Applying Cyber Essentials: How to Implement the Key Controls

In the final piece in our practical cyber defences for businesses, we offer practical guidance on implementing the scheme’s five key controls. As a reminder, Cyber Essentials is an accessible cyber security certification scheme that gives a framework of essential cyber security best practices that businesses can (and should!) apply. These best practices are organised into five key controls, which if implemented and verified, will make your business eligible for certification.  

Applying The Key Controls in Your Business

Every business is different, so the specific tools and approaches that they take to meet the requirements of the five key controls will vary. This said, the criterion for meeting the requirements is clear and involves three main ingredients: people, processes and technology.  

For example, to ensure that all devices are securely configured, there will need to be someone responsible for reviewing and configuring new users, devices and software to meet the standards, technological tools such as Microsoft 365 or a mobile device management solution can be used to manage secure configurations, while a process ensures that the requirements under this control are actioned and reviewed regularly.  

Now we will delve into each of the key controls, their requirements, and outline the key steps that you can take to begin implementing each of them. For the self-assessment process, ensure to document all these key steps to verify that each key control has been actioned in your business.  

Implementing The Secure Configuration Key Control

The objective of the secure configuration control is to reduce vulnerabilities that arise from default configurations on devices, firewalls, software and servers, mitigating any risks that your business may be exposed to as a result. It also entails making sure applications and devices are setup in a way that enables them to perform their roles, without needlessly keeping vulnerabilities open.  

For example, a software may be included with a device as standard, but if it is not going to be used, it should be removed from the device. Likewise for users, if user accounts are not active, these should be removed to prevent another entry point from being used to gain access to your systems and data.  

Your organisation will be required to:

  • Remove and disable unnecessary user accounts (such as guest accounts and administrative accounts that won't be used).
  • Change any default or guessable account passwords to ones that are more complex and secure.
  • Remove or disable unnecessary software (including applications, system utilities, and network services).  
  • Disable any auto-run feature that allows file execution without user authorisation (such as when they are downloaded from the internet).  
  • Authenticate users before allowing internet-based access to commercially or personally sensitive data, or data that is critical to the running of the organisation.

To start meeting these requirements, your business can:

  1. Create an inventory: document the devices, software (including firewalls) and users across your IT environment.
  1. Implement secure configurations across the inventory: such as enforcing a robust password policy for users, changing any default passwords, enforcing multi-factor authentication for applications and disabling any unnecessary features on them, including automatic features that open files.  
  1. Conduct regular audits and make secure configuration a Standard Operating Process: Create a process for surveying your inventory and ensuring that secure configurations are implemented, including for new devices, users and applications.  

Implementing the Boundary Firewalls and Internet Gateway Key Control

An internet gateway as the name implies, is like a gate that enables traffic to flow between your organisational network and the wider internet, while a firewall is rather like a security guard at this gate that regulates what devices and information can enter and exit your network.  

The objective of this key control is to ensure that only safe and essential digital services can be accessed via the internet, such as websites and web-based applications. To regulate and monitor network traffic between organisational devices and these online services, a secure network firewall solution will need to be implemented to keep flows of network traffic secure.  

For all devices and firewalls, your organisation will be required to:

  • Change any default administrative password to one that is difficult to guess. Alternatively, you can disable remote login access entirely from any application, excepting the firewall provider’s own web-based management system.  
  • Prevent access to the firewall’s admin interface (used to manage firewall configuration) from the internet; for example via a typical home router or a public Wi-Fi device, unless there is a clear and documented business need and the interface is protected by one of the following controls: 1) a second authentication factor, such as a one-time token; or 2) an IP whitelist that limits access to a small range of trusted IP (device) addresses. These two controls help to ensure your Firewall configuration cannot be tampered with by unauthorised actors.  
  • Block unauthenticated inbound connections by default
  • Ensure that the firewall’s inbound traffic rules are approved and documented by an authorised individual, with the business need for these rules being included in the documentation
  • Remove or disable permissive firewall rules promptly, whenever they are no longer needed
  • Ensure the use of firewall software on devices that are being used on untrusted networks, such as public Wi-Fi hotspots.

To start meeting these requirements, your business can:

  1. Map your network: use a network scanning tool to identify the devices connected to your network and their details, access points (WiFi devices) that are being used to access your network; this will help you to deploy a firewall that recognises authorised devices.  
  1. Choose and implement a firewall solution: Find a solution that meets your needs and requirements, for example if your employees work remotely or travel, a solution with VPN capabilities may be ideal for ensuring secure connectivity.  
  1. Configure your firewall to meet the requirements: Implement the requirements for this key control with your solution of choice, allow only necessary inbound and outbound traffic from devices, implement default-deny policies for devices that are not explicitly permitted to enter your network.  
  1. Update regularly: Ensure your firewalls are up to date with the latest firmware and security updates and that these updates are applied promptly.  

Secure Your Business with Our Cyber Gap Assessment Service

Unsure of the integrity of your cyber security posture? Want to secure your business and get Cyber Essentials ready at the same time? Our Cyber Gap Assessment service provides an in-depth audit of your IT environment, giving clear guidance on your vulnerabilities and actionable insights to address them. We will also provide an affordable, accessible and actionable plan that is tailored to your business, enabling you to secure your digital premises, without breaking the bank. Ready to get truly cyber secure? Get in touch with us today for a free consultation.

Implementing the Access Controls Key Control

Access controls determine which users can access certain files, applications and features within your IT environment’s devices and applications. In a nutshell, access should be given on a ‘need to know’ basis, which minimises risks. For example, if a user account is compromised, the wider risk to your business is limited by the degree of access that the user account has.  

The objective of this key control is to ensure that user accounts are accessible to authorised individuals only, and that these accounts only provide access to devices, networks and applications that are needed for that user to conduct their work.  

Your organisation will be required to:

  • Create and maintain a user account creation and access approval process
  • Authenticate users before granting access to applications and devices, using their unique credentials
  • Remove or disable user accounts when they are no longer required (e.g when a user leaves the organisation or after a defined period of account inactivity).
  • Implement two-factor authentication, wherever it is available.
  • Use dedicated administrative accounts (e.g to perform administrative activities only, with non-essential functionality - such as email or web browsing – disabled to avoid exposing these accounts to avoidable risks.
  • Remove or disable special access privileges when they are no longer required, such as when a member of your team changes their role or leaves your organisation.

To start meeting these requirements, your business can:

  1. Map your users and data: To align user access permissions with data and settings on a ‘need to know’ basis, begin by clarifying your users’ roles, and the data and settings that they have access to.  
  1. Reconfigure access permissions and administrative privileges: Determine which applications, systems and features within each of these, that your users should have access to base on their roles and reconfigure their access permissions and administrative privileges accordingly.  
  1. Regularly review your access controls and activity: Enshrine regular reviews to ensure that users are accessing data and features that are needed for their role. You can also use monitoring tools such as a SIEM (Security Information & Event Management) software to review and monitor potential suspicious access activity by user accounts.

Implementing the Malware Key Control

Malware is a type of software that is used for malicious purposes by cyber criminals with the aim of destroying, accessing or preventing access to your data and systems. The objective of the malware key control is to mitigate, as much as possible, the potential for malware and untrusted software to cause damage and access sensitive data.  

Your organisation will be required to:

  • Implement anti-malware software on all devices and ensure that it is updated daily (this can be configured to happen automatically), configured to automatically scan files and web pages whenever they are accessed, and prevent access to unsafe websites, unless there is a clear, purposeful and documented need to do so.  
  • Create and maintain a whitelist of approved applications for users to download and use. These are applications that are organisationally approved and formally documented.  
  • If you use or intend to use any code or data of an unknown origin (such as an app that has been downloaded from an unapproved or unofficial source), it will need to be ran in a sandbox, an isolated environment from the rest of your network’s data and devices.  

To start meeting these requirements, your business can:

  1. Install and configure antivirus software on all devices: Install a trusted antivirus solution across your organisation and configure it to update daily and to automatically scan files and websites.  
  1. Create a whitelist of approved applications: Create a document that formalises the applications that are allowed to be used in your organisation and keep it updated.  
  1. (If needed) Create sandboxed environments for unofficial applications and code: for non-technical teams, it is possible to implement sandboxes via software and cloud-based services, but for peace of mind, it may be best to get the help of an IT support provider to do this.  

Implementing the Patch Management Key Control

Patch management entails ensuring that new security patches are applied to devices and applications in a timely and prompt manner. Patches ensure that the latest security updates are protecting your business from emergent cyber threats. The objective of this key control is  

The objective of this key control is to ensure that devices and software are not vulnerable to known security issues where there are fixe available for them. Here are the requirements:  

Your organisation will be required to:

  • Ensure that all software in use is licensed and remains supported by vendor patches.  
  • Ensure that all unsupported software must be removed from devices.  
  • Apply software updates and patches within 14 days of them being released, wherever the patch fixes a vulnerability that the vendor describes as ‘critical’ or ‘high risk’.  

To start meeting these requirements, your business can:

  1. Create an inventory of supported devices and applications: This ensures that your business will be able to track and apply updates to devices and applications in use in the business. Ensure that all devices and applications are still being supported by vendors.  
  1. Regularly check for patches to apply: This can be done via a patch management tool or via subscribing to receive updates from updates for example.  
  1. Ensure critical or ‘high risk’ patches are applied within 14 days of their release: To help ensure this requirement is met, you can automate the patching process as much as possible. For example, the settings within specific applications can be updated to automatically apply updates when they are released.  


By applying each of these key controls, you’ll bolster the security of your digital premises while aligning your business to get certified under the Cyber Essentials scheme, enabling you to tap into the benefits for your business. By gaining oversight over your IT environment, taking steps to meet each of the requirements, and implementing processes to maintain them, you can get on a fast-track to a more cyber secure business, one that demonstrates a steadfast commitment to cyber security to clients and partners alike.  

Delivering Digital Excellence to Liverpool and Merseyside’s Businesses

Since 1988, our commitment has always been to empower Liverpool and the greater Merseyside region through the transformative power of technology. Over the years, we've expanded to become a premier provider of IT support, telecommunications, and cutting-edge workplace solutions in Liverpool. Our primary goal is to ensure the security, productivity, and connectivity of businesses throughout Liverpool.

While we excel in the realm of technology, our true strength lies in fostering relationships with people. We take pride in offering a personal touch and dedicated account management services, all designed to provide you with dependable support. Discover the limitless possibilities for your Liverpool-based business today by reaching out to us; we're here to assist you every step of the way.

Other blog posts