  • Cyber Essentials
  • 7th Jun 2026
  • 1 min read

The 5 Cyber Essentials Controls Explained

Written by Gabriel Few-Wiegratz
In Short
  • All five Cyber Essentials controls must be implemented across every in-scope system. Partial compliance is not enough to achieve certification.
  • Multi-factor authentication is mandatory for every account that can authenticate to an internet-facing (cloud) service. The requirement has applied to all users since January 2023, so MFA is a key area to review.
  • Patch management is the most common reason organisations fail. Unpatched applications, unsupported software, and patch cycles longer than 14 days frequently lead to rejection.
  • End-of-life software is an automatic fail. Any unsupported software on an in-scope device must be removed, replaced, or brought into support before certification.

Cyber Essentials is designed to establish a consistent security baseline, which means weaknesses in any one control area can prevent certification. Organisations pursuing Cyber Essentials Plus should be especially thorough, as all five controls will be independently verified through technical testing rather than self-assessed.

Working towards certification? Our Cyber Essentials resource hub brings together everything in one place: the five controls, certification costs, the self-assessment questionnaire, and what Cyber Essentials Plus actually tests. Start there to plan your route to certification. 

Expert View

Matt Davies, Chief Product Officer, SureCloud

What our experts say about CE control failures in practice

"Patch management fails more assessments than anything else, and the pattern is consistent: OS updates are running, but third-party applications are months behind. Browsers, plugins, and productivity tools accumulate unpatched CVEs that the organisation isn't tracking. The 14-day window applies to all of them."

Why These Five Controls

The NCSC's incident data shows the same patterns repeating: attackers get in through unpatched vulnerabilities, default credentials, over-permissioned accounts, and absent malware protection. The five controls are the minimum set of barriers that block these routes. They're not a gold standard: they're the floor.

The scheme's 2022 and 2023 updates made one change with wide impact: MFA is now mandatory for all accounts that can authenticate to internet-facing services. The requirement was introduced for cloud services by the Evendine update in January 2022, became mandatory for all users in January 2023, and is carried forward in the Montpellier question set, which was published in January 2023 and has applied to assessments since April 2023. Organisations working from pre-2023 guidance should check this requirement first, since it's the change most likely to require remediation work.

Each control below covers what it requires, why it was included, the specific CE requirements, and what assessors most often find wrong. For a ready-to-use implementation checklist, see the CE certification checklist.

Control 1: Firewalls

What It Requires

CE requires a firewall at the network boundary (between your internal network and the internet) and personal firewalls on all devices used outside a protected network environment. The requirement is for a default-deny policy: all inbound connections not explicitly required must be blocked.

Why It Exists

Unprotected internet-facing services are among the most common attacker entry points. Services with no firewall or permissive inbound rules are exposed to automated scanning and exploitation within hours of going online. Personal firewalls matter because devices on home broadband or public Wi-Fi face the same threats as any internet-facing service.

Specific Requirements

  1. A firewall must protect all devices within the assessment scope boundary.
  2. All inbound connections not explicitly required must be blocked by default.
  3. Firewall rules must be documented, reviewed, and as restrictive as possible for the services they protect.
  4. Administrative access to firewall management interfaces must be restricted to authorised individuals and, where feasible, to specific source IP addresses.
  5. Default administrative credentials on all firewalls and network devices must be changed before deployment.
  6. Personal firewalls must be enabled on all devices used outside the office network perimeter.

Common failure point: firewall rules that permit inbound connections more broadly than necessary, for example a rule allowing inbound access from any source IP to a service that should only be accessible from specific known addresses. Firewall management interfaces accessible from the internet with default or weak credentials are also a frequent issue.
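As an added example (not part of the original article), the Python script below reviews an exported inbound rule set against the points above: a catch-all inbound deny is present, every allow rule corresponds to a documented required service, no rule is broader than the documented source range for that service, and the firewall's own management interface is reachable only from an administrative range. The rule model, the documented-service list and the address ranges (RFC 5737 test networks) are constructed for the example; in a real review the rules would be loaded from the firewall vendor's export rather than typed in.

```python
"""Review an inbound firewall rule set against the Cyber Essentials default-deny expectation.

Added example, not part of the original article. The rule model, the documented-service
list and the address ranges (RFC 5737 test networks) are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional

# Documented required inbound services: destination port -> permitted source networks.
# In practice this comes from the organisation's firewall rule documentation.
DOCUMENTED_INBOUND: dict[int, set[IPv4Network]] = {
    443: {ip_network("0.0.0.0/0")},        # public HTTPS front end, deliberately open to all
    22: {ip_network("203.0.113.0/24")},    # SSH, office range only
}

# Sources allowed to reach the firewall's own management interface.
ADMIN_SOURCES: set[IPv4Network] = {ip_network("203.0.113.0/24")}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # source network in CIDR notation
    dst_port: Optional[int]      # destination port; None means any port
    to_firewall: bool = False    # True when the destination is the firewall's management interface


def within(src: IPv4Network, permitted: set[IPv4Network]) -> bool:
    """True if every address in `src` falls inside one of the permitted networks."""
    return any(src.subnet_of(net) for net in permitted)


def review_inbound(rules: list[Rule]) -> list[str]:
    """Return one finding per rule that breaches the default-deny expectation."""
    findings: list[str] = []
    has_default_deny = False
    for r in rules:
        src = ip_network(r.src)
        # A catch-all inbound deny (any source, any port) is the default-deny policy itself.
        if r.action == "deny" and r.dst_port is None and src.prefixlen == 0:
            has_default_deny = True
            continue
        if r.action != "allow":
            continue  # more specific denies need no review here
        if r.to_firewall:
            if not within(src, ADMIN_SOURCES):
                findings.append(f"{r.name}: firewall management interface reachable from {src}")
            continue
        if r.dst_port is None:
            findings.append(f"{r.name}: allows every port from {src}")
            continue
        permitted = DOCUMENTED_INBOUND.get(r.dst_port)
        if permitted is None:
            findings.append(f"{r.name}: port {r.dst_port} is not a documented required service")
        elif not within(src, permitted):
            allowed = ", ".join(sorted(str(n) for n in permitted))
            findings.append(f"{r.name}: port {r.dst_port} open to {src}; documented sources: {allowed}")
    if not has_default_deny:
        findings.append("no catch-all inbound deny rule: policy is not default-deny")
    return findings


# Constructed rule export. Three of these rules should be flagged.
SAMPLE_RULES = [
    Rule("web-https", "allow", "0.0.0.0/0", 443),
    Rule("ssh-office", "allow", "203.0.113.0/24", 22),
    Rule("ssh-any", "allow", "0.0.0.0/0", 22),                                # broader than documented
    Rule("rdp-any", "allow", "0.0.0.0/0", 3389),                              # service not documented at all
    Rule("fw-admin-any", "allow", "0.0.0.0/0", 8443, to_firewall=True),       # management exposed to the internet
    Rule("fw-admin-office", "allow", "203.0.113.10/32", 8443, to_firewall=True),
    Rule("default-deny", "deny", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for finding in review_inbound(SAMPLE_RULES):
        print(finding)
```

The check compares each rule's source against the documented range with a subnet test rather than a string match, so a rule written as 0.0.0.0/1 or 10.0.0.0/8 where only an office /24 is documented is flagged just as 0.0.0.0/0 would be.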

Control 2: Secure Configuration

What It Requires

In-scope devices and software must be configured to reduce their attack surface. CE doesn't prescribe a specific configuration baseline, but requires that organisations remove or disable features, accounts, services, and functionality that aren't needed, and change all default settings that create vulnerabilities.

Why It Exists

Vendors ship devices and software configured for ease of setup, not security. That means default accounts with published passwords, services running that nobody asked for, and permissive settings that nobody reviewed. Attackers know these defaults because they're documented. Checking them off during deployment takes minutes; finding them during an incident does not.

Specific Requirements

  1. Default passwords on all hardware and software must be changed before deployment.
  2. Unnecessary user accounts, including default vendor accounts and accounts for services not in use, must be removed or disabled.
  3. Unnecessary software, services, and features must be uninstalled or disabled. This includes network services, communication protocols not in use, and any functionality that increases attack surface without operational benefit.
  4. Auto-run features (USB auto-run, auto-run from network shares or CD/DVD) must be disabled.
  5. Devices must lock automatically after a defined period of inactivity and require re-authentication to resume.
  6. All in-scope systems must run only currently supported software: the vendor must still be releasing security updates for it.

Common failure point: default credentials on network devices, printers, switches, and IoT-category hardware that get overlooked in configuration hardening. End-of-life software is the other frequent issue: legacy operating systems or applications still in use but no longer receiving vendor security updates.

Control 3: User Access Control

What It Requires

Access to systems, applications, and data must be limited to what each user needs for their specific role. Administrative privileges must be restricted to accounts designated for those tasks, and those accounts must not be used for routine day-to-day work.

Since January 2023 MFA has been mandatory: multi-factor authentication must be enforced on all accounts that can authenticate to any internet-facing service, including cloud applications.

Why It Exists

Excessive account privileges are a consistent attacker objective. A compromised account with administrative privileges allows lateral movement, malware installation, data exfiltration, and access escalation far more easily than a compromised account with limited permissions. Internet-facing accounts without MFA are routinely targeted by credential-stuffing and password-spray attacks: it's not a sophisticated technique, and it works.

Specific Requirements

  1. User accounts must follow least-privilege principles: users have only the access their job function requires.
  2. Administrative accounts must be separate from standard user accounts. Staff must not use administrator accounts for day-to-day activities such as email, browsing, or document editing.
  3. The number of administrator accounts must be minimised and reviewed regularly.
  4. MFA must be enabled on all accounts that can authenticate to internet-facing services: Microsoft 365, Google Workspace, cloud-hosted applications, VPN and remote access services, web-based email, and any other internet-accessible service. This requirement has applied to all users since January 2023 and covers all in-scope accounts.
  5. Where MFA is not in use, passwords must meet the scheme's length and brute-force protection requirements: at least 12 characters, or at least 8 characters where common passwords are automatically blocked by a deny list, together with throttling or lockout of repeated failed attempts. The scheme does not mandate composition (complexity) rules.
  6. Guest, shared, and dormant accounts must be removed or disabled. A process must exist to remove accounts promptly when staff leave or change roles.

Common failure point: MFA not enforced on cloud applications, particularly Microsoft 365 and Google Workspace tenancies where MFA is available but left as opt-in rather than required by policy. Shared administrative accounts, where individual accountability for actions is lost, are also a frequent finding.

Control 4: Malware Protection

What It Requires

In-scope devices must be protected against malware. CE accepts two approaches: anti-malware software (traditional AV or next-generation endpoint protection) or application allowlisting (configuring devices to permit only approved applications to execute, blocking everything else by default).

Why It Exists

A single click on a malicious attachment or download can result in full system compromise if nothing is there to stop it. Anti-malware catches known threats before they execute; application allowlisting goes further by blocking any code that isn't on an approved list. CE accepts either because both break the delivery chain that ransomware, credential stealers, and remote access trojans rely on.

Specific Requirements

  1. Anti-malware software must be installed on all in-scope devices, unless application allowlisting is used instead.
  2. Anti-malware definitions must be configured to update automatically and regularly.
  3. Anti-malware scanning must be active: either real-time or scheduled at regular intervals.
  4. Anti-malware detections must be reviewed and acted upon. The software must be actively managed, not just present.
  5. If application allowlisting is used: only approved, listed applications may execute. The allowlist must be maintained and reviewed. Unapproved applications must be blocked in all cases.

Common failure point: anti-malware software installed but not actively maintained, with definitions weeks or months out of date, or detections logged and never reviewed. Devices added to scope after the initial deployment and never enrolled in the endpoint protection platform are also a consistent finding.

Control 5: Patch Management

What It Requires

All software on in-scope devices must be kept up to date. CE sets a specific time requirement: critical and high-severity patches must be applied within 14 days of release. End-of-life software (software that no longer receives security patches) must be removed from in-scope devices. The asset and risk management tools that track software inventory and patch status are directly relevant to meeting this control.

Why It Exists

When a patch is released, it tells attackers exactly what the vulnerability is. Automated scanning tools probe for unpatched systems within hours. The 14-day window isn't arbitrary: it reflects how quickly active exploitation follows public disclosure for critical and high-severity vulnerabilities.

End-of-life software is a permanent open door. Once a vendor stops releasing patches, every new vulnerability discovered stays unaddressed. There's no compensating control that satisfies CE: unsupported software is an automatic failure.

Specific Requirements

  1. All operating systems on in-scope devices must be kept up to date. Automatic updates must be enabled, or a documented patching process must apply critical and high-severity patches within 14 days of release.
  2. All third-party applications on in-scope devices must be kept up to date: web browsers, productivity suites, PDF readers, browser plugins and extensions, media players, and any other installed application.
  3. Critical and high-severity patches must be applied within 14 days of vendor release. Applied means installed on the device, not approved or scheduled.
  4. All in-scope software must be currently supported by its vendor, still receiving security updates. End-of-life software on any in-scope device is an automatic CE failure with no exceptions.
  5. An accurate software inventory must be maintained for all in-scope devices, sufficient to verify patching status and supported-software compliance.

Common failure point: OS updates are running but third-party applications are months behind. Browsers, plugins, and productivity suites accumulate unpatched vulnerabilities that the organisation isn't tracking. End-of-life software is the other consistent failure: kept because replacement is complex, rejected because the scheme has no exceptions. The 14-day window applies to everything.
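As an added example, not taken from the article, the following Python assessment applies the two hard rules of this control to a software inventory: a critical or high-severity update is overdue once more than 14 days have passed since the vendor released it (the clock starts at release, not at internal approval), and anything past its vendor end-of-support date fails regardless of patch state. The inventory rows, version strings and dates are constructed, and the assessment date is fixed so the output is reproducible; a real run would read the inventory from the endpoint management or asset tool.

```python
"""Assess a software inventory against the Cyber Essentials patch-management rules.

Added example, not part of the original article. The inventory below is constructed
sample data; the assessment date is fixed so the result is reproducible.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)           # CE: critical/high fixes applied within 14 days of release
SEVERITIES_IN_SCOPE = {"critical", "high"}  # severities the 14-day clock applies to
AS_OF = date(2026, 6, 7)                    # assessment date (constructed)


@dataclass(frozen=True)
class Software:
    device: str
    name: str
    installed: str                # version currently on the device
    latest: str                   # latest version the vendor has released
    released: Optional[date]      # vendor release date of `latest`; None when nothing is outstanding
    severity: Optional[str]       # severity of what `latest` fixes, as rated by the vendor
    support_end: Optional[date]   # vendor end-of-support date; None if still supported


def assess(inventory: list[Software], as_of: date = AS_OF) -> dict[str, list[str]]:
    """Return findings grouped into 'eol', 'overdue' and 'due' (outstanding but inside the window)."""
    findings: dict[str, list[str]] = {"eol": [], "overdue": [], "due": []}
    for s in inventory:
        tag = f"{s.device}: {s.name} {s.installed}"
        # End-of-life is assessed first: it fails on its own, whatever the patch state.
        if s.support_end is not None and s.support_end < as_of:
            findings["eol"].append(f"{tag} (vendor support ended {s.support_end})")
            continue
        # Nothing outstanding, or no release date to start the clock from.
        if s.installed == s.latest or s.released is None:
            continue
        # Lower severities are still expected to be patched, but carry no 14-day deadline.
        if s.severity not in SEVERITIES_IN_SCOPE:
            continue
        deadline = s.released + PATCH_WINDOW   # 14 days from vendor release, not from approval
        if as_of > deadline:
            findings["overdue"].append(f"{tag} -> {s.latest} ({s.severity}, deadline was {deadline})")
        else:
            findings["due"].append(f"{tag} -> {s.latest} ({s.severity}, deadline {deadline})")
    return findings


def passes(findings: dict[str, list[str]]) -> bool:
    """The control is met only when nothing is end-of-life and nothing is overdue."""
    return not findings["eol"] and not findings["overdue"]


# Constructed sample inventory: two laptops, mixed OS and third-party applications.
SAMPLE_INVENTORY = [
    Software("LT-01", "Windows 11", "23H2 (2026-05)", "23H2 (2026-05)", None, None, None),
    Software("LT-01", "Web browser", "136.0", "137.0", date(2026, 5, 20), "high", None),      # 18 days old
    Software("LT-01", "PDF reader", "24.1", "24.2", date(2026, 6, 1), "critical", None),      # 6 days old
    Software("LT-01", "Media player", "3.0", "3.1", date(2026, 5, 1), "medium", None),        # no deadline
    Software("LT-02", "Windows 10", "22H2", "22H2", None, None, date(2025, 10, 14)),          # end of life
]

if __name__ == "__main__":
    result = assess(SAMPLE_INVENTORY)
    for group, items in result.items():
        for item in items:
            print(f"[{group.upper()}] {item}")
    print("PASS" if passes(result) else "FAIL")
```

Run against the sample on the fixed date, the fully patched Windows 11 build produces nothing, the browser update released 18 days earlier is overdue, the PDF reader fix is still inside its window, the medium-severity media player update is ignored for the 14-day test, and the Windows 10 device fails outright on end-of-life, so the overall result is FAIL.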

The 5 Controls at a Glance

Control | Core Requirement | Most Common Failure Point
--- | --- | ---
Firewalls | Default-deny boundary firewall; personal firewalls on remote devices | Overly permissive inbound rules; default admin credentials unchanged
Secure Configuration | Remove defaults, unnecessary accounts, services, and features | Default credentials on network hardware and printers; end-of-life software
User Access Control | Least privilege; separate admin accounts; MFA on internet-facing accounts | MFA not enforced on cloud applications (M365, Google Workspace)
Malware Protection | Anti-malware on all devices OR application allowlisting; kept up to date | Installed but not maintained; devices not enrolled in endpoint protection
Patch Management | Critical and high-severity patches within 14 days; no unsupported software on in-scope devices | Unpatched third-party apps; end-of-life software retained; extended deployment windows

Key Facts

  1. The five CE controls address the attack vectors responsible for the majority of commodity-level cyber attacks on UK organisations.
  2. Critical and high-severity patches must be applied within 14 days of vendor release. This window is absolute and applies to all software on in-scope devices.
  3. MFA must be enforced on all accounts that can authenticate to internet-facing services, including Microsoft 365, Google Workspace, VPN, and web-based email.
  4. End-of-life software on any in-scope device is an automatic CE failure. No mitigation or exception exists under the scheme.
  5. Application allowlisting is an accepted alternative to anti-malware for the malware protection control, provided it's actively maintained.
  6. The Montpellier question set was published in January 2023 and has applied to assessments since April 2023; the MFA requirement for all users of internet-facing services has been mandatory since January 2023. Organisations on older guidance need to review MFA and scope requirements in particular.

Map Your Control State Before You Submit

Gracie AI Agents with Personas and Skills assess your organisation's current position against all five CE controls, flagging gaps and organising evidence before your ASP sees a single response. Teams using SureCloud Assure reduce manual evidence collection by 50-65%.

FAQs

What are the 5 Cyber Essentials controls?

The five controls are: firewalls, secure configuration, user access control, malware protection, and patch management. All five must be implemented across every system within the defined assessment scope. Each addresses a specific category of attack vector that the NCSC has identified as responsible for the majority of successful commodity cyber attacks on UK organisations.

Is MFA required for Cyber Essentials?

Yes. MFA has been mandatory for all users of cloud services since January 2023, when the grace period introduced by the 2022 Evendine update ended; the Montpellier question set, applied to assessments since April 2023, carries the requirement forward. MFA must be enforced on all accounts that can authenticate to any internet-facing service: cloud applications such as Microsoft 365 and Google Workspace, web-based email, VPN and remote access services, and any other service accessible from the internet. Organisations that haven't implemented MFA on these services won't meet the user access control requirement.

What does the patch management control require specifically?

Critical and high-severity patches must be applied to all in-scope systems within 14 days of vendor release. This covers operating systems and all installed applications. End-of-life software (software that no longer receives vendor security updates) must be removed from in-scope devices entirely. There are no exceptions for end-of-life software deemed low-risk: the only alternative to removing or replacing it is to take the device out of scope altogether, by segregating it behind a firewall or VLAN into a sub-set that is not assessed, and declaring that reduced scope. The CE requirements guide sets out the full specification.

Can I use application allowlisting instead of antivirus for Cyber Essentials?

Yes. CE accepts either approach for the malware protection control: traditional anti-malware software with regularly updated definitions, or application allowlisting configured to prevent unauthorised applications from executing. If allowlisting is used, the allowlist must be maintained and reviewed, and unapproved applications must be blocked in all cases.

What counts as a supported operating system for Cyber Essentials?

A supported OS is one for which the vendor is still releasing security updates. Any OS that has passed its vendor-published end-of-life date is unsupported for CE purposes: Windows 10 after 14 October 2025, or any Windows Server version that has reached the end of extended support, for example. By the same definition, a device that is still receiving security updates under a paid extended-support arrangement (such as Microsoft's Extended Security Updates programme) remains supported for as long as those updates are delivered. Using an unsupported OS on any in-scope device is an automatic certification failure with no mitigation permitted under the scheme.