What Are The 5 Controls Of Cyber Essentials
Cyber Essentials remains one of the most recognised entry-level cyber security certifications in the UK. Designed to help organisations defend against common online threats, it focuses on practical, achievable technical controls rather than complex theory. For SMEs in particular, understanding the five controls is the first meaningful step towards strengthening digital resilience.
This guide explores each of the five controls in depth, explains why they matter, and connects them to wider business concerns such as procurement, insurance, and regulatory confidence. Whether you are preparing for certification or simply want to tighten your security posture, this breakdown will give you clarity.
Why the Five Controls Matter More Than Ever
The UK Government’s Cyber Security Breaches Survey consistently shows that around half of UK businesses report a cyber incident in any given year. The most common attacks remain phishing, credential compromise, malware infections, and exploitation of unpatched systems.
Cyber Essentials is built on a simple premise: most opportunistic attacks exploit basic weaknesses. Address those weaknesses, and you dramatically reduce your exposure.
The five controls are not random. They are based on recurring patterns observed across thousands of real-world incidents.
Control One: Firewalls and Internet Gateways
Firewalls form the first line of defence between your internal systems and the wider internet.
What This Control Covers
Organisations must ensure:
- A firewall or equivalent boundary control is in place
- Default passwords are changed
- Only necessary services are accessible
- Inbound traffic is restricted
This applies whether you use a traditional on-site firewall or cloud-based infrastructure.
Why Firewalls Still Matter
Despite decades of development, poorly configured firewalls remain a common weakness. Open ports, default credentials, and unused services can expose systems unnecessarily.
Attackers routinely scan the internet for exposed services. Automated tools search for vulnerable devices. Without proper boundary protection, an organisation can become a target within minutes of exposure.
For SMEs, especially those without dedicated IT teams, firewall configuration must be deliberate and reviewed regularly.
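The boundary expectations above (only necessary services reachable, inbound traffic restricted by default, no management interfaces open to the world) can be turned into a repeatable check. The following is an added example, not code from the original article or from UK Cyber Security Group; the `Rule` layout, the weak and hardened sample rule sets, and the approved-service list are constructed assumptions that you would replace with your own firewall's export.

```python
"""Added example, not code from the original article or from UK Cyber Security
Group: audit an inbound firewall rule set against the boundary expectations in
Control One (only necessary services reachable, inbound traffic restricted,
nothing unnecessarily exposed). The Rule layout, the sample rule sets and the
approved-service list are constructed assumptions; map them onto your own
firewall's export format."""

from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

ANY_SOURCE = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None means every port
    source: str            # CIDR the rule accepts traffic from


# Assumption: the business has documented a need to expose only HTTPS publicly.
APPROVED_PUBLIC_SERVICES = {("tcp", 443)}
# Management services that should never be reachable from an unrestricted source.
MANAGEMENT_SERVICES = {("tcp", 22), ("tcp", 23), ("tcp", 3389)}

# Constructed sample: a small-office boundary rule set, evaluated top-down.
WEAK_RULES = [
    Rule("allow", "tcp", 443, "0.0.0.0/0"),      # public web service (approved)
    Rule("allow", "tcp", 3389, "0.0.0.0/0"),     # remote desktop open to the internet
    Rule("allow", "tcp", 22, "203.0.113.0/24"),  # SSH from the office range only (TEST-NET-3)
    Rule("allow", "any", None, "0.0.0.0/0"),     # catch-all allow: nothing is denied by default
]

# The same rule set after remediation: one approved service, restricted SSH, terminal deny.
HARDENED_RULES = [
    Rule("allow", "tcp", 443, "0.0.0.0/0"),
    Rule("allow", "tcp", 22, "203.0.113.0/24"),
    Rule("deny", "any", None, "0.0.0.0/0"),
]


def is_unrestricted(source: str) -> bool:
    """True when the rule matches traffic from any internet address."""
    return ip_network(source) == ANY_SOURCE


def audit_inbound_rules(rules):
    """Return (rule_index, description) findings; an empty list means the set passes.

    The check treats the absence of an explicit terminal deny-all as a finding;
    relax that if your platform applies an implicit default deny."""
    findings = []
    for idx, r in enumerate(rules):
        if r.action != "allow" or not is_unrestricted(r.source):
            continue  # deny rules and source-restricted allows are not public exposure
        service = (r.proto, r.port)
        if r.port is None:
            findings.append((idx, "allow-all inbound rule: no default-deny policy"))
        elif service in MANAGEMENT_SERVICES:
            findings.append((idx, f"management service {r.proto}/{r.port} exposed to any source"))
        elif service not in APPROVED_PUBLIC_SERVICES:
            findings.append((idx, f"{r.proto}/{r.port} exposed publicly without a documented need"))
    has_terminal_deny = any(
        r.action == "deny" and r.port is None and is_unrestricted(r.source) for r in rules
    )
    if not has_terminal_deny:
        findings.append((None, "no terminal deny-all rule: inbound traffic is not restricted by default"))
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {audit_inbound_rules(rules) or 'no findings'}")
```

Run against the weak set it reports the exposed remote-desktop service, the catch-all allow and the missing terminal deny; the hardened set produces no findings. The approved-service list is the part worth keeping under change control, because it is the written record of why each open port exists.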
Control Two: Secure Configuration
Secure configuration focuses on reducing unnecessary exposure within your systems.
What It Involves
You must:
- Remove unused software
- Disable unnecessary services
- Change default passwords
- Ensure devices are encrypted where required
- Use supported operating systems
Unsupported operating systems are a common failure point in certification.
Why Secure Configuration Reduces Risk
Every additional service or application increases potential attack surface. Many breaches originate from overlooked legacy software or forgotten accounts.
In practical terms, secure configuration means asking:
- Do we still need this software?
- Is this device still supported?
- Are default settings still in place?
Reducing complexity reduces risk.
Control Three: User Access Control
Access control is about ensuring that the right people have the right access at the right time.
What Assessors Expect
Organisations must:
- Avoid shared accounts
- Restrict administrative privileges
- Remove leaver accounts promptly
- Use strong authentication methods
Administrative privileges should only be granted when genuinely required.
The Real-World Risk
Overuse of administrative accounts is one of the biggest internal weaknesses in SMEs. It is often done for convenience, especially in smaller teams.
If one admin account is compromised, an attacker can gain broad control quickly.
Access discipline limits damage and reduces lateral movement within networks.
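The four expectations listed under this control map directly onto checks that can be run over a directory export before an assessment. The following is an added example, not code from the original article or from UK Cyber Security Group; the `Account` layout, the sample export and the approved-admin roster are constructed assumptions, and a real run would read them from your directory or identity provider.

```python
"""Added example, not code from the original article or from UK Cyber Security
Group: run the account checks an assessor expects under Control Three over a
directory export (no shared accounts, admin rights only where approved, leavers
removed promptly, strong authentication on privileged accounts). The Account
layout, the sample export and the approved-admin roster are constructed
assumptions; a real run would read them from your directory or identity provider."""

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]      # None = nobody individually accountable (a shared login)
    is_admin: bool
    mfa_enabled: bool
    enabled: bool
    left_on: Optional[date]   # date the owner left the organisation, if they have


# Constructed sample export (not real people or accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", "Alice", is_admin=False, mfa_enabled=True, enabled=True, left_on=None),
    Account("bob.admin", "Bob", is_admin=True, mfa_enabled=True, enabled=True, left_on=None),
    Account("reception", None, is_admin=False, mfa_enabled=False, enabled=True, left_on=None),
    Account("carol", "Carol", is_admin=True, mfa_enabled=False, enabled=True, left_on=None),
    Account("dave", "Dave", is_admin=False, mfa_enabled=True, enabled=True, left_on=date(2025, 1, 10)),
    Account("erin", "Erin", is_admin=True, mfa_enabled=False, enabled=False, left_on=date(2024, 6, 1)),
]

# Assumption: the documented list of accounts that genuinely need admin rights.
APPROVED_ADMINS = {"bob.admin"}


def review_accounts(accounts, approved_admins, today):
    """Return (account, description) findings for enabled accounts only.

    `today` is passed in so the leaver check is deterministic and testable."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts have already been dealt with
        if a.owner is None:
            findings.append((a.name, "shared account with no accountable owner"))
        if a.is_admin and a.name not in approved_admins:
            findings.append((a.name, "administrative privileges outside the approved admin roster"))
        if a.is_admin and not a.mfa_enabled:
            findings.append((a.name, "administrative account without multi-factor authentication"))
        if a.left_on is not None and a.left_on <= today:
            findings.append((a.name, f"leaver account still enabled (left {a.left_on.isoformat()})"))
    return findings


def admin_share(accounts):
    """Fraction of enabled accounts holding admin rights; a rough 'too many admins' signal."""
    enabled = [a for a in accounts if a.enabled]
    return sum(a.is_admin for a in enabled) / len(enabled) if enabled else 0.0


if __name__ == "__main__":
    for name, issue in review_accounts(SAMPLE_ACCOUNTS, APPROVED_ADMINS, date(2025, 2, 1)):
        print(f"{name}: {issue}")
    print(f"admin share of enabled accounts: {admin_share(SAMPLE_ACCOUNTS):.0%}")
```

On the sample export the review flags the shared reception login, an admin account outside the roster that also lacks MFA, and a leaver still enabled three weeks after departure. Keeping the approved-admin roster as a separate, reviewed artefact is what turns "restrict administrative privileges" from an intention into something an assessor can verify.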
Control Four: Malware Protection
Malware protection ensures your systems can detect and block malicious software.
Acceptable Approaches
Organisations may use:
- Anti-malware software
- Endpoint detection tools
- Application control
- Restricted execution environments
The aim is protection against unauthorised code execution.
Why This Control Remains Critical
Ransomware continues to be a significant threat across the UK. Many attacks begin with phishing emails or compromised credentials.
Once malware executes successfully, containment becomes more complex and costly.
Layered protection reduces the likelihood of infection and limits impact.
Control Five: Security Update Management
Security update management focuses on patching known vulnerabilities quickly.
Requirements
You must:
- Apply critical updates within defined timeframes
- Ensure all devices are supported
- Maintain a documented update process
Delayed patching is one of the most common root causes of compromise.
The Statistics Behind It
Research consistently shows that many exploited vulnerabilities had patches available long before exploitation occurred. Attackers often target systems where updates were simply delayed.
Prompt patching closes doors that attackers rely on.
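A documented update process is easier to evidence when the timeframe check runs over the device inventory rather than living in people's heads. The following is an added example, not code from the original article or from UK Cyber Security Group; it covers the patch-timeframe requirement here and the unsupported-operating-system point raised under Control Two. The 14-day default is the window the Cyber Essentials scheme sets for fixes to critical and high-risk vulnerabilities; the data layout, the update identifiers and the sample inventory are constructed assumptions.

```python
"""Added example, not code from the original article or from UK Cyber Security
Group: check a device inventory against Control Five (critical and high-risk
updates applied within a defined window) and the unsupported-operating-system
point raised under Control Two. The 14-day default is the window the Cyber
Essentials scheme sets for critical and high-risk fixes; the data layout, the
update identifiers and the sample inventory are constructed assumptions."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

PATCH_WINDOW_DAYS = 14


@dataclass(frozen=True)
class Update:
    ident: str                 # vendor update identifier (constructed placeholders below)
    severity: str              # "critical", "high", "medium" or "low"
    released: date
    installed: Optional[date]  # None = still pending on this device


@dataclass(frozen=True)
class Device:
    name: str
    os_name: str
    support_ends: Optional[date]   # None = vendor has not announced an end of support
    updates: Tuple[Update, ...]


# Constructed inventory; OS names and update identifiers are placeholders, not real products or advisories.
SAMPLE_DEVICES = [
    Device("laptop-01", "current-desktop-os (constructed)", None, (
        Update("UPD-0001", "critical", date(2025, 2, 1), date(2025, 2, 5)),   # applied in time
        Update("UPD-0002", "high", date(2025, 2, 10), None),                  # still pending
    )),
    Device("server-01", "legacy-server-os (constructed)", date(2024, 10, 1), (
        Update("UPD-0003", "critical", date(2025, 1, 20), date(2025, 2, 20)),  # applied late
        Update("UPD-0004", "low", date(2025, 1, 1), None),                     # outside the window rule
    )),
]


def check_update_compliance(devices, today, window_days=PATCH_WINDOW_DAYS):
    """Return (device, description) findings; an empty list means every device complies."""
    findings = []
    for d in devices:
        if d.support_ends is not None and d.support_ends < today:
            findings.append((d.name, f"{d.os_name} out of vendor support since {d.support_ends.isoformat()}"))
        for u in d.updates:
            if u.severity not in ("critical", "high"):
                continue  # the defined window applies to critical and high-risk fixes
            deadline = u.released + timedelta(days=window_days)
            if u.installed is None and today > deadline:
                findings.append((d.name, f"{u.ident} still pending; deadline {deadline.isoformat()} missed"))
            elif u.installed is not None and u.installed > deadline:
                late = (u.installed - deadline).days
                findings.append((d.name, f"{u.ident} applied {late} days after the deadline"))
    return findings


if __name__ == "__main__":
    for device, issue in check_update_compliance(SAMPLE_DEVICES, date(2025, 3, 1)):
        print(f"{device}: {issue}")
```

Run on 1 March 2025 the check reports the pending high-risk update on the laptop, the out-of-support server, and the critical fix that the server received 17 days after its deadline. A device that is out of support never becomes compliant by patching, which is why the support check sits before the update loop.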
Bringing the Five Controls Together
Individually, each control addresses a different layer of defence. Together, they create a baseline security posture that blocks the majority of commodity attacks.
The five controls:
- Protect your perimeter
- Harden your devices
- Control access
- Detect malware
- Close known vulnerabilities
They are simple but powerful when applied consistently.
Frequently Asked Questions Around Certification
Businesses exploring Cyber Essentials often ask similar questions. Below are the exact queries many organisations raise during planning.
What are the key requirements for achieving Cyber Essentials certification?
To achieve certification, you must demonstrate compliance across all five controls. This involves:
- Clearly defining your certification scope
- Ensuring all in-scope systems meet requirements
- Completing the official questionnaire accurately
- Responding to assessor queries honestly
The process is structured but manageable with preparation.
How can I prepare my small business for Cyber Essentials assessment?
Preparation typically includes:
- Conducting a gap analysis
- Reviewing admin account usage
- Confirming patch timelines
- Removing unsupported systems
- Testing firewall configuration
Many SMEs benefit from internal reviews before submitting.
What software solutions support compliance with Cyber Essentials standards?
Helpful tools may include:
- Endpoint protection platforms
- Patch management systems
- Device management software
- Multi-factor authentication systems
The key is visibility and control, not excessive complexity.
Can I renew my Cyber Essentials certification through an online service?
Yes. Renewal is typically completed via an accredited Certification Body. The process involves revalidation of compliance and updated questionnaire submission.
Which companies provide Cyber Essentials certification services in the UK?
Certification must be conducted through IASME-approved Certification Bodies. These organisations are licensed to assess submissions and issue certificates.
Which UK-based firms offer Cyber Essentials consultancy services?
Many UK cyber consultancies provide readiness support, remediation advice, and structured preparation. Businesses should ensure independence between consultancy and certification where required.
Cyber Essentials and Business Growth
Cyber Essentials increasingly plays a role in procurement decisions. Public sector contracts often require certification. Larger private organisations may also require suppliers to hold it.
Beyond procurement, certification can:
- Improve insurer confidence
- Strengthen customer trust
- Demonstrate due diligence
- Support board-level assurance
For SMEs competing in supply chains, it can remove a barrier to entry.
Cyber Essentials Plus: Going Further
Cyber Essentials Plus includes technical verification testing. It validates that controls are implemented effectively in practice.
Testing may include:
- External vulnerability scans
- Internal device assessments
- Malware testing
- Configuration checks
Organisations operating in higher-risk sectors often consider Plus as the next logical step.
Common Mistakes to Avoid
Many businesses underestimate the detail required.
Common issues include:
- Overlooking legacy devices
- Forgetting remote workers’ equipment
- Misunderstanding patch timeframes
- Granting admin rights too broadly
- Including unsupported systems within scope
Thorough internal review reduces risk of rejection.
Integrating Cyber Essentials with Broader Strategy
Cyber Essentials works well alongside:
- ISO 27001
- IASME Cyber Assurance
- Data protection frameworks
- Insurance risk assessments
For many SMEs, it becomes the foundation of a structured cyber programme.
Ongoing Maintenance After Certification
Certification lasts twelve months, but compliance should remain continuous.
Best practice includes:
- Quarterly internal audits
- Access reviews
- Patch compliance checks
- Firewall rule reviews
Treating Cyber Essentials as a one-off exercise weakens its value.
Final Thoughts on the Five Controls
The five controls of Cyber Essentials are practical, targeted, and grounded in real-world attack patterns. They do not require enterprise-scale infrastructure or massive budgets. They require discipline, clarity, and consistent execution.
For UK SMEs, the message is straightforward:
Secure your boundary.
Harden your systems.
Control access.
Block malware.
Apply updates promptly.
When those basics are in place, the majority of common threats lose their easiest entry points.
Cyber Essentials is not about perfection. It is about measurable improvement. And for many organisations, understanding these five controls is the first step towards building stronger digital resilience.
UK Cyber Security Group Ltd is here to help
For more information, please do get in touch.
If you would like to know more, do get in touch as we are happy to answer any questions. Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers all the technical controls that will provide the protection that you need to help guard against criminal attacks.