Quick answer: Cyber Essentials covers five technical control families that prevent the most common cyber attacks: firewalls, secure configuration, user access control, malware protection and security update management. Together, when properly implemented, these controls block roughly 80% of basic online attacks.
The five Cyber Essentials controls in plain English
- 1. Firewalls and internet gateways — keep the internet at arm’s length. Boundary firewalls on internet-facing networks, host firewalls on every laptop. Default passwords changed.
- 2. Secure configuration — change default passwords, disable services you don’t need, document your asset register. Walk the office: anything still on admin/admin fails.
- 3. User access control — separate admin and user accounts, MFA on every cloud service holding org data, documented joiner / mover / leaver process.
- 4. Malware protection — anti-malware on every device, or application allowlisting, or sandboxing. Microsoft Defender, Sophos, CrowdStrike and SentinelOne all qualify.
- 5. Security update management — apply all security updates within 14 days of vendor release. Remove end-of-life software (old Windows, old macOS).
What Cyber Essentials does NOT cover
- Social engineering training (covered by separate frameworks like Cyber Essentials Plus add-ons or Cyber Aware)
- Physical security (locks, badges, CCTV)
- Business continuity / disaster recovery planning
- GDPR compliance specifically (overlaps but they’re separate frameworks)
- ISO 27001-style information security management
For the full requirements, see our Cyber Essentials requirements UK 2026 guide or our managed Cyber Essentials service, which automates all five controls.
