NCSC Iran Checklist vs Cyber Essentials: Quick-Reference Comparison

The NCSC published an advisory on Iranian state-sponsored cyber activity targeting UK organisations. The advisory includes specific recommendations for businesses to check their defences. Some of those recommendations map directly to CE controls. Others go well beyond what CE covers.
Here's a quick-reference mapping for businesses that want to know: if I have CE, which NCSC recommendations am I already meeting, and which ones require additional action?
The mapping
| NCSC Recommendation | CE Control | Covered by CE? | Notes |
|---|---|---|---|
| Patch internet-facing services (VPNs, firewalls, email gateways) | Patch management (14-day window) | Yes | CE requires critical patches within 14 days. VPN and firewall firmware are explicitly in scope. This is the most relevant CE control for the Iran threat because unpatched VPN appliances were a primary entry point. |
| Enforce MFA on all accounts | Access control (MFA requirement) | Yes | CE requires MFA on all cloud services under Danzell. The NCSC advisory specifically mentions VPN and email MFA, both of which fall within CE's scope. |
| Review firewall configurations | Firewalls | Yes | CE requires documented inbound rules with business justifications and a default deny policy. The advisory's emphasis on reviewing for unnecessary open ports aligns with CE's firewall control. |
| Implement antimalware protection | Malware protection | Yes | CE requires antivirus/antimalware on every in-scope device with real-time protection enabled. The advisory recommends the same. |
| Harden device configurations | Secure configuration | Yes | CE requires changing default passwords, removing unnecessary software, and disabling auto-run. The advisory's configuration hardening recommendation overlaps with CE's secure configuration control. |
| Monitor for suspicious activity (check logs, subscribe to threat feeds, look for unusual network behaviour) | None | No | CE doesn't require monitoring, log analysis, or threat intelligence. This sits in the Detect function of NIST CSF 2.0. The NCSC specifically recommends subscribing to their Early Warning Service and reviewing logs for indicators of compromise. |
| Prepare for DDoS attacks | None | No | CE doesn't address availability or resilience against denial-of-service attacks. The advisory notes that Iranian groups launched 149 DDoS attacks against UK targets in 72 hours. DDoS mitigation requires CDN/WAF services or ISP-level filtering, neither of which CE tests. |
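The firewall row above describes the CE expectation in words: a default-deny inbound policy and a documented business justification for every inbound allow rule. The script below is an added example (not from the NCSC advisory, the CE question set or any appliance vendor) that applies those checks to a rule export. The CSV layout and the rules in it are constructed for illustration; a real appliance export will need its own parser, but the checks are the ones an assessor looks for, plus a flag for management protocols (RDP, SMB, Telnet) exposed to any source, which the advisory's "unnecessary open ports" point covers.

```python
"""Audit an inbound firewall rule list against the Cyber Essentials firewall
expectations named on this page: default-deny inbound, and a documented
business justification for every inbound allow.

Added example, not from the NCSC advisory or the CE scheme documents. The rule
format is a constructed, vendor-neutral CSV.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export (RFC 1918 addresses), not a real appliance's output.
SAMPLE_RULES = """\
name,action,protocol,source,destination,port,justification
web-portal,allow,tcp,any,10.0.1.5,443,client portal
vpn-ssl,allow,tcp,any,10.0.1.1,443,staff remote access
legacy-rdp,allow,tcp,any,10.0.1.9,3389,
mgmt-any,allow,any,any,any,any,temporary troubleshooting
default,deny,any,any,any,any,default inbound policy
"""

# Ports an SME should not expose to "any" source; each hit needs an explicit
# justification (and usually a VPN in front of it).
HIGH_RISK_PORTS = {"3389": "RDP", "445": "SMB", "23": "Telnet"}


@dataclass
class Finding:
    rule: str
    severity: str
    reason: str


def parse_rules(text):
    """Parse the CSV export into a list of dicts, one per rule, in order."""
    return list(csv.DictReader(io.StringIO(text)))


def is_catch_all_deny(rule):
    return (rule["action"] == "deny" and rule["source"] == "any"
            and rule["destination"] == "any" and rule["port"] == "any")


def audit_rules(rules):
    """Return a list of Findings; an empty list means the rule set passes."""
    findings = []

    # 1. Default deny: a catch-all deny must exist and be the final rule,
    #    otherwise later allows are shadowed or there is no real default.
    if not rules or not is_catch_all_deny(rules[-1]):
        findings.append(Finding("(policy)", "high",
                                "no catch-all deny as the final inbound rule"))

    for rule in rules:
        if rule["action"] != "allow":
            continue
        # 2. Every inbound allow must carry a business justification.
        if not rule["justification"].strip():
            findings.append(Finding(rule["name"], "high",
                                    "inbound allow without business justification"))
        # 3. An any/any allow defeats the default-deny policy entirely.
        if rule["destination"] == "any" and rule["port"] == "any":
            findings.append(Finding(rule["name"], "high",
                                    "allow to any destination on any port"))
        # 4. Management protocols open to the whole internet.
        if rule["source"] == "any" and rule["port"] in HIGH_RISK_PORTS:
            findings.append(Finding(rule["name"], "high",
                                    f"{HIGH_RISK_PORTS[rule['port']]} exposed to any source"))
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_rules(SAMPLE_RULES)):
        print(f"[{f.severity}] {f.rule}: {f.reason}")
```

Run against the constructed export, the audit flags legacy-rdp twice (no justification, RDP open to the internet) and mgmt-any once (any/any allow), and passes the two justified 443 rules. Moving the default rule anywhere but last trips the policy check.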
What this means in practice
If you have CE: 5 out of 7 covered
Five of the seven NCSC recommendations align with controls that a CE-certified business should already have in place. If your CE certification is current and your controls haven't drifted since the assessment, you're covering the majority of the advisory's protective recommendations.
The key word is "haven't drifted." CE is a point-in-time assessment. The NCSC advisory is about what your controls look like right now, not on assessment day. If your VPN appliance was patched when you certified but has a new critical vulnerability published since then, the CE certificate doesn't protect you, but the patch does.
If you only have CE: 2 gaps remain
Detection gap: The advisory recommends monitoring for suspicious activity. CE doesn't cover this. If Iranian actors (or anyone else) are already inside your network, CE's preventive controls won't tell you. You need some form of detection, whether that's EDR on endpoints, log analysis, or threat feed monitoring.
At minimum, register for the NCSC's Early Warning Service. It's free and it notifies you if NCSC's systems detect traffic from your IP ranges that matches known threat indicators.
DDoS gap: If your business depends on internet-facing services (a website, a client portal, an email gateway), DDoS is a risk that CE doesn't address. The mitigation depends on your setup: a DDoS protection service in front of the site (for example Cloudflare or AWS Shield), ISP-level scrubbing, or a web application firewall.
Priority actions beyond CE
For businesses concerned about the Iran threat specifically, the highest-impact actions beyond CE are:
- Verify patches today. Not "are we generally patched." Specifically: are your VPN appliance, your firewall and your email gateway each running the latest firmware? Check the versions today rather than waiting. The 14-day CE window matters, but so does not waiting until the next assessment cycle to verify.
- Register for NCSC Early Warning. Free, takes minutes, and provides a detection capability that CE doesn't offer.
- Check for indicators of compromise. The NCSC advisory includes specific indicators. If you have log access, check for them. If you don't, that is the detection gap.
- Review who has access. The advisory highlights credential theft as a primary technique. Check your user accounts and remove any that shouldn't be there. Verify MFA is enforced on every account, not just the ones you checked during the CE assessment.
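The "check for indicators of compromise" step above assumes you can take the advisory's indicators and run them over your VPN and firewall logs. As an added example (not the advisory's own tooling, and not using its indicators), the script below does that for the three indicator types such advisories usually carry: single IP addresses, CIDR ranges and domains, including subdomains. The indicator list and the log lines are constructed for illustration (RFC 5737 documentation addresses and a `.invalid` domain); substitute the real indicators from the advisory. Lines that show a successful login from an indicator are ranked above blocked or failed ones, because that is the case that needs incident response rather than just a firewall block.

```python
"""Match indicators of compromise (IPs, CIDRs, domains) against VPN/firewall
log lines and rank the hits.

Added example, not from the NCSC advisory. IOCS and SAMPLE_LOGS are
constructed; replace IOCS with the advisory's published indicators.
"""
import ipaddress
import re

# Constructed indicator list: RFC 5737 documentation ranges and a .invalid domain.
IOCS = {
    "ips": ["203.0.113.42"],
    "cidrs": ["198.51.100.0/24"],
    "domains": ["bad-example.invalid"],
}

# Constructed syslog-style lines in a generic VPN/firewall/DNS format.
SAMPLE_LOGS = """\
2024-06-01T08:15:02Z vpn01 sslvpn: user=alice src=192.0.2.10 result=success
2024-06-01T08:17:45Z vpn01 sslvpn: user=admin src=203.0.113.42 result=success
2024-06-01T08:18:01Z fw01 dns: client=10.0.1.23 query=update.bad-example.invalid
2024-06-01T08:19:30Z vpn01 sslvpn: user=bob src=198.51.100.77 result=failure
2024-06-01T08:20:11Z fw01 allow: src=10.0.1.5 dst=192.0.2.200 dport=443
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def compile_iocs(iocs):
    """Turn the indicator dict into network objects and a lower-cased domain set."""
    nets = [ipaddress.ip_network(c) for c in iocs["cidrs"]]
    nets += [ipaddress.ip_network(ip) for ip in iocs["ips"]]  # single IP -> /32
    domains = {d.lower() for d in iocs["domains"]}
    return nets, domains


def domain_matches(name, domains):
    """Exact match or subdomain of an indicator domain."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def scan(log_text, iocs):
    """Return one hit per log line that touches an indicator."""
    nets, domains = compile_iocs(iocs)
    hits = []
    for line in log_text.splitlines():
        matched = []
        for ip in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 999.1.1.1 matched by the regex
                continue
            matched += [f"ip:{ip} in {net}" for net in nets if addr in net]
        for dom in DOMAIN_RE.findall(line):
            if domain_matches(dom, domains):
                matched.append(f"domain:{dom}")
        if matched:
            # A successful session from an indicator means a possible foothold,
            # not just an attempt that the perimeter turned away.
            severity = "high" if "result=success" in line else "medium"
            hits.append({"line": line, "indicators": matched, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, IOCS):
        print(f"[{hit['severity']}] {hit['indicators']}\n    {hit['line']}")
```

On the constructed logs this reports three lines: the admin login from the listed IP (high), the DNS query for a subdomain of the listed domain (medium) and the failed login from inside the listed /24 (medium). The first is the one to treat as an incident; the other two are confirmation that the block list and DNS filtering should carry the advisory's indicators.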
The bigger picture
The Iran advisory is one example of why CE covers the Protect function but not the whole security picture. The advisory touches four NIST CSF functions:
- Protect (patching, MFA, firewalls, malware protection, secure configuration): CE covers this
- Detect (monitoring, log analysis, threat intelligence): CE doesn't cover this
- Respond (incident response during escalation): CE doesn't cover this
- Govern (supply chain risk, ongoing risk management): CE doesn't cover this
If you want to understand the full scope of what CE covers and doesn't, read the detailed gap analysis. If you want to see where your controls currently stand, the readiness quiz takes five minutes with no commitment required.
Related articles
- NCSC Iran Cyber Warning: What UK Businesses Need to Know
- Iran Cyber Warning: CE Gaps and Cyber 365 Mapping
- The 6 Things Cyber Essentials Doesn't Cover
- Cyber Essentials 14-Day Patching: What the Requirement Actually Means