Cyber Essentials is built on five technical controls. That is it. Five. If your business gets those five things right, you pass. If you get even one of them wrong, you do not.
The controls are set by the National Cyber Security Centre (NCSC) and assessed through the IASME certification scheme. They are deliberately practical and designed around the most common internet-based threats that hit UK businesses every single day. You do not need a dedicated IT team to meet them, but you do need to understand what they actually mean in your environment.
This guide walks through all five controls in plain English, explains where small businesses typically slip up, and sets out what you need to do to get each one right.
Before You Start: Know What Is in Scope
Before you look at any of the five controls, you need to work out what is actually in scope for your certification. This is where a surprising number of small businesses come unstuck before they have even started.
Scope means identifying every device, user, internet connection, and cloud service that sits within the boundary of your assessment. If you use Microsoft 365, that is in scope. If staff use their own laptops for work, those are probably in scope too. If you have a broadband router in the office, that is in scope.
Getting scope wrong means your answers to the assessment questionnaire will not match reality, and that is one of the fastest ways to fail.
Control 1: Firewalls and Routers
This control is about putting a barrier between the internet and your business systems. Think of it as the front door to your network. The aim is to make sure that only the traffic you actually need can get through, and everything else is blocked.
What This Means for Your Business
If you have a broadband router in the office, a cloud-hosted firewall, or staff working remotely through a VPN, all of those sit within this control. You need to make sure that default passwords have been changed, that remote management features are switched off unless you genuinely need them, and that your firewall rules allow no more inbound traffic than you can justify.
Many small businesses assume their broadband router handles this automatically. Sometimes it does. Often it does not, especially if nobody has reviewed the settings since the day it was plugged in.
Where Small Businesses Go Wrong
- Default passwords on routers and firewalls were never changed
- Remote administration is left enabled and exposed to the internet
- Ports are open that nobody can explain or justify
- Nobody has reviewed or documented the firewall rules
If you cannot explain what sits between the internet and your business data, this control is not under your control yet.
Control 2: Secure Configuration
Secure configuration means your computers, phones, tablets, and cloud services are set up safely from the outset. Default settings on most devices and software are designed for convenience, not security. This control asks you to tighten things up.
What This Means for Your Business
You should make sure that devices are not running with unnecessary default settings, unused accounts are removed or disabled, software you do not use is uninstalled, unnecessary services are turned off, and browser and cloud sharing settings are not left wide open.
In most small businesses, the problem is not that someone made a reckless decision. It is that devices were set up in a hurry and never properly reviewed. That laptop you bought two years ago and handed to a new starter with a five-minute setup? That is a secure configuration risk.
Where Small Businesses Go Wrong
- Old local admin accounts that nobody uses still exist on machines
- Devices still have software installed that nobody needs
- Cloud sharing settings in Microsoft 365 or Google Workspace are too permissive
- One laptop is configured well, but five others are not, and nobody noticed
The word that matters most here is consistency. One well-configured device does not help you if the rest of your estate is a mess.
Control 3: User Access Control
This control is about making sure the right people have the right level of access, and nobody has more than they need. It is one of the most important controls because poor access management makes every other control weaker.
What This Means for Your Business
Every person should have their own individual account. Shared accounts should be avoided wherever possible. Admin rights should only be given to people who genuinely need them, and even then, those people should use a separate admin account rather than running everything as an administrator day to day.
When someone leaves the business, their access needs to be removed quickly. This sounds obvious, but it is one of the most common gaps found during assessments.
Where Small Businesses Go Wrong
- Too many people have local admin rights on their machines
- Shared admin accounts still exist, sometimes with the password written on a sticky note
- Former staff accounts were never disabled or removed
- People use a single account for both everyday work and admin tasks
- Nobody has reviewed who has access to what in months, or even years
This control often feels uncomfortable because it exposes just how informal things have become. That discomfort is a sign you need to act.
Control 4: Malware Protection
Malware protection is about stopping harmful software — ransomware, trojans, infected email attachments, dodgy downloads — from running on your systems or causing damage. Cyber Essentials includes this as a core control because a huge number of attacks still start with someone clicking something they should not have.
What This Means for Your Business
You need anti-malware software on your devices, and it needs to be kept up to date. But it goes further than that. Users should not be able to freely install whatever software they like. Risky file types should be handled carefully. Email and web browsing risks should not be ignored.
The control is not just about having antivirus installed. It is about whether your environment genuinely reduces the chance of malicious software running successfully.
Where Small Businesses Go Wrong
- Endpoint protection is installed but nobody is monitoring whether it is actually working
- Users can install any software they want without restriction
- Some devices are covered and others are not
- The business assumes Windows Defender alone is enough without ever checking its configuration
- No central view of which devices are protected and which have fallen out of coverage
Malware protection only counts if it is active, managed, and applied consistently across every device in scope.
Control 5: Security Updates
Security updates, often called patching, are about fixing known vulnerabilities before an attacker can exploit them. This is usually one of the biggest risk areas for small businesses because patching sounds simple but is surprisingly easy to let slide.
What This Means for Your Business
Your operating systems need to be supported versions. Critical security patches need to be applied promptly. Business software, browsers, and plugins all need to be kept current. And you need visibility of which devices are up to date and which are falling behind.
For Cyber Essentials, you are expected to apply critical and high-risk updates within 14 days of release. If a device is running an unsupported operating system, it will fail the assessment outright.
Where Small Businesses Go Wrong
- Devices are still running unsupported versions of Windows or macOS
- Updates are applied inconsistently — some machines are current, others are months behind
- Third-party applications such as Adobe Reader, Zoom, or Chrome are ignored
- Remote or home-working devices are not being patched because they are off the office network
- Nobody owns the patching process, so it simply does not happen
If you do not know your current patch status across all devices, you do not control this risk.
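As an added illustration of the 14-day rule and the device-by-device visibility this control asks for (example code, not part of the original article), the script below runs the check over a constructed inventory. The inventory fields, device names and update identifiers are assumptions, not output from any real management tool.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DEADLINE_DAYS = 14            # Cyber Essentials: critical/high-risk updates applied within 14 days of release
TODAY = date(2026, 3, 1)      # fixed so the constructed sample gives repeatable results

@dataclass
class Update:
    ident: str                # constructed identifier, not a real vendor advisory number
    severity: str             # "critical", "high", "medium" or "low"
    released: date

@dataclass
class Device:
    name: str
    os: str
    os_supported: bool        # vendor still issues security updates for this OS version
    last_seen: date           # last check-in with your management tool (hypothetical field)
    pending: list             # updates released but not yet installed

def overdue_updates(device, today=TODAY):
    """Pending critical/high updates that have passed the 14-day window."""
    cutoff = today - timedelta(days=DEADLINE_DAYS)
    return [u for u in device.pending
            if u.severity in ("critical", "high") and u.released < cutoff]

def assess(devices, today=TODAY):
    """Map device name -> list of findings; an empty list means the device passes this control."""
    report = {}
    for d in devices:
        findings = []
        if not d.os_supported:
            findings.append(f"{d.os} is out of support: outright fail")
        for u in overdue_updates(d, today):
            age = (today - u.released).days
            findings.append(f"{u.severity} update {u.ident} outstanding {age} days (limit {DEADLINE_DAYS})")
        if (today - d.last_seen).days > DEADLINE_DAYS:
            findings.append("not seen for over 14 days: patch status unknown")
        report[d.name] = findings
    return report

# Constructed inventory, not data from any real estate.
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11", True, date(2026, 2, 28), [Update("UPD-1001", "critical", date(2026, 2, 5))]),
    Device("LAPTOP-02", "Windows 11", True, date(2026, 2, 28), [Update("UPD-1002", "high", date(2026, 2, 24))]),
    Device("LAPTOP-03", "Windows 7", False, date(2026, 2, 28), []),
    Device("MAC-01", "macOS 15", True, date(2026, 1, 20), []),
    Device("LAPTOP-04", "Windows 11", True, date(2026, 3, 1), [Update("UPD-1003", "low", date(2026, 1, 1))]),
]
```

Calling `assess(SAMPLE_DEVICES)` flags LAPTOP-01 (critical update 24 days old), LAPTOP-03 (unsupported OS) and MAC-01 (a home-working device that has not reported in, so its status is unknown), and passes the other two, including the one whose only outstanding update is low severity.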
The Five Controls Work Together
One common mistake is treating each control as a separate tick-box exercise. They are not independent. They reinforce each other, and weakness in one undermines the rest.
Poor access control makes malware protection less effective, because a compromised admin account can disable security tools. Weak secure configuration makes your firewall less useful, because internal systems are left exposed. Poor patching makes every other control easier to bypass, because known vulnerabilities give attackers a way in regardless of your other defences.
Think of the five controls as a chain. Every link needs to hold.
What Changed in 2026
The five controls themselves have not changed for 2026. They remain the same five areas they have always been. However, the IASME scheme has updated the detailed requirements, the assessment methodology, and the way questions are marked. The scheme is becoming clearer and stricter in how the controls are interpreted.
If you attempted Cyber Essentials a couple of years ago, do not assume the same answers will work this time. Use the latest guidance and scheme materials to prepare.
How to Use the Five Controls to Pass First Time
If you want to pass first time, use the five controls as a checklist before you go anywhere near the assessment questionnaire:
- Confirm your scope — know exactly which devices, users, cloud services, and internet connections are included
- Review each control honestly — check what is actually in place, not what you think is in place
- Fix the gaps first — do not answer the questionnaire and hope for the best
- Make sure your answers match reality — the assessor is checking what you actually do, not what you plan to do
- Get a second opinion — if your environment is at all complex, have someone else review your answers before you submit
Most failures happen because businesses rush to submit before they have checked the basics. A few days of preparation can save you weeks of rework.
Need Help Getting Cyber Essentials Certified?
Our managed Cyber Essentials packages take the stress out of certification. We help you understand the controls, fix the gaps, and pass first time — without needing an in-house IT team.