Lesson 1.2 — The five controls

This lesson introduces each of the five Cyber Essentials technical control areas in plain language — what each one protects against, what it requires, and why it matters.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • describe each of the five Cyber Essentials controls
  • explain what each one is designed to prevent
  • identify at least one practical example of what each control looks like in a real organisation.

Why This Matters

Learners need a working mental model of the five controls before they begin the detailed assessment sections.

The Core Rule

Cyber Essentials is built around five controls: firewalls, secure configuration, user access control, malware protection and security update management.

Firewalls control what can connect to your systems. Secure configuration means your devices and software are set up safely, not relying on defaults. User access control means people only have the access they need, with strong authentication for sensitive accounts. Malware protection means your devices are protected against malicious software. Security update management means you keep software up to date and fix known weaknesses quickly.

Control 1 — Firewalls

A firewall is a system that controls what network traffic is allowed in and out of a network or device.

Think of it as a gate. The gate has rules about who can enter and who can leave. Without rules, or with poorly configured rules, attackers can reach internal systems directly from the internet.

Control 2 — Secure configuration

Secure configuration is about making sure that devices and systems are set up securely before they are used — and that they are kept secure over time.

When a device, operating system or application is first installed, it often comes with default settings that are designed for ease of use, not security. Those defaults may include generic usernames, well-known passwords, unnecessary services that run in the background, open ports, or features that most users do not need but that an attacker could exploit.

Control 3 — User access control

User access control is about making sure that the right people have the right access to the right systems — and no more than that.

Every account is a potential entry point for an attacker. An account with more access than it needs creates more risk than an account with limited access. An account that is no longer used but still exists is a door left open.

Copy This

Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.

Quick Checklist

Before moving on, make sure you can answer each of these:

  • [ ] What is the purpose of a boundary firewall in Cyber Essentials?
  • [ ] What does "secure configuration" mean in the context of Cyber Essentials?
  • [ ] Within how many days must high-risk and critical security updates be applied under Cyber Essentials?
  • [ ] Which of the following is an approved malware protection method under Cyber Essentials?
  • [ ] What does "least privilege" mean in user access control?

Your Action

Do this now — it takes 10–20 minutes.

For each of the five controls, write one sentence about where your organisation currently stands — strong, weak, or unknown. Add it to the notes page of your evidence document.

Key Takeaway

The detailed lessons for each control will explain exactly what you need to check and document.

Your Workbook Activity

Complete: Five controls overview and initial gap flags

Next Lesson

In the next lesson: Why certification matters