Cyber Essentials Plus Technical Controls, the Hub
Net Sec Group is an IASME and NCSC certification body. The five Cyber Essentials controls are the technical foundation of every CE Basic and CE Plus engagement. This hub indexes the foundation references on this site for each of the five controls. Each foundation article covers what the control is, what the IASME requirement says, and the typical evidence pattern; the platform-specific and vulnerability-scanning hubs build on these foundations with the per-platform configuration and per-tier scan methodology.
Articles in this hub
Firewalls and Gateways
The boundary control. What an IASME assessor expects from boundary firewalls and internet gateways: default-deny on inbound, documented exception list, evidence the configuration is in place. Includes the host-based firewall translation for cloud-only firms with no on-premises perimeter.
Secure Configuration
What "secure configuration" means in IASME terms: a documented standard build for every in-scope device, default accounts removed, default passwords changed, unnecessary services disabled. The translation onto Windows, macOS, and Linux estates plus the cloud-platform secure-configuration baselines (Microsoft 365, Google Workspace, AWS, Azure, GCP).
User Access Control
The access-control foundation. Administrative privilege separated from day-to-day user accounts, MFA enforced on every cloud admin account, documented leaver process with a worked example, named-human attribution for every administrative action. The IASME requirements that produce the largest share of CE Plus first-attempt failures.
Malware Protection
Anti-malware on every in-scope device with current definitions and a healthy reporting state. The translation onto Defender for Windows, XProtect plus Gatekeeper plus managed third-party AV on macOS, anti-malware tooling on Linux. Plus the SaaS-platform malware-protection layer (Gmail attachment scanning, Microsoft Defender for Office, Drive content scanning).
Patching and Updates
The 14-day patching window for critical and high-severity CVEs. The patch-management tool requirements, the per-platform patching cadence (Windows Update for Business, macOS Software Update, Linux distribution security trackers), and the evidence formats the CE Plus assessor accepts on the day.
Understanding Passwords
The password-policy foundation: minimum length, complexity, manager-vs-personal use, rotation rules, password-manager rollout. The IASME minimum requirements plus the NCSC-recommended approach to password hygiene.
Password Attacks Explained
The threat-model context for the password and authentication controls. Brute force, credential stuffing, phishing, password spray, and the controls (rate limiting, MFA, password manager) that mitigate each.
Vulnerability Scanning (foundation)
The foundation reference for what vulnerability scanning is and why CE Plus tests it. The deeper scanner-choice, scan-tier, FP-handling, and cloud-vs-on-prem detail lives in the vulnerability-scanning hub (the Sprint 5b additions).
Securing Home Wi-Fi
Home-office network considerations for remote workers in scope. The IASME treatment of home-office routers as transit networks, the host-based firewall as the boundary on the laptop, and the related considerations for VPN-anchored remote work.
Network Segmentation
The segmentation reference for on-premises and hybrid estates. Where segmentation matters for CE Plus scope and where the assessor reads segmentation as supporting evidence rather than required.
NetBIOS Risks and UPnP Risks
Two specific protocol-level risks that recur on CE Plus assessments where legacy infrastructure remains in scope. NetBIOS as a legacy SMB-related risk, UPnP as a router-side risk.
Cyber Hygiene
The general posture and practices that sit alongside the formal CE Plus controls.
How this hub relates to the other three
The technical-controls hub is one of four on this site. The other three:
- Vulnerability scanning: deeper scanner and methodology articles that test the controls in this hub
- Audit evidence: how to evidence the controls in this hub for the CE Plus engagement
- Platform-specific: per-platform configuration that implements the controls in this hub
The technical-controls hub is the foundation. The other three hubs are the operational layers built on top: how to test (vulnerability scanning), how to evidence (audit evidence), and how to configure (platform-specific).
Where do we book CE Plus?
Book a Cyber Essentials Plus assessment with Net Sec Group. The booking form lets you describe the estate; the assessor confirms the engagement scope and timeline.