Part one set the ground: three frameworks nested into one spine, a whole-organisation scope, a named owner, and an honest budget. This part goes into the engine room.
Cyber Essentials is five technical controls. That is the whole of it. Everything else — Cyber Essentials Plus, and a good chunk of ISO 27001's technological Annex A — is either proof of these five or governance around them. Get them genuinely right and you have shut the door on the great majority of attacks that hit firms your size. Get them nearly right and you fail the assessment, because under the Danzell question set several of them are now automatic fails.
So this is the least glamorous instalment, and the one that does most of the work. I will take each control in turn: what it asks, what Danzell now demands, the mistake that catches unprepared firms, and where it maps onto ISO 27001 so you document once and satisfy both.
Control one — firewalls
The requirement is that every device is behind a correctly configured firewall, at the boundary and on the device itself.
At the boundary, that means the thing between your office and the internet is doing its job: default administrator passwords changed, no management interface exposed to the internet, and nothing accepting inbound connections unless there is a documented business need. The single most common failure I see is the smallest: the ISP-supplied router, still on its factory admin password, treated as a firewall it was never configured to be.
On the device, every machine that leaves the building — every laptop a home or hybrid worker uses — needs its own software firewall enabled, because the office boundary protects it only when it is in the office. For a firm your size, most staff are on the untrusted internet half the week, so the host firewall is not a nicety.
- Change the router or firewall admin password to something unique, and turn off remote management unless you genuinely need it and have locked it down.
- Enable the host firewall on every laptop and desktop — the built-in Windows and macOS firewalls are fine.
- Justify every open port. If nothing needs to accept inbound connections from the internet, nothing should.
Danzell note: router and firewall firmware now falls under the 14-day patching rule (more on that below), so the boundary device is not "set and forget" any more — its firmware is in scope and testable.
Maps to ISO 27001: A.8.20 (network security), A.8.21 (security of network services) and A.8.22 (segregation of networks). Write down your network boundary, your firewall rules and your justification for any open port, and you have the evidence ISO wants.
Control two — secure configuration
The requirement is that devices and services are set up to reduce their attack surface — not left in their default, everything-switched-on state.
Vendors ship for convenience, not security. Secure configuration is the discipline of undoing that: removing software you do not use, disabling accounts and features you do not need, and never leaving a default password in place anywhere — on a PC, a printer, a NAS, a phone system, or a cloud console.
- Remove or disable unnecessary software and accounts on every device. The default guest account, the trial software, the services nothing uses — all attack surface you are not using.
- Change every default credential. Printers and network kit are the usual offenders; a printer on
admin/adminis a foothold. - Lock devices when idle and require authentication to unlock. Set a sensible auto-lock.
- Disable auto-run so plugging in a USB stick does not execute whatever is on it.
Danzell note: the user-access section now actively promotes passwordless authentication — passkeys — as preferable to passwords. You do not have to go passwordless to pass, but the scheme is signalling the direction of travel, and for cloud services that support passkeys it is worth adopting now rather than later.
Maps to ISO 27001: A.8.9 (configuration management), one of the eleven controls added in the 2022 revision. ISO wants a defined "hardened build" — a documented standard configuration you apply to new devices and check devices against. Write that build standard down once and every new laptop is compliant by default.
Control three — security update management
The requirement is that you keep everything patched and supported, and this is the control that fails the most firms under Danzell, because two of its questions are now hard automatic fails.
- Question A6.4: critical and high-risk updates to operating systems, routers and firewall firmware must be installed within 14 days of release.
- Question A6.5: critical and high-risk updates to applications — including browser extensions — must be installed within the same 14 days.
Miss either, on any in-scope device, and the assessment fails. "We were going to do it next month" is no longer an answer, and the Cyber Essentials Plus test (next week's subject) checks this on real machines rather than taking your word for it.
There is a second half to this control that quietly ends more certifications than late patching: unsupported software is not allowed in scope. Anything the vendor no longer provides security updates for — an old operating system, an end-of-life application, a router the manufacturer has abandoned — either comes out of service or is genuinely segregated with evidence. For a lot of small firms in 2026 that means the machines still limping along on an out-of-support Windows build have to be dealt with before certification, not after.
