← All frameworks
UK UK · 8 Policy & Process · UK

Cyber Essentials

Cyber Essentials

Willow (2025)

5 controls · 1 domain
Start assessment in platform →

About this framework

Cyber Essentials is a UK government-backed scheme covering five basic technical controls that stop most common attacks. It's a self-assessed certification designed to be achievable for organisations of any size.

Who needs this

For UK organisations wanting a recognised baseline, often required to bid for government contracts.

Cross-framework coverage

Controls in Cyber Essentials also cover:

CJIS 6 shared
ADHICS 6 shared
CIS Controls 6 shared
NCA ECC-2 6 shared

See how Cyber Essentials connects to the rest → the Security Universe

Control domains

technical · Five Technical Controls 5
CE.1
Firewalls
Boundary firewalls and internet gateways configured to control inbound and outbound network traffic; default-deny, no unnecessary open ports, admin interfaces not exposed to the internet.
CJISADHICSCIS ControlsCyber Essentials PlusNCA CCCNCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1Qatar NIAUAE IAISO 27001
CE.2
Secure Configuration
Devices and software configured to reduce inherent vulnerabilities: remove or disable unused accounts and software, change default passwords, and apply hardened settings.
CJISADHICSCIS ControlsCyber Essentials PlusDORAGDPR (EU)HIPAA Security RuleISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CE.3
Security Update Management
Operating systems and applications kept in support and patched; high/critical updates applied within 14 days; auto-update enabled where possible.
CJISADHICSCIS ControlsCyber Essentials PlusDORAISO 27001NCA CCCNCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1Qatar NIASAMA CSFUAE IA
CE.4
User Access Control
Accounts provisioned least-privilege, unique per user, administrative privileges controlled and separated; access removed promptly when no longer required; MFA on cloud/admin where available.
CJISADHICSCIS ControlsCyber Essentials PlusGDPR (EU)HIPAA Security RuleISO 27001NCA ECC-2NCA OTCCNIS2NIST CSFPCI DSS 4.0.1PDPLData-protection rulesPDPPLPDPL – Federal Decree-Law 45/2021Qatar NIASAMA CSFUAE IAUK GDPR
CE.5
Malware Protection
Anti-malware, application allow-listing, or sandboxing in place and kept up to date to prevent execution of malicious code.
CJISADHICSCIS ControlsCyber Essentials PlusISO 27001NCA CCCNCA ECC-2NCA OTCCNIST CSFPCI DSS 4.0.1Qatar NIAUAE IA

Ready to assess against Cyber Essentials?

Start free trial →