← Back to blog

Cyber Essentials requirements: what your business actually needs to have in place

Cyber Essentials has five specific technical requirements covering firewalls, configuration, access control, malware protection, and patching — here is what each one means in practice.

Here's a scenario that plays out often enough to be a pattern, not a one-off: a business decides to pursue Cyber Essentials, downloads the official guidance document, and spends an afternoon trying to work out which parts apply to them and which don't. The document is thorough, written for a broad range of organisations, and doesn't make it easy to quickly identify what a 20-person professional services firm with cloud-based software and a few company laptops actually needs to do differently. They close the document and put the whole thing off for another quarter.

Cyber Essentials has five requirements. Here is what each one means for a typical UK small business.

CE1: Firewalls

Every device that connects to the internet needs a firewall controlling what traffic can reach it. For most small businesses, this means ensuring the built-in firewall on each device is enabled and configured correctly, and that any router or network boundary device is set up to block unsolicited incoming connections.

Cloud-based services fall within scope too. If your business uses cloud infrastructure directly rather than just software-as-a-service tools, the network security configuration of that environment needs to meet the same standard. For most SMBs using standard cloud platforms like Microsoft 365 or Google Workspace without self-managed servers, the firewall requirement primarily means device-level controls rather than complex network architecture.

CE2: Secure Configuration

Devices and software should be configured securely from the outset rather than left on default settings. This covers three main areas: changing default passwords on all devices and software before use, disabling or removing software and services that aren't needed, and ensuring that the software you are running is configured correctly rather than left as it shipped.

On the automated scanning side, CE2 is where most external findings land — missing security headers on your website, weak DKIM key strength, misconfigured SSL, exposed admin panels. These are the things an external vulnerability scan surfaces directly, and they map straight to this control.

CE3: User Access Control

Staff should only have access to what they need for their role, administrator accounts should be separate from everyday accounts, multi-factor authentication should be enabled on all internet-facing services, and access should be removed immediately when someone leaves. These four questions make up the CE3 self-assessment, and most small businesses find at least one of them exposes a gap when they look carefully.

The access control questions are covered in detail across the CE Readiness posts for MFA on internet-facing services, separate admin accounts, removing access when staff leave, and least privilege user accounts.

CE4: Malware Protection

Anti-malware software must be installed on all devices, set to update automatically, and supplemented by controls that limit what can reach a device in the first place — restricting USB and removable storage, and restricting what software can be installed. The malware protection control is less about the anti-malware product itself and more about whether the environment around it is configured to make malware harder to introduce.

CE5: Patch Management

Software and operating systems must be kept up to date. Specifically, security updates must be applied within 14 days of release, and any software that no longer receives security updates must be replaced or decommissioned. Running end-of-life software is one of the most common gaps Cyber Essentials assessors find, because it accumulates invisibly — nobody decides to run unsupported software, it just happens when an upgrade gets deferred indefinitely.

How Olimpio maps to these requirements

Olimpio's CE Readiness feature runs an external scan of your domain and maps the findings directly to the CE controls they relate to, then presents the self-assessment questions alongside them. CE1 and CE3–CE5 are largely self-assessment, since a scanner can't see inside your network or verify device-level settings. CE2 is where the automated findings appear, which is also where most of the fixable external gaps sit.

The result is a single view of where you stand across all five controls before an assessor asks.

Frequently asked questions

Do all five requirements apply to every business, regardless of size? Yes, Cyber Essentials doesn't have a size exemption. The controls apply to any organisation pursuing certification, though the practical complexity of meeting them scales with the size and complexity of your IT environment.

How long does it take to meet the Cyber Essentials requirements? For a small business starting from a reasonable baseline, addressing the gaps typically takes a few weeks of focused work. The most common time sink is CE5 patching and CE3 access control, which often require process changes rather than just technical fixes.

Do cloud services like Microsoft 365 and Google Workspace count as in scope? Yes, internet-facing services and the devices used to access them are in scope. The platforms themselves are typically managed by the vendor, but your configuration of them, MFA settings, admin account structure, access control, falls within your responsibility.

Is Cyber Essentials a one-time certification or does it need renewing? Certification lasts twelve months and must be renewed annually to remain current.

What happens if we fail the assessment? Most certification bodies allow you to remediate and resubmit within the assessment window. The common failure points are fixable relatively quickly once identified.

Run a free scan of your domain and your CE Readiness checklist will show exactly where you stand against all five Cyber Essentials requirements before your assessor asks: olimpio.io/free-scan

Want to see what attackers see?

Scan your domain for free — no setup, no technical knowledge needed, results in ~20 minutes. No card required.

Get your free scan →