Cyber Essentials Compliance

Cyber Essentials is the UK government-backed cybersecurity certification scheme designed to protect organizations against the most common cyber attacks. Unlike more extensive frameworks, it's deliberately focused — five technical controls that address the attack vectors responsible for most successful breaches.
For UK organizations, Cyber Essentials certification is required for government contracts involving sensitive information or the provision of certain technical products and services. For all organizations, it represents a practical, achievable baseline that addresses real-world threats without requiring a comprehensive security program rebuild.
The five Cyber Essentials controls, operationally
1. Firewalls
Boundary firewalls and internet gateways must be configured to block unauthorized inbound connections. For cloud services and remote working, this extends to software firewalls on devices. The requirement is for default-deny inbound rules, with documented exceptions for necessary services.
Operationally: Firewall configuration must be assessed and documented. Default-deny rules must be in place. Exceptions must be reviewed and authorized.
Quick Take: If you cannot clearly explain why a port is open, it probably should not be. Most real-world breaches happen through forgotten open access, not sophisticated attacks.
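The firewall control comes down to two checks an assessor will make: is there a default-deny inbound rule, and does every inbound allow rule have a documented exception? The script below is an added example, not code from the page or from the Saner Platform; it reviews a constructed, illustrative rule export (the Rule fields and the sample rules are assumptions, not a real firewall format) and reports anything that fails either check.

```python
"""Review an inbound firewall rule set against the Cyber Essentials firewall control."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    name: str
    direction: str               # "in" or "out"
    action: str                  # "allow" or "deny"
    port: Optional[int]          # None means any port
    proto: str                   # "tcp", "udp" or "any"
    justification: str = ""      # documented exception; empty means undocumented


# Constructed sample rule set for illustration (not a real export).
SAMPLE_RULES = [
    Rule("web-https", "in", "allow", 443, "tcp", "Public web service, change CR-1042"),
    Rule("legacy-ftp", "in", "allow", 21, "tcp"),   # nobody recorded why this is open
    Rule("rdp-mgmt", "in", "allow", 3389, "tcp", "Remote management from admin VPN only"),
    Rule("default-in", "in", "deny", None, "any", "Default deny inbound"),
]


def has_default_deny_inbound(rules: List[Rule]) -> bool:
    """True when the last inbound rule denies any port, i.e. default-deny is in place."""
    inbound = [r for r in rules if r.direction == "in"]
    return bool(inbound) and inbound[-1].action == "deny" and inbound[-1].port is None


def undocumented_inbound_allows(rules: List[Rule]) -> List[str]:
    """Names of inbound allow rules with no documented exception."""
    return [
        r.name
        for r in rules
        if r.direction == "in" and r.action == "allow" and not r.justification.strip()
    ]


def review_inbound_rules(rules: List[Rule]) -> List[str]:
    """Human-readable findings; an empty list means the rule set passes both checks."""
    findings = []
    if not has_default_deny_inbound(rules):
        findings.append("no default-deny inbound rule (or it is not the last inbound rule)")
    for name in undocumented_inbound_allows(rules):
        findings.append(f"inbound allow '{name}' has no documented exception")
    return findings


if __name__ == "__main__":
    for finding in review_inbound_rules(SAMPLE_RULES):
        print("FINDING:", finding)
```

Feeding a real rule export into this means writing a loader for your firewall's format; the review logic itself only needs direction, action, port and the exception record.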
2. Secure Configuration
Systems must be configured securely — removing or disabling unnecessary software, services, and features; changing default passwords; and ensuring that only necessary software is installed and running.
Operationally: Secure configuration assessment must cover all in-scope devices. Default credentials must be identified and changed. Unnecessary services must be disabled. This requires both a configuration baseline and continuous assessment against it.
Quick Take: Every extra service running on a system is a potential entry point. If a system’s purpose is clear, its configuration should be minimal. Simplicity is often the strongest form of security.
3. Security Update Management
Software on all in-scope devices must be kept up to date. Licensed software must be kept supported — vendors must still be providing security patches. Patches rated 'critical' or 'high' must be applied within 14 days of release.
Operationally: This is a direct patch management requirement with a specific SLA. Organizations must be able to demonstrate that critical and high-severity patches are deployed within 14 days across all in-scope devices — including third-party applications, not just operating systems.
Quick Take: Attackers do not break systems, they exploit delays. The gap between a patch being released and being applied is one of the most predictable risk windows in security.
4. User Access Control
User accounts must have limited privileges: standard users should not have administrative privileges unless specifically required. Administrative accounts must not be used for day-to-day activities. Remote management interfaces must be protected.
Operationally: Privilege inventories must identify accounts with administrative access. Justification for elevated privileges must be documented. Standard user accounts must be the operational norm.
Quick Take: Do not ask “who has access?” Ask “who still needs access today?” Access that made sense months ago is often the risk you overlook today.
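A privilege inventory is only useful if it is actually reviewed against the three questions above: is the admin privilege justified, is it still in use, and is the admin account also being used for day-to-day work? The script below is an added example, not code from the page or the Saner Platform. The account fields, the constructed sample accounts, the 90-day staleness threshold and the use of a mailbox as a proxy for day-to-day use are all assumptions made for the illustration.

```python
"""Review a privilege inventory for the Cyber Essentials user access control."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

STALE_DAYS = 90   # assumed review threshold; Cyber Essentials does not fix a number


@dataclass
class Account:
    name: str
    is_admin: bool
    justification: str             # documented reason for elevated privileges
    last_admin_use: Optional[date] # last time the admin privilege was exercised
    has_mailbox: bool              # proxy for day-to-day use (mail, browsing)


# Constructed sample inventory; AS_OF is the constructed review date.
AS_OF = date(2024, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("adm-jsmith", True, "Tier-1 admin, ticket ACC-17", date(2024, 3, 28), False),
    Account("jdoe", True, "", date(2024, 3, 30), True),            # undocumented, daily-use
    Account("adm-old", True, "Migration project", date(2023, 11, 1), False),  # stale
    Account("asmith", False, "", date(2024, 3, 31), True),         # standard user
]


def admin_count(accounts: List[Account]) -> int:
    """Number of accounts holding admin privileges (the privilege-trend data point)."""
    return sum(1 for a in accounts if a.is_admin)


def review_admin_accounts(accounts: List[Account], as_of: date,
                          stale_days: int = STALE_DAYS) -> List[Tuple[str, str]]:
    """(account, issue) pairs for every admin account that fails a review question."""
    findings = []
    for a in accounts:
        if not a.is_admin:
            continue   # standard users are the norm; nothing to justify
        if not a.justification.strip():
            findings.append((a.name, "no documented justification for admin privileges"))
        if a.last_admin_use is None:
            findings.append((a.name, "admin privileges never used"))
        else:
            idle = (as_of - a.last_admin_use).days
            if idle > stale_days:
                findings.append((a.name, f"admin privileges unused for {idle} days"))
        if a.has_mailbox:
            findings.append((a.name, "admin account also used for day-to-day activity (mailbox)"))
    return findings


if __name__ == "__main__":
    print("admin accounts:", admin_count(SAMPLE_ACCOUNTS))
    for name, issue in review_admin_accounts(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{name}: {issue}")
```

Run the review on each inventory snapshot and keep the admin_count result per snapshot; the series is the privilege trend the metrics section asks for.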
5. Malware Protection
All in-scope devices must be protected against malware. This can be achieved through anti-malware software, application allowlisting, or sandbox-based analysis. The control requires that the protection mechanism is actively managed and current.
Operationally: Endpoint protection deployment must be current, active, and covering all in-scope devices. Coverage gaps must be identified and addressed.
Quick Take: It is easy to assume you are protected because a tool is deployed. The real question is whether every device is actually covered, updated, and reporting as expected. That visibility is what makes protection reliable.
Cyber Essentials Plus
Cyber Essentials Plus includes all five Cyber Essentials controls plus an independent technical assessment — vulnerability scanning, configuration sampling, and simulated phishing — conducted by a certification body. The Plus certification provides greater assurance because control implementation is independently verified rather than self-assessed.
Organizations pursuing Cyber Essentials Plus should ensure that their vulnerability management and configuration assessment data reflects accurate current state — because the independent assessment will verify what the self-assessment claims.
Where Cyber Essentials programs commonly fall short
• The 14-day patch requirement for third-party apps is missed. OS patches often meet the 14-day window. Third-party applications — browsers, productivity tools, plugins — frequently do not. This is one of the most common assessment findings.
• Scope definition is incomplete. All devices that can access organizational data or services are in scope. Cloud services accessed from corporate devices, personal devices used for work, and home routers for remote workers may all be in scope and are frequently excluded from assessments.
• Configuration assessment is point-in-time. Configurations assessed as compliant during the certification assessment may drift before the next annual review. Organizations that don't continuously monitor configuration state are depending on luck between certifications.
• Unsupported software is under-identified. The requirement to use only supported software is frequently under-assessed. Legacy applications, end-of-life frameworks, and outdated plugins create compliance gaps that continuous software inventory monitoring would surface.
How Saner Platform supports Cyber Essentials compliance
Saner Platform supports Cyber Essentials compliance by going beyond visibility to enable prioritized, actionable security. It continuously identifies exploitable exposures and guides remediation, helping organizations reduce attack surface, improve remediation timelines, and manage risk effectively across in-scope devices.
AI-driven risk prioritization ensures that remediation efforts are focused on the most critical issues first, based on exploitability and business impact. This helps organizations address high-risk vulnerabilities within required timelines and maintain a consistent, compliant security posture.
Secure configuration assessment
Endpoint and server configurations are continuously assessed against Cyber Essentials-applicable secure configuration requirements, with detection of deviations and tracking of remediation. This ensures systems remain aligned with secure baselines, reduces configuration drift, and eliminates unnecessary services and insecure settings over time.
14-day patch SLA management
Critical and high-severity patches are tracked against the 14-day deployment requirement, with SLA miss alerts and compliance reporting that demonstrates adherence across in-scope devices. This enables organizations to consistently meet patch timelines and reduce exposure to known vulnerabilities.
Third-party application patch coverage
Operating system and third-party application patches are managed within the same workflow, addressing the common gap where third-party applications are often overlooked. This ensures complete patch coverage across the environment and reduces risk from widely exploited applications.
Unsupported software detection
End-of-life and unsupported applications are identified across in-scope devices, surfacing software currency gaps early. This allows organizations to proactively replace or upgrade unsupported software before it becomes a compliance issue or security risk.
Asset inventory for scope management
A current and accurate inventory of in-scope devices supports precise scope definition and provides the foundation for all five Cyber Essentials control assessments. This ensures no asset is missed and all controls are applied consistently across the environment.

Cyber Essentials compliance metrics to track
Patch SLA breach rate
Percentage of critical and high-severity patches that miss the 14-day deadline, highlighting gaps in patch execution.
Mean time to remediate (MTTR) by severity
Measures how quickly vulnerabilities are resolved, providing insight into remediation efficiency beyond compliance.
Configuration drift frequency
Tracks how often systems deviate from secure baselines, indicating how well configurations are maintained over time.
Exposure window duration
Time between vulnerability disclosure and remediation, reflecting how long systems remain at risk.
Remediation backlog size and aging
Number of unresolved issues and how long they remain open, helping identify operational bottlenecks.
Privilege escalation trend
Tracks increases in administrative privileges over time, helping detect access control risks early.
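The patch-related metrics above (SLA breach rate, MTTR by severity, exposure window, backlog aging) and the 14-day requirement from the Security Update Management control all fall out of one record per patch: severity, release date and applied date. The script below is an added example, not code from the page or the Saner Platform; the PatchRecord fields, the sample records and the "as of" date are constructed for the illustration. It treats a patch applied on day 14 as within the window and counts a still-open critical/high patch as a breach once it is older than 14 days.

```python
"""Compute Cyber Essentials patch-management metrics from a list of patch records."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

SLA_DAYS = 14                          # Cyber Essentials window for critical/high patches
SLA_SEVERITIES = {"critical", "high"}  # severities the 14-day SLA applies to


@dataclass
class PatchRecord:
    patch_id: str
    severity: str                   # critical / high / medium / low
    released: date                  # vendor release (disclosure) date
    applied: Optional[date] = None  # None while the patch is still open


# Constructed sample data (not real patches); AS_OF is the constructed reporting date.
AS_OF = date(2024, 3, 31)
SAMPLE = [
    PatchRecord("P-1", "critical", date(2024, 3, 1), date(2024, 3, 10)),   # 9 days, in SLA
    PatchRecord("P-2", "high", date(2024, 3, 1), date(2024, 3, 20)),       # 19 days, breach
    PatchRecord("P-3", "high", date(2024, 3, 5)),                          # open 26 days, breach
    PatchRecord("P-4", "medium", date(2024, 3, 1), date(2024, 3, 25)),     # not in SLA scope
    PatchRecord("P-5", "critical", date(2024, 3, 25)),                     # open 6 days, not yet
]


def exposure_days(rec: PatchRecord, as_of: date) -> int:
    """Exposure window: release to remediation, or to as_of while still open."""
    end = rec.applied or as_of
    return (end - rec.released).days


def sla_breaches(records: List[PatchRecord], as_of: date, sla_days: int = SLA_DAYS) -> List[str]:
    """IDs of critical/high patches applied late or still open past the window (SLA-miss alerts)."""
    return [
        r.patch_id
        for r in records
        if r.severity in SLA_SEVERITIES and exposure_days(r, as_of) > sla_days
    ]


def patch_sla_breach_rate(records: List[PatchRecord], as_of: date, sla_days: int = SLA_DAYS) -> float:
    """Percentage of in-scope (critical/high) patches that missed the window."""
    in_scope = [r for r in records if r.severity in SLA_SEVERITIES]
    if not in_scope:
        return 0.0
    return 100.0 * len(sla_breaches(in_scope, as_of, sla_days)) / len(in_scope)


def mttr_by_severity(records: List[PatchRecord]) -> Dict[str, float]:
    """Mean days from release to applied, per severity, over remediated patches only."""
    buckets: Dict[str, List[int]] = {}
    for r in records:
        if r.applied is not None:
            buckets.setdefault(r.severity, []).append((r.applied - r.released).days)
    return {sev: mean(days) for sev, days in buckets.items()}


def backlog_aging(records: List[PatchRecord], as_of: date) -> List[Tuple[str, int]]:
    """Open patches with their age in days, oldest first."""
    open_items = [(r.patch_id, exposure_days(r, as_of)) for r in records if r.applied is None]
    return sorted(open_items, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("SLA breach rate (%):", patch_sla_breach_rate(SAMPLE, AS_OF))
    print("SLA misses:", sla_breaches(SAMPLE, AS_OF))
    print("MTTR by severity:", mttr_by_severity(SAMPLE))
    print("Backlog (id, age):", backlog_aging(SAMPLE, AS_OF))
```

Because open patches count against the SLA as soon as they pass 14 days, the breach rate cannot be made to look good by simply never closing tickets; that is the behaviour an assessor expects the reporting to have.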
Achieve and maintain Cyber Essentials certification — continuously, not just at assessment time
Patch management, configuration assessment, software inventory, and endpoint coverage for all five controls.
