What Are the Cyber Essentials Requirements?
Cyber Essentials requires organisations to implement five specific technical controls: boundary firewalls, secure configuration, user access control, malware protection, and patch management. All five must be in place across every in-scope device for certification to be awarded.
Direct Answer
Cyber Essentials covers five technical controls: boundary firewalls, secure configuration, access control, malware protection, and patch management. All in-scope devices must meet these requirements. From 2023, the scope was extended to include cloud services and home working devices, making the certification more demanding than previous versions.
The Five Cyber Essentials Technical Controls
Each control has specific sub-requirements defined in the Cyber Essentials technical specification, updated annually by IASME.
Boundary Firewalls
All internet-facing services must be protected by a properly configured firewall or equivalent control. Default-deny rules are required, and unused ports and services must be blocked.
Secure Configuration
Devices must have default passwords changed, unnecessary software and accounts removed, auto-run disabled, and automatic screen lock enabled. This applies to laptops, desktops, servers, and mobile devices in scope.
User Access Control
Users must have only the permissions they need (least privilege). Admin accounts must be separate from standard accounts and must not be used for email or general browsing.
Malware Protection
Anti-malware software or application allowlisting must be active and up to date on all in-scope devices. Real-time or on-access scanning must be enabled.
Patch Management
High and critical patches must be applied within 14 days of release. Software that is no longer supported and cannot be updated must be removed from scope or have a documented risk acceptance.
Common Compliance Gaps vs Requirements
The controls most organisations struggle with, and what a compliant posture looks like.
| Feature | Common Gap (typical SME starting point) | CE Compliant (required for certification) |
|---|---|---|
| Firewall with default-deny rules | Default-allow or consumer grade | Managed firewall, default-deny |
| Default passwords changed | | |
| Separate admin accounts | | |
| Patches within 14 days | | |
| Anti-malware on all devices | Partial coverage | All in-scope devices |
| Unsupported software removed | | |
| MFA on internet-facing services | | |
MFA was added as a requirement for cloud-based services in the January 2022 update to the Cyber Essentials technical specification.
Frequently Asked Questions
The average cost of the most disruptive breach is £3,550 for UK businesses. For businesses that experienced negative outcomes such as data loss or financial theft, the average cost rises to £8,260. Medium and large businesses face average costs of £10,830 per disruptive incident.
Yes. 50% of small businesses (10-49 employees) reported a cybersecurity breach in 2025. UK small businesses face around 65,000 hack attempts daily, with approximately 4,500 successful breaches. More than a quarter of SMBs say a single cyber attack could put them out of business entirely.
Organisations with Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance. Certification is mandatory for UK government contracts involving sensitive data. Only 3% of UK businesses are currently certified, giving certified businesses a competitive advantage.
UK businesses typically allocate 13.2% of their total IT budget to cybersecurity. More than half of UK small businesses increased their cybersecurity spending in 2024. 85% of UK firms plan to boost their cyber budget for 2026. The cost of prevention is significantly less than the average breach cost of £3,550.
MFA requires two or more verification methods to access an account. Microsoft reports that over 99.9% of compromised accounts did not have MFA enabled. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025). MFA can prevent more than 99.9% of account compromise attempts.
Find Out If You're Ready to Certify
AMVIA's gap assessment reviews your current environment against the five Cyber Essentials controls and produces a remediation plan. Most clients certify within four weeks.