Cyber Essentials requirements: A quick guide to the 5 controls

Cyber Essentials requirements & controls

Cyber Essentials is one of the most straightforward certification schemes available, offering simple, yet comprehensive cybersecurity standards. The Cyber Essentials requirements consist of five controls, each of which focuses on a specific aspect of cybersecurity.

Understanding the five Cyber Essentials requirements is the first step towards Cyber Essentials certification and for most organisations, a foundation on which to build their cybersecurity strategy.

What is the Cyber Essentials scheme?

Launched in 2014, the Cyber Essentials certification scheme is backed by the UK Government.

Cyber Essentials seeks to protect businesses and not-for-profit organisations against the most common forms of cyberattacks. To obtain the Cyber Essentials certification, organisations need to implement these five controls. The Cyber Essentials scheme offers two types of certifications, Cyber Essentials and Cyber Essentials Plus.

It is essential to recognise that Cyber Essentials provides a fundamental level of due diligence from which organisation can develop a comprehensive cybersecurity strategy.

You can learn more about Cyber Essentials certification

Benefits of the Cyber Essentials scheme

Fundamentally, the Cyber Essentials scheme aims to ensure that businesses and organisations implement cybersecurity practices to defend against common forms of cyberattacks. Ultimately, the main benefit is for the organisation implementing the Cyber Essentials controls.

In addition, by achieving the certification, your business shows its commitment to cyber security, providing assurance to your clients and suppliers that your business has a baseline appreciation of cybersecurity, improving confidence amongst your suppliers, partners and clients when sharing data with you.

Finally, you must have Cyber Essentials if you are tendering for UK Government projects. Several MoD projects and Local Authorities ask for suppliers to be Cyber Essentials Plus certified as a minimum.

What is covered by Cyber Essentials?

The Cyber Essentials scheme identifies five control categories or requirements.  These cover five areas within the organisation which are most vulnerable to cyber threats. These five controls are summarised as:


Secure your Internet connection with a firewall

Organisations have to ensure a correctly and securely configured firewall is positioned between the internet and their internal network.  They must further confirm that they conduct periodic security reviews, to verify and validate the configuration, settings and inbound and outbound traffic.

Ensure your devices and software are securely configured

To avoid devices and software becoming compromised by a malicious user or malware, all devices must be configured securely, and default passwords and configurations must be changed.  All passwords need to be suitably complex to prevent them from being guessed. End-user devices must have any unnecessary or unused software or applications removed.

Control access to your data and services

Account access and privileges need to be controlled, ensuring that access to your data is controlled through correctly assigned user accounts. Administration privileges and administrative rights also need to be controlled. They must only be granted to users where there is a genuine, business need for this level of access to the data.

Protect against viruses and other malware

To prevent computers, servers and end-user devices from being infected with malicious software, a robust anti-malware solution should be applied.  This can be achieved through conventional anti-virus software, running applications in “sandboxed” environments, or through application whitelisting.

Ensure your devices and software are kept up to date

To ensure that security vulnerabilities are fixed, thereby reducing the risk of devices and applications being compromised by a malicious user or malware, all security updates and patches should be applied to devices and installed software.

Requirements of Cyber Essentials: The five controls

You should by now have a useful overview of the five areas that the Cyber Essentials requirements cover.  Presented below are more details for each of the five Cyber Essentials controls:

1. Secure your Internet connection with a firewall

A firewall creates a buffer zone between an organisation’s IT network and an external network. This is commonly known as the demilitarised zone (DMZ).  In simpler terms, the firewall creates a protective layer between devices and external networks, such as the internet, to keep out unauthenticated or untrusted connections.

To comply with the first of the Cyber Essentials requirements, it is mandatory for your business to use and configure a firewall in order to protect all the devices in use. This requirement mainly targets the devices, such as desktops, laptops, routers, servers, and personal devices, which connect to the internet or untrusted Wi-Fi.

For organisations aiming to comply with this requirement, they should start to:

  • Block by default all forms of inbound connections that are untrusted or unauthenticated.
  • Devices that run on untrusted networks should use personal firewalls.
  • Disable the use of permissive firewall rules after they become obsolete.
  • Update and review the manufacturer’s password settings to ensure that they meet specific organisational requirements.
  • Create strong firewall passwords for your administrative use. A strong password set should include a combination of lower and upper case characters, numbers, as well as symbols. It is imperative to disable remote administrative access.
  • Limit user access in the administrative interface. Additionally, this interface should be protected with an IP white list and two-factor authentication in order to enhance protection.

