April 28, 2026·Updated April 28, 2026|8 min read|Antoine Duno

Cyber Essentials Certification Guide: The 5 Controls and How to Pass

Cyber Essentials is the UK government-backed certification that demonstrates your organization has the basic technical controls in place to defend against common cyber attacks. Here is what it requires and how to get certified.

ZeriFlow Team


Cyber Essentials certification is the UK government's baseline cybersecurity certification scheme, designed to demonstrate that an organization has implemented the fundamental technical controls that prevent the vast majority of common cyber attacks. First launched in 2014 and updated to the Montpellier version in 2023, Cyber Essentials is mandatory for UK government suppliers and increasingly required for organizations in the UK supply chain, healthcare, and financial services sectors.

This guide explains the five technical controls, the two certification tiers, what the assessment involves, and how organizations can prepare.


What Cyber Essentials Covers (and What It Does Not)

Cyber Essentials is deliberately scoped to the technical controls that prevent common, internet-based attacks — not sophisticated nation-state threats. The NCSC estimates that Cyber Essentials-certified organizations are protected against approximately 80% of the most common cyber threats.

Cyber Essentials covers:

  • Boundary firewalls and internet gateways
  • Secure configuration of devices and software
  • User access control
  • Malware protection
  • Security update management (patching)

Cyber Essentials does not cover:

  • Physical security
  • Incident response planning
  • Security culture and training
  • Advanced persistent threats
  • Insider threats
  • Disaster recovery

For organizations that need broader security assurance, Cyber Essentials Plus (described below) adds a technical assessment, and ISO 27001 provides a comprehensive ISMS framework. Many UK organizations hold Cyber Essentials Plus as a baseline and pursue ISO 27001 for enterprise contracts.


The Five Cyber Essentials Controls

1. Firewalls (Boundary Firewalls and Internet Gateways)

Every device connected to the internet must be protected by a firewall. For organizations, this means:

  • A network-level firewall at the perimeter, blocking all inbound connections that are not explicitly required
  • Host-based firewalls on all devices that connect to the internet directly (laptops, desktops, servers)
  • Administrative interfaces (router management pages, firewall consoles) not accessible from the internet
  • Default firmware passwords changed on all network devices
  • Rules documented and reviewed: every open inbound port must have a business justification

The 2023 update clarified requirements for home workers: devices used for work from home networks must have host-based firewalls configured, because the home router is outside the organization's control.

2. Secure Configuration

Devices and software must be configured securely before deployment and maintained in a secure state. This means:

  • Remove or disable unnecessary software, accounts, and services
  • Change all default passwords on all devices and services
  • Disable auto-run and auto-play features
  • Use the latest version of applications and operating systems with vendor support
  • Remove software that is no longer supported (end-of-life software)

For web-facing infrastructure: web servers, application servers, and database servers must have unnecessary services disabled, default administrative credentials changed, and configuration hardened against common attack vectors.

3. User Access Control

User accounts must be limited to what is required for their role:

  • Standard user accounts for day-to-day work; administrative accounts used only when necessary
  • Only the minimum number of administrative accounts needed
  • Administrative accounts not used for email, web browsing, or other general activities
  • Two-factor authentication (2FA) required for accounts that can access cloud services, administrative interfaces exposed to the internet, or any system with access to sensitive data

The 2023 Montpellier update strengthened the 2FA requirement significantly: it now applies to all administrative accounts and accounts accessing cloud services, not just internet-facing services.

4. Malware Protection

Organizations must protect against malware (malicious software) using one or more of:

  • Anti-malware software that scans files and blocks known malware
  • Application allowlisting (only permitted applications can run — no unknown executables)
  • Sandboxing (potentially malicious files run in an isolated environment before access is granted)

For web-facing systems: content served or processed by your web application must be scanned. File upload functionality must include malware scanning.

5. Patch Management (Security Update Management)

Software and operating systems must be kept up to date:

  • Security updates for operating systems, applications, and firmware must be applied within 14 days of release (for critical patches, as fast as possible)
  • Software that cannot be patched (because the vendor no longer provides updates) must be removed
  • Auto-update must be enabled where available
  • Unsupported operating systems and software are not acceptable under Cyber Essentials

The 14-day patching requirement is one of the most commonly failed controls in Cyber Essentials assessments, particularly for organizations with complex change management processes that slow down patch deployment.


Cyber Essentials vs. Cyber Essentials Plus

There are two certification tiers:

Cyber Essentials — A self-assessment questionnaire verified by an accredited certification body. You answer questions about your technical controls; a certifier reviews your answers. No technical testing is performed. Cost: approximately £300-£600 for most organizations. Certification is typically issued within a few days.

Cyber Essentials Plus — Includes the self-assessment questionnaire plus hands-on technical testing by an assessor. The assessor will:

  • Conduct a vulnerability scan of external-facing systems
  • Run internal vulnerability scans
  • Test patch status of a sample of devices
  • Test that firewalls are configured correctly
  • Test multi-factor authentication implementation
  • Verify malware protection is operating

Cyber Essentials Plus is more rigorous and more credible. Government contracts above certain values require Plus. Cost: approximately £2,000-£5,000+ depending on organization size.


Web Security and Cyber Essentials: The Overlap

Cyber Essentials focuses on endpoint and network security, but web-facing infrastructure is in scope. The most relevant requirements for websites and web applications:

Firewall configuration — Your web server must be behind a properly configured firewall. Inbound rules should allow only the ports required (80/443 for HTTP/HTTPS) and block administrative interfaces from external access.

Secure configuration — Your web server and application stack must have unnecessary features disabled, default credentials changed, and configurations hardened. TLS configuration is included: deprecated protocols (TLS 1.0/1.1) should be disabled.

Patch management — Your web server software (Nginx, Apache, IIS), application framework, CMS (WordPress, Drupal), and all plugins must be patched within 14 days of security updates. End-of-life CMS versions will fail a Cyber Essentials assessment.

Account control — Administrative access to web applications (CMS admin panels, server control panels) must require MFA. Default admin account names should be changed.

During a Cyber Essentials Plus assessment, assessors will typically run an external vulnerability scan against your web-facing systems. Missing patches, exposed administrative interfaces, and weak TLS configurations will show up as findings.

ZeriFlow checks the web-facing technical controls that overlap with Cyber Essentials requirements — TLS configuration, exposed administrative paths, patch-related headers, and security configuration — giving you a pre-assessment view of findings that an assessor's scanner would surface.


Common Cyber Essentials Failures

The NCSC publishes annual statistics on Cyber Essentials assessment outcomes. The most common failure reasons:

Unsupported software — Organizations running Windows versions, CMS versions, or applications with no vendor security support. WordPress sites running outdated plugins are a frequent failure point.

Missing MFA — Particularly on cloud services (Microsoft 365, Google Workspace, AWS). Many organizations add MFA to their primary identity provider but miss auxiliary accounts.

Overly permissive firewalls — Inbound rules allowing broad port ranges or administrative interfaces (RDP port 3389, SSH port 22) accessible from the internet.

Patch timing — Organizations with change control processes that require lengthy approval cycles before patches are applied. Critical security patches must be applied within 14 days regardless of change management overhead.

Default credentials — Network devices (routers, switches, NAS devices) still running default admin/admin or admin/password credentials.
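As an added example (not part of the original article and not ZeriFlow's scanner), this Python pre-assessment check applies the thresholds from the web-security overlap section and the common-failures list above to a constructed host inventory: administrative ports reachable from the internet, TLS 1.0/1.1 enabled, security updates older than the 14-day window, missing MFA, and unsupported software. The inventory record layout and the two sample hosts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds taken from the article's description of the controls.
PATCH_WINDOW_DAYS = 14
DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}       # TLS 1.0 / 1.1 must be disabled
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}      # admin interfaces: never internet-facing
WEB_PORTS = {80, 443}                       # the only inbound ports a web host needs
INTERNET = "0.0.0.0/0"

@dataclass
class Host:  # assumed inventory record; a real one comes from your asset register
    name: str
    inbound: list          # [(port, source_cidr)] firewall rules that reach this host
    tls_protocols: set     # protocol names the TLS endpoint will negotiate
    pending_updates: list  # [(package, vendor_release_date)] not yet applied
    admin_mfa: bool        # MFA enforced on the CMS admin panel / control panel
    vendor_supported: bool # OS, CMS and plugins still receive security updates

def assess(host: Host, today: date) -> list:
    """Return the findings an assessor's external scan would be expected to surface."""
    findings = []
    for port, src in host.inbound:
        if src == INTERNET and port in ADMIN_PORTS:
            findings.append(f"{ADMIN_PORTS[port]} (port {port}) reachable from the internet")
        elif src == INTERNET and port not in WEB_PORTS:
            findings.append(f"port {port} open to the internet without a web-service justification")
    for proto in sorted(host.tls_protocols & DEPRECATED_TLS):
        findings.append(f"deprecated protocol {proto} enabled")
    for pkg, released in host.pending_updates:
        overdue = (today - released).days - PATCH_WINDOW_DAYS
        if overdue > 0:
            findings.append(f"{pkg} update is {overdue} day(s) past the {PATCH_WINDOW_DAYS}-day window")
    if not host.admin_mfa:
        findings.append("administrative access without MFA")
    if not host.vendor_supported:
        findings.append("software with no vendor security support")
    return findings

# Constructed sample inventory (fictional hosts, not real data).
SAMPLE = [
    Host("web-01", [(443, INTERNET), (80, INTERNET), (22, "10.0.0.0/8")],
         {"TLSv1.2", "TLSv1.3"}, [("nginx", date(2026, 4, 20))], True, True),
    Host("cms-02", [(443, INTERNET), (3389, INTERNET)],
         {"TLSv1.1", "TLSv1.2"}, [("wordpress", date(2026, 3, 1))], False, False),
]

def run_sample(today: date = date(2026, 4, 28)) -> dict:
    return {h.name: assess(h, today) for h in SAMPLE}
```

Each finding maps to one of the failure reasons listed above, so an empty list for a host means none of those checks fired, not that the host would pass every assessor test.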


The Certification Process Step by Step

  1. Choose a Certification Body — IASME Consortium manages the Cyber Essentials scheme on behalf of NCSC. Accredited certification bodies are listed on the IASME website. Choose one appropriate for your organization size and sector.
  2. Complete the Self-Assessment Questionnaire (SAQ) — The questionnaire covers your organization's scope (which systems are in scope), and then each of the five controls. Answers must be accurate — false statements constitute fraud.
  3. Submit to Certification Body — The certification body reviews your answers and may ask clarifying questions. For Cyber Essentials (not Plus), this review is typically documentation-only.
  4. Remediation (if required) — If the certification body identifies gaps in your answers, you must remediate and resubmit.
  5. Certificate Issued — Certificates are valid for one year. Annual recertification is required to maintain certification.

For Cyber Essentials Plus, add the technical assessment phase between submission and certificate issuance.


FAQ

Q: Is Cyber Essentials mandatory for UK government suppliers?

A: Yes, for contracts involving handling of certain types of personal data or providing technical products and services to central government. The Cabinet Office mandates Cyber Essentials (and in some cases Cyber Essentials Plus) as a condition of tendering for these contracts. Check individual procurement notices for requirements on specific contracts.

Q: Can a small business (under 10 employees) get Cyber Essentials certified?

A: Yes — Cyber Essentials is specifically designed to be accessible to small businesses. For micro-organizations, the scheme offers simplified guidance. The cost is modest (£300-£600 for self-assessment certification), and many certification bodies provide support for first-time applicants.

Q: Does Cyber Essentials Plus include a penetration test?

A: No — Cyber Essentials Plus includes vulnerability scanning and configuration testing, but not a full penetration test. The technical assessment verifies that the five controls are in place, not that the application is free of all vulnerabilities. Organizations that need penetration testing as compliance evidence (for PCI DSS, ISO 27001, or SOC 2) must commission a separate pentest engagement.

Q: Does achieving Cyber Essentials help with GDPR compliance?

A: Indirectly. GDPR Article 32 requires organizations to implement "appropriate technical and organisational measures" to secure personal data. Cyber Essentials provides a baseline of technical measures that can be cited as part of GDPR compliance. The UK ICO has indicated that Cyber Essentials provides a useful baseline, though it does not substitute for a full GDPR assessment of data processing risks.

Q: How long is the Cyber Essentials certificate valid?

A: Twelve months. Annual recertification is required. The NCSC recommends treating recertification as a regular security review, not just a paperwork exercise — updating your controls documentation and verifying that configurations remain in the state described in your self-assessment.


Conclusion

Cyber Essentials is the most accessible formal security certification available in the UK market. Its five controls — firewalls, secure configuration, user access control, malware protection, and patching — are the technical baseline that every internet-connected organization should have in place regardless of whether certification is required.

For UK organizations seeking government contracts, healthcare frameworks, or enterprise supply chain inclusion, Cyber Essentials is table stakes. For organizations outside the UK, the five controls provide a practical, actionable security baseline that maps to sections of NIST CSF, ISO 27001, and SOC 2.

The fastest way to prepare for a Cyber Essentials Plus assessment is to scan your web-facing systems before the assessor does — identifying the TLS configurations, patch gaps, and exposed interfaces that will show up in the technical assessment.
