Cyber Essentials requirements: the five controls explained
The Cyber Essentials requirements are five technical controls every certified organisation must meet: firewalls, secure configuration, user access control, malware protection, and security update management. Together they cover the basics that block most common internet-based attacks. Cyber Essentials is a UK government-backed scheme, delivered by IASME.
Cyber Essentials is a UK government-backed certification scheme, delivered by IASME, that sets out five technical controls every organisation should have in place to defend against the most common internet-based attacks. Meeting all five is what the scheme requires. As a Cyber Essentials certification body, we assess businesses against these controls every week, so here is what each one actually asks of you, stated plainly.
1. Firewalls
Protect the boundary of your network with properly configured firewalls. Every device that connects to the internet needs to sit behind a firewall, whether that is a dedicated boundary firewall on your network or the software firewall built into a laptop used away from the office. The requirement is that the firewall is switched on, its default administrative password has been changed, and it only allows the network services you actually need. Anything that is not required is blocked.
2. Secure configuration
Remove or disable unnecessary functionality, and change default passwords, so devices and software are not left in a weak default state. Computers, servers, phones and network devices ship with settings chosen for convenience rather than security. The requirement is to tighten them: delete or disable accounts and software you do not use, change or remove any default passwords, and turn off features you do not need. A device set up this way gives an attacker far less to work with.
3. User access control
Give people unique accounts with the least privilege they need to do their job, keep administrative rights tightly controlled, and enforce multi-factor authentication. Everyday work should happen in a standard user account, not an administrator one, and admin access should be granted only where it is needed and used only for admin tasks. Accounts should belong to real, named individuals, and multi-factor authentication adds a second check so a stolen password alone is not enough to get in.
4. Malware protection
Protect every in-scope device against malicious software. The requirement can be met in more than one way: run anti-malware software that is kept up to date, or restrict what can run on a device to an allow-list of approved applications. Either approach stops known malware and untrusted software from executing. The point is that no device in scope is left with nothing standing between it and a malicious file or link.
5. Security update management
Use software that is still supported by its vendor, and apply security updates promptly. Unsupported software stops receiving fixes and cannot be made safe, so it has to be updated, replaced or removed from the devices in scope. For software that is supported, security updates must be applied quickly: high-risk or critical updates are expected within 14 days of release, across operating systems, firmware and applications.
Those five controls are the whole of the standard, and none of them is exotic. Most businesses already do some of it and simply need to close the gaps. If you would rather have hands-on help meeting the controls, that is the sort of work our NCSC Assured Service Provider team does, and for a sense of the outlay, see our guide to what Cyber Essentials costs.
What changed in April 2026
From 26 April 2026, two of the five controls became stricter and now cause an automatic fail. Multi-factor authentication is required on all cloud services where it is available, and high-risk or critical security updates must be installed within 14 days. If either is not already in place, it is the first thing to sort out, because you cannot certify without it.
Cyber Essentials vs Cyber Essentials Plus
Both certifications cover exactly the same five controls. The difference is how they are checked. Basic Cyber Essentials is a self-assessment that an appointed certification body reviews and verifies. Cyber Essentials Plus adds a hands-on technical audit, where an assessor tests a sample of your devices and accounts to confirm the controls genuinely work. If you are heading for the audited version, our guide to preparing for Cyber Essentials Plus walks through what the assessor checks and the common blockers.
Common questions
What are the five Cyber Essentials controls?
The five controls are firewalls, secure configuration, user access control, malware protection, and security update management. Together they set a baseline of technical measures that block the majority of common internet-based attacks, and an organisation must meet all five to be certified.
Do I need MFA for Cyber Essentials?
Yes. Multi-factor authentication falls under user access control, and since 26 April 2026 it is required on all cloud services where it is available. Missing it is an automatic fail, so it should be enforced across accounts, including administrative ones, before you certify.
How often must I patch for Cyber Essentials?
Security update management requires that high-risk or critical security updates are applied within 14 days of release, across operating systems, firmware and applications. You must also use software that is still supported by its vendor, because unsupported software no longer receives fixes and cannot be made safe.
Is Cyber Essentials self-assessed?
Basic Cyber Essentials is a self-assessment that an appointed certification body reviews and verifies before certifying you. Cyber Essentials Plus covers the same five controls but adds an independent hands-on technical audit, so it is verified rather than self-declared.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Both cover the same five controls. Cyber Essentials is a verified self-assessment, while Cyber Essentials Plus adds a hands-on technical audit in which an assessor tests a sample of your devices and accounts to confirm the controls are genuinely in place. Plus carries more weight because it is independently checked.
Not sure you meet the five controls?
Tell us about your setup and we will tell you honestly where you stand against each requirement, and what it takes to close the gaps. We are an appointed Cyber Essentials certification body. We reply within one working day, and you will speak to an engineer, not a salesperson.