Cyber Essentials
IT Security Policy

A plain-English policy template covering all five Cyber Essentials controls.


The UK government's Cyber Essentials certification requires your organisation to have documented, enforceable policies across five technical control areas. This template translates those requirements into plain language your team can actually follow.

Compliance with this policy is mandatory for all users and IT administrators. The full editable PDF — customised with your company name — is available below.

1. Firewalls & Gateways

Objective: Ensure only safe and necessary network services are accessible from the internet.

  • Secure Admin Access: Default administrative passwords must be changed immediately. Remote admin access to firewalls is disabled by default. If required, it must be protected by Multi-Factor Authentication (MFA) or a strict IP allow-list.
  • Default Deny: Unauthenticated inbound connections are blocked by default. All inbound traffic is denied unless explicitly permitted.
  • Rule Management: All inbound firewall rules must be documented, approved, and tied to a specific business need. Rules must be removed or disabled promptly when no longer required.
  • Public Networks: Any device connecting to an untrusted network (e.g. public Wi-Fi) must have a local software firewall active.

2. Secure Configuration

Objective: Reduce inherent vulnerabilities and provide only the services that are required.

Computer & Device Management
  • Remove or disable unnecessary user accounts (e.g. guest accounts).
  • Change all default or easily-guessable passwords before deployment.
  • Uninstall unnecessary software, utilities, and network services.
  • Disable auto-run features that allow files to execute without user authorisation.

Device Locking & Credentials
PIN & Password Standards
  • Minimum length: Mobile device PINs must be at least 6 characters.
  • Brute-force protection: Devices must lock after 10 unsuccessful attempts, or throttle to no more than 10 guesses in 5 minutes.
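The two brute-force controls above are easy to state and easy to get subtly wrong (a throttle that never expires old guesses, a lockout that a correct guess can bypass). The following is an added example, not part of the template itself, showing how the PIN length check and both permitted lock modes (hard lock after 10 failures, or a sliding-window throttle of 10 guesses per 5 minutes) can be implemented and checked; the class and method names are the author's own choice, not anything the template prescribes.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque

# Thresholds taken directly from the policy text above.
MIN_PIN_LENGTH = 6
LOCKOUT_ATTEMPTS = 10          # lock the device after 10 unsuccessful attempts
THROTTLE_MAX_GUESSES = 10      # or: no more than 10 guesses ...
THROTTLE_WINDOW_SECONDS = 300  # ... in any 5-minute window


def pin_meets_policy(pin: str) -> bool:
    """Policy minimum: a device PIN must be at least 6 characters long."""
    return len(pin) >= MIN_PIN_LENGTH


@dataclass
class UnlockGuard:
    """Tracks unlock attempts for one device under either permitted mode.

    mode = "lockout": lock permanently after LOCKOUT_ATTEMPTS failures.
    mode = "throttle": allow at most THROTTLE_MAX_GUESSES attempts per window.
    (Hypothetical helper class written for this example.)
    """
    mode: str = "lockout"
    failures: int = 0
    locked: bool = False
    recent: Deque[float] = field(default_factory=deque)  # timestamps of guesses

    def attempt(self, now: float, correct: bool) -> str:
        """Record one unlock attempt at time `now` (seconds).

        Returns "locked", "throttled", "accepted" or "rejected".
        """
        if self.locked:
            # A locked device stays locked even if the next guess is right.
            return "locked"

        if self.mode == "throttle":
            # Drop guesses that have aged out of the sliding 5-minute window.
            while self.recent and now - self.recent[0] >= THROTTLE_WINDOW_SECONDS:
                self.recent.popleft()
            if len(self.recent) >= THROTTLE_MAX_GUESSES:
                # Window is full: refuse without consuming a slot.
                return "throttled"
            self.recent.append(now)

        if correct:
            self.failures = 0
            self.recent.clear()
            return "accepted"

        self.failures += 1
        if self.mode == "lockout" and self.failures >= LOCKOUT_ATTEMPTS:
            self.locked = True
            return "locked"
        return "rejected"
```

In throttle mode a refused attempt does not occupy a window slot, so an attacker cannot extend their own lockout into a denial of service against the legitimate user; in lockout mode the lock persists across a subsequent correct guess, which is what "must lock" requires.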

Get the Full IT Policy Template

Sections 3–5 cover User Access Control, Malware Protection, and the critical 14-Day Patch Rule. Get the complete, editable PDF sent to your inbox — free.


What's in the Full Template
  • Firewalls & Gateways
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Security Update Management
Need Cyber Essentials Certification?

We guide SMEs through CE and CE+ from gap analysis to certification in weeks.


Need help with Cyber Essentials?

We help SMEs achieve certification quickly and cost-effectively.

Solid Cyber