This free Cyber Essentials guide has been written by a Cyber Essentials Lead Assessor and is intended to help those companies wishing to certify with Indelible Data Limited. The purpose is to help clients get the submission right at the first attempt and save time. Though this document has not been issued by, or on behalf of, The National Cyber Security Centre (NCSC) or the NCSC’s sole Cyber Essentials Partner, IASME, it has been compiled by a Lead Assessor with extensive knowledge of the scheme. Information in this Cyber Essentials Guide is subject to change without prior notice.
For further details to help you prepare for Cyber Essentials Plus assessment, please familiarise yourself with this guide first, then go to our Cyber Essentials Plus checklist blog.
You may also find helpful information in our Cyber Essentials FAQs.
To apply for Cyber Essentials you just need to pay at the shop to receive a login to the assessment portal.
- Section 1. Applying for Cyber Essentials Certification
- Section 2. Scoping the Cyber Essentials submission
- Things to include and scenarios to watch out for
- Companies applying for more than one legal entity to be certified
- Scoping Networks
- Identify all networks managed by the company
- Identify those networks not managed by the company
- Shared office facilities
- Student or pupil networks within a training or school environment
- Working from hotels or internet cafes etc
- Staff working from home
- Working from home due to the pandemic
- Micro-companies where the head office is the home
- Companies that use an outsourced IT company for support
- Contractors or staff supplied by outsourcing companies that use their own equipment
- Potential ways of reducing the scope
- Removing Servers from scope
- Removing End-User Devices from scope
- Networks containing endpoints that are non-compliant
- Guest Wifi within the organisation
- Multi-site companies wanting to scope-down to certain UK operations only
- Multinational companies wanting to scope-down to UK operations only
- Web-based Virtual Desktop Services
- Non web-based Virtual Desktop Services
- De-scoping a home worker router and firewall
- De-scoping mobile devices such as smartphones and tablets
- Scope recap
- Things to include and scenarios to watch out for
- Section 3. Addressing the Cyber Essentials questions
- Online declaration
Completing the Cyber Essentials question set can, at first, appear daunting. This guide helps take away the uncertainty, guide the applicant through the Cyber Essentials Basic Level submission process and is split into 3 sections:
- Describing the journey from initial enquiry through to final submission and subsequent assessor feedback
- Helping to scope the assessment
- Addressing the requirements of the Cyber Essentials questions and explaining areas where most applicants either misunderstand or simply do not respond to the questions as comprehensively as expected.
The aim is to ensure submissions are not made until the applicant is confident all the questions have been completed correctly – hence increasing the chances of passing the submission first time!
Note: It is tempting to just jump to section 3 and address the questions, however if you have not defined the scope correctly, then the questions cannot be assessed properly.
9/4/2021 Descoping home routers and any boundary router on a network that is not managed by the applicant.
- Described the circumstances for boundary router/firewalls to be taken out of scope, and rely on a properly configured host-based firewall, if the company does not control the network, or cannot guarantee change requests will be undertaken by those third-parties managing the network.
- This essentially means that home routers (not owned by the company) can nearly always be declared out of scope for the Cyber Essentials Basic assessments for companies with employees working from home. A company-supplied router to individuals at home must be declared and configured according to section A4 unless a full-tunnel, always-on VPN is in use.
- This also applies to companies working in shared environments (such as Innovation Centres or facilities such as WeWork) if the company has no ability to request changes to the network or boundary firewall configuration. We expect the applicant to have asked the facilities management company first and not just assume that they will not supply the information.
- It is important to be aware that, to take router/firewalls out of scope under the circumstances described above:
- the host-based firewall must be configured to meet the requirements of section A4 of the question set. The best way to ensure this is to have the host-based firewall configured to use a profile designed for public places (such as the “public profile” on windows devices) that does not allow any inbound connection to be made.
- all the questions that are asked of hardware firewalls must be answered by those using host-based firewalls – including changing default passwords (i.e. a password must be entered when changing firewall configuration and this must be an administrator password that did not come with the computer).
- An increasing number of companies (especially the larger organisations) are receiving an “overall fail” due to mobile devices that are unable to run supported operating systems. Current supported Mobile Operating Systems are, at minimum, Android 8 (Oreo) (though 8.1 is required to continue receiving security updates on some devices) and/or iOS 14. The logistics involved in remediating such issues can be time consuming, especially as staff are working from home, so we recommend that assembling a mobile device inventory is one of the first things that a company does in order to meet contractual deadlines (then, of course, ensure the devices are patched up to date).
Whichever type of mobile device you have, if it connects to the internet, it must be running the latest Operating System that is available for the device for it to be compliant with Cyber Essentials.
- IASME have informed us of very clear advice from Apple on their approach to iOS support: The only version in planned, or regular, support is the latest version. All the iOS 12 updates have been for unsupported devices like the iPhone 5 and iPhone 6. If the device cannot install the latest OS, then the device is unsupported. This is now the agreed approach with the NCSC.
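The mobile device inventory recommended above can be checked mechanically against the rules stated in the two bullets above (Android 8.1 minimum, iOS 14 minimum, and a device is unsupported if it cannot install the latest OS available for it). The following PowerShell script is an added example, not code from this guide, IASME or the NCSC; the CSV inventory, the user names, the device models and the LatestAvailable column are constructed assumptions for illustration.

```powershell
# Added example: check a constructed mobile inventory against the guide's minimum
# versions and the "latest available for the device" rule. The CSV below is made up.
$inventoryCsv = @"
User,Platform,Model,OSVersion,LatestAvailable
alice,Android,Pixel 4,11,11
bob,Android,Galaxy S7,8.0,8.0
carol,iOS,iPhone 6,12.5.4,12.5.4
dave,iOS,iPhone 11,14.4,14.6
erin,iOS,iPhone 12,14.6,14.6
"@

# Minimum versions stated in the guide (assumed current at time of writing).
$minimum = @{ Android = [version]'8.1'; iOS = [version]'14.0' }

function ConvertTo-Version([string]$v) {
    # [version] needs at least "major.minor"; a bare "11" would not parse.
    if ($v -notmatch '\.') { $v = "$v.0" }
    [version]$v
}

function Test-MobileInventory([string]$Csv) {
    foreach ($d in ConvertFrom-Csv $Csv) {
        $os      = ConvertTo-Version $d.OSVersion
        $latest  = ConvertTo-Version $d.LatestAvailable
        $reasons = @()

        if (-not $minimum.ContainsKey($d.Platform)) {
            $reasons += "unknown platform '$($d.Platform)'"
        } elseif ($os -lt $minimum[$d.Platform]) {
            # Covers the iPhone 6 case: already on its last OS, but below the minimum,
            # so the device itself is unsupported and must be replaced.
            $reasons += "below minimum $($minimum[$d.Platform]) for $($d.Platform)"
        }

        if ($os -lt $latest) {
            # Device can be updated but has not been: a patching action, not a replacement.
            $reasons += "not on latest available ($latest); needs updating"
        }

        [pscustomobject]@{
            User      = $d.User
            Model     = $d.Model
            OSVersion = $os
            Compliant = ($reasons.Count -eq 0)
            Reason    = ($reasons -join '; ')
        }
    }
}

Test-MobileInventory $inventoryCsv | Format-Table -AutoSize
```

With the constructed data, alice and erin are compliant, bob and carol are flagged as unsupported devices (replacement), and dave is flagged as simply needing the available update.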
Further helpful Cyber Essentials resources can be found at the NCSC’s Website.
Section 1. Applying for Cyber Essentials Certification
Your journey can begin without even getting in touch with us at all. There is a free-to-download spreadsheet version of the Cyber Essentials questions available on our website to help you on your way: https://www.indelibledata.co.uk/free-cyber-essentials-questionaire-download/
Please feel free to use the spreadsheet to help you however you wish – many customers use it as a planning and scheduling tool to help identify areas of concern and address them accordingly.
All questions must ultimately be entered into an online portal to achieve certification. There is no way of importing the contents of the spreadsheet questionnaire into the portal, though we do offer a service to input this on your behalf when, after seeking further clarification where required, we are confident that the responses are sufficient to pass. This service can be found here: https://www.indelibledata.co.uk/product/pre-assessment-check-service-for-ce-level-1/
Just for clarity, you do not need to download the spreadsheet version of the questionnaire – it is there solely to help.
When applying for Cyber Essentials please visit the shop to receive a login to the assessment portal.
A few details are taken and, once payment is made, a login to the portal is emailed and a password sent separately via SMS.
Simply login to the portal and respond to the Cyber Essentials questions…. But not until you have read the next section of this guide where we describe the common mistakes made!
If your submission does fail, don’t worry – just take a look at the assessor feedback, implement the required changes and resubmit. If this is done within 10 working days, there is no re-submission charge. We will help, as much as we can, to give you all the information you need to rectify the situation – but if you need further help to implement controls, then we suggest you contact one of our trusted partners who offer cyber essentials help and support.
It should be said that most failures are due to non-compliant answers – rather than non-compliant systems – and these can often be rectified within a few days of receipt of the assessor feedback. Trusted partners can also help complete the questionnaire in a compliant way.
We do, on occasion, fail companies outright when we find such things as unsupported computer or mobile device Operating Systems that are likely to take much longer than 10 days to rectify. If something like this occurs with your submission – we urge you to keep us informed and work with us to help us understand the issue.
Indelible Data Limited works with many independent Practitioners and Trusted Partners who help clients achieve certification. Many Trusted Partners offer a turn-key solution to certification. This includes registering your company on the portal, completing the questionnaire on your behalf and working with us to clear-up any grey areas that might arise to ensure a smooth path to certification.
Things to include and scenarios to watch out for
Here are the common issues we find regarding the scope. We urge you to read this section carefully before submission – it will help to reduce the time taken for your company to achieve certification.
Companies applying for more than one legal entity to be certified
We often assess companies that, for contractual reasons, require the certificate to cover more than one legal entity name. For example, ACME Wholesale Ltd may also require ACME Logistics Ltd to be Certified. If this is the case, the following options are available:
- If there is more than one company name but it is effectively exactly the same company with only the name being different, then the customer just needs to write a letter, signed by a board member, to say everything except the name is the same. Then we issue extra certificates free of charge.
- If the company is different in any other way – different staff or different IT equipment then they need a new assessment because the answers will be different.
- If the two legal entities do not have a network boundary between them then they have to both be named on the certificate and the scope is both companies.
This can be easy, or a very complex task. We recommend locating the part of this section that best fits your company’s scenario rather than reading the entire scoping section. For example, if your company meets the “Micro-companies where the head office is the home” description – it is likely that you may find enough information to help you in that section – and then move on to section 4.
The larger the organisation, the more of the components in sections 1-3 will likely apply.
Scoping Networks
Identify all networks managed by the company
Networks can include:
- Office networks
- Virtual / Cloud infrastructure
- Home offices where the company has provided the routers/firewalls and is therefore in charge of that network
For these networks, all devices that are connected are in scope if they contain company data and any of the following:
- Have standard user accounts that connect to the internet interactively (such as web browsing or opening emails).
- Can be seen from the internet (often due to a port forwarding rule on the firewall)
- Are at the boundary of the network controlling the flow of information to the untrusted network (typically this is a boundary firewall connected to the internet)
Identify those networks not managed by the company and decide whether boundary firewalls need to be in scope
- Shared office facilities (such as WeWork etc) – only descope the boundary firewall if the facilities management company will not divulge information.
- Internet Cafes – no requirement to declare the boundary firewall – but devices must have a host-based firewall enabled that is compliant with Section A4.
- Home users (using non-company managed network equipment) do not need to declare the home-router – but must have host-based firewall enabled that are compliant with all the questions asked of hardware firewalls in Section A4.
Shared office facilities
For those companies with multiple staff based in shared office facilities connecting to cloud services such as Office 365, G-Suite or Dropbox etc, we would really like to see a firewall installed in front of your company machines (so that you can then manage a “company” network), or that you ask the facility to provide a Virtual Local Area Network (VLAN) for you, but we appreciate that neither of these can always be achieved without issue. So:
- For shared offices with a segregated network (where either VLan or Firewall has been implemented to separate your company from other companies), all devices on that network are in scope – it should be treated as a company managed network described above.
- For devices not on a company managed network (i.e. they just connect straight onto the shared office facility’s network along with other devices from other companies), your company’s devices are permitted to use a host-based firewall to separate each company device from other untrusted machines on the network. In such circumstances, it is only each company device that is in scope, rather than the whole untrusted network. You must ensure that the Host-based/Personal firewall is configured to not allow any unsolicited inbound connections (this is often achieved by setting the network environment to “public” – but check with your firewall vendor for the correct settings).
As the shared office provider’s router/firewall is controlling the flow of information to the internet – it is in scope of the questions. You must therefore have sought assurances that all relevant questions from section A4 have been met:
- They have changed the default password on the device to something that is difficult to guess and over 8 characters.
- They change the password when they believe it has been compromised.
- They only allow services that are accessible from the internet that have a documented business case.
- The firewall configuration settings are not accessible over the internet – unless protected by multi-factor authentication or can only be accessed by trusted IP ranges.
We appreciate you may not always get a response from the Facilities Management company, so you will only need to list the make of the firewall supplied by the shared office facility in A2.9 (and ensure the controls have been configured in section A4) if the Facilities Management company are willing participants. We expect the applicant to approach the Facilities Management company to get the information, but if the shared facilities provider is not responding to calls, or unwilling to divulge the information – then the applicant can rely on properly configured host-based firewalls, or a hardware firewall separating the devices from other devices on the network – and not declare the facility’s boundary firewall. If relying on a host-based firewall, all the questions that are asked of hardware firewalls must be answered in relation to the software firewall.
You may need to write a letter/email to the facilities management company in advance of submitting your questionnaire – so we recommend this is one of the first tasks that is done if you work in a shared office.
Some providers of shared offices are reluctant to divulge this information and state that “we are ISO 27001 certified”. Unfortunately, the fact that they have ISO 27001 is not an acceptable mitigation for providing details of network equipment. We have had several applicants where well-known providers manage their facilities, and they have provided applicants with the required information.
Student or pupil networks within a training or school environment
If the student/training network is on a different network segment to the main business/office administration network, then it can be excluded (on the assumption the training network will not have access to business information such as corporate email etc).
If the student/training devices are on the same network, then they must be in-scope for the assessment. We recommend separating student networks from corporate/business information for this reason.
Once separated, and de-scoped, the training facility can still certify as “Whole organisation” in these circumstances.
Working from hotels or internet cafes etc
For those devices that work in other non-company managed locations, such as staff working from Hotels / Starbucks etc, we prefer that the company uses a VPN to “tunnel through” the untrusted infrastructure, but again, we understand that this cannot always be achieved, so:
- On an untrusted network (such as Starbucks, where the User/Company is not in charge of the network infrastructure) the devices are permitted to use a host-based-firewall to separate that device from other untrusted machines on the network. In such circumstances, it is only the device that is in scope rather than the whole untrusted network. We strongly advise the use of a VPN in such circumstances, but these are not required to achieve Cyber Essentials Certification.
The only devices that require to be declared in scope are the devices accessing organisational data. The controls for firewalls in section 4 must be applied to host-based/personal firewalls.
Staff working from home
Ideally a different Wi-Fi such as a “guest network” should be in use by other devices around the house, but this is not essential to receive certification.
If endpoints are using VPNs, then the home router/firewall does not fall into scope. However, if the home user devices are configured so all of the internet traffic is going via a company-controlled proxy server, then the router/firewall is still in scope.
- Answer all relevant router/firewall questions (such as changing default passwords, no internet accessible configuration allowed, no ports open that aren’t required, etc).
- Within the home network, they do not need to segregate from the kids’ Xbox or other personal home computers with a physical firewall – but must have a properly configured Host-based Firewall.
- Even if the router/manufacturer claims to have set a unique password for that device, it must be changed by the user in order to be compliant with Cyber Essentials requirements
- All devices accessing company information are in scope (so must be declared on the questionnaire) – this even includes personal devices accessing web-based company email.
- Home workers may choose to declare that they have configured their host-based firewalls in accordance with all the questions in section A4.
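Both the shared-office and the home-worker passages above come down to the same thing: the host-based firewall must be on, must reject unsolicited inbound connections (the Windows “public” profile), and any inbound service it does allow needs a documented business case under section A4. The following script is an added example written for this guide, not code from IASME, the NCSC or Indelible Data; it assumes a Windows 10/11 device with the built-in NetSecurity cmdlets, run from an elevated PowerShell prompt.

```powershell
# Added example: check a Windows host-based firewall against the section A4 points
# the guide lists for home and shared-office workers, and report findings.
function Test-HostFirewallA4 {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Every profile must be enabled and block unsolicited inbound traffic by default.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True') {
            $findings.Add("Profile '$($p.Name)': firewall is disabled")
        }
        if ($p.DefaultInboundAction -ne 'Block') {
            $findings.Add("Profile '$($p.Name)': default inbound action is '$($p.DefaultInboundAction)', expected 'Block'")
        }
    }

    # 2. On a network the company does not manage, the connection should be classed
    #    as Public so the most restrictive profile applies. Domain-joined machines on
    #    the corporate LAN legitimately show DomainAuthenticated instead.
    foreach ($c in Get-NetConnectionProfile) {
        if ($c.NetworkCategory -eq 'Private') {
            $findings.Add("Interface '$($c.InterfaceAlias)' is categorised 'Private'; set it to 'Public' on home or shared-office networks")
        }
    }

    # 3. Each enabled inbound allow rule that applies to the Public profile opens a
    #    listening service. Section A4 wants a documented business case for each,
    #    or the rule should be disabled.
    $inboundAllow = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.Profile -match 'Public|Any' }
    foreach ($r in $inboundAllow) {
        $ports = ($r | Get-NetFirewallPortFilter).LocalPort -join ','
        $findings.Add("Inbound allow rule '$($r.DisplayName)' (local ports: $ports) is active on the Public profile; record its business case or disable it")
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Remediation for the profile-level checks. The inbound rules reported by check 3
# still need a human decision per rule, so they are deliberately not touched here.
function Set-HostFirewallA4Baseline {
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    # Only Private networks can be re-categorised; DomainAuthenticated is managed by AD.
    Get-NetConnectionProfile |
        Where-Object NetworkCategory -eq 'Private' |
        Set-NetConnectionProfile -NetworkCategory Public
}

Test-HostFirewallA4 | Format-List
```

Windows ships with built-in inbound allow rules (the Core Networking group, for example), so the rule findings are the list of services that need a documented business case rather than automatic failures.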
Working from home due to the pandemic
If users are forced to work from home during the pandemic, OR they have the option to work from home and this has constituted > 50% of their time, then they are designated “Home workers” and therefore must meet IASME’s existing Home worker requirements (above).
Micro-companies where the head office is the home
Even though, technically, the company is still in charge of the network if it has paid for the ISP/home router service, not every device on that network is deemed in scope. Ideally a different Wi-Fi, such as a “guest network”, should be configured, but this is not essential for certification.
The only devices that require to be declared in scope are the devices accessing organisational data. The controls for firewalls would need to be applied to the software firewall.
You must respond to all questions – none may be answered as N/A even if you are a sole trader – you must manage your access accounts and document accordingly (see section A7 of the question set below for guidance.)
Companies that use an outsourced IT company for support
It is the applicant’s responsibility to instruct the 3rd party of the Cyber Essentials requirements and make sure they are applied. We cannot accept responses that simply state “This is handled by our IT support provider”. For process questions (such as creating or removing accounts), the applicant must state who informs the IT company, and who checks the process has been carried out correctly etc – and this must be formally documented.
Technical requirements (for example, where the applicant must not use Administrative accounts for web access) must also be answered in relation to the IT provider when they are connected to the applicant’s network.
Contractors or staff supplied by outsourcing companies that use their own equipment
The best practice approach for including contractors / freelancers / outsourced staff is that, if they have a company email address, then put them in-scope for all the Cyber Essentials questions. However there is currently no requirement within Cyber Essentials to force a third party company to abide by the scheme. It is therefore possible to exclude third party devices from scope – even if they access company data.
The applicant currently has three options:
- Treat the contractors/freelancers devices as BYOD and include them in the scope of assessment
- Mandate freelancers / contractors to obtain CE as part of their supply chain requirements
- Exclude the contractor / freelancer devices from scope.
For companies wishing to include all contractors or freelancers in scope, the answers can be general, given the assurances already received in contracts (such as the minimum expectations of devices accessing company information), so for operating systems, you could say “approx. 400 Windows 10 devices – minimum Windows 10 Pro 2004 for contracted staff” if the contract states that they must keep OS up to date, for example. Then go on to give the known numbers for your own staff.
Potential ways of reducing the scope
We urge companies to always include the whole organisation wherever possible but understand that, due to size and/or time constraints, some areas of the business cannot be included. There are certain conditions under which certain devices or networks can be removed from scope:
Removing Servers from scope
Servers are in scope if they
- can be seen from the internet (i.e. have a port forwarded to a given service)
- are used interactively with the web (such as a RDS/Citrix server or simply contain standard user accounts that can access the web/email)
There are no scenarios we can think of to allow you to de-scope servers on your network that can be “seen” from the internet, however those servers that can’t be “seen” but access the web interactively, can be de-scoped if they can only access a couple of trusted IPs for the purpose of downloading updates or uploading to a trusted site, for example. But the whitelisting must be done via the boundary firewall – not the device.
Removing End-User Devices from scope
By removing internet access, the device is automatically out of scope of Cyber Essentials. Devices can have access to a few trusted IP addresses on the internet and still be counted as having “no internet access” (the technical definition is “able to connect to arbitrary devices on the internet”) – but the blocking must be done at the boundary firewall.
You may also isolate devices by segregating networks – but if this is performed, then you cannot go for the “whole company” scope. This would also mean that those “segregated” devices must not access company information (from the cloud or anywhere else over the internet or internally) that is associated in any way with the information contained within the in-scope network.
Networks containing endpoints that are non-compliant
If your company has networks that you wish to take out-of-scope of Cyber Essentials, say a training network has legacy software on it (and has access to the internet), then this can be achieved, but you would not be able to certify as “whole company”. The out-of-scope network must be bound by a firewall, or other means of segregation, such as VLAN. You cannot, for example, declare the Cyber Essentials scope as “Windows 10 devices only” if you have Windows XP devices on the same network.
Guest Wifi within the organisation
Segregated Wifi “guest access” networks can be excluded from scope and still allow the company to choose “whole organisation” as long as no devices containing company data use the guest Wifi.
Multi-site companies wanting to scope-down to certain UK operations only
To help understand how to limit the scope down to certain operations, let’s say that you wanted to de-scope the London operations and only certify the Birmingham office. This can be achieved in Cyber Essentials even if London was the Head Office and the IT team there can remotely manage the devices in Birmingham, as long as they have a firewall or other packet level control (VLAN/ACL) in place and documented business reasons for that access. Effectively the London site would be classed as “internet traffic”, with the UK company on the trusted side of the firewall.
If staff at the London office can access the same data as Birmingham that is stored on Office 365, or a back-end server in a Data Centre, London can still be excluded from scope. You would have to answer “No” to whole organisation and write “Excluding London Office” in the scope description. However, if the company operates a homogenous network (say MPLS), so all devices can effectively see each other, a firewall would need to be in place to separate the London office from the in-scope devices in the Birmingham office. Remember, a back-end server in a Data Centre is not in-scope of the assessment unless it can be either accessed from the internet or has non-administrative user accounts on it that can be used to access the internet or access emails – so staff at the London office may still access this server as long as they are sufficiently separated from Birmingham devices by VLAN or Firewall.
If users in the London office connect to the Birmingham office via VPN – the VPN connection would need to terminate on a network in the Birmingham office that is firewalled / VLANd from the in-scope devices in order for the London office to remain “out of scope”.
Multinational companies wanting to scope-down to UK operations only
This can be achieved in Cyber Essentials. For example, even if the head office is in the US and the IT team there can remotely manage the devices in the UK, we can still scope just the UK Operations as long as they have a firewall or other packet level control (VLAN/ACL) in place and documented business reasons for that access. Effectively the overseas sites would be classed as “internet traffic”, with the UK company on the trusted side of the firewall.
If staff at the Overseas office can access the same data stored on Office 365, or a back-end server in a Data Centre, they can still be excluded from scope. You would have to answer “No” to whole organisation and write “Excluding [country] Office” in the scope description. However, if the company operates a homogenous network (say MPLS), so all devices can effectively see each other, a firewall would need to be in place to separate the Overseas company from the in-scope devices in the UK office. Remember, a back-end server in a Data Centre is not in-scope of the assessment unless it can be either accessed from the internet or has non-administrative user accounts on it that can be used to access the internet or access emails – so an overseas office may access this server as long as it is sufficiently separated from UK devices by VLAN or Firewall.
If users in the Overseas office connect to the UK office via VPN – the VPN connection would need to terminate on a network in the UK office that is firewalled / VLANd from the in-scope devices in order for the overseas office to remain “out of scope”.
Web-based Virtual Desktop Services
Important note – this was updated in October 2020 to reflect recent guidance.
There are occasions where contractors/staff out in-the-field need to access company resources, and you can’t be sure if their devices comply with the requirements of Cyber Essentials.
On such occasions, layer 7 / web-based remote desktop services are deployed (RDS, Citrix etc). In such circumstances, though the endpoints are not actually connecting to the network, they are “accessing company data and services”, and are therefore brought into scope. This includes BYOD and Company supplied computers.
The firewall can only be taken out of scope in this scenario if there is a full tunnel VPN session “tunnelling” through it that terminates on the corporate network or the host-based firewall is fully compliant with all questions in section A4. This would obviously still leave the endpoint in scope.
Non web-based Virtual Desktop Services
Companies may require their Virtual Desktop environment to be certified as part of a contract. This is fine, and the company does not need to bring all other external companies accessing that environment into scope. However, if those external companies require certification themselves (even if they just want the scope to be the VDI environment they are using), they would need their own portal account and answer all the questions regarding their company – including those that access the Virtual Desktop services.
All devices connecting to virtual desktops via the corporate network are in scope and must fulfil the requirements of the scheme. So, for example, even if a user just uses the RDS versions of Outlook, Microsoft Word, Chrome and Acrobat Reader every day, the machine will not be compliant if the installed versions on the device itself have not been patched accordingly – even if they are not used (so please remove unnecessary applications from the device).
Users of thin clients that can only attach to an RDP environment (i.e. we can class the terminals as dumb) are out of scope as they cannot connect to the internet. Should the thin client have the built-in ability to connect to the internet (i.e. some have browser capability or have built-in applications such as email) then it is in scope. To keep such a device out of scope, the corporate firewall must not allow internet traffic to or from the device.
De-scoping a home worker router and firewall
Some companies prefer not to rely on home users to configure their router/firewalls correctly to comply with the requirements of Cyber Essentials.
The only way to remove the router from scope is to use a VPN from the endpoint to always “tunnel through” the user’s router/firewall. Using any other method, such as forcing user devices to use a web proxy, is not sufficient. VPNs must be “Always on”, “Full Tunnel” and not “Split Tunnel”. That is to say, whenever the home worker types “what is my IP” into Google, the home router IP must not be returned.
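The “what is my IP” test above is a manual check; the same condition (all traffic leaves via the VPN, not the home router) can be verified from the routing table. The script below is an added example, not code from this guide or from IASME or the NCSC; it assumes the Windows built-in VPN client (the Get-VpnConnection cmdlets) and a connection name of “Corporate VPN”, which is a placeholder. The route check in the second half applies to third-party VPN clients too.

```powershell
# Added example: confirm a Windows VPN session is full tunnel (not split tunnel),
# i.e. the lowest-metric default route belongs to the VPN adapter.
function Test-FullTunnelVpn {
    param(
        # Name of the VPN entry as shown in Settings > VPN; placeholder value.
        [string]$ConnectionName = 'Corporate VPN'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Built-in client: split tunnelling must be off so all traffic enters the tunnel,
    #    and the session must actually be up ("always on" is a policy question; this
    #    only confirms the present state).
    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if ($null -eq $vpn) {
        $findings.Add("No built-in VPN connection named '$ConnectionName' found (third-party client? rely on the route check)")
    } else {
        if ($vpn.SplitTunneling) {
            $findings.Add("'$ConnectionName' has split tunnelling enabled; run Set-VpnConnection -Name '$ConnectionName' -SplitTunneling `$false")
        }
        if ($vpn.ConnectionStatus -ne 'Connected') {
            $findings.Add("'$ConnectionName' is '$($vpn.ConnectionStatus)', not Connected")
        }
    }

    # 2. Route check (any client): the effective-lowest-metric IPv4 default route must
    #    exit via the VPN interface, not the physical adapter attached to the home router.
    $default = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
        Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
        Select-Object -First 1
    if ($null -eq $default) {
        $findings.Add('No IPv4 default route present')
    } else {
        $adapter = Get-NetAdapter -InterfaceIndex $default.InterfaceIndex -IncludeHidden -ErrorAction SilentlyContinue
        $desc    = if ($adapter) { $adapter.InterfaceDescription } else { '' }
        # Built-in client: the PPP interface alias equals the connection name and the
        # description is a WAN Miniport. Common third-party clients use TAP/TUN/Wintun.
        $looksLikeVpn = ($default.InterfaceAlias -eq $ConnectionName) -or
                        ($desc -match 'WAN Miniport|TAP|TUN|Wintun|VPN')
        if (-not $looksLikeVpn) {
            $findings.Add("Default route exits via '$($default.InterfaceAlias)' ($desc), which is not a VPN adapter: traffic is going out through the local router")
        }
    }

    [pscustomobject]@{
        FullTunnel = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-FullTunnelVpn | Format-List
```

If the script reports the default route leaving via the physical adapter while the VPN shows as connected, the session is split tunnel in practice and the home router remains in scope.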
De-scoping mobile devices such as smartphones and tablets
If the mobile device can access the internet and it