UK Cyber Essentials

United Kingdom

6 domains

42 controls

NCSC Cyber Essentials + Cyber Essentials Plus. UK government-backed cybersecurity certification.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (6)

Firewalls

7 controls

Controls in the Firewalls domain of UK Cyber Essentials — 7 controls
Code	Title	Description
CE-FW.1	Boundary Firewalls Deployed	Every device in scope must be protected by a correctly configured firewall (or network device with firewall functionalit...
CE-FW.2	Change Default Firewall Passwords	Change all default administrative passwords on boundary firewalls to a non-guessable password, or disable remote admin a...
CE-FW.3	Block Unauthenticated Inbound Connections	Prevent access to firewall administrative interface from the internet unless protected by MFA or IP allowlist limited to...
CE-FW.4	Approve and Document Inbound Rules	Every inbound firewall rule that permits traffic must be approved and documented by an authorised individual with docume...
CE-FW.5	Remove or Disable Unused Rules	Remove or disable permissive firewall rules promptly when no longer required to limit attack surface.
CE-FW.6	Host-Based Firewall for Remote Workers	Where devices are used on untrusted networks (home, public Wi-Fi), the host-based software firewall must be enabled and...
CE-PLUS.2	External Vulnerability Scan of Internet IPs	An external (unauthenticated) vulnerability scan of all internet-facing IP addresses in scope. Any high or critical CVE...

Malware Protection

8 controls

Controls in the Malware Protection domain of UK Cyber Essentials — 8 controls
Code	Title	Description
CE-MP.1	Anti-Malware Software Deployed	Implement anti-malware on all in-scope devices: anti-malware software (signature/heuristic), application allowlisting, o...
CE-MP.2	Anti-Malware Signatures Updated	Where anti-malware software is used, it must be kept up to date with the latest signatures and engine updates.
CE-MP.3	Anti-Malware Scans Files on Access and Web Pages	Anti-malware software must scan files automatically on access, scan web pages when accessed, and prevent connections to...
CE-MP.4	Application Allowlisting (Alternative)	Where allowlisting is used instead of AV, only approved applications (signed or hash-listed) can execute. List must be a...
CE-MP.5	Mobile App Source Restriction	Mobile devices must only install applications from trusted, vendor-approved app stores. Sideloading and developer mode m...
CE-PLUS.3	Malware Protection Test - EICAR via Email	Assessor tests that mail filtering blocks malicious file attachments using EICAR or simulated malware sample sent to a r...
CE-PLUS.4	Malware Protection Test - Web Download	Assessor tests that the device or web filter blocks malicious files when downloaded via browser from a controlled test U...
CE-PLUS.5	Removable Media Malware Test	Where removable media is permitted, assessor tests that introducing EICAR or sample malware via USB is blocked or detect...

Scope

4 controls

Controls in the Scope domain of UK Cyber Essentials — 4 controls
Code	Title	Description
CE-PLUS.8	Sample Size and Representativeness	CE Plus assessor selects a sample of devices covering each OS, build, location and role. Sample size follows IASME guida...
CE-SCOPE.1	Scope Definition	Define the scope of certification covering all end user devices, servers, networks, cloud services, and remote workers....
CE-SCOPE.2	Cloud Services in Scope	All cloud services (IaaS, PaaS, SaaS) used by the organisation must be in scope and the applicant retains responsibility...
CE-SCOPE.3	BYOD and Home Working	User-owned devices accessing organisational data or services are in scope. Home routers provided by ISP are out of scope...

