
Cyber Essentials: 5 controls that you need to know

Cyber Essentials is a UK government scheme that outlines steps that organisations can take to secure their systems. It contains five controls that cover the basics of effective information security. We take a look at those controls here...

The controls can be implemented by anyone who is familiar with the scheme, regardless of their information security knowledge.

Despite the scheme’s focus on only the fundamentals of cyber security, it is hugely beneficial to anyone who certifies. Those who follow the Cyber Essentials scheme can prevent about 80% of cyber attacks.

This blog explains the five Cyber Essentials controls and how they keep organisations safe. There will be a brief overview of each control, and an additional information sheet in the form of a PDF file should you require more information.

How does Cyber Essentials work?

Most criminal hackers aren’t state-sponsored agencies or activists looking for high-profile targets. Nor do they spend countless hours staking out and researching their targets.

Instead, they tend to be opportunistic, looking for any available target.

They are like burglars in that they know what is valuable, but they prefer to go after easier targets.

Just as burglars identify marks by scouting neighbourhoods and look for poorly protected homes, cyber criminals look for easily exploitable weaknesses.

Cyber Essentials addresses this, helping organisations avoid weaknesses and address vulnerabilities before criminal hackers have the chance to exploit them.

Organisations can certify to Cyber Essentials by completing a self-assessment questionnaire that covers the five controls of the scheme.

What are the five controls?

1) Firewalls

Firewalls stop unauthorised access to and from private networks but must be set up correctly to be effective.

Boundary firewalls and internet gateways allow you to control who can access your system and where your users can go.

Antivirus software defends against viruses and malware, while firewalls protect against external threats.

The protection a firewall provides depends on its configuration, the firewall ‘rules’, which can be adjusted like any other control; a badly written rule set gives little or no protection.
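To make the point about rules concrete, here is an added illustration (not code from the original post or from EMCRC) of a simplified first-match packet filter. It evaluates sample connections against two constructed rule sets, a correct one with an explicit default deny and a mistaken one where an over-broad ‘allow everything’ rule placed first makes the default deny unreachable, and includes a check that flags such over-broad rules. The rule format, the address ranges and the connections are all assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified first-match packet-filter model; this is not any
# real firewall product's rule syntax.

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    direction: str           # "inbound" or "outbound"
    src: str                 # source network in CIDR form; "0.0.0.0/0" means any IPv4 host
    dst_port: Optional[int]  # destination port, or None for any port
    comment: str = ""

@dataclass(frozen=True)
class Connection:
    direction: str
    src_ip: str
    dst_port: int

def first_match(rules: List[Rule], conn: Connection) -> Optional[Rule]:
    """Return the first rule that matches the connection, or None if nothing matches."""
    src = ipaddress.ip_address(conn.src_ip)
    for rule in rules:
        if rule.direction != conn.direction:
            continue
        if src not in ipaddress.ip_network(rule.src, strict=False):
            continue
        if rule.dst_port is not None and rule.dst_port != conn.dst_port:
            continue
        return rule
    return None

def decide(rules: List[Rule], conn: Connection, default: str = "deny") -> str:
    """Apply first-match semantics; traffic that matches no rule gets the default policy."""
    rule = first_match(rules, conn)
    return rule.action if rule else default

def over_broad_allows(rules: List[Rule]) -> List[Rule]:
    """Flag inbound allow rules that admit any source address on any port."""
    return [
        r for r in rules
        if r.action == "allow" and r.direction == "inbound"
        and r.dst_port is None
        and ipaddress.ip_network(r.src, strict=False).prefixlen == 0
    ]

# Constructed rule sets using documentation address ranges (RFC 5737).
CORRECT_RULES = [
    Rule("allow", "inbound", "0.0.0.0/0", 443, "public HTTPS"),
    Rule("allow", "inbound", "203.0.113.0/24", 22, "SSH from the office range only"),
    Rule("deny", "inbound", "0.0.0.0/0", None, "explicit default deny"),
]

MISTAKEN_RULES = [
    Rule("allow", "inbound", "0.0.0.0/0", None, "temporary - allow everything"),
    Rule("deny", "inbound", "0.0.0.0/0", None, "default deny (never reached)"),
]

if __name__ == "__main__":
    probe = Connection("inbound", "198.51.100.7", 3389)
    print("correct rules:", decide(CORRECT_RULES, probe))
    print("mistaken rules:", decide(MISTAKEN_RULES, probe))
    for r in over_broad_allows(MISTAKEN_RULES):
        print("over-broad allow found:", r.comment)
```

The same probe connection is denied by the correct rule set and allowed by the mistaken one, even though both contain a default-deny rule; ordering and breadth of rules matter as much as their presence, which is why a rule review belongs in any firewall check.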


Firewalls and Routers Control (Download PDF, 377KB)

2) Secure configuration

Web server and application server configurations play a crucial role in cyber security. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems.

Configure computers and network devices to reduce vulnerabilities and only provide necessary services.

This will help prevent unauthorised actions from being carried out. It will also ensure that each device discloses only the minimum information about itself to the Internet.

A scan can reveal opportunities for exploitation through insecure configuration.
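As an added example (not code from the original post or from EMCRC) of the kind of check a configuration scan performs, the script below parses a constructed sample in the style of `ss -ltn` output, compares the listening services against an assumed policy of which ports the host should serve and whether they may be reachable from the network or only on loopback, and separately flags HTTP response headers that disclose product and version details. The policy, the sample sockets and the sample headers are all assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of `ss -ltn` output (listening TCP sockets).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       4096    0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     [::1]:6379           [::]:*
"""

# Assumed policy for this host: which ports it is supposed to serve and to whom.
# "any" = may be reachable from the network, "local" = loopback only.
POLICY = {22: "any", 80: "any", 443: "any", 3306: "local", 6379: "local"}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Extract (address, port) pairs from ss-style output, skipping the header line."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        listeners.append((addr, int(port)))
    return listeners

def audit_listeners(listeners: List[Tuple[str, int]], policy: Dict[int, str]) -> List[str]:
    """Report services that should not be running, or are exposed more widely than allowed."""
    findings = []
    for addr, port in listeners:
        scope = policy.get(port)
        if scope is None:
            findings.append(f"port {port} on {addr}: not an approved service, disable it")
        elif scope == "local" and addr not in LOOPBACK:
            findings.append(f"port {port} on {addr}: should be bound to loopback only")
    return findings

# Second check: a device should disclose as little about itself as possible.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def disclosing_headers(headers: Dict[str, str]) -> List[str]:
    """Return response header names that reveal a product together with a version number."""
    return [
        name for name, value in headers.items()
        if name.lower() in VERSION_HEADERS and re.search(r"\d+\.\d+", value)
    ]

if __name__ == "__main__":
    for finding in audit_listeners(parse_listeners(SS_OUTPUT), POLICY):
        print(finding)
    sample_headers = {"Server": "examplehttpd/2.4.1", "X-Powered-By": "ExampleLang/7.4", "Content-Type": "text/html"}
    print("version-disclosing headers:", disclosing_headers(sample_headers))
```

On the constructed sample the audit flags the database port exposed on all interfaces and the telnet service that is not in the policy at all, while the cache bound to loopback on both address families passes; the header check shows the kind of banner detail a hardened configuration would suppress.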


Secure Configuration Control (Download PDF, 190KB)

3) User access control

It is important to keep access to your data and services to a minimum. This should prevent a criminal hacker from being presented with open access to your information.

Criminals want to get administrator rights so they can break into applications and access confidential information.

Convenience sometimes results in many users having administrator rights, which can create opportunities for exploitation.

User accounts, particularly those with special access privileges, should be assigned only to authorised individuals. They must be managed effectively, and provide the minimum level of access to applications, computers and networks.
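The following is an added example (not code from the original post or from EMCRC) of a privileged-account review on a Linux host: it parses constructed `/etc/passwd` and `/etc/group` fragments, works out which accounts hold administrator rights (uid 0 or membership of an admin group), and reports any that are not on an assumed list of approved individuals, plus any spare uid-0 accounts. The account names, the group names treated as administrative and the approved list are assumptions for the example.

```python
from typing import Dict, List, Set

# Constructed /etc/passwd and /etc/group fragments; not taken from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice (sysadmin):/home/alice:/bin/bash
bob:x:1001:1001:Bob (sales):/home/bob:/bin/bash
backup:x:1002:1002:backup service:/var/backups:/usr/sbin/nologin
toor:x:0:0:spare root:/root:/bin/bash
"""
GROUP = """\
root:x:0:
sudo:x:27:alice,bob
users:x:100:alice,bob
"""

# Assumed: the individuals whose administrator rights have been formally approved.
APPROVED_ADMINS = {"root", "alice"}
# Assumed: groups whose members effectively hold administrator rights.
ADMIN_GROUPS = {"root", "sudo", "wheel", "admin"}

def parse_passwd(text: str) -> Dict[str, dict]:
    """Map user name -> {uid, shell} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "shell": shell}
    return users

def parse_group(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of member user names from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":")
        groups[name] = set(filter(None, members.split(",")))
    return groups

def admin_accounts(users: Dict[str, dict], groups: Dict[str, Set[str]]) -> Set[str]:
    """Accounts with administrator rights: uid 0, or membership of an admin group."""
    admins = {name for name, info in users.items() if info["uid"] == 0}
    for group in ADMIN_GROUPS:
        admins |= groups.get(group, set())
    return admins

def review(users: Dict[str, dict], groups: Dict[str, Set[str]], approved: Set[str]) -> List[str]:
    """Produce findings for the access review: unapproved admins and extra uid-0 accounts."""
    findings = []
    for name in sorted(admin_accounts(users, groups) - approved):
        findings.append(f"{name}: holds administrator rights without approval")
    for name, info in users.items():
        if info["uid"] == 0 and name != "root":
            findings.append(f"{name}: extra uid-0 account, remove it")
    return findings

if __name__ == "__main__":
    for finding in review(parse_passwd(PASSWD), parse_group(GROUP), APPROVED_ADMINS):
        print(finding)
```

On the constructed data the review catches the sales user who was added to `sudo` for convenience and the second uid-0 account; repeating such a review on a schedule is how the ‘minimum level of access’ requirement is kept true over time rather than only at certification.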


User Access Control (Download PDF, 381KB)

4) Malware protection

It is vital that you protect your business from malicious software, which will seek to access files on your system.

The software can cause chaos by stealing private data, corrupting files, and blocking access until you pay a fee.

Protecting against a broad range of malware will protect your computer, your privacy and your important documents from attack.


Malware Protection Control (Download PDF, 196KB)

5) Patch management and security updates

All devices and software are prone to technical vulnerabilities. Cyber criminals can rapidly exploit vulnerabilities once they’ve been discovered and shared publicly.

Criminal hackers exploit known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated.

Updating software and operating systems will help to fix these known weaknesses.

It is crucial to do this as quickly as possible to close any opportunities that could be used to gain access.
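As an added example (not code from the original post or from EMCRC) of tracking how quickly known weaknesses are closed, the script below compares an inventory of installed versions against a list of advisories, each naming the version that fixes the issue and its publication date, and reports which packages are still below the fixed version, how many days the advisory has been open, and whether that exceeds an assumed 14-day patching window. The package names, versions, dates and the window are constructed placeholders, not real advisories; the version comparison is deliberately simplified to numeric components.

```python
import re
from datetime import date
from typing import Dict, List, Tuple

def version_key(version: str) -> Tuple[int, ...]:
    """Simplified ordering key: the numeric components of the version in order.
    Assumption: adequate for x.y.z style versions, not full distribution epochs."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

# Constructed inventory and advisory data with placeholder package names.
INSTALLED = {"libexample": "3.0.2", "webfrontd": "1.24.0", "fetchtool": "8.4.0"}
ADVISORIES = [
    {"package": "libexample", "fixed_in": "3.0.5", "severity": "high", "published": date(2024, 1, 10)},
    {"package": "webfrontd", "fixed_in": "1.22.0", "severity": "medium", "published": date(2023, 6, 1)},
    {"package": "fetchtool", "fixed_in": "8.5.0", "severity": "high", "published": date(2024, 2, 1)},
]

def outstanding_patches(installed: Dict[str, str], advisories: List[dict],
                        today: date, window_days: int = 14) -> List[dict]:
    """List advisories whose fix is not yet applied, with age and an overdue flag."""
    results = []
    for adv in advisories:
        current = installed.get(adv["package"])
        if current is None:
            continue  # package not installed, nothing to patch
        if version_key(current) >= version_key(adv["fixed_in"]):
            continue  # already at or beyond the fixed version
        days_open = (today - adv["published"]).days
        results.append({
            "package": adv["package"],
            "installed": current,
            "fixed_in": adv["fixed_in"],
            "severity": adv["severity"],
            "days_open": days_open,
            "overdue": days_open > window_days,
        })
    return results

if __name__ == "__main__":
    for item in outstanding_patches(INSTALLED, ADVISORIES, date(2024, 2, 10)):
        status = "OVERDUE" if item["overdue"] else "within window"
        print(f"{item['package']} {item['installed']} -> {item['fixed_in']} "
              f"({item['severity']}, {item['days_open']} days open, {status})")
```

Run against the constructed data on 10 February 2024, one high-severity fix has been open for 31 days and is overdue, one is nine days old and still within the window, and the web front end is already newer than the fixed version so it is not reported; the ‘days open’ figure is the number that an organisation should be driving towards zero.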


Security Updates Control (Download PDF, 204KB)

Why should you get Cyber Essentials?

  • Certified cyber security

  • Reassure customers that you are working to secure your IT against cyber attack

  • Attract new business with the promise you have cyber security measures in place

  • You have a clear picture of your organisation's cyber security level

Cyber Essentials & government contracts

If you would like to bid for central government contracts which involve handling sensitive and personal information or the provision of certain technical products and services, you will require Cyber Essentials Certification. More information is available on the website.

Provide a level of Cyber Liability insurance

If your firm is UK-domiciled with a turnover under £20m and you achieve Cyber Essentials certification covering your entire organisation, you will be able to opt in to the included cyber liability insurance.

This involves no additional cost or forms: it is completely free!

The insurance cover includes a 24-hour technical and legal incident response service. Professional indemnity policies that used to protect law firms if they suffered a cyber breach are now changing their terms to restrict cover due to the high number of claims.

Getting certified is a straightforward way of demonstrating to your insurance company, your business associates and your customers that you take cyber security seriously and have your house in order.

To find out more about Cyber Essentials, and to download a Readiness Tool and the Question Set for free, visit the IASME website.

You can also read all our Cyber Essentials blogs here.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
