Five technical controls, a self-assessment questionnaire, and a certification body.
The five controls
- Firewalls. Every device has a properly configured firewall.
- Secure configuration. Default passwords removed.
- User access control. Admin rights rare and reviewed; documented leaver process.
- Malware protection. Antivirus / EDR on every device.
- Patch management. Security updates within 14 days.
Typical 4-week run
- Week 1. Download IASME questionnaire. Identify gaps.
- Week 2. Fix easy ones (MFA, remove local admin).
- Week 3. Harder ones (patching schedule, EDR, leaver process).
- Week 4. Complete and submit.
Cyber Essentials vs Cyber Essentials Plus
- CE: self-assessed.
- CE Plus: external technical check. Often required for government contracts.
Common stumbling blocks
- BYOD. Personal phones used for work email count.
- Old hardware.
- Local admin rights.
- Patching evidence.