The Five Technical Controls
Cyber Essentials is built around five fundamental technical controls. These controls address the most common attack vectors and, when properly implemented, provide effective protection against the majority of commodity cyber attacks targeting UK organisations.
Key Takeaways
| Point | Summary |
|---|---|
| 5 controls | Firewalls, Secure Configuration, Security Update Management, User Access Control, Malware Protection |
| Firewalls | Protect network boundaries; all internet connections must have firewall protection |
| Secure Configuration | Remove default passwords, disable unnecessary features, harden systems |
| Security Updates | Apply patches within 14 days of release for high/critical vulnerabilities |
| User Access Control | Unique accounts, least privilege, MFA for cloud services, admin account restrictions |
| Malware Protection | Anti-malware software, application whitelisting, or sandboxing on all devices |
Quick Answer: The 5 Cyber Essentials controls are: (1) Firewalls protecting all internet connections, (2) Secure configuration removing defaults and unnecessary features, (3) Security updates within 14 days for critical patches, (4) User access control with least privilege, (5) Malware protection on all devices.
Understanding the five controls
The NCSC selected these five controls based on research into the most common cyber attack methods. Each control addresses specific attack vectors:
| Attack Method | Control That Addresses It |
|---|---|
| Network intrusion | Firewalls |
| Exploiting default settings | Secure Configuration |
| Exploiting known vulnerabilities | Security Update Management |
| Credential theft/abuse | User Access Control |
| Malware infection | Malware Protection |
Together, these controls create layers of defence. If an attacker gets past one control, others are in place to limit the damage.
Control 1: Firewalls
Firewalls create a barrier between your internal network and external threats, controlling what traffic can pass in and out.
What's required
| Requirement | Details |
|---|---|
| Boundary protection | All internet-connected networks must have a firewall |
| Default deny | Block all incoming connections by default |
| Change defaults | Modify all default firewall passwords |
| Rule documentation | Document firewall rules and their purposes |
| Remove unnecessary rules | Disable rules that aren't required |
Key considerations
Inbound traffic: The default should be to deny all incoming connections, allowing only those services that are explicitly required for business purposes.
Outbound traffic: May be less restrictive than inbound, but consider restricting where appropriate and document any policies.
Administrative access: Change all default passwords, limit admin access to authorised personnel, use strong authentication, and log administrative actions.
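The firewall requirements above (default deny inbound, changed admin password, documented rules, only business-required services exposed, no unused rules) can be checked mechanically against an exported rule set. The script below is an added example, not code from the page or from Bastion; the configuration structure, the approved-port list and the sample rules are all constructed for illustration.

```python
# Services the business has explicitly approved for inbound exposure; any
# other inbound allow rule is a finding. (Constructed list for this example.)
APPROVED_INBOUND_PORTS = {443: "Public website", 25: "Inbound mail"}

# Constructed export of a boundary firewall's configuration (not taken from
# any real device). Each rule records whether its purpose is documented and
# whether traffic has matched it recently.
SAMPLE_FIREWALL = {
    "inbound_default": "deny",
    "default_password_changed": False,
    "rules": [
        {"name": "web", "direction": "inbound", "port": 443, "action": "allow",
         "purpose": "Public website", "in_use": True},
        {"name": "mail", "direction": "inbound", "port": 25, "action": "allow",
         "purpose": "", "in_use": True},
        {"name": "old-rdp", "direction": "inbound", "port": 3389, "action": "allow",
         "purpose": "Contractor access 2021", "in_use": False},
        {"name": "dns-out", "direction": "outbound", "port": 53, "action": "allow",
         "purpose": "Resolver", "in_use": True},
    ],
}


def audit_firewall(config, approved_ports=APPROVED_INBOUND_PORTS):
    """Return findings against the Cyber Essentials firewall requirements:
    default deny inbound, changed admin password, documented allow rules,
    only approved services exposed inbound, and no unused allow rules."""
    findings = []
    if config.get("inbound_default") != "deny":
        findings.append("inbound default policy must be deny")
    if not config.get("default_password_changed", False):
        findings.append("firewall admin password is still the factory default")
    for rule in config["rules"]:
        if rule["action"] != "allow":
            continue  # deny rules need no justification
        if not rule.get("purpose"):
            findings.append(f"{rule['name']}: allow rule has no documented purpose")
        if not rule.get("in_use", True):
            findings.append(f"{rule['name']}: allow rule unused, remove it")
        if rule["direction"] == "inbound" and rule["port"] not in approved_ports:
            findings.append(
                f"{rule['name']}: inbound port {rule['port']} is not an approved service")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_FIREWALL):
        print(finding)
```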
Types of firewalls you might need
| Type | Common Use Case |
|---|---|
| Hardware firewall | Network perimeter protection |
| Software firewall | Individual device protection |
| Cloud firewall | Cloud infrastructure protection |
| Router firewall | Home/small office (often built-in) |
Control 2: Secure Configuration
Computers and network devices should be configured to reduce vulnerabilities. Default settings are typically designed for ease of use, not security.
What's required
| Requirement | Details |
|---|---|
| Remove unnecessary software | Uninstall applications that aren't needed |
| Disable unnecessary services | Turn off unused features |
| Change default passwords | Never use factory defaults |
| Disable auto-run | Prevent automatic software execution |
| Enable screen lock | Configure automatic locking |
Password requirements
| Element | Requirement |
|---|---|
| Minimum length | 8+ characters (12+ recommended) |
| Complexity | Mix of character types or passphrase |
| Default passwords | Must be changed |
| Service accounts | Unique, strong passwords |
Common areas to address
Software: Remove unused applications, disable unnecessary browser plugins, uninstall trial software, remove default sample content.
Services: Disable remote desktop if not needed, turn off file sharing if not required, disable Bluetooth if not used.
Accounts: Change all default passwords, remove guest accounts, disable built-in administrator (use named accounts), remove unused accounts.
Features: Disable auto-run for removable media, configure automatic screen lock (under 15 minutes), enable firewall on each device.
Control 3: Security Update Management
Software vulnerabilities are discovered constantly. Regular updates patch these vulnerabilities before attackers can exploit them.
What's required
| Requirement | Details |
|---|---|
| Supported software | Only use licensed, vendor-supported software |
| Patch timeline | Apply critical/high patches within 14 days |
| Automatic updates | Enable where possible |
| Update verification | Confirm updates are applied |
| End-of-life software | Remove software that's no longer supported |
The 14-day rule
Critical and high-severity vulnerabilities must be patched within 14 days of a patch being available:
| Severity | Timeline |
|---|---|
| Critical | Within 14 days (as soon as practical) |
| High | Within 14 days |
| Medium | Reasonable timeframe |
| Low | Next maintenance window |
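Tracking the 14-day rule is easier when the deadline is computed from the patch release date rather than from when the queue was last reviewed. The script below is an added example, not code from the page or from Bastion; the update-queue format and the sample entries (including the KB-EXAMPLE identifiers) are constructed for illustration.

```python
from datetime import date, timedelta

# Deadlines from the 14-day rule: critical and high must be applied within 14
# days of the patch being available. Medium and low carry no fixed day count
# in the scheme, so they are tracked but never reported as overdue here.
FIXED_DEADLINE_DAYS = {"critical": 14, "high": 14}


def patch_deadline(severity, released):
    """Return the date by which a patch must be applied, or None when the
    scheme sets no fixed day count for that severity."""
    days = FIXED_DEADLINE_DAYS.get(severity.lower())
    if days is None:
        return None
    return released + timedelta(days=days)


def overdue_patches(queue, today):
    """Return (id, days_overdue) for every uninstalled patch in ``queue``
    whose deadline has passed. Entries are dicts with ``id``, ``severity``,
    ``released`` (date) and ``installed`` (date or None)."""
    overdue = []
    for patch in queue:
        if patch.get("installed") is not None:
            continue  # already applied, nothing to chase
        deadline = patch_deadline(patch["severity"], patch["released"])
        if deadline is not None and today > deadline:
            overdue.append((patch["id"], (today - deadline).days))
    return overdue


# Constructed sample of a pending-update queue (not real advisories).
SAMPLE_QUEUE = [
    {"id": "KB-EXAMPLE-1", "severity": "Critical", "released": date(2024, 3, 1), "installed": None},
    {"id": "KB-EXAMPLE-2", "severity": "High", "released": date(2024, 3, 10), "installed": None},
    {"id": "KB-EXAMPLE-3", "severity": "Medium", "released": date(2024, 1, 5), "installed": None},
    {"id": "KB-EXAMPLE-4", "severity": "Critical", "released": date(2024, 2, 1), "installed": date(2024, 2, 9)},
]

if __name__ == "__main__":
    for patch_id, days in overdue_patches(SAMPLE_QUEUE, date(2024, 3, 20)):
        print(f"{patch_id}: {days} day(s) past the 14-day deadline")
```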
What needs to be updated
Operating systems: Windows, macOS, Linux distributions, iOS, Android, server operating systems.
Applications: Web browsers, email clients, office suites, PDF readers, media players, business applications.
Infrastructure: BIOS/UEFI firmware, router firmware, firewall firmware, network device firmware, IoT device firmware.
Control 4: User Access Control
This control ensures that only authorised individuals can access your systems and data, and that their access is limited to what they actually need.
What's required
| Requirement | Details |
|---|---|
| Unique accounts | Each user must have their own account |
| Appropriate privileges | Users only have access they need |
| Admin account limits | Separate admin and standard accounts |
| Authentication | Strong passwords or MFA |
| Account management | Process for joiners/leavers |
Key principles
Account management: Unique accounts for each user, no shared accounts, remove accounts when people leave, conduct regular access reviews.
Privilege management: Standard user accounts for daily work, separate admin accounts for admin tasks, admin accounts not used for email or browsing, least privilege principle applied.
Authentication: Strong password policy, MFA where possible (especially for admin accounts), account lockout after failed attempts, secure password recovery process.
Admin account best practices
| Practice | Rationale |
|---|---|
| Separate accounts | Limits impact if one account is compromised |
| Not for daily use | Reduces exposure to threats |
| Individual accounts | Provides accountability |
| MFA enabled | Adds an extra protection layer |
| Activity logging | Creates an audit trail |
Control 5: Malware Protection
This control focuses on preventing malicious software from infecting your systems—the final line of defence when other controls don't stop an attack.
What's required
| Requirement | Details |
|---|---|
| Anti-malware | Active protection on all devices |
| Regular updates | Malware definitions updated regularly |
| Automatic scanning | Configure automatic scans |
| Real-time protection | Enable on-access scanning |
| Coverage | All in-scope devices protected |
Acceptable protection methods
Option 1: Anti-malware software
Traditional antivirus, next-generation endpoint protection, or cloud-based scanning. This is the most common approach.
Option 2: Application whitelisting
Only approved applications can run. More restrictive but effective, with higher management overhead.
Option 3: Application sandboxing
Applications run in isolated environments, limiting damage from malware. Often combined with other methods.
Combination approach: Using multiple methods together provides defence in depth and compensates for individual weaknesses.
Configuration requirements
| Setting | Requirement |
|---|---|
| Real-time protection | Enabled |
| Automatic updates | Enabled |
| Scheduled scans | At least weekly |
| Web protection | Enabled |
| Email scanning | Enabled |
| Removable media scan | Enabled |
How the controls work together
The five controls complement each other, creating defence in depth:
External attack scenario:
- Firewall blocks unauthorised access
- If the firewall is bypassed → Secure Configuration reduces the attack surface
- If a vulnerability is targeted → Security Updates patch known vulnerabilities
- If a zero-day attack occurs → User Access Control limits what the attacker can access
- If malware is deployed → Malware Protection detects and blocks it
No single control is expected to stop every attack. The value comes from having multiple layers that each address different aspects of the threat landscape.
Implementation priorities
If you're starting from scratch, consider this order:
| Priority | Control | Rationale |
|---|---|---|
| 1 | Firewalls | First line of defence |
| 2 | Security Updates | Close known vulnerabilities |
| 3 | Secure Configuration | Reduce attack surface |
| 4 | User Access Control | Limit potential damage |
| 5 | Malware Protection | Catch what gets through |
Quick wins for each control
| Control | Quick Win |
|---|---|
| Firewalls | Enable Windows Firewall on all devices |
| Secure Config | Remove unused software |
| Updates | Enable automatic updates |
| Access Control | Create separate admin accounts |
| Malware | Enable Windows Defender or install AV |
How Bastion can help
Implementing all five controls effectively requires understanding not just what's required, but how to apply those requirements to your specific environment.
| Challenge | How We Help |
|---|---|
| Assessment | We evaluate your current control status across all five areas |
| Implementation | Our team provides technical guidance for each control, tailored to your environment |
| Documentation | We help gather evidence for certification |
| Verification | We check your controls before certification to identify any gaps |
| Ongoing management | We help maintain controls through continuous monitoring |
Working with a managed service partner means you're not implementing these controls through trial and error. We bring experience from many implementations, which translates into getting things right the first time and avoiding costly rework.
Need help implementing the five controls? Talk to our team
