Cyber Essentials Controls

Cyber Essentials Controls


What are the five main Cyber Essentials Controls?

Cyber Essentials defines a clear set of controls which, when properly implemented, will provide organisations with essential protection from the most prevalent forms of cyber threats coming from the Internet.

In particular, it focuses on the types of threats which require low levels of attacker skill, and which are widely available online. Those are the very threats faced by most SME businesses and other organisations.


To mitigate the threats identified above, Cyber Essentials requires implementation of the following controls for basic technical cyber protection:


1 – Boundary firewalls and internet gateways

2 – Secure configuration

3 – User access control

4 – Malware protection

5 – Patch management


Why do I need Cyber Essentials?

Put simply, the Cyber Essentials certification allows you to advertise that you meet a Government-endorsed IT Security standard. Furthermore, it demonstrates to your customers, stakeholders and supply chain that you take IT security (and the protection of information you hold on them) seriously.




Threats Requiring Mitigation

By implementing Cyber Essentials, organisations are mitigating against the following common types of cyber attack:

1. Phishing: malware infection through users clicking on malicious e-mail attachments or website links.
2. Hacking: exploitation of known vulnerabilities in Internet connected servers and devices using widely available tools and techniques.

Controls required for basic technical cyber protection

To mitigate the threats identified above, Cyber Essentials requires implementation of the following controls.



Boundary firewalls and internet gateways


Information, applications and computers within the organisation’s internal networks should be protected against unauthorised access and disclosure from the internet, using boundary firewalls, internet gateways or equivalent network devices.




Secure configuration


Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.




User access control


User accounts, particularly those with special access privileges (e.g. administrative accounts) should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.



Malware protection


Computers that are exposed to the internet should be protected against malware infection through the use of malware protection software.



Patch management


Software running on computers and network devices should be kept up-to-date and have the latest security patches installed.








Find out how you can achieve Cyber Essentials for your business or organisation here…