Forensic Control

What are cyber essentials requirements for IT infrastructure?

In this post, we concisely outline the requirements that must be met in five different areas for Cyber Essentials



cyber essentials requirements for IT infrastructure

The Cyber Essentials scheme was developed by the National Cyber Security Centre (NCSC) and provides an approved framework for cybersecurity for businesses. More and more companies are taking the plunge and getting certified, demonstrating their commitment to digital safety to their clients and customers. If you are ready to become certified, Forensic Control offers a comprehensive service to ensure that you’ll pass your Cyber Essentials and Cyber Essentials Plus certifications first-time, tailored to meet the needs of your organisation.

As part of the course, the NCSC has developed the Cyber Essentials Requirements for IT Infrastructure document. It concisely outlines the requirements that must be met in five different areas:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

The 22-page document doesn’t make for light reading for non-IT specialists, but it is an outline for what your company needs to achieve to gain your certification. The assessment and certification should cover the whole of the company’s IT infrastructure, or if necessary, a defined and individually managed sub-set. Including the entirety of your infrastructure offers the best protection for your data.

The requirements will apply to all devices and software that can:

  • Accept incoming network connections from untrusted internet-connected hosts; or
  • Establish user-initiated outbound connections to devices via the internet; or
  • Control data flow between any of the above devices and the internet.

With the rise of remote working, the scheme has been expanded to include all corporate or BYOD home working devices used for applicant business purposes within the home location.

We’ll take a quick look at each of the sections and the expectations outlined within them.


A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It establishes a barrier between a trusted network and an untrusted source, such as the wider internet. Restricting the flow of network traffic can help to prevent cyber attacks.

Under Cyber Essentials, your firewalls must:

  • Have a strong admin password that requires either two-factor authentication or an IP whitelist
  • Incorporate default settings to automatically block unauthorized connections
  • Document and approve unexpected inbound connections
  • Adjust and modify these settings as necessary

Secure configuration

Secure configurations apply to the hardware and software used by your business. They should be set up to minimise vulnerabilities that can be exploited maliciously, and this applies to applications, web and email servers, as well as desktop and laptop computers, mobile devices, tablets, firewalls and routers.

An additional level of security is added by restricting the functionality of devices and software to just what is needed to complete the user’s role.

  • Don’t use out-of-the-box default settings and passwords
  • Remove or deactivate unused software, applications and user accounts
  • Disable auto-run features
  • Add extra authentication before accessing sensitive data

User access control

This process involves the access given to individual users within your organisation and how this is monitored. It takes into account all users’ access to applications, devices and sensitive business data. User accounts should be actively managed, and access to sensitive data should be restricted to those who need to access it in order to do their job.

  • Approval should be required to make new accounts or to update the access privileges of existing accounts
  • Two-factor authentication should be used where possible
  • Administrator accounts  should be restricted to those that require it
  • Access privileges should be actively monitored, and additional access should be revoked if no longer required

Malware protection

Malware protection prevents malicious applications from gaining access to your sensitive data. And is required for desktops, laptops, tablets and mobile devices.

  • All software should be kept up to date with the latest versions
  • The network should be regularly scanned
  • Connections to malicious websites should be automatically blocked

Patch management

The risk of cybersecurity breaches can be further reduced by ensuring that all software is kept up to date with the latest patches. Patches are vital to fix any security flaws within the software and evolve over time to offer the best protection.

  • All software kept up to date
  • Remove software and devices no longer receiving security updates
  • Ensure patching is carried out in a timely manner

What was added when the course was updated?

  • Added a home working requirement and information on how this is to be included in the scope of certifications.
  • All cloud services are now in scope, added definitions and a shared responsibility table to assist with this.
  • Extended the multi-factor authentication requirement in relation to cloud services.
  • Updated the password-based authentication requirement and added a new section on multi-factor authentication. This requirement has also been moved to the ‘user access’ control.
  • Thin clients are now in scope and added to the ‘devices’ definition.
  • Added a new device unlocking requirement to the ‘secure configuration’ control.
  • Added a new statement clarifying the inclusion of end-user devices in the scope of certifications.
  • Further information on unsupported applications was added to the ‘security update management’ control.
  • Removed specific ‘email, web, and application servers’ from control definitions and replaced with ‘servers’.
  • Updated the bring your own device (BYOD) section.
  • Updated the wireless devices section.
  • Added a new ‘servers’ definition.
  • Added a new ‘sub-set’ definition and information on its impact on the scope.
  • Added a new ‘licensed and supported’ definition.

Do you need help with your Cyber Essentials?

Forensic Control offers simple, step-by-step guidance to ensure that your business meets the required standards. We won’t overwhelm you with jargon, just offer workable solutions to minimise the risk of cyber threats. Get in touch today.

Related content

As computer forensics experts we are bound to abide by the ACPO Principles of Digital Based Evidence, ACPO being the Association of Chief Police Officers. ACPO provides a set of Guidelines for Computer Based Evidence, and they come with a suite of four essential principles. Here they are.
Computer forensics, sometimes known as digital forensics, is undertaken by trained examiners who pull data (search histories, purchase records, time logs and more) from devices including, but not limited to: computers, tablets, and smartphones.


Sign up here if you wish to receive updates and news from Forensic Control by email. We will not send you anything else and you may end the subscription at any time.

By providing your email address, you agree to receive marketing
messages as per our Privacy Policy