Overall, every device that’s running on the organisation’s network should have a boundary firewall. This helps to protect and restrict traffic flow into the network, be it outbound or inbound.

2. Ensure your devices and software are securely configured

When purchasing hardware and software, many come with default configurations and passwords to allow you to start using them straight after purchase easily. However, many default settings are well documented by manufacturers and can therefore be easily identified by cybercriminals, providing them with an entry point into your systems.

That’s why the second of the Cyber Essentials requirements is to change default configurations, including passwords to recommended security settings. This is applicable to web servers, email servers, software and applications, routers, firewalls, desktops, laptops, and personal devices.

Below are some tips which will assist in complying with this requirement:

  • A consistent and secure software installation process and configuration management system. The processes should be comprehensively highlighted in a well-documented corporate policy plan.
  • The organisation should avoid using default passwords that come with devices or programs.
  • All unnecessary functionalities in the ICT systems should be removed to avoid cluttering. They should be kept patched to eliminate the chances of known vulnerabilities.
  • Only verified users should access the organisation’s account. It’s also important to assign every user the appropriate directory or file permissions.
  • All organisation devices including mobile should have personal firewalls
  • Avoid installing unnecessary software programs on the servers and network
  • The secure configuration management should be reviewed and updated frequently

Guidelines for implementing passwords are also specified in this requirement.

3. Control access to your data and services

Organisations need to ensure that administrative access rights are only given to the most relevant people. Limiting user access to only the data and services that they need for their work, as opposed to granting access to all of the companies files, will limit any issues to only those particular areas if the user account is compromised.

With the Cyber Essentials Certification Scheme, the requirement is that access to your data is controlled, through user accounts. This is based on administrative privileges that are given in different measures to those who need them. This applies to user accounts, data, and services.

The below guide should help you in getting started with this requirement:

  • The applicant should know the user account creation process and approval
  • Use unique account credentials to authenticate users before fully granting them account access.
  • Implement multi-factor authentication where necessary.
  • Disable or remove unused user accounts
  • The administrative account should be used for performing administrative work only. Using it for other activities, including those functions that belong to standard accounts, can easily expose such accounts to cyber risks.
  • Remove or disable an access privilege when it’s no longer required.

Every business device or program has vital information that can be used for cyber-attacks. If it’s not guarded, then you risk your organisation’s data being stolen or systems getting compromised. Most organisations have two types of accounts:

  • Basic/standard user accounts: they are normally used to perform the day-to-day tasks within an organisation. They are generally responsible for the supply of organisational data in large scale.
  • Administrative accounts: they are considered to be “powerful”. This is because they are reasonable for issuing access privileges to user accounts.
Cyber Essentials requirements

4. Protect against viruses and other malware

Without anti-virus or anti-malware protection, all of your devices and software are vulnerable to malware attacks. There are several different forms of malware, such as ransomware, viruses, and spyware, that can affect devices. If malware manages to infect one device, then it can spread to other connected devices too.

Consequently, the fourth Cyber Essentials requirement mandates that businesses deploy antivirus software on all devices. This applies to laptops, desktops, servers, and personal devices:

  • Installing working antivirus software on all devices with operating systems such as laptops and computers
  • Only use applications or software programs from approved platforms such as Apple App Store or Google Play.
  • Run applications and programs from unverified sources in a “Sandbox”. This means that the programs will not interact or access other parts of your network or devices.

As per this control measure, the applicant should be ready to implement and effective malware protection mechanisms for all the devices within the system and network. It’s also important to have systems that can automatically prevent unwarranted connections and automatically block access to malicious websites.

5. Ensure your devices and software are kept up to date

developers release regular updates to fix any known security vulnerabilities, and all your devices and software must be kept up to date with these updates.

These application and system updates will include new features and improved security measures to combat the latest known vulnerability. The process of applying these updates is known as patching. 

Patches or updates, when released, must be installed on the relevant systems immediately. Patching needs to be done for operating systems, software programs, and applications that your business uses and is applicable to applications, firewalls, web servers, email, routers, laptops, desktops, and personal devices.

Patches and updates are a simple process, and the patches and updates themselves are free. The process of patching can be made simpler through configuring systems to fetch and apply updates automatically.  However, implementing a patch management process will ensure systems are validated as having been patched with the latest updates.

For any patch management process:

  • The software must be the latest, supported, and licensed.
  • Any software or program that’s no longer supported should be removed
  • The organisation should do the patching within 14 days of the new update being released.
You might also like