
What are the five Cyber Essentials controls?

The five Cyber Essentials controls are: boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and security update management. Together they form the NCSC's baseline of technical cybersecurity expectations for UK organisations.

Author: Jay Hopkins

Editor: Jack Wickham

Read time: 5 minutes


The five Cyber Essentials controls are: (1) boundary firewalls and internet gateways, (2) secure configuration, (3) user access control, (4) malware protection, and (5) security update management. Together they form the NCSC's baseline of technical cybersecurity expectations for UK organisations, assessed by IASME-licensed certification bodies under the Cyber Essentials scheme.

1. Boundary firewalls and internet gateways

Every internet-facing boundary must be controlled by a firewall or equivalent network device with:

  • Default admin credentials changed from factory defaults
  • Only necessary ports and services exposed
  • Firmware current and supported
  • Home-office routers for remote workers in scope under v3.3

See the full pillar guide: Cyber Essentials firewall requirements: what assessors actually check.

2. Secure configuration

Devices, servers, and cloud services must be hardened against known weaknesses:

  • Default user accounts disabled or renamed
  • Unused services removed
  • Auto-run disabled
  • Screen locks enforced
  • Secure baseline configuration applied

See the pillar guide: Secure Configuration for Cyber Essentials: the controls assessors expect to see.

3. User access control

Every user has an individual named account; admin rights are separated from day-to-day accounts; authentication is strong:

  • Individual accounts for every real user
  • No shared interactive credentials
  • Admin / user account separation for anyone with admin rights
  • MFA enforced for every user on every cloud service in scope
  • Phishing-resistant MFA (FIDO2, authenticator app, Windows Hello for Business) for admin accounts under v3.3
  • Documented joiner / mover / leaver process

See the pillar guide: User Access Control for Cyber Essentials v3.3.

4. Malware protection

Every in-scope endpoint must have malware protection that is current and functioning:

  • Reputable endpoint protection installed
  • Real-time scanning enabled
  • Definitions updated regularly
  • Application allow-listing or sandboxing for higher-risk environments
  • Safe-browsing protection enabled on browsers

See the pillar guide: Malware Protection for Cyber Essentials: what qualifies and what does not.

5. Security update management

Software, firmware, and operating systems must be maintained within the defined patching windows:

  • Vendor-supported OS versions only (Windows 11, current macOS, current iOS, supported Android)
  • 14-day deployment window for high and critical severity vulnerabilities
  • Managed patch mechanism (Intune, Jamf, MDM, or equivalent)
  • Supported-version check applied to browsers, applications, and firmware

See the pillar guide: Security Update Management for Cyber Essentials v3.3.
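The bullet points above are what an assessor asks about; the PowerShell below is an added example, not code from the Fig Group guide or the IASME questionnaire, that reads a Windows endpoint's current settings against a few of the points under controls 1, 2 and 5 (firewall profiles, autorun, built-in accounts, screen lock, update age, OS release). The cmdlets and registry paths are standard Windows ones; the pass thresholds (an autorun value of 255, a 10-minute lock timeout, 14 days since the last installed update, Windows 11 as the expected desktop OS) are this script's assumptions chosen to match the guide's wording, not values IASME prescribes.

```powershell
# Added example, not part of the Fig Group guide or the IASME question set.
# Read-only self-check of a Windows endpoint against points from controls 1, 2 and 5.
# Thresholds below are assumptions aligned with the guide's text, not IASME rules.

$results = New-Object System.Collections.Generic.List[object]

function Add-Result {
    param([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Control = $Control; Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Control 1: every Windows Firewall profile enabled and not allowing inbound by default.
foreach ($profile in Get-NetFirewallProfile) {
    $enabled = "$($profile.Enabled)" -eq 'True'
    $blocks  = "$($profile.DefaultInboundAction)" -ne 'Allow'
    Add-Result 'Firewall' "Profile $($profile.Name) enabled, inbound blocked" ($enabled -and $blocks) `
        "Enabled=$($profile.Enabled) DefaultInboundAction=$($profile.DefaultInboundAction)"
}

# Control 2: autorun disabled for all drive types (policy value 0xFF = 255 is the assumed target).
$autorun = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
Add-Result 'Secure configuration' 'Autorun disabled on all drives' `
    ($null -ne $autorun -and $autorun.NoDriveTypeAutoRun -eq 255) `
    "NoDriveTypeAutoRun=$($autorun.NoDriveTypeAutoRun)"

# Control 2: built-in Administrator (RID 500) and Guest (RID 501) disabled or renamed.
foreach ($account in (Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' })) {
    $renamed = $account.Name -notin @('Administrator', 'Guest')
    Add-Result 'Secure configuration' "Built-in account $($account.Name) disabled or renamed" `
        ((-not $account.Enabled) -or $renamed) "Enabled=$($account.Enabled)"
}

# Control 2: screen lock active, password on resume, timeout no more than 600 s (assumed limit).
# Group Policy writes the Policies path; a user-set lock lives under Control Panel\Desktop.
$lockPaths = @('HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
               'HKCU:\Control Panel\Desktop')
$lock = $lockPaths | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.ScreenSaveActive } | Select-Object -First 1
$timeout = [int]($lock.ScreenSaveTimeOut)
$lockOk = $lock -and $lock.ScreenSaveActive -eq '1' -and $lock.ScreenSaverIsSecure -eq '1' -and
          $timeout -gt 0 -and $timeout -le 600
Add-Result 'Secure configuration' 'Screen lock enforced (<= 10 min, password on resume)' ([bool]$lockOk) `
    "Active=$($lock.ScreenSaveActive) Secure=$($lock.ScreenSaverIsSecure) Timeout=$($lock.ScreenSaveTimeOut)"

# Control 5: age of the most recent installed update as a proxy for the 14-day window.
# Get-HotFix lists only Windows updates, and "days since last install" is not the same as
# "days since the vendor released a high/critical fix", so a fail here is a prompt to check dates.
$lastUpdate = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1 -ExpandProperty InstalledOn
$ageDays = if ($lastUpdate) { (New-TimeSpan -Start $lastUpdate -End (Get-Date)).Days } else { $null }
Add-Result 'Security updates' 'Most recent update installed within 14 days' `
    ($null -ne $ageDays -and $ageDays -le 14) "LastInstalled=$lastUpdate AgeDays=$ageDays"

# Control 5: desktop OS is the release the guide names as supported (Windows 11; assumption for servers).
$os = Get-CimInstance Win32_OperatingSystem
Add-Result 'Security updates' 'Supported desktop OS release' ($os.Caption -like '*Windows 11*') `
    "Caption=$($os.Caption) Build=$($os.BuildNumber)"

$results | Format-Table Control, Check, Pass, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) need attention"
```

Run it in an elevated session so the firewall and local-account queries succeed; it changes nothing on the device, and a "fail" row is a pointer to a setting to review before the questionnaire, not an assessor's verdict.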

Why these five?

They are the controls the NCSC identified as preventing roughly 80% of the most common internet-based attacks on UK organisations - phishing-delivered malware, credential stuffing, exploitation of unpatched vulnerabilities, and abuse of default configurations.

They are deliberately narrow. They are not a complete security programme. But they are the baseline the UK government considers essential.

How many questions cover the five controls?

The current IASME questionnaire contains around 75 technical questions across the five controls, plus organisational and scoping questions. A prepared organisation can complete it in 60–90 minutes.

Bottom line

The five Cyber Essentials controls - firewalls, secure configuration, user access, malware protection, and patching - are the UK's baseline cybersecurity standard. Certify in 6 working hours with Fig Group from £299.99 + VAT.


About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
