
Cyber Essentials Controls UK 2026: All Five Technical Controls Explained

All five cyber essentials controls explained for UK businesses 2026: boundary firewalls, secure configuration, user access control, malware protection, security update management. Requirements, common failures and how each is audited.


Last updated: April 2026  |  Reviewed by: Connection Technologies team



The Cyber Essentials controls are the five technical controls every UK business must implement to achieve Cyber Essentials certification. They were defined by the NCSC and updated by IASME in the April 2026 Willow standard, replacing the previous Montpellier release.

This guide explains all five Cyber Essentials controls in plain English, the specific Cyber Essentials requirements behind each one, the most common ways UK SMEs fail them, and exactly what evidence an IASME assessor expects to see. Use it alongside our Cyber Essentials checklist to prepare for assessment.

The five Cyber Essentials controls — overview

| # | Control | Focus | Common failure rate |
|---|---------|-------|---------------------|
| 1 | Boundary firewalls & internet gateways | Network perimeter and home-worker firewalls | ~25% |
| 2 | Secure configuration | Hardening of devices, software and accounts | ~30% |
| 3 | User access control | Identity, MFA, joiner/leaver, least privilege | ~60% |
| 4 | Malware protection | EDR/AV, web filtering, email filtering, sandboxing | ~20% |
| 5 | Security update management | Patching OS, applications and firmware within 14 days | ~30% |

NCSC estimates that getting these five controls right would prevent around 80% of common cyber attacks against UK SMEs. Together they make up the entirety of the Cyber Essentials requirements — there is nothing else in the scheme.

Control 1 — Boundary firewalls and internet gateways

What it covers: every device that sits between your internal network and the internet. That includes the office router/firewall, branch-office firewalls, the firewall in your AWS/Azure subscription, plus host-based firewalls on laptops used by remote workers (Windows Defender Firewall, macOS Firewall).

Specific Cyber Essentials requirements:

  • A firewall is enabled at the boundary of every internal network.
  • Default admin passwords on routers and firewalls are changed to strong unique passwords.
  • Admin web interfaces are not accessible from the internet (no public port 443 management UI).
  • Inbound rules are documented and have a business justification.
  • Inbound rules are reviewed at least annually.
  • Where a remote worker doesn’t sit behind a corporate firewall (i.e. WFH on home Wi-Fi), the device’s host-based firewall is enabled.

Most common failures: RDP exposed on port 3389; default router admin password unchanged; SSH or admin panels reachable from anywhere; no documented justification for open ports.
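The Control 1 checks above can be run over an exported inbound rule list. The following is an added example, not part of the original guide or any firewall vendor's tooling; the rule fields (source, port, admin_ui, justification, last_reviewed) and the sample rules are constructed assumptions.

```python
from datetime import date
from ipaddress import ip_network

def from_anywhere(cidr):
    """True when the source matches the whole internet (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr).prefixlen == 0

def audit_rule(rule, today):
    """Return Control 1 findings for one inbound rule."""
    findings = []
    if from_anywhere(rule["source"]):
        if rule["port"] == 3389:
            findings.append("RDP (3389) exposed to the internet")
        elif rule["port"] == 22 or rule["admin_ui"]:
            findings.append("SSH/admin interface reachable from anywhere")
    if not rule["justification"].strip():
        findings.append("no documented business justification")
    reviewed = rule["last_reviewed"]
    if reviewed is None or (today - reviewed).days > 365:
        findings.append("not reviewed in the last 12 months")
    return findings

# Constructed sample rules (hypothetical export format, documentation IP range).
RULES = [
    {"name": "website", "source": "0.0.0.0/0", "port": 443, "admin_ui": False,
     "justification": "Public website", "last_reviewed": date(2026, 1, 10)},
    {"name": "old-rdp", "source": "0.0.0.0/0", "port": 3389, "admin_ui": False,
     "justification": "", "last_reviewed": None},
    {"name": "fw-mgmt", "source": "0.0.0.0/0", "port": 443, "admin_ui": True,
     "justification": "Vendor support", "last_reviewed": date(2025, 3, 1)},
    {"name": "office-ssh", "source": "198.51.100.0/24", "port": 22, "admin_ui": False,
     "justification": "Admin access from office range", "last_reviewed": date(2025, 11, 3)},
]

def audit_rules(rules, today):
    """Map rule name to findings, omitting rules that pass every check."""
    return {r["name"]: f for r in rules if (f := audit_rule(r, today))}

if __name__ == "__main__":
    for name, findings in audit_rules(RULES, date(2026, 4, 22)).items():
        print(name, "->", "; ".join(findings))
```

A rule on port 443 is only flagged when it is marked as a management interface, so a public website stays clean while a firewall's admin UI on the same port does not.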


Control 2 — Secure configuration

What it covers: hardening of every device, OS and application in scope. The principle: ship things with the minimum attack surface, not the maximum convenience.

Specific Cyber Essentials requirements:

  • Unnecessary user accounts (Guest, Admin, default admin on routers/IoT) are removed or disabled.
  • Default passwords on devices and software are changed before use.
  • Unnecessary software is removed (no abandoned trials, no Java 8, no end-of-life browsers).
  • Auto-run / auto-play is disabled for removable media (USB sticks).
  • Devices auto-lock after no more than 10 minutes of inactivity.
  • A password / PIN / biometric is required to unlock the device.
  • For devices that can be lost (laptops, mobiles), full-disk encryption is enabled.
  • Where appropriate, a personal firewall is enabled on the device.

Most common failures: Guest account still active; software inventory non-existent; auto-run still enabled; mobile devices without PIN/biometric; old test users left on devices.

Control 3 — User access control (and MFA)

What it covers: who can log in to what, with which privileges, and how identity is verified. This is the most-failed Cyber Essentials control and the one IASME has progressively tightened in every recent revision.

Specific Cyber Essentials requirements:

  • Every user has a unique account — no shared logins.
  • MFA is enabled on every cloud admin account (M365 global admin, Google super admin, AWS root, Azure subscription owner, etc.).
  • MFA is enabled on every standard cloud user account.
  • Administrative privileges on workstations are limited to those who need them.
  • A documented joiner/mover/leaver process exists, and ex-staff accounts are disabled within 1 working day of departure.
  • Service accounts and shared accounts are documented with a named owner.
  • Password policy meets one of two routes: 12+ characters with no expiry plus MFA, or 8+ characters plus breached-password screening plus MFA.

Most common failures: a single M365 admin without MFA; ex-staff still active in cloud apps; shared “info@” mailbox without MFA on the underlying account; local admin rights granted by default to everyone.
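The Control 3 rules above (MFA everywhere, the two password routes, named owners, leavers disabled within 1 working day) can be checked against an account export. This is an added example, not code from the original guide or from IASME; the record fields and sample accounts are constructed, password settings are modelled per account for simplicity, and bank holidays are ignored when counting working days.

```python
from datetime import date, timedelta

def working_days_between(start, end):
    """Mon-Fri days after `start` up to and including `end` (bank holidays ignored)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days

def password_route_ok(a):
    """Route A: 12+ chars, no expiry, MFA. Route B: 8+ chars, breach screening, MFA."""
    route_a = a["min_length"] >= 12 and not a["expiry"]
    route_b = a["min_length"] >= 8 and a["breach_screening"]
    return a["mfa"] and (route_a or route_b)

def audit_account(a, today):
    """Return the list of Control 3 findings for one account record."""
    findings = []
    if not a["mfa"]:
        findings.append("no MFA on admin account" if a["admin"] else "no MFA")
    if not password_route_ok(a):
        findings.append("password policy meets neither route")
    if a["shared"] and not a["owner"]:
        findings.append("shared/service account has no named owner")
    if a["left_on"] and working_days_between(a["left_on"], a["disabled_on"] or today) > 1:
        findings.append("leaver not disabled within 1 working day")
    return findings

# Constructed sample export; field names are assumptions, not a vendor schema.
BASE = {"admin": False, "mfa": True, "shared": False, "owner": None, "min_length": 12,
        "expiry": False, "breach_screening": False, "left_on": None, "disabled_on": None}
ACCOUNTS = [
    {**BASE, "user": "alice"},
    {**BASE, "user": "tenant-admin", "admin": True, "mfa": False},
    {**BASE, "user": "info", "shared": True, "min_length": 8, "breach_screening": True},
    {**BASE, "user": "bob", "left_on": date(2026, 4, 17), "disabled_on": date(2026, 4, 20)},
    {**BASE, "user": "carol", "left_on": date(2026, 4, 17)},
]

def audit_all(accounts, today):
    """Map username to findings, omitting accounts that pass every check."""
    return {a["user"]: f for a in accounts if (f := audit_account(a, today))}

if __name__ == "__main__":
    for user, findings in audit_all(ACCOUNTS, date(2026, 4, 22)).items():
        print(user, "->", "; ".join(findings))
```

In the sample, "bob" left on a Friday and was disabled the following Monday, which counts as one working day and passes; "carol" left the same day and is still active three working days later.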

Control 4 — Malware protection

What it covers: stopping malicious code reaching and executing on your devices. The control accepts three approaches: signature-based AV, sandboxing of unknown content, or strict application allowlisting. Most UK SMEs use the first two together.

Specific Cyber Essentials requirements:

  • Malware protection is active on every device in scope. On Windows that’s typically Microsoft Defender or an enterprise EDR (SentinelOne, CrowdStrike, Defender for Business).
  • Definitions / cloud lookups are auto-updating; no device more than 7 days behind.
  • Real-time scanning is enabled.
  • Web filtering blocks known malicious sites (Defender SmartScreen, Cloudflare DNS, Cisco Umbrella).
  • Email filtering blocks known malware and phishing (Defender for Office 365, Mimecast, Proofpoint).
  • Sandboxing or attachment-scanning is in place for unknown files.
  • Mobile devices use the official Apple App Store / Google Play; sideloading is restricted.

Most common failures: Mac fleet without an EDR product (built-in macOS XProtect alone is not sufficient for CE Plus); web filtering disabled on remote workers; sideloading allowed on Android devices; old AV product still running with expired definitions.

Control 5 — Security update management (patching)

What it covers: keeping every piece of software in scope on a supported version with current security patches. The 2022 Evendine update introduced the strict 14-day rule that catches a lot of UK SMEs out.

Specific Cyber Essentials requirements:

  • All operating systems in scope are vendor-supported (no Windows 7, no Windows 10 after October 2025 unless on ESU, no macOS older than the 3 most recent versions).
  • Critical and high-severity OS patches are applied within 14 days of release.
  • Application patches (browsers, Office, Adobe, third-party apps) are applied within 14 days.
  • Auto-update is enabled where possible.
  • Centralised patching enforces compliance (Intune, NinjaOne, Action1, WSUS).
  • Firmware on routers, firewalls, switches and IoT is up to date.
  • Out-of-support software is removed.

Most common failures: Java 8 still installed; Office 2016 (out of mainstream support); a Windows 10 device without ESU after October 2025; abandoned Adobe Reader install on a single laptop; firmware on a meeting-room device 18 months out of date.
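The numeric thresholds from Controls 2, 4 and 5 (10-minute auto-lock, definitions no more than 7 days behind, critical and high patches within 14 days of release) lend themselves to a per-device drift check. This is an added example, not code from the original guide or from any compliance product; the inventory fields, device names and patch ids are constructed placeholders.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # Control 5: critical/high patches
DEFS_MAX_AGE_DAYS = 7   # Control 4: definitions / cloud lookups
LOCK_MAX_MINUTES = 10   # Control 2: auto-lock

def overdue_patches(dev, today):
    """Ids of critical/high patches still missing more than 14 days after release."""
    return sorted(p["id"] for p in dev["missing_patches"]
                  if p["severity"] in ("critical", "high")
                  and (today - p["released"]).days > PATCH_WINDOW_DAYS)

def audit_device(dev, today):
    """Return findings for one device against the page's thresholds."""
    findings = []
    if not dev["os_supported"]:
        findings.append("operating system out of vendor support")
    for pid in overdue_patches(dev, today):
        findings.append(f"patch {pid} overdue (more than {PATCH_WINDOW_DAYS} days since release)")
    if (today - dev["defs_updated"]).days > DEFS_MAX_AGE_DAYS:
        findings.append("malware definitions more than 7 days old")
    if dev["lock_minutes"] is None or dev["lock_minutes"] > LOCK_MAX_MINUTES:
        findings.append("auto-lock missing or longer than 10 minutes")
    if dev["portable"] and not dev["disk_encrypted"]:
        findings.append("portable device without full-disk encryption")
    return findings

# Constructed inventory; field names and patch ids are placeholders.
DEVICES = [
    {"name": "LAPTOP-01", "os_supported": True, "portable": True, "disk_encrypted": True,
     "lock_minutes": 5, "defs_updated": date(2026, 4, 21), "missing_patches": [
         {"id": "PATCH-A", "severity": "critical", "released": date(2026, 4, 14)}]},
    {"name": "LAPTOP-02", "os_supported": True, "portable": True, "disk_encrypted": False,
     "lock_minutes": 15, "defs_updated": date(2026, 4, 10), "missing_patches": [
         {"id": "PATCH-B", "severity": "high", "released": date(2026, 4, 1)},
         {"id": "PATCH-C", "severity": "low", "released": date(2026, 3, 1)}]},
    {"name": "DESKTOP-03", "os_supported": False, "portable": False, "disk_encrypted": False,
     "lock_minutes": 10, "defs_updated": date(2026, 4, 20), "missing_patches": []},
]

def audit_fleet(devices, today):
    """Map device name to its list of findings (empty list means compliant)."""
    return {d["name"]: audit_device(d, today) for d in devices}

if __name__ == "__main__":
    for name, findings in audit_fleet(DEVICES, date(2026, 4, 22)).items():
        print(name, "->", "; ".join(findings) or "OK")
```

A critical patch released 8 days ago is not yet a finding, which is why LAPTOP-01 passes; the clock runs from the release date, not from when the device first reported the patch as missing.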

How the five Cyber Essentials controls are tested

For basic Cyber Essentials, you self-attest via the IASME 64-question SAQ. The assessor reviews your answers, may ask follow-ups and either passes you or fails you. There’s no on-device check.

For Cyber Essentials Plus, an independent assessor verifies the same five controls using:

  • External vulnerability scans of every public IP.
  • Authenticated vulnerability scan of a sample of devices (typically 10-15% of the fleet, minimum 1 of each operating system).
  • An email phishing test with both file and link payloads.
  • A mobile device review.

For full audit detail, see our Cyber Essentials Plus guide.

Automating the Cyber Essentials controls

The five controls are simple to describe but tedious to maintain across a growing UK business. A modern compliance agent can monitor all five continuously across every Windows, macOS, iOS and Android device — flagging drift before it becomes a failed assessment.

Connection Technologies’ managed Cyber Essentials service deploys exactly that agent on every endpoint, automates the policy templates that satisfy each control, and submits the SAQ on your behalf. RRP from £103/month. See Cyber Essentials & CE+ pricing for tier details.

Get Cyber Essentials & Cyber Essentials Plus — fully managed

Connection Technologies runs Cyber Essentials and Cyber Essentials Plus for UK businesses end-to-end. Our compliance agent automates the five technical controls across every Windows, macOS, iOS and Android device — we submit, audit and renew so you stay certified without the paperwork. RRP from £103/month with free £25,000 cyber-liability insurance for eligible UK businesses.


Frequently asked questions about Cyber Essentials controls

The five Cyber Essentials controls are: (1) Boundary firewalls and internet gateways, (2) Secure configuration, (3) User access control (including MFA on cloud accounts), (4) Malware protection, and (5) Security update management (patching within 14 days). All five must be in place to pass certification.

User access control (Control 3) — roughly 60% of UK Cyber Essentials failures involve missing MFA on a cloud admin account, ex-staff still active in M365, shared logins, or local admin rights granted by default. The 2022 Evendine update tightened MFA requirements significantly and has been the single biggest cause of failures since.

Cyber Essentials Control 5 requires that all critical and high-severity security patches — for operating systems, applications and firmware — are applied within 14 days of vendor release. This rule was introduced in the 2022 Evendine update and is one of the most common reasons SMEs fail Cyber Essentials Plus, since auditors verify it via authenticated device scans.

Yes — since the 2022 Evendine update, every cloud service that processes business data is in scope: Microsoft 365, Google Workspace, Xero, Sage, your CRM and any AI/LLM platform. The same five controls apply, with particular focus on MFA, user access control and secure configuration.

No — Cyber Essentials is pass/fail across all five controls. You either meet every requirement or you fail. IASME does give you one free re-submission within 48 hours of an initial fail, so you have a single chance to fix the issue and re-submit before paying the assessment fee again.

For Cyber Essentials Plus, an independent IASME-licensed assessor verifies the controls via external vulnerability scans of every public IP, an authenticated scan of a sample of your devices (typically 10-15% of the fleet, minimum 1 of each operating system), an email filtering test with file and link payloads, and a mobile device review.
