Secure configuration


What this control covers

Secure configuration focuses on ensuring that systems, applications and devices are hardened from their out-of-the-box state and are only running the services they truly need. This includes disabling or removing unnecessary software, turning off unused services, changing default passwords and settings, and enforcing sensible security options such as screen locks and basic hardening baselines.

By reducing what is enabled and accessible, organisations significantly lower the number of ways an attacker can get a foothold, especially those that rely on default or weak settings. Secure configuration also supports other controls by ensuring that only approved methods of authentication and encryption are allowed and that insecure legacy protocols are turned off wherever possible.

What assessors expect to see

Assessors expect systems and devices to be configured securely, with unnecessary functionality removed or disabled and security features enabled where supported.

In practice, this includes:

  • Default passwords changed on all devices and applications
  • Unnecessary software, services, and user accounts removed
  • Administrative privileges restricted to those who need them
  • Security features such as device encryption and secure boot enabled where available
  • Configuration settings aligned with vendor or industry good practice

For CE+, assessors will validate that these controls are actively enforced, not just documented.

Common reasons organisations fail

Organisations commonly fail this control due to inherited or unmanaged configurations, including:

  • Systems deployed with default settings still in place
  • Local administrator access granted too widely
  • Unused services or software left installed
  • Lack of visibility over who has administrative rights
  • Security features supported by the OS but not enabled

In CE+, failures often occur when assessor testing identifies configuration weaknesses that were assumed to be secure.

Practical tips for SMEs

  • Build systems from a standard, hardened configuration
  • Remove software that is not required for business use
  • Review administrator group membership regularly
  • Enable full-disk encryption on laptops and mobile devices
  • Apply vendor security baselines where available
  • Keep configuration simple and consistent across devices
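The script below is an added example, not part of this guidance: a read-only PowerShell self-check that reports the state of the items listed above on a single Windows endpoint, so weaknesses are found before an assessor finds them. The approved-administrator list and the service allow list are placeholders to be replaced with your own organisation's values; it is assumed to run in an elevated session on Windows 10/11 with the LocalAccounts, BitLocker and SecureBoot modules present.

```powershell
# Added example (not from the guidance): read-only secure-configuration self-check for one Windows endpoint.
# Placeholders below (approved admins, expected services) must be replaced with your own values.

$ApprovedAdmins = @('CONTOSO\IT-Admins', 'Administrator')   # placeholder: your approved admin principals
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Administrative privileges restricted: flag any local Administrators member not on the approved list.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    if ($ApprovedAdmins -notcontains $m.Name) {
        $Findings.Add("Unexpected local administrator: $($m.Name) ($($m.ObjectClass))")
    }
}

# 2. Default accounts: the built-in Administrator (RID 500) and Guest (RID 501) accounts should be disabled.
foreach ($acct in Get-LocalUser | Where-Object { $_.SID -match '-(500|501)$' }) {
    if ($acct.Enabled) { $Findings.Add("Built-in account still enabled: $($acct.Name)") }
}

# 3. Security features enabled where supported: full-disk encryption on the OS drive and Secure Boot.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On') {
    $Findings.Add("BitLocker not protecting $env:SystemDrive (status: $($os.ProtectionStatus))")
}
try {
    if (-not (Confirm-SecureBootUEFI)) { $Findings.Add('Secure Boot is supported but not enabled') }
} catch {
    # Confirm-SecureBootUEFI throws on legacy BIOS machines or without elevation; record rather than hide it.
    $Findings.Add("Secure Boot state could not be determined: $($_.Exception.Message)")
}

# 4. Unnecessary services: anything running that is not on the allow list needs a business justification.
$ExpectedServices = @('WinDefend', 'EventLog', 'Dhcp', 'Dnscache', 'LanmanWorkstation')  # placeholder, incomplete
Get-Service | Where-Object { $_.Status -eq 'Running' -and $ExpectedServices -notcontains $_.Name } |
    ForEach-Object { $Findings.Add("Running service not on allow list: $($_.Name) ($($_.DisplayName))") }

# 5. Screen lock: idle timeout (seconds) and password-on-resume for the current user.
# Where Group Policy sets these, the values under HKCU:\Software\Policies\...\Control Panel\Desktop take precedence.
$desktop = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = $desktop.ScreenSaveTimeOut
if (-not $timeout -or [int]$timeout -gt 900 -or $desktop.ScreenSaverIsSecure -ne '1') {
    $Findings.Add("Screen lock not enforced (timeout=$timeout, secure=$($desktop.ScreenSaverIsSecure))")
}

if ($Findings.Count -eq 0) { 'No secure-configuration findings' } else { $Findings }
```

Each finding maps to one of the bullets assessors test for, so the output can be worked through as a remediation list before the CE+ assessment.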

This guidance reflects common assessor interpretations and is intended to support understanding of Cyber Essentials requirements.