1

Firewalls

Block unauthorized access to your network

Are all your work devices (computers, laptops, servers) protected by a firewall?
This includes built-in software firewalls or network firewalls. Every device must have protection.
Have you changed all default passwords on routers, firewalls, and network devices?
Default passwords like "admin/admin" are publicly known and must be changed.
Are your firewalls configured to block incoming connections by default?
This is the "deny all" approach - block everything unless specifically allowed.
Do you document and approve all firewall rules that allow inbound connections?
You must keep records of what's allowed through and why there's a business need.
Are employees who work remotely or use public WiFi using software firewalls on their devices?
Public networks are untrusted - devices need their own firewall protection.
What firewall solution(s) do you use?*
Please specify the make, model, and version of your primary firewall(s). Include both hardware firewalls (e.g., Cisco ASA, Fortinet FortiGate, pfSense) and software firewalls (e.g., Windows Defender Firewall, Sophos). If using multiple, list all.
2

Secure Configuration

Set up devices and software safely from the start

Have you removed or disabled unnecessary user accounts (like guest accounts)?
Unused accounts are security risks. Only active, needed accounts should exist.
Have you removed or disabled unnecessary software and applications?
Unnecessary software increases your attack surface. Only keep what you actually use.
Is auto-run/auto-execute disabled on all devices?
Auto-run allows files to execute without user permission - this must be disabled.
Do all devices require authentication before accessing organizational data or services?
Users must prove who they are before getting access to business systems.
Do all devices have screen lock enabled with a password/PIN of at least 6 characters?
Devices must lock when not in use and require credentials to unlock.
3

Security Update Management

Keep all software up to date with security patches

Is all software on your devices licensed and currently supported by the vendor?
Unsupported software (like Windows 7) no longer receives security updates and must be removed.
Are automatic updates enabled wherever possible?
Automatic updates help ensure you don't miss critical security patches.
Do you install critical/high-risk security updates within 14 days of release?
Critical updates (CVSS score 7+) must be applied within 14 days. This is mandatory.
Do you have a process to track when software will become unsupported?
Knowing when support ends lets you plan upgrades before it's too late.
Are your web browsers updated to the latest version?
Check the latest browser version at browsercalendar.com.
List any software you're currently using that might be outdated:*
Examples: Windows 7, Office 2010, old versions of Adobe, etc. If none, write "None".
4

User Access Control

Manage who can access what in your organization

Does every user have their own unique account (no shared logins)?
Shared accounts make it impossible to track who did what. Everyone needs their own login.
Do you promptly remove or disable accounts when people leave the organization?
Former employees shouldn't retain access. Accounts should be disabled immediately.
Is Multi-Factor Authentication (MFA) enabled on ALL cloud services?
This is MANDATORY. Office 365, Google Workspace, Dropbox, etc. must all have MFA enabled.
Do administrators use separate accounts for admin tasks vs. regular work?
Admin accounts should ONLY be used for administrative tasks, not email or web browsing.
What password approach do you use?
You must use one of these approaches to meet Cyber Essentials requirements.
Do you have protection against password guessing (throttling or account lockout)?
After failed login attempts, the system should slow down or lock the account.
5

Malware Protection

Defend against viruses and malicious software

What malware protection do you use?
You must use at least one of these options on all devices.
Is anti-malware software enabled and running on all devices?
The software must be active, not just installed. It should run automatically.
Is anti-malware software kept up to date automatically?
Virus definitions must be current to protect against new threats.
Does your anti-malware prevent connections to known malicious websites?
Good anti-malware blocks access to dangerous sites before you can visit them.
What anti-malware/antivirus software and version are you using?*
Please specify the product name and version number for all anti-malware solutions in use. Examples: Windows Defender (built-in with Windows 11), Norton 360 v22.23.1, Sophos Intercept X v10.3, CrowdStrike Falcon v6.47. If using different solutions on different devices, please list all.

Scope & Context

Understanding what's in scope for your assessment

Are you including ALL your IT infrastructure in the certification scope?
Full scope provides the best protection. Partial scope needs justification.
Are ALL cloud services (Office 365, Google Workspace, Dropbox, etc.) included in scope?
Cloud services CANNOT be excluded from scope. This is mandatory.
Do employees use personal devices (BYOD) to access work data or services?
Personal devices accessing work data are in scope too.
How many devices are in scope for this assessment?*
Include computers, laptops, tablets, phones, servers - anything accessing business data.
List the cloud services you use for business:*
Examples: Microsoft 365, Google Workspace, Dropbox, Salesforce, Xero, etc.
Do you have a documented backup and recovery procedure?
While not required for Cyber Essentials, backups are critical for business continuity and ransomware recovery.
Please describe your backup solution and frequency:*
Include: What is backed up, where backups are stored, how often, retention period, and how you test recovery.
Do you have a documented incident response plan?
An incident response plan defines what to do when a security incident occurs (e.g., malware infection, data breach, ransomware attack).
Please describe your incident response procedures:*
Include: Who to contact first, escalation procedures, how incidents are logged, communication plan, and recovery steps.
