This repository documents a practical, control-by-control approach to Cyber Essentials readiness, focused on translating security requirements into clear, auditable technical controls.
The purpose of this project is to demonstrate how organisations can assess their current security posture, identify gaps, and prepare evidence for Cyber Essentials certification in a structured and repeatable way.
All content is documentation-based and aligned with UK National Cyber Security Centre (NCSC) guidance. No production systems or sensitive data are referenced.
The objectives of this project are to:
- Break down Cyber Essentials requirements into practical technical controls
- Map controls to common Microsoft 365 and endpoint configurations
- Provide a structured gap analysis approach
- Demonstrate evidence preparation and audit readiness
- Support organisations preparing for Cyber Essentials assessment
Cyber Essentials is based on five core technical control areas. This repository addresses each area individually with clear documentation.
- Removal of unnecessary functionality
- Secure baseline configuration
- Restriction of administrative privileges
📁 ce-controls/secure-configuration.md
- User and administrative access management
- Least-privilege principles
- Multi-Factor Authentication (MFA)
📁 ce-controls/access-control.md
- Endpoint protection principles
- Anti-malware controls
- User protection against malicious content
📁 ce-controls/malware-protection.md
- Operating system update awareness
- Application patching principles
- Handling unsupported systems
📁 ce-controls/patch-management.md
- Boundary firewall concepts
- Endpoint firewall awareness
- Network traffic control principles
📁 ce-controls/firewalls.md
A structured gap analysis template is included to support readiness assessments.
This allows organisations to:
- Assess current compliance against each Cyber Essentials control
- Identify areas requiring remediation
- Track actions and ownership
- Prepare confidently for certification
📁 gap-analysis/ce-gap-template.md
Cyber Essentials assessments require clear and relevant evidence.
This repository includes guidance on:
- What types of evidence are typically requested
- How to present evidence safely
- How to avoid exposing sensitive information
- Supporting audit and assessor review
📁 evidence/evidence-checklist.md
This project is intended for:
- IT and Technical Services teams
- Microsoft 365 and cloud administrators
- Cybersecurity and compliance professionals
- SMEs and public-sector organisations
- Employers and interview panels reviewing practical capability
- All documentation is based on lab environments and best-practice guidance
- No live organisational data is included
- The focus is on clarity, auditability and practical implementation
- This project complements the Microsoft 365 Security Baseline repository
Hyginus Obi
IT Technical Services | Microsoft 365 Security | Cyber Essentials Readiness
MSc Applied Cybersecurity
Supporting documentation and portfolio available on request.