What Does Cyber Essentials Cover? The 5 Technical Controls Explained
A clear, direct answer to this question — written for UK business owners and IT decision-makers.
Direct Answer
Cyber Essentials covers five technical controls: firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management. Together these controls prevent the majority of common internet-borne attacks. They do not cover physical security, social engineering, or advanced threats — which is why Cyber Essentials is a baseline, not a complete security programme.
Key Points
What you need to know.
The Short Answer
55,995 Cyber Essentials certificates were awarded in 2025; 42,288 at CE level and 13,707 at CE Plus.
For UK Businesses
Only 3% of all UK businesses are Cyber Essentials certified — rising to 21% among large businesses.
Cost Considerations
Only 12% of businesses are aware of the Cyber Essentials scheme (51% among large businesses).
Next Steps
Organisations with Cyber Essentials are 92% less likely to make a claim on their cyber insurance.
Frequently Asked Questions
The patch management control requires that high-risk and critical security patches are applied within 14 days of release across all in-scope devices and software. Unsupported software that no longer receives patches must be removed or isolated. This control alone addresses a significant proportion of common vulnerabilities exploited by attackers. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025), and patching failures are equally common assessment stumbling blocks.
Yes. Since the 2023 scheme update, multi-factor authentication is required for all cloud services and administrator accounts within scope. The access control requirement also mandates least-privilege principles, separate admin accounts, and removal of unnecessary user permissions. These controls directly reduce the risk of credential-based attacks, which accounted for 22% of breaches globally (Verizon DBIR 2025).
All devices that access your organisational data or services are in scope — including laptops, desktops, tablets, phones, servers, firewalls, and cloud-hosted services such as Microsoft 365. Home routers used by remote workers are also within scope if they connect to business systems. Cyber Essentials certified organisations are 92% less likely to claim on cyber insurance (IASME), making the effort to scope all devices correctly worthwhile.