Cyber Essentials is a government-backed scheme that helps businesses of all sizes protect themselves from common cyber threats. The scheme sets out five technical controls companies must implement to achieve certification. These controls protect against the most common cyber attacks, such as malware, phishing, and denial-of-service attacks.
Cyber Essentials Certification Criteria
The main criteria to achieve Cyber Essentials Certification include an audit against these key controls:
- Step 1: Decide what parts of your business are in scope for Cyber Essentials. This could be everything or just certain departments or systems.
- Step 2: Read through the five technical controls and understand what each one means.
- Step 3: Take the necessary steps to implement all five controls. This may involve changing your IT infrastructure, policies, and procedures.
- Step 4: Once confident you meet all the requirements, apply for Cyber Essentials certification.
Cyber Essentials Requirements for IT Infrastructure (Updated content: April 2026 Danzell question set changes)
The Cyber Essentials requirements for IT infrastructure are organised under five technical audit and control areas. As a Cyber Essentials scheme applicant, you must ensure that your organisation meets all five Cyber Essentials requirements for IT infrastructure. You might also be required to supply evidence before your certification body can award certification at the level for which you’re applying.
The following section describes each Cyber Essentials criterion and its aim from the certification perspective.
1. Firewalls
Aim: Establish effective boundary firewalls and internet gateways to protect your network from cyber threats.
Description: Firewalls are an essential line of defence in network security. They are used to prevent unauthorised access to or from a private network.
Requirements:
The firewall must have a non-default, strong administrative password, or have remote administrative access disabled entirely.
The administrative interface must not be accessible from the internet unless protected by multi-factor authentication (MFA) or an IP allow list combined with a managed password.
Firewalls must block unauthenticated inbound connections by default. Inbound firewall rules must be approved and documented by an authorised person, and the documentation must include the business need.
2. Secure Configuration
Aim: To ensure that systems and cloud services are configured in the most secure way for the organisation’s needs.
Description: Secure configuration involves hardening your systems and applications by changing the default settings to reduce vulnerabilities.
Requirements: You must change default or guessable account passwords, remove or deactivate unnecessary user accounts, remove unused or unnecessary software, turn off auto-run features that don’t need authorisation, and authenticate users before they access sensitive data. Furthermore, for devices requiring physical presence to unlock (like a laptop or mobile phone), the authentication method must be protected against brute-force attacks by either locking the device after no more than 10 unsuccessful attempts or “throttling” the rate of attempts (allowing no more than 10 guesses in 5 minutes).
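The two brute-force protections named above (lock after 10 unsuccessful attempts, or throttle to 10 guesses in 5 minutes) can be modelled as follows. This is an added example, not part of the Cyber Essentials documentation; the class names, return strings and the rule that a locked device needs an out-of-band reset are assumptions.

```python
from collections import deque

MAX_ATTEMPTS = 10         # limit stated in the requirement
WINDOW_SECONDS = 5 * 60   # throttling window: 5 minutes

class LockoutPolicy:
    """Option 1: lock the device after no more than 10 unsuccessful attempts."""
    def __init__(self):
        self.failures = 0
        self.locked = False

    def attempt(self, correct, now=None):
        if self.locked:
            return "locked"       # assumption: only an out-of-band reset unlocks
        if correct:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        self.locked = self.failures >= MAX_ATTEMPTS
        return "denied"

class ThrottlePolicy:
    """Option 2: allow no more than 10 guesses in any 5-minute window."""
    def __init__(self):
        self.recent = deque()     # timestamps (seconds) of evaluated guesses

    def attempt(self, correct, now):
        # Drop guesses that have aged out of the sliding window.
        while self.recent and now - self.recent[0] >= WINDOW_SECONDS:
            self.recent.popleft()
        if len(self.recent) >= MAX_ATTEMPTS:
            return "throttled"    # rejected without checking the credential
        self.recent.append(now)
        return "unlocked" if correct else "denied"

def evaluated_guesses(policy, count, interval_seconds):
    """Feed `count` wrong guesses, one every `interval_seconds`, and return
    how many the policy actually evaluated (constructed test scenario)."""
    results = (policy.attempt(False, i * interval_seconds) for i in range(count))
    return sum(r == "denied" for r in results)

if __name__ == "__main__":
    print("lockout :", evaluated_guesses(LockoutPolicy(), 3600, 1))
    print("throttle:", evaluated_guesses(ThrottlePolicy(), 3600, 1))
```

Over an hour of one guess per second, the lockout policy evaluates 10 guesses in total and the throttle evaluates 10 per 5-minute window.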
3. User Access Control
Aim: To manage the creation of user accounts and administer the associated controls. Users should only be provided with access to the services deemed necessary by the business.
Description: User access control involves managing who has access to your resources and ensuring they can only access the data they need.
Requirements: User access control must require an approval process for user account creation and authenticate users with unique credentials.
You must implement multi-factor authentication (MFA) where available, and “authentication to cloud services must always use MFA”.
You must disable unnecessary user accounts, restrict the use of administrative accounts to administrative activities only, and revoke additional access when no longer required.
If you already have passwordless authentication, which can include methods like FIDO2 authenticators, biometrics, or security keys, that’s a straightforward pass.
4. Malware Protection
Aim: To ensure that virus and malware protection is installed and is up to date.
Description: Malware protection involves using software to prevent, detect, and quarantine/remove malicious software from your systems.
Requirements: You must ensure that a malware protection mechanism is active on all devices in scope. If you use anti-malware software, it must be updated in line with vendor recommendations and must prevent malware from running, prevent the execution of malicious code, and prevent connections to malicious websites over the internet. Alternatively, you can use “Application allow listing”, ensuring only approved applications restricted by code signing are allowed to execute.
5. Security Update Management
Aim: To keep your devices, software, and apps up to date to protect your systems from the latest threats.
Description: Security update management involves regularly updating and patching your systems to fix known vulnerabilities.
Requirements: Security update management helps to keep existing software up to date and reduces the business risk of security flaws. You must keep all software licensed and supported, remove unsupported software from devices, and enable automatic updates if possible. Where automatic updates are unavailable, you must update software within 14 days of release if the update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’ (or those with a CVSS v3 base score of 7 or above).
Example: A company might set their servers to automatically install security updates as soon as they are released to ensure they are always running the latest, most secure version of their software.
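The 14-day rule above can be checked against a software inventory with a short audit script. This is an added example, not part of the scheme's own material; the inventory layout, field names, software names and update ids are constructed placeholders, and items with automatic updates enabled are assumed to install fixes on release.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)           # "within 14 days of release"
CVSS_THRESHOLD = 7.0                        # CVSS v3 base score of 7 or above
URGENT_LABELS = {"critical", "high risk"}   # vendor severity wording used above

def is_urgent(update):
    label = (update.get("vendor_severity") or "").lower()
    score = update.get("cvss_v3")
    return label in URGENT_LABELS or (score is not None and score >= CVSS_THRESHOLD)

def audit_updates(inventory, today):
    """Return (software, finding) tuples for items that breach the rule."""
    findings = []
    for item in inventory:
        if not item["supported"]:
            findings.append((item["name"], "unsupported: remove from device"))
            continue
        if item["auto_update"]:
            continue  # assumption: automatic updates install fixes on release
        for update in item["pending"]:
            deadline = update["released"] + PATCH_WINDOW
            if is_urgent(update) and today > deadline:
                late = (today - deadline).days
                findings.append((item["name"], f"{update['id']} overdue by {late} days"))
    return findings

# Constructed inventory; names and update ids are placeholders.
SAMPLE_INVENTORY = [
    {"name": "example-vpn-client", "supported": True, "auto_update": False,
     "pending": [
         {"id": "UPDATE-A", "released": date(2026, 4, 1),
          "vendor_severity": "Critical", "cvss_v3": None},
         {"id": "UPDATE-B", "released": date(2026, 4, 1),
          "vendor_severity": "Low", "cvss_v3": 4.3},
         {"id": "UPDATE-C", "released": date(2026, 4, 15),
          "vendor_severity": None, "cvss_v3": 7.0},
     ]},
    {"name": "example-legacy-erp", "supported": False, "auto_update": False, "pending": []},
    {"name": "example-browser", "supported": True, "auto_update": True, "pending": []},
]

if __name__ == "__main__":
    for name, finding in audit_updates(SAMPLE_INVENTORY, today=date(2026, 4, 20)):
        print(f"{name}: {finding}")
```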
Implementing the Cyber Essentials controls can help businesses improve their security posture, and taking this implementation to Cyber Essentials Plus levels will significantly reduce their risk of cyber attack. The scheme is also a valuable marketing tool, showing customers that the business is serious about cyber security.
Latest changes: Cyber Essentials scheme from April 2026
Official NCSC Guidance on Cyber Essentials requirements for IT infrastructure (April 2026 changes)
An update is now available covering the changes to Cyber Essentials effective from April 2026. NCSC have released v3.3 of the Cyber Essentials Requirements for Infrastructure, available here:
NCSC Cyber Essentials IT Infrastructure Requirement v3.3
At a high level, the official “What’s new in this version” updates for v3.3 include:
- Definition for ‘cloud services’ provided
- Updated definition for Passwordless Authentication to include FIDO2
- Definitive statement that cloud services cannot be excluded from scope
- Software Security Code of Practice introduced in Software Development section
- Scope criteria no longer refers to ‘untrusted connections’
- Importance of backing up data is emphasised


