Why a Written Policy Matters
Cyber Essentials assesses five technical control areas, but what catches most SMEs off guard is that having the controls switched on is not enough: the self-assessment questionnaire also asks how each control is managed and by whom. A firewall set up years ago with no documented rules, no review process, and no named owner is a risk, not an asset. When staff change or the business scales, unwritten processes disappear. A policy makes security institutional rather than personal.
Beyond certification, a documented policy strengthens your position under UK GDPR Article 32, which requires appropriate technical and organisational measures; the written policy is the organisational half of that pair. It is also increasingly required by enterprise procurement teams and cyber insurers.
The Five Control Areas Your Policy Must Cover
Firewalls
Document who approves inbound rules, how often rules are reviewed, and what happens when staff use public Wi-Fi (a software firewall must be enabled on devices used on untrusted networks). Blocking unauthenticated inbound connections by default must be explicit policy, not assumed.
Secure Configuration
Define the baseline for new devices: default passwords changed, unused accounts removed, unnecessary software and services removed, auto-run disabled, and a lock on every device before it can be used. Without a written standard, each setup depends on whoever does it that day.
User Access Control
Define the account lifecycle: creation, privilege review, and removal. Administrative accounts are used only for administrative tasks, never for email or browsing. MFA on all cloud services is mandatory. Passwords must be at least 12 characters; 8 characters is acceptable only where MFA is enforced or a common-password deny list is in place. Accounts must be locked or throttled after no more than 10 failed attempts.
Malware Protection
State which protection mechanism each device class uses (anti-malware, application allow-listing, or sandboxing), who verifies it is active, and how it is kept up to date. Microsoft Defender Antivirus, the built-in Windows Defender, qualifies; it just needs to be documented.
Security Update Management
Updates that fix vulnerabilities rated critical or high (CVSS v3 base score 7.0 or above), and any where the vendor gives no severity, must be applied within 14 days of release. Software the vendor no longer supports must be removed from the device or taken out of the certification scope. Your policy must name who is responsible, how compliance is verified, and what happens with software that cannot be patched in time.
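The verification steps named above ("who verifies it is active", "how compliance is verified") are easier to defend to an assessor when they produce a dated record. The script below is an added example, not part of this page or of the template; it is a read-only Windows check that maps what the endpoint reports to the five control areas and writes the result to a CSV you can file as evidence. The 14-day, 12-character and 10-attempt thresholds come from the Cyber Essentials requirements; the 7-day signature age is an assumed local policy value; the function and parameter names are the example's own. MFA on cloud services and the handling of unsupported software cannot be read from an endpoint and still need to be evidenced in the identity provider and the asset register.

```powershell
# Added example: read-only Cyber Essentials baseline check for a Windows endpoint.
# Run in an elevated Windows PowerShell 5.1+ session. It reports; it changes nothing.
function Test-CeBaseline {
    [CmdletBinding()]
    param(
        [int]$PatchWindowDays     = 14,  # CE: critical/high fixes applied within 14 days of release
        [int]$MinPasswordLength   = 12,  # CE: 12 without MFA (8 where MFA or a deny list is enforced)
        [int]$MaxFailedLogons     = 10,  # CE: lock out or throttle after no more than 10 attempts
        [int]$MaxSignatureAgeDays = 7    # assumed local policy value; CE only says "kept up to date"
    )
    $results = New-Object 'System.Collections.Generic.List[object]'
    function Add-Result([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Control = $Control; Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. Firewalls: every profile enabled, inbound default-deny explicit.
    foreach ($p in Get-NetFirewallProfile) {
        Add-Result 'Firewalls' "$($p.Name) profile enabled" ("$($p.Enabled)" -eq 'True') "Enabled=$($p.Enabled)"
        # NotConfigured inherits the built-in default of Block; only an explicit Allow fails.
        Add-Result 'Firewalls' "$($p.Name) default inbound action is Block" ("$($p.DefaultInboundAction)" -ne 'Allow') "DefaultInboundAction=$($p.DefaultInboundAction)"
    }

    # 2. Secure configuration: AutoRun disabled for all drive types (0xFF), built-in Guest disabled.
    $explorerPol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $autorun = $explorerPol.NoDriveTypeAutoRun
    Add-Result 'Secure configuration' 'AutoRun disabled on all drives' ($autorun -eq 255) "NoDriveTypeAutoRun=$autorun"
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    Add-Result 'Secure configuration' 'Guest account disabled' (-not $guest -or -not $guest.Enabled) "GuestPresent=$([bool]$guest)"

    # 3. User access control: local password length and lockout threshold from 'net accounts'.
    # On domain-joined machines use 'net accounts /domain'. MFA on cloud services is not
    # visible from the endpoint; evidence it from the identity provider's configuration.
    $na = net accounts 2>$null
    function Get-NetAccountsValue([string[]]$Lines, [string]$Label) {
        $line = $Lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
        if (-not $line) { return $null }
        $value = ($line -split ':\s*', 2)[1].Trim()
        if ($value -match '^\d+$') { [int]$value } else { 0 }   # 'Never' / 'Unlimited' -> 0
    }
    $minLen  = Get-NetAccountsValue $na 'Minimum password length'
    $lockout = Get-NetAccountsValue $na 'Lockout threshold'
    Add-Result 'User access control' "Minimum password length >= $MinPasswordLength" ($minLen -ge $MinPasswordLength) "MinimumPasswordLength=$minLen"
    Add-Result 'User access control' "Lockout after 1..$MaxFailedLogons failed logons" ($lockout -ge 1 -and $lockout -le $MaxFailedLogons) "LockoutThreshold=$lockout"

    # 4. Malware protection: Microsoft Defender service, real-time protection, signature age.
    # A third-party product or allow-listing needs its own check; name it in the policy.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        Add-Result 'Malware protection' 'Defender antimalware service running' $mp.AMServiceEnabled "AMServiceEnabled=$($mp.AMServiceEnabled)"
        Add-Result 'Malware protection' 'Real-time protection on' $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
        Add-Result 'Malware protection' "Signatures younger than $MaxSignatureAgeDays days" ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) "AntivirusSignatureAge=$($mp.AntivirusSignatureAge)"
    } catch {
        Add-Result 'Malware protection' 'Defender status readable' $false $_.Exception.Message
    }

    # 5. Security update management: pending updates via the Windows Update Agent COM API.
    # Any update Microsoft rates Critical or Important that has been available for longer than
    # the patch window is a policy breach. Needs reachability to the update source; can be slow.
    try {
        $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
        $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
        $overdue  = @()
        foreach ($u in $pending) {
            if (($u.MsrcSeverity -in 'Critical', 'Important') -and
                ($u.LastDeploymentChangeTime -lt (Get-Date).AddDays(-$PatchWindowDays))) {
                $overdue += $u.Title
            }
        }
        Add-Result 'Security update management' "No Critical/Important update pending > $PatchWindowDays days" ($overdue.Count -eq 0) (($overdue -join '; ') + " [PendingTotal=$($pending.Count)]")
    } catch {
        Add-Result 'Security update management' 'Windows Update search succeeded' $false $_.Exception.Message
    }
    return $results
}

# Usage: review the table, then file the CSV as evidence for the next review cycle.
$report = Test-CeBaseline
$report | Format-Table Control, Check, Pass, Detail -AutoSize
$report | Export-Csv ".\ce-baseline-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Each row states the control, the check, a pass/fail and the raw value it was judged on, so a reviewer can challenge the threshold rather than the reading. Run it on a sample of devices on the review cadence the policy names, and keep the CSVs with the policy itself.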
Get the Template
We have written a plain-English policy template covering all five areas — including the exact numerical thresholds (patch windows, password lengths, attempt limits) that assessors check. Enter your company name and email and we will send you the file, pre-filled and ready to save as PDF.
Free IT Policy Template
All five CE controls. Pre-filled with your company name. Open in browser → Print → Save as PDF.
Get the Free Template. No spam. One email.