplementing traditional anti-malware with DNS-based filtering services that block access to known malicious domains. These services provide an additional layer of protection at the network level, catching threats that may bypass endpoint solutions. Several reputable services are available, some at no cost for basic usage.

How the Controls Work Together

While each of the five controls addresses a specific area of risk, their true power lies in how they work together as a defence-in-depth strategy. Firewalls prevent unauthorised access to your network. Secure configuration reduces the attack surface on individual devices. Patch management closes known vulnerabilities before attackers can exploit them. User access control limits the damage if an account is compromised. Malware protection catches threats that make it through the other layers.

No single control is sufficient on its own. A perfectly configured firewall will not protect against malware delivered via a phishing email. Up-to-date patches will not prevent an attacker who has obtained valid user credentials. Anti-malware software will not stop an attacker who exploits a misconfigured service. It is the combination of all five controls that provides the robust baseline defence the Cyber Essentials scheme is designed to deliver.

This is why the scheme requires all five controls to be in place — partial implementation provides partial protection, and attackers will inevitably find the gap. Organisations that implement all five controls consistently and maintain them over time create a significantly harder target for cybercriminals, who typically move on to easier victims when confronted with well-defended systems.

Preparing for Assessment

Whether you are pursuing basic Cyber Essentials or Cyber Essentials Plus, thorough preparation against each of the five controls is essential. For the basic level, ensure that your self-assessment answers accurately reflect your actual security posture — overstating your controls will only cause problems if you later progress to Plus and face hands-on testing.

For Cyber Essentials Plus, prepare by conducting your own internal testing before the assessor arrives. Run vulnerability scans against your internet-facing systems and address any findings. Check patch levels across a sample of devices and ensure all critical updates are applied. Verify that user accounts follow least privilege principles and that MFA is enabled where required. Test your malware defences with EICAR test files. Document your firewall rules and configuration policies.

Organisations that prepare thoroughly typically pass the Plus assessment first time, saving both time and money. Those that do not prepare often face a stressful remediation period, scrambling to fix issues that could have been addressed in advance. The five controls are not complicated — but they do require consistent attention and ongoing management.

Master All Five Controls with Expert Support

Cloudswitched guides UK organisations through every aspect of Cyber Essentials compliance. From initial gap analysis across all five technical controls to hands-on remediation support and assessment preparation, we ensure you achieve certification with confidence. Contact us to begin your assessment preparation.

CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small and medium-sized companies.