How ZORB maps to Cyber Essentials controls

Dr. Mark Graham

Working towards Cyber Essentials or Cyber Essentials Plus certification? You’ll need evidence that your technical controls prevent data theft. This guide explains exactly how ZORB maps to the five Cyber Essentials technical control themes.
Why this matters
When attackers breach your perimeter (assume they will), traditional controls leave your application data unprotected. Without confidence about which data is at risk, shutting systems down is your only option. ZORB provides the data protection confidence needed for measured incident response: knowing which systems can safely continue running and which need isolating. Satisfying the compliance controls below is what enables this operational resilience during an attack.
Cyber Essentials focuses primarily on inbound protection: firewalls blocking incoming threats, antivirus catching malware before it executes, access controls keeping unauthorised users out. All necessary. All important.
But what happens when these controls are bypassed? When attackers get past your perimeter, what stops them stealing your business-critical application data?
This is where ZORB fits. We prevent application data theft. This is a gap that traditional security tools miss. Word documents, Excel spreadsheets, CRM data, finance applications. The 80% of business-critical data that lives outside email and web traffic.
When your auditor asks “how do you prevent data exfiltration from desktop applications?”, you’ll need an answer. Here’s how ZORB maps to each control theme.
Theme 1: Firewalls
Control requirement: Restrict inbound and outbound network traffic
How ZORB maps:
ZORB validates and restricts outbound data transmission at the device level. Every application attempting to send data must pass our 3-point verification: trusted source, legitimate destination, approved transmission method.
If validation fails, transmission is blocked before data leaves the device.
Important clarification: ZORB is not a firewall. We don’t replace your boundary or software firewall. You still need firewalls for network-level protection, as the primary defence for blocking inbound threats and for port/protocol-based filtering.
But outbound firewall rules are complex to configure and maintain. One misconfiguration can break legitimate business applications. This is why many organisations only set inbound policies.
ZORB provides equivalent outbound protection through application-to-destination validation, without the configuration overhead. We validate what’s transmitting and where it’s going, complementing your firewall’s network-level controls.
What you demonstrate:
- Outbound data flows restricted at device level
- Evidence that only approved applications transmit to approved destinations
- Real-time blocking of unauthorised transmission attempts
Theme 2: Secure configuration
Control requirement: Reduce vulnerabilities through proper system configuration
How ZORB maps:
Secure configuration isn’t just about patch levels and disabled services. It includes ensuring applications are configured to only transmit data to approved destinations.
ZORB provides this evidence. We maintain a curated safelist of approved applications and their legitimate vendor infrastructure. Applications outside this safelist cannot transmit data. Applications on the safelist can only send to their verified vendor destinations.
This is Control 4.3: demonstrating that applications are configured for secure data transmission.
What changes:
When SaaS applications are configured on employee devices, you have evidence they only connect to the legitimate vendor infrastructure, and not to attacker-controlled alternatives via DNS poisoning or traffic redirection.
For remote workers, you can prove data only transmits via approved VPN connections to headquarters or directly to verified cloud providers, and not bypassing VPN to unauthorised destinations.
What you demonstrate:
- Applications configured to transmit only to approved destinations
- Evidence of secure configuration for cloud service data flows
- Proof that configuration prevents unauthorised data transmission
Theme 3: Security update management
Control requirement: Ensure devices aren’t vulnerable to known security issues where patches are available
How ZORB complements this:
ZORB doesn’t manage security updates. You still need update management processes and tools for that core requirement.
But we detect update poisoning. When legitimate software requests an update, we validate the destination IP address against the vendor’s actual infrastructure. If the update request has been redirected to a non-vendor location, we block it.
This is complementary protection. Your update management ensures patches are applied. ZORB ensures those update requests reach legitimate vendor infrastructure.
What you demonstrate:
- Detection and blocking of poisoned update requests
- Validation that software updates connect to verified vendor infrastructure
- Additional security layer when update management processes are in place
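The validation described under Themes 1 and 3 (trusted source, legitimate destination, approved transmission method, with a redirected update request failing the destination check) is, in effect, a per-application egress allow-list evaluated before data leaves the device. The following is an added illustration written for this page, not ZORB’s code, and it makes no claim about how ZORB implements its checks. The application names, vendor ranges (RFC 5737 documentation prefixes) and connection events are all constructed for the example; the same logic also covers the Theme 5 case of an unknown binary that is simply not on the safelist.

```python
"""Device-level egress allow-list evaluator (illustrative, not ZORB's code).

Models the three checks the page describes as a per-application policy and
evaluates constructed connection events against it, producing an allow/block
decision and an audit-style log line for each attempt.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical safelist: application -> vendor destination ranges + allowed methods.
# Ranges are RFC 5737 documentation prefixes, not any real vendor's infrastructure.
SAFELIST = {
    "winword.exe": {
        "destinations": [ipaddress.ip_network("203.0.113.0/24")],
        "methods": {"https"},
    },
    "crm-client.exe": {
        "destinations": [ipaddress.ip_network("198.51.100.0/25")],
        "methods": {"https"},
    },
    "updater.exe": {
        "destinations": [ipaddress.ip_network("192.0.2.0/24")],
        "methods": {"https"},
    },
}


@dataclass(frozen=True)
class Event:
    app: str
    dest_ip: str
    method: str  # transport the application is using, e.g. "https", "smb", "dns"


def evaluate(event: Event, safelist: dict = SAFELIST) -> tuple[str, str]:
    """Return (decision, reason) for one outbound transmission attempt.

    Checks run in order so the reason names the first failing check:
    1. trusted source: is the application on the safelist at all?
    2. legitimate destination: is the IP inside the vendor's known ranges?
    3. approved method: is the transport one this application may use?
    """
    entry = safelist.get(event.app)
    if entry is None:
        return "BLOCK", "untrusted source: application not on safelist"
    dest = ipaddress.ip_address(event.dest_ip)
    if not any(dest in net for net in entry["destinations"]):
        return "BLOCK", "destination outside vendor ranges: possible redirection"
    if event.method not in entry["methods"]:
        return "BLOCK", f"method {event.method} not approved for this application"
    return "ALLOW", "source, destination and method all verified"


def audit_line(event: Event, decision: str, reason: str) -> str:
    """One record per attempt: what transmitted, to where, how, and the outcome."""
    return (f'app={event.app} dst={event.dest_ip} method={event.method} '
            f'decision={decision} reason="{reason}"')


def run(events: list[Event]) -> list[str]:
    """Evaluate every event and return the audit log lines in order."""
    return [audit_line(e, *evaluate(e)) for e in events]


# Constructed events for the example, not captured traffic.
SAMPLE_EVENTS = [
    Event("winword.exe", "203.0.113.20", "https"),     # normal save to vendor cloud
    Event("updater.exe", "198.51.100.77", "https"),    # update request redirected off vendor ranges
    Event("rat-stage2.exe", "203.0.113.20", "https"),  # unknown binary, even to a "good" IP
    Event("crm-client.exe", "198.51.100.5", "smb"),    # right destination, wrong transport
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

Two practical caveats follow from the model. A destination check is only as good as the vendor range list behind it, and vendors behind CDNs or anycast change addresses frequently, so the list needs a maintained feed rather than a one-off export. And because the decision is keyed on the application identity, that identity must itself be verified (for example by code signature or hash), otherwise malware that names itself after a safelisted binary inherits its permissions.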
Be clear with auditors: ZORB complements but doesn’t replace security update management. You still need patch management processes.
Theme 4: User access control
Control requirement: User authorisation, accountability, and least privilege to reduce theft or damage risk
How ZORB complements this:
ZORB doesn’t provide user access control. You need identity management systems, authentication controls, and privilege management tools for that.
But we prevent data theft when access controls fail.
If an attacker bypasses access controls to gain administrator privileges, they might install data exfiltration tools or abuse legitimate applications. ZORB blocks this because unauthorised applications aren’t on our approved safelist, and authorised applications attempting to transmit to non-vendor destinations are blocked.
What you demonstrate:
- Defence-in-depth: data theft prevention when access controls are compromised
- Unauthorised applications blocked from data transmission by default
- Authorised applications restricted to legitimate destinations only
Be clear with auditors: ZORB is the safety net when access controls fail, not a replacement for access control itself.
Theme 5: Malware protection
Control requirement: Restrict execution of untrusted software to prevent it causing damage or accessing data
How ZORB maps:
This is ZORB’s strongest Cyber Essentials mapping. Control 5.2 requires malware protection, and behavioural detection of exfiltration attempts directly satisfies this.
Traditional antivirus prevents malware execution. ZORB prevents malware data theft.
When botnet malware attempts to register with its command-and-control server, we block it. When RATs (Remote Access Trojans) try to upload stolen data, we block it. When ransomware attempts to exfiltrate data before encryption, we block it.
We detect the behavioural indicator—unauthorised application attempting data transmission—and prevent it in real time.
What changes:
Even if malware evades antivirus and executes on a device, it cannot steal your data. The application isn’t on our approved safelist, so transmission is blocked by default.
This provides defence-in-depth: 1) antivirus prevents execution, 2) ZORB prevents data theft when execution occurs.
This transforms incident response from panic shutdown to strategic decision-making. Even during active malware incidents, you maintain operational continuity for protected systems.
What you demonstrate:
- Behavioural detection and blocking of malware exfiltration attempts
- Real-time prevention of C2 (command-and-control) server communication
- Evidence that malware cannot steal data even if it executes
- Approved application safelist with transmission validation
Summary: Where ZORB maps to Cyber Essentials
Strong direct mappings:
- Theme 1: Firewalls (outbound restriction at device level)
- Theme 2: Secure configuration (Control 4.3—application data flow configuration)
- Theme 5: Malware protection (Control 5.2—behavioural exfiltration blocking)
Complementary coverage:
- Theme 3: Update management (detects poisoning, doesn’t replace patch management)
- Theme 4: Access control (prevents theft when controls fail, doesn’t replace access management)
What this means for certification:
ZORB directly satisfies three of the five technical control themes. For the other two themes, we provide complementary protection that strengthens your overall security posture.
These controls aren’t just compliance checkboxes. They’re the foundation for post-breach operational resilience. When security incidents occur, you gain confidence to make strategic operational decisions instead of binary shutdown choices.
When your auditor asks “how do you prevent application data exfiltration?”, you show them ZORB. When they ask “what happens if malware executes?”, you show them our behavioural blocking evidence.
Beyond Cyber Essentials
ZORB also maps to other compliance frameworks:
ISO27001: Controls A.8.10 (data deletion), A.8.11 (data masking), A.8.12 (data leakage prevention), A.5.23 (information security for cloud services)
PCI DSS: Requirements 10.4.1.1 (unauthorised modifications audit), 12.10.4 (data transmission security)
GDPR: Article 5.2 (accountability), Article 30 (processing records)
For threat intelligence teams:
ZORB also maps to the MITRE ATT&CK framework, a threat intelligence reference rather than a compliance standard. We address specific adversary tactics and techniques: TA0010 (Exfiltration), TA0009 (Collection), and TA0011 (Command and Control). This mapping helps SOC teams understand which attack techniques ZORB mitigates.
Detailed control mapping guides for these frameworks are coming soon.
Your Questions Answered
Q. Which Cyber Essentials controls does ZORB satisfy?
ZORB directly satisfies three technical control themes, enabling post-breach operational resilience through application data theft prevention:
- Firewalls (outbound restriction),
- Secure Configuration (Control 4.3),
- Malware Protection (Control 5.2).
We complement Update Management by detecting poisoning, and Access Control by preventing theft when controls fail.
Download our complete control mapping document for the detailed breakdown.
Q. Will my Cyber Essentials auditor accept ZORB as a control?
Yes. ZORB provides evidence for application data transmission security, specifically Control 4.3 (secure configuration) and Control 5.2 (malware protection). When your auditor asks how you prevent application data exfiltration, you show them ZORB’s validation logs demonstrating only approved applications transmit to verified destinations. We provide audit-ready evidence, not promises.
Q. Does ZORB replace my existing security tools?
No. ZORB complements your existing security stack without replacing anything. Your firewall handles network-level protection, your DLP monitors email and web traffic, your endpoint protection prevents malware execution. ZORB fills the application data protection gap: the 80% of business-critical data in Word, Excel and CRM systems that other tools miss. Defence-in-depth, not rip-and-replace.
Q. What evidence does ZORB provide for auditors?
ZORB provides real-time audit logs showing which applications transmitted data, to which destination IP addresses, using which communication methods. You can demonstrate that unauthorised applications are blocked by default, approved applications only connect to legitimate vendor infrastructure, and any exfiltration attempts are prevented before data leaves the device. This is evidence-based compliance, not theoretical controls.
Q. Can ZORB help with ISO27001 certification too?
Yes. ZORB maps to ISO27001 controls A.8.10, A.8.11, A.8.12, and A.5.23, specifically data leakage prevention and information security for cloud services. We also support PCI DSS and GDPR accountability requirements. Detailed control mapping guides for these frameworks are coming soon. For now, our complete control mapping document covers all frameworks.
Q. Do I need ZORB if I already have endpoint protection?
Yes, because endpoint protection (EDR/EPP) serves a different purpose. Endpoint protection detects and prevents malware execution on devices. ZORB prevents data theft from applications. Even when malware is blocked from executing, legitimate applications can still be abused for data exfiltration, and attackers who bypass endpoint protection can steal application data directly. ZORB provides the data protection layer that endpoint tools don’t cover, and with it the strategic incident response capability that comes from knowing your application data is protected.
Dr Mark Graham is a leading authority on application data theft and exfiltration techniques. His PhD in malware detection in network traffic and almost 40 years in cybersecurity led to the formation of ZORB Security. ZORB is an alumnus of the NCSC for Startups accelerator. ZORB works with professional services, financial services, legal firms, software houses and educational organisations to solve the application data protection challenge.