- Turn on automatic updates wherever you can, and have a way to confirm they actually applied — not just that they were offered.
- Inventory software versions, including browser extensions, and know what is approaching end of life.
- Retire or replace unsupported kit before assessment. This is often the biggest single line in the remediation budget.
Maps to ISO 27001: A.8.8 (management of technical vulnerabilities). The 14-day rule is the sharp, testable edge of the broader ISO requirement to identify, assess and remediate vulnerabilities on a schedule with clear ownership. Document your patching process and cadence and you satisfy both at once.
Control four — user access control
The requirement is that people have their own accounts, with the least access they need to do their job, and that administrative power is tightly held. This is where the other big Danzell automatic fail lives.
- Multi-factor authentication is now mandatory on every cloud service that supports it, for every user. If the service offers MFA — free, bundled or paid — and you have not enabled it for all users, you fail, full stop. Since Microsoft 365 supports MFA on every tier, there is no route to certification for an M365 business that does not turn it on for everyone. This single change catches more unprepared firms than any other.
Beyond MFA, the control is about disciplined identity:
- A unique account per person. No shared logins, no "the reception PC everyone uses." Shared accounts destroy accountability and fail the control.
- Least privilege. People get access to what their role needs and no more. Standard users are not local administrators on their laptops — a setting that, on its own, blunts a large share of malware.
- Separate administrator accounts. Anyone who needs admin rights has a distinct admin account, used only for admin tasks, never for reading email or browsing the web.
- A joiners, movers and leavers process. Accounts are created on a defined basis, changed when roles change, and — the one everybody forgets — disabled promptly when someone leaves. The dormant account of a person who left eighteen months ago is a classic way in.
Maps to ISO 27001: a whole cluster — A.5.15 (access control), A.5.16 (identity management), A.5.17 (authentication information), A.5.18 (access rights), plus A.8.2 (privileged access rights) and A.8.5 (secure authentication). The joiners-movers-leavers routine is exactly the evidence ISO auditors ask for. Build the process for Cyber Essentials and you have built it for ISO.
Control five — malware protection
The requirement is that in-scope devices are protected against malware by one of a small number of approved mechanisms, kept up to date.
For most firms your size this means anti-malware software, and the built-in option — Microsoft Defender on Windows — is perfectly acceptable and already there. The requirement is that it is enabled, updating, and set to scan. The alternative approach, application allow-listing (only approved software may run), is stronger but heavier to manage; most small firms sensibly take the anti-malware route.
- Enable and update anti-malware on every in-scope device, including the laptops that leave the office. Defender counts; you do not need to buy a third-party product to pass.
- Do not disable it for convenience. The exclusion someone added to stop a line-of-business app being flagged is the gap an attacker uses.
- Cover mobile devices that access organisational data, in line with how they are managed.
Danzell note: the requirements document moved its backup guidance earlier, to stress recovery. Backups are not formally one of the five controls, but the scheme is nudging hard, and for good reason — malware protection keeps most things out, and a tested backup is what saves you from the thing that gets through. Treat a working, tested, offline-or-immutable backup as part of this control even though the assessment does not score it directly.
Maps to ISO 27001: A.8.7 (protection against malware) directly, and the backup nudge maps to A.8.13 (information backup) and A.8.16 (monitoring activities). We will build the backup and recovery side out properly in part four.
The pattern underneath the five
Step back and the five controls are one idea in five places: know what you have, reduce it to what you need, keep it current, control who can touch it, and watch for the bad thing. That is also, more or less, the spine of ISO 27001's technological controls, which is why doing Cyber Essentials well is not a detour from ISO — it is the first third of it.
A note on order of work, because sequence saves money. Do the inventory first (you cannot patch or protect what you have not listed). Then user access control and MFA, because it is the highest-impact change and often the cheapest. Then patching and the retirement of unsupported kit, which is where the real spend is. Firewalls and secure configuration slot in alongside. Malware protection is usually the smallest lift, because you already own it.
Get these five genuinely — not nearly — right, and you are ready for the part most firms dread: the independent test that checks whether your self-assessment was telling the truth. That is Cyber Essentials Plus, and next to it we start building the management system that holds all of this together. Part three.