For companies aiming to apply to the Government Cyber Essentials scheme, it’s essential to be appropriately prepared and well-managed to reach all of the IT infrastructure requirements listed.

Businesses wishing to take that next step and get certified through IASME or any other scheme must be fully compliant with these requirements to reach that passing grade. With our guidance, you can be Cyber Essentials ready in next to no time.

The specific requirements for IT infrastructure under the Cyber Essentials scheme are split into five distinct categories or control themes, listed below:


Every device running network services, particularly desktop computers, laptop computers, routers and servers, must include a boundary firewall. This firewall prevents or restricts the flow of network traffic both inbound and outbound to prevent against cyber attacks. Under Cyber Essentials, this firewall must:

  • Have a changed, strong administrative password Include two-factor authentication or an IP whitelist
  • Contain default settings to block unauthenticated connections Have the ability to document and approve inbound connections Have settings to disable and adjust settings as needed

Secure configuration

This requirement applies to application, web and email servers, as well as desktop and laptop computers, mobile devices, tablets, firewalls and routers. The business must ensure that all computer and network devices are effectively configured to reduce vulnerabilities and restrict functionality to role fulfilment. Under Cyber Essentials, secure configuration must:

  • Go beyond default out-of-the-box configurations offered, including changing passwords Include the removal or deactivation of unused user accounts
  • Involve the disabling or removal of unused or unneeded software and applications Disable auto-run features that do not require authorisation
  • Require full user authentication before the access of sensitive data

User access control

User access control is a requirement that facilitates all user’s access to applications, devices and sensitive business data. This process includes ensuring that user accounts are managed effectively, and additional access is only given to those who need it – such as administrative account holders. Under Cyber Essentials, user access control must:

  • Require an approval process for user account creation
  • Require user authentication prior to additional access being granted Utilise two-factor authentication where possible
  • Restrict the use of administrative accounts Revoke additional access when no longer required

Malware protection

Applying to desktops, laptops, tablets and mobile devices, malware protection does as it says on the tin – it protects the network and users from potential malware attacks and restricts the access of untrusted software to sensitive data. Under Cyber Essentials, malware protection must:

  • Include keeping all software up to date and safe
  • Require regular scans to ensure the safety of the network Scan browsers and online applications automatically Block and prevent connections to malicious websites Whitelist applications following a full approval process

Patch management

The final factor required, patch management deals with the reduction of risk by maintaining up-to-date patches of existing software used by a business. Patches aim to fix security flaws or gaps in protection in many cases, making it vital to stay up-to-date. Under Cyber Essentials, patch management must:

  • Include keeping all software up to date and patched
  • Fulfil the removal of devices no longer updated
  • Ensure patching is completed with 14 days of release

Are you a small business looking to improve cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.

CTA button