Secure Configuration

9 controls

Controls in the Secure Configuration domain of UK Cyber Essentials — 9 controls
Code	Title	Description
CE-PLUS.1	Authenticated Vulnerability Scan of Sample Devices	An authenticated vulnerability scan is performed by the assessor on a representative sample of in-scope EUDs and servers...
CE-SC.1	Remove or Disable Unused Software	Remove or disable unnecessary user accounts, software, and services on devices to reduce the attack surface.
CE-SC.2	Change Default Passwords on Devices and Software	Change any default passwords on devices and software before deployment, or remove the account if not needed.
CE-SC.3	Disable Auto-Run Features	Disable auto-run or auto-play features that automatically execute code without user authorisation on removable media or...
CE-SC.4	Authenticate Users Before Access	Authenticate users with a unique credential before granting access to applications and devices. Auto-logon must be disab...
CE-SC.5	Password-Based Authentication Quality	Where passwords are the only factor, protect against brute force by lockout (max 10 attempts in 5 min), throttling, or b...
CE-SC.6	Multi-Factor Authentication for Cloud Services	MFA must be applied to all administrative accounts on cloud services and to all user accounts on cloud services where su...
CE-SC.7	Educate Users on Strong Passwords	Educate users to avoid common, predictable, or compromised passwords and on the importance of unique passwords per accou...
CE-SC.8	Process for Compromised Passwords	Have a process to change passwords promptly when the user knows or suspects the password or account has been compromised...

Security Update Management

5 controls

Controls in the Security Update Management domain of UK Cyber Essentials — 5 controls
Code	Title	Description
CE-SU.1	Software Licensed and Supported	All software on in-scope devices must be licensed and supported by the vendor (i.e. receiving security updates). Unsuppo...
CE-SU.2	Automatic Updates Enabled Where Possible	Automatic updates must be enabled on devices and software where the option exists, to ensure security updates are applie...
CE-SU.3	Critical and High Updates within 14 Days	All high or critical security updates (CVSS 7.0+ or vendor critical/high rating) must be applied within 14 days of relea...
CE-SU.4	Remove Out-of-Support Software	Remove software that is no longer receiving security updates from in-scope devices, or fully segregate it from the rest...
CE-SU.5	Firmware Updates	Firmware on routers, firewalls and other in-scope network devices must be kept current. Firmware is treated as software...

User Access Control

9 controls

Controls in the User Access Control domain of UK Cyber Essentials — 9 controls
Code	Title	Description
CE-AC.1	User Account Approval Process	Have a documented user account creation and approval process. All accounts must be approved by an authorised individual...
CE-AC.2	Authenticate Users Before Granting Access	Authenticate users with a unique account and password (or other credential) before granting access to applications or de...
CE-AC.3	Remove or Disable Accounts When No Longer Required	Remove or disable user accounts when they are no longer required (leaver, role change, extended leave) within a defined...
CE-AC.4	Privileged Account Approval and Tracking	Implement an approval process and keep track of privileged (administrative) accounts. The granting of privileges must be...
CE-AC.5	Separate Admin Accounts for Administrative Activities	Use separate accounts to perform administrative activities only. Admin accounts must not be used for routine activities...
CE-AC.6	Periodic Review of Privileged Access	Review user accounts with special access privileges on a regular basis and remove or downgrade where no longer needed.
CE-AC.7	MFA for Administrative Accounts	Multi-factor authentication must be enabled for all administrative accounts on cloud services and where technically feas...
CE-PLUS.6	Account Separation Verification	Assessor verifies on sample devices that standard user accounts cannot install software or perform administrative tasks...
CE-PLUS.7	MFA Verification on Cloud Services	Assessor verifies that MFA is enforced for all admin accounts and all users on cloud services by inspecting policy and a...

Frequently Asked Questions

What is UK Cyber Essentials?

UK Cyber Essentials is a compliance framework from United Kingdom with 6 domains and 42 controls. NCSC Cyber Essentials + Cyber Essentials Plus. UK government-backed cybersecurity certification. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does UK Cyber Essentials have?

UK Cyber Essentials has 42 controls organised across 6 domains. The largest domains are Secure Configuration (9 controls), User Access Control (9 controls), Malware Protection (8 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does UK Cyber Essentials map to?

UK Cyber Essentials does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with UK Cyber Essentials compliance?

Start your UK Cyber Essentials compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about UK Cyber Essentials requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 42 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required