The 5 Cyber Essentials Technical Controls
Note: This guide covers Cyber Essentials and Cyber Essentials Plus as of June 2025 (Montpellier framework, effective January 2022). Requirements are updated periodically — always check IASME (the NCSC-authorised body) for current requirements.
| Control | Requirement | ClickMasters Standard Implementation |
|---|---|---|
| 1. Firewalls | Boundary firewalls configured to block inbound connections not explicitly required. Application-level filtering enabled. | AWS Security Groups: default deny all inbound. Only ports 443 (HTTPS) and 22 (SSH from bastion only) open. No unrestricted 0.0.0.0/0 inbound rules. |
| 2. Secure Configuration | Default passwords changed, unnecessary accounts disabled, auto-run disabled, host-based firewall enabled. | All EC2 instances hardened: no default passwords, SSH key authentication only, UFW host firewall configured. AMI (Amazon Machine Image) hardening applied. |
| 3. User Access Control | Admin access restricted to those who need it. Multi-factor authentication for all admin accounts. Unique accounts per user. | AWS IAM: least privilege policy, MFA enforced for all IAM users. No shared accounts. Admin-level access requires MFA. Application RBAC with role-based permissions per user. |
| 4. Malware Protection | Anti-malware or application control on devices that access organisational data. Automatic updates enabled. | Server-side: no general-purpose software execution on production servers. Dependency scanning (Dependabot) — automated CVE detection. AWS Inspector for AMI vulnerability scanning. |
| 5. Security Update Management | High-risk vulnerabilities patched within 14 days. Unsupported software removed. | Dependabot: automated PRs for dependency vulnerabilities. AWS Systems Manager Patch Manager: OS patches within 14 days. Supported software only — no EOL dependencies permitted. |
Cyber Essentials vs Cyber Essentials Plus
| Aspect | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment method | Self-assessment (questionnaire verified by certifier) | Independent technical audit (external assessor) |
| Evidence required | Written responses | Technical evidence + penetration testing elements |
| Duration | 1–3 days (self-assessment) | 1–2 weeks (external audit) |
| Cost | £300–£500 | £1,500–£5,000 |
| Required for | UK Government contracts (all values), NHS DTAC (basic) | NHS DTAC Domain 3 (preferred), MoD contracts, high-assurance clients |
| ClickMasters support | Documentation provided as standard | Commissioning and evidence preparation support |
Cyber Essentials for Software Development Companies
ClickMasters Cyber Essentials support: All projects are delivered with Cyber Essentials-aligned architecture by default. ClickMasters provides a Cyber Essentials technical evidence pack covering the 5 controls implementation within the software system we build. Clients use this as evidence in their own Cyber Essentials application.