Cyber Essentials

The Five Cyber Essentials Controls: A Complete Overview

> series: cyber_essentials_demystified —— part: 02/10 —— controls: 5 —— defence: layered

Hedgehog Security 12 February 2026 13 min read

Five controls. One layered defence.

Cyber Essentials is built on a simple principle: the overwhelming majority of commodity cyberattacks can be prevented by implementing five fundamental technical controls consistently across your IT estate. These controls are not exotic or expensive. They represent the security equivalent of locking your doors, closing your windows, and not leaving your keys under the mat. What makes them powerful is not their individual sophistication — it is the fact that together they create layers of defence that force an attacker to overcome multiple barriers rather than just one.

This article provides an overview of all five controls. Parts 3 through 7 of this series will deep-dive into each one individually, covering the specific Danzell v3.3 requirements, practical implementation guidance, and the common pitfalls we see during assessments. If you want the full picture before diving into the detail, this is where to start.


Recommended

Getting certified doesn't have to be painful.

We handle the Cyber Essentials process end to end — from gap analysis to certification.

Start Your Certification

Firewalls — controlling your boundary.

A firewall is the gatekeeper between your network and the internet. It inspects incoming and outgoing traffic and applies rules that determine what is allowed through and what is blocked. Every device that connects to the internet must be protected by a firewall — whether that is a dedicated hardware appliance at your network boundary, a software firewall running on each device, or a cloud-based firewall service.

The Cyber Essentials requirement is not just that a firewall exists — it is that the firewall is configured correctly. Default configurations, overly permissive rules, and open management interfaces are the most common firewall-related findings we encounter during CE Plus assessments. A firewall that allows everything through is worse than no firewall at all, because it creates a false sense of protection.

What the Control Requires

Every device in scope must be protected by a correctly configured firewall. Inbound connections must be blocked by default, with only the services that are explicitly required allowed through; each permitted inbound service should have a documented business justification, and its rule should be removed as soon as it is no longer needed. Administrative interfaces must not be reachable from the internet unless there is a clear, documented need and the interface is protected by an additional control such as multi-factor authentication or a source IP allow list. Personal (host-based) firewalls on individual devices must be enabled, and end users must not be able to reconfigure or disable them.
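The default-deny and management-interface points above are easiest to see against a real ruleset. The following is an added example (not Hedgehog Security's code or tooling) that audits an nftables ruleset in the JSON form produced by `nft -j list ruleset`. The ruleset embedded in it is constructed to resemble that output rather than captured from a host, the list of "management" ports is an assumption for the example, and the script also shows the same ruleset with the problems fixed so the audit passes.

```python
"""Audit an nftables ruleset (JSON form, as from `nft -j list ruleset`) against
the Cyber Essentials firewall control.

Added example, not Hedgehog Security code. CONSTRUCTED_RULESET is made up to
resemble nft's JSON output; no real host was captured. Checks applied:
  1. every chain on the input hook must have policy drop (default-deny)
  2. a rule accepting a management port must be limited by source address
  3. no rule may accept all inbound traffic unconditionally
"""
import copy

# Ports that commonly carry an administrative interface (assumption for this example).
MANAGEMENT_PORTS = {22, 23, 443, 3389, 5900, 8080, 8443}

CONSTRUCTED_RULESET = {"nftables": [
    {"metainfo": {"version": "1.0.9", "json_schema_version": 1}},
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    # SSH open to the whole internet
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 2, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}},
        {"accept": None}]}},
    # HTTPS management limited to the internal range: acceptable
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 3, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                   "right": {"prefix": {"addr": "10.0.0.0", "len": 8}}}},
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 443}},
        {"accept": None}]}},
    # catch-all accept that makes the firewall meaningless
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 4, "expr": [{"accept": None}]}},
]}


def _payload_matches(expr):
    """Return (set of matched payload fields, set of matched destination ports) for one rule."""
    fields, dports = set(), set()
    for e in expr:
        m = e.get("match", {})
        payload = m.get("left", {}).get("payload")
        if not payload:
            continue
        fields.add(payload["field"])
        if payload["field"] == "dport":
            right = m["right"]
            if isinstance(right, int):
                dports.add(right)
            elif isinstance(right, dict) and "set" in right:      # tcp dport { 22, 443 }
                dports.update(p for p in right["set"] if isinstance(p, int))
    return fields, dports


def audit_ruleset(ruleset):
    """Return a list of findings; an empty list means the ruleset passes these checks."""
    objs = ruleset["nftables"]
    findings, input_chains = [], set()
    for o in objs:
        chain = o.get("chain")
        if chain and chain.get("hook") == "input":
            input_chains.add((chain["table"], chain["name"]))
            if chain.get("policy") != "drop":
                findings.append(f"chain {chain['table']}/{chain['name']}: "
                                f"policy is '{chain.get('policy')}', expected 'drop'")
    for o in objs:
        rule = o.get("rule")
        if not rule or (rule["table"], rule["chain"]) not in input_chains:
            continue
        if not any("accept" in e for e in rule["expr"]):
            continue                                   # drop/reject/log rules are fine
        fields, dports = _payload_matches(rule["expr"])
        exposed = sorted(dports & MANAGEMENT_PORTS)
        if not fields:
            findings.append(f"rule handle {rule['handle']}: accepts all inbound traffic unconditionally")
        elif exposed and "saddr" not in fields:
            findings.append(f"rule handle {rule['handle']}: management port(s) {exposed} open to any source")
    return findings


def hardened_copy(ruleset):
    """The same ruleset with the three problems fixed, for comparison."""
    fixed = copy.deepcopy(ruleset)
    objs = [o for o in fixed["nftables"] if o.get("rule", {}).get("handle") != 4]   # remove the catch-all
    for o in objs:
        if "chain" in o and o["chain"].get("hook") == "input":
            o["chain"]["policy"] = "drop"
        if o.get("rule", {}).get("handle") == 2:       # limit SSH to the internal range
            o["rule"]["expr"].insert(0, {"match": {"op": "==",
                "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                "right": {"prefix": {"addr": "10.0.0.0", "len": 8}}}})
    fixed["nftables"] = objs
    return fixed


if __name__ == "__main__":
    for finding in audit_ruleset(CONSTRUCTED_RULESET):
        print("FAIL:", finding)
    print("hardened ruleset findings:", audit_ruleset(hardened_copy(CONSTRUCTED_RULESET)))
```

On a live host you would replace the constructed dictionary with `json.load` over the output of `nft -j list ruleset`. The source-address check is deliberately strict: a management port accepted without any `saddr` match is reported even if the chain's policy is already `drop`, because that is exactly the "open management interface" finding the article describes.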


Secure Configuration — reducing the attack surface.

Every computer, server, phone, router, and cloud service comes with a default configuration designed for ease of setup — not security. Default passwords, unnecessary user accounts, pre-installed software, enabled services you do not use, and sample configurations all create opportunities for attackers. Secure configuration is the process of stripping away everything that is not needed and hardening everything that remains.

This control requires you to change default passwords on all devices and services, remove or disable unnecessary user accounts (including default administrator and guest accounts), remove unnecessary software, and disable unnecessary services and features. The principle is simple: if you do not need it, remove it. Everything that remains is one fewer entry point for an attacker.

What the Control Requires

All default or guessable passwords must be changed before deployment. Unnecessary software must be removed. Unnecessary accounts, including guest accounts and default administrator accounts, must be disabled or removed. Devices must lock automatically after a period of inactivity and require a PIN, password or biometric to unlock. Only the network services and features that are actually required may be enabled; anything else should be disabled or removed.


Security Update Management — closing known vulnerabilities.

Virtually every piece of software contains vulnerabilities. When a vulnerability is discovered, the vendor releases a security update (patch) to fix it. Between the moment a patch is released and the moment you apply it, your systems are exposed to attacks that exploit a weakness which is now public knowledge and frequently already being exploited. The security update management control requires you to keep all in-scope software up to date, and under the Danzell question set the timelines are now enforced with automatic-failure consequences.

This is the control that has changed most significantly under Danzell. Two new questions — A6.4 and A6.5 — now carry automatic-failure status. A6.4 requires that all high-risk and critical updates for operating systems, router firmware, and firewall firmware are installed within 14 days of release. A6.5 requires the same for applications, including associated files and browser extensions. For the purposes of the scheme, an update counts as high-risk or critical when the vendor rates it as such, when the vulnerability it fixes has a CVSS v3 base score of 7.0 or above, or when the vendor provides no severity information at all. Failure to meet either requirement means automatic assessment failure, regardless of how well you perform across all other controls.

What the Control Requires

All software must be licensed and supported — unsupported (end-of-life) software must be removed from scope. High-risk and critical security updates must be applied within 14 days of release (auto-fail under Danzell). Automatic updates should be enabled where possible. A documented process for managing updates must exist, particularly for larger organisations that cannot rely on automatic updates alone.
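The 14-day window is simple to state but easy to lose track of across an estate, so here is an added example (not Hedgehog Security's code and not IASME's assessment tooling) that sorts a software inventory into the buckets an assessor would look at: overdue high-risk updates, high-risk updates still inside the window, unsupported software, and lower-severity updates with no fixed deadline. The inventory is constructed, the device names and dates are made up, and the severity rule encodes the scheme's definition as described in this article: vendor-rated critical or high, CVSS v3 base score 7.0 or above, or no vendor severity information.

```python
"""Check a software inventory against the 14-day security-update window
(questions A6.4 and A6.5 as described above).

Added example, not Hedgehog Security code and not the IASME assessment tooling.
CONSTRUCTED_INVENTORY is made up. 'High-risk or critical' follows the scheme's
definition: vendor-rated critical/high, CVSS v3 base score 7.0 or above, or no
severity information supplied by the vendor.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

UPDATE_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0
ARTICLE_DATE = date(2026, 2, 12)   # the date used as "today" in the example below


@dataclass(frozen=True)
class Item:
    device: str
    software: str
    supported: bool               # False = end-of-life, no vendor security updates
    patch_released: date | None   # release date of the outstanding update; None if fully patched
    severity: str | None          # vendor rating ("critical", "high", "moderate", ...)
    cvss: float | None            # CVSS v3 base score of the worst vulnerability the update fixes


def is_high_risk(item: Item) -> bool:
    """Apply the scheme's three-part definition of a high-risk/critical update."""
    if item.severity is None and item.cvss is None:
        return True                                   # vendor gave no detail: treat as high-risk
    if item.severity and item.severity.lower() in ("critical", "high"):
        return True
    return item.cvss is not None and item.cvss >= CVSS_THRESHOLD


def assess(inventory: list[Item], today: date) -> dict[str, list[str]]:
    """Sort the inventory into overdue / due / unsupported / lower_priority buckets."""
    out = {"overdue": [], "due": [], "unsupported": [], "lower_priority": []}
    for it in inventory:
        label = f"{it.device}: {it.software}"
        if not it.supported:
            out["unsupported"].append(f"{label} is end-of-life and must be removed from scope")
            continue
        if it.patch_released is None:
            continue                                  # nothing outstanding
        if not is_high_risk(it):
            out["lower_priority"].append(f"{label} has a lower-severity update outstanding "
                                         "(no fixed deadline, but apply it)")
            continue
        deadline = it.patch_released + UPDATE_WINDOW
        remaining = (deadline - today).days
        if remaining < 0:
            out["overdue"].append(f"{label} high-risk update is {-remaining} day(s) past "
                                  "the 14-day window (auto-fail)")
        else:
            out["due"].append(f"{label} high-risk update must be installed within "
                              f"{remaining} day(s) (by {deadline})")
    return out


# Constructed inventory; "today" is the article's publication date.
CONSTRUCTED_INVENTORY = [
    Item("LAPTOP-01", "Windows 11 cumulative update", True, date(2026, 1, 13), "Critical", 8.8),
    Item("EDGE-FW", "Router firmware", True, date(2026, 2, 3), None, 7.5),
    Item("LAPTOP-02", "Browser extension", True, date(2026, 2, 1), "Moderate", 5.3),
    Item("SRV-01", "Windows Server 2012 R2", False, None, None, None),
    Item("LAPTOP-03", "Office suite", True, None, None, None),
]

if __name__ == "__main__":
    for bucket, lines in assess(CONSTRUCTED_INVENTORY, ARTICLE_DATE).items():
        for line in lines:
            print(f"[{bucket}] {line}")
```

Feed it the output of whatever inventory tool you already run (RMM export, `winget upgrade`, a package-manager listing) and the "overdue" bucket is the list you would have to explain to an assessor. Note that the clock starts at the vendor's release date, not the date your update tool first saw the patch.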


User Access Control — limiting who can do what.

User access control ensures that only authorised individuals can access your systems and data, and that they have only the minimum level of access required for their role. It also addresses authentication — how users prove their identity — which under Danzell now includes mandatory multi-factor authentication for all cloud services where MFA is available.

This is the second control with automatic-failure implications under Danzell. If any cloud service used by your organisation offers MFA — whether free, bundled, paid, or available through a connected identity provider — and you have not enabled it for all users, the assessment fails automatically. IASME maintains a list of cloud services and their MFA capability, though it is not exhaustive and the responsibility to verify lies with the applicant.

What the Control Requires

Each user must have their own unique account; shared accounts are not permitted. Administrative accounts must be used only for administrative tasks, not day-to-day work such as email or web browsing. Administrative privileges must be granted only to those who require them, and removed when no longer needed. MFA must be enabled on all cloud services where it is available (auto-fail under Danzell). Password-based authentication must meet the scheme's minimum length and brute-force protection requirements (a minimum length, throttling or lockout, and a deny list of common passwords; the scheme does not ask for character-complexity rules), or passwordless authentication (such as FIDO2/passkeys) may be used instead.
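An added example (not Hedgehog Security's or IASME's code) that turns the requirements above into checks over a cloud-service account export. The services and accounts are constructed; the service names, usernames and the `owners` field are made up for the illustration. The MFA check is the automatic-fail one. The password-length rule is my reading of the current requirements for password-based authentication: at least 8 characters where MFA or an automatic deny list of common passwords is in place, otherwise at least 12. It also treats MFA as "enforced" on a service only when every account on that service has it, which is why an MFA gap can surface as a password-policy finding too.

```python
"""Audit cloud-service accounts against the user access control requirements.

Added example, not Hedgehog Security or IASME code. CONSTRUCTED_SERVICES and
CONSTRUCTED_ACCOUNTS are made up. Flags:
  1. an account on a service that offers MFA but does not have it enabled (auto-fail)
  2. a credential shared by more than one person
  3. an administrative account used for day-to-day work
  4. a password policy shorter than the scheme allows for that configuration
The length rule (8 with MFA or a deny list, otherwise 12) is my reading of the
current requirements, stated as an assumption of this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    mfa_available: bool       # check with the vendor; the IASME list is a starting point, not the last word
    min_password_length: int  # length the service's password policy enforces
    deny_list: bool           # service automatically rejects common passwords


@dataclass(frozen=True)
class Account:
    service: str
    username: str
    owners: tuple[str, ...]   # people who know the credential
    mfa_enabled: bool
    is_admin: bool
    used_for_daily_work: bool # e.g. email or browsing happens under this account


def required_password_length(mfa_enforced: bool, deny_list: bool) -> int:
    """Minimum length accepted for password-based authentication (assumption, see above)."""
    return 8 if (mfa_enforced or deny_list) else 12


def audit_accounts(services: list[Service], accounts: list[Account]) -> dict[str, list[str]]:
    out = {"auto_fail": [], "findings": []}
    by_name = {s.name: s for s in services}
    for a in accounts:
        svc = by_name[a.service]
        tag = f"{a.service}/{a.username}"
        if svc.mfa_available and not a.mfa_enabled:
            out["auto_fail"].append(f"{tag}: service offers MFA but it is not enabled")
        if len(a.owners) != 1:
            out["findings"].append(f"{tag}: shared by {len(a.owners)} people; each user needs their own account")
        if a.is_admin and a.used_for_daily_work:
            out["findings"].append(f"{tag}: administrative account used for day-to-day work")
    for svc in services:
        # MFA only counts as enforced when every account on the service has it
        on_service = [a for a in accounts if a.service == svc.name]
        mfa_enforced = svc.mfa_available and all(a.mfa_enabled for a in on_service)
        need = required_password_length(mfa_enforced, svc.deny_list)
        if svc.min_password_length < need:
            out["findings"].append(f"{svc.name}: minimum password length {svc.min_password_length} "
                                   f"is below the {need} required for its configuration")
    return out


CONSTRUCTED_SERVICES = [
    Service("m365", mfa_available=True, min_password_length=8, deny_list=False),
    Service("legacy-crm", mfa_available=False, min_password_length=8, deny_list=False),
    Service("hr-portal", mfa_available=True, min_password_length=12, deny_list=True),
]
CONSTRUCTED_ACCOUNTS = [
    Account("m365", "alice", ("alice",), True, False, True),
    Account("m365", "it-admin", ("bob", "carol"), False, True, True),   # shared, no MFA, admin doing daily work
    Account("legacy-crm", "sales", ("dave",), False, False, False),      # no MFA offered: password rules must compensate
    Account("hr-portal", "erin", ("erin",), True, False, False),
]

if __name__ == "__main__":
    for bucket, lines in audit_accounts(CONSTRUCTED_SERVICES, CONSTRUCTED_ACCOUNTS).items():
        for line in lines:
            print(f"[{bucket}] {line}")
```

The `mfa_available` flag is the field to be careful with: as the article notes, the IASME list is not exhaustive, so populate it from the vendor's own documentation for each service rather than from the list alone.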


Malware Protection — preventing malicious software.

Malware — malicious software including viruses, ransomware, spyware, and trojans — is one of the most common threats to UK businesses. The malware protection control requires you to implement at least one of three approaches: anti-malware software, application whitelisting (allowing only approved software to run), or sandboxing (running applications in an isolated environment). For most organisations, anti-malware software is the primary mechanism.

The control also covers preventing users from installing unauthorised software — a common vector for malware delivery — and ensuring that anti-malware tools are configured to scan files automatically on access, scan web pages during browsing, and update their signatures regularly. For organisations using SOC in a Box, the 24/7 monitoring and EmilyAI triage layer provide an additional detection capability above and beyond endpoint anti-malware.

What the Control Requires

Anti-malware software must be installed and active on all in-scope devices (or an alternative approach such as application whitelisting must be in place). Anti-malware must be configured to scan files automatically when accessed, scan web pages during browsing, prevent connections to malicious websites, and update signatures at least daily. Users should be prevented from running unauthorised applications.


Why five controls are stronger than one.

No single control is sufficient on its own. A firewall that blocks unauthorised traffic can be bypassed by a phishing email that delivers malware through an authorised channel. Anti-malware software that detects known threats can be evaded by a novel attack that exploits an unpatched vulnerability. Strong access controls cannot prevent a compromise if the password was harvested from a system running unsupported software with default credentials.

The five controls work together because each one addresses a different stage of a typical attack. The firewall limits external access. Secure configuration removes easy entry points. Patching closes known vulnerabilities before they can be exploited. Access control ensures that even if an attacker gets in, their access is limited. And malware protection catches the payloads that make it through the other layers. An attacker must overcome all five barriers — and that dramatically increases the cost and difficulty of a successful compromise.


Deep dive into Control 1.

Starting next week, we begin our deep-dive series on each control individually. Part 3 covers firewalls — the first line of defence and the control that defines your network boundary. We will cover what the Danzell requirements specifically demand, the most common configuration mistakes we find during CE Plus assessments, and practical steps to ensure your firewalls meet the standard.


Hedgehog Security — IASME-approved certification body.

We guide organisations through both Cyber Essentials and Cyber Essentials Plus certification. Our Concierge service (/cyber-essentials/concierge) handles the entire process — from gap analysis through remediation to certification — with minimal disruption to your day. For continuous protection beyond certification, SOC in a Box (https://www.socinabox.co.uk) provides 24/7 monitoring with Cyber Essentials support built in.
