Cyber Essentials Control

Secure Configuration

Secure configuration is the second control. The scheme requires every in-scope device and software application to be configured to reduce attack surface: remove unused services, change default credentials, disable auto-run, lock down user accounts. Most CE Plus first-time engagements lose marks here before any other control.

What the scheme requires

Default passwords on devices, applications, and services must be changed before deployment.

Unnecessary user accounts (e.g. guest, default service accounts) must be removed or disabled.

Unnecessary software, services, and pre-installed apps should be removed.

Auto-run features that allow software to run without explicit user consent should be disabled.

Multi-factor authentication should be enabled on all internet-facing services and on all administrator accounts.

What the assessor checks on assessment day

Samples in-scope devices for default credentials on built-in admin accounts.

Reviews the installed application list for known unused or end-of-life software.

Confirms auto-run is disabled on Windows devices and equivalent settings on macOS and Linux.

Verifies MFA is enabled on Microsoft 365, Google Workspace, the firm's main SaaS tools, and on every administrator account.

Checks that BIOS/UEFI passwords are set on devices that support them.

Common gaps we see

Across CE Plus engagements, the following gaps recur on this control. None require deep architectural change. Most are operational discipline that drifted between annual assessments.

MFA enabled on most accounts but disabled on a senior account because it broke an integration with a legacy tool.

Default Windows local admin account still enabled on workstations.

Browser plug-ins or productivity tools installed by individual employees that the IT team did not approve and cannot patch.

Pre-installed manufacturer software on laptops never removed (vendor utilities, trial antivirus, etc.).

The other four controls

Firewalls

Boundary firewalls and personal firewalls block unauthorised inbound traffic and restrict outbound connections to known-good destinations.

User Access Control

Access to data and services is controlled through individual accounts with appropriate privileges, and administrative privileges are tightly restricted.

Malware Protection

Every in-scope device runs malware protection (anti-virus or equivalent) configured to scan in real-time and update its signatures regularly.

Patch Management (Security Update Management)

All software is kept up-to-date and patches for high-severity and critical vulnerabilities are applied within 14 days of vendor release.

← Back to the Five Controls hub

Need help with secure configuration?

Net Sec Group is an IASME Certification Body. We scope the gap list across all five controls before the formal CE Plus engagement so the assessment passes first time. Tell us your device count and timeline; we come back inside 4 hours.