Part one set the ground: three frameworks nested into one spine, a whole-organisation scope, a named owner, and an honest budget. This part goes into the engine room.

Cyber Essentials is five technical controls. That is the whole of it. Everything else — Cyber Essentials Plus, and a good chunk of ISO 27001's technological Annex A — is either proof of these five or governance around them. Get them genuinely right and you have shut the door on the great majority of attacks that hit firms your size. Get them nearly right and you fail the assessment, because under the Danzell question set several of them are now automatic fails.

So this is the least glamorous instalment, and the one that does most of the work. I will take each control in turn: what it asks, what Danzell now demands, the mistake that catches unprepared firms, and where it maps onto ISO 27001 so you document once and satisfy both.

Control one — firewalls

The requirement is that every device is behind a correctly configured firewall, at the boundary and on the device itself.

At the boundary, that means the thing between your office and the internet is doing its job: default administrator passwords changed, no management interface exposed to the internet, and nothing accepting inbound connections unless there is a documented business need. The single most common failure I see is the smallest: the ISP-supplied router, still on its factory admin password, treated as a firewall it was never configured to be.

On the device, every machine that leaves the building — every laptop a home or hybrid worker uses — needs its own software firewall enabled, because the office boundary protects it only when it is in the office. For a firm your size, most staff are on the untrusted internet half the week, so the host firewall is not a nicety.

Danzell note: router and firewall firmware now falls under the 14-day patching rule (more on that below), so the boundary device is not "set and forget" any more — its firmware is in scope and testable.

Maps to ISO 27001: A.8.20 (network security), A.8.21 (security of network services) and A.8.22 (segregation of networks). Write down your network boundary, your firewall rules and your justification for any open port, and you have the evidence ISO wants.

Control two — secure configuration

The requirement is that devices and services are set up to reduce their attack surface — not left in their default, everything-switched-on state.

Vendors ship for convenience, not security. Secure configuration is the discipline of undoing that: removing software you do not use, disabling accounts and features you do not need, and never leaving a default password in place anywhere — on a PC, a printer, a NAS, a phone system, or a cloud console.

Danzell note: the user-access section now actively promotes passwordless authentication — passkeys — as preferable to passwords. You do not have to go passwordless to pass, but the scheme is signalling the direction of travel, and for cloud services that support passkeys it is worth adopting now rather than later.

Maps to ISO 27001: A.8.9 (configuration management), one of the eleven controls added in the 2022 revision. ISO wants a defined "hardened build" — a documented standard configuration you apply to new devices and check devices against. Write that build standard down once and every new laptop is compliant by default.

Control three — security update management

The requirement is that you keep everything patched and supported, and this is the control that fails the most firms under Danzell, because two of its questions are now hard automatic fails.

Miss either, on any in-scope device, and the assessment fails. "We were going to do it next month" is no longer an answer, and the Cyber Essentials Plus test (next week's subject) checks this on real machines rather than taking your word for it.

There is a second half to this control that quietly ends more certifications than late patching: unsupported software is not allowed in scope. Anything the vendor no longer provides security updates for — an old operating system, an end-of-life application, a router the manufacturer has abandoned — either comes out of service or is genuinely segregated with evidence. For a lot of small firms in 2026 that means the machines still limping along on an out-of-support Windows build have to be dealt with before certification, not after.

Maps to ISO 27001: A.8.8 (management of technical vulnerabilities). The 14-day rule is the sharp, testable edge of the broader ISO requirement to identify, assess and remediate vulnerabilities on a schedule with clear ownership. Document your patching process and cadence and you satisfy both at once.

Control four — user access control

The requirement is that people have their own accounts, with the least access they need to do their job, and that administrative power is tightly held. This is where the other big Danzell automatic fail lives.

Beyond MFA, the control is about disciplined identity:

Maps to ISO 27001: a whole cluster — A.5.15 (access control), A.5.16 (identity management), A.5.17 (authentication information), A.5.18 (access rights), plus A.8.2 (privileged access rights) and A.8.5 (secure authentication). The joiners-movers-leavers routine is exactly the evidence ISO auditors ask for. Build the process for Cyber Essentials and you have built it for ISO.

Control five — malware protection

The requirement is that in-scope devices are protected against malware by one of a small number of approved mechanisms, kept up to date.

For most firms your size this means anti-malware software, and the built-in option — Microsoft Defender on Windows — is perfectly acceptable and already there. The requirement is that it is enabled, updating, and set to scan. The alternative approach, application allow-listing (only approved software may run), is stronger but heavier to manage; most small firms sensibly take the anti-malware route.

Danzell note: the requirements document moved its backup guidance earlier, to stress recovery. Backups are not formally one of the five controls, but the scheme is nudging hard, and for good reason — malware protection keeps most things out, and a tested backup is what saves you from the thing that gets through. Treat a working, tested, offline-or-immutable backup as part of this control even though the assessment does not score it directly.

Maps to ISO 27001: A.8.7 (protection against malware) directly, and the backup nudge maps to A.8.13 (information backup) and A.8.16 (monitoring activities). We will build the backup and recovery side out properly in part four.

The pattern underneath the five

Step back and the five controls are one idea in five places: know what you have, reduce it to what you need, keep it current, control who can touch it, and watch for the bad thing. That is also, more or less, the spine of ISO 27001's technological controls, which is why doing Cyber Essentials well is not a detour from ISO — it is the first third of it.

A note on order of work, because sequence saves money. Do the inventory first (you cannot patch or protect what you have not listed). Then user access control and MFA, because it is the highest-impact change and often the cheapest. Then patching and the retirement of unsupported kit, which is where the real spend is. Firewalls and secure configuration slot in alongside. Malware protection is usually the smallest lift, because you already own it.

Get these five genuinely — not nearly — right, and you are ready for the part most firms dread: the independent test that checks whether your self-assessment was telling the truth. That is Cyber Essentials Plus, and next to it we start building the management system that holds all of this together. Part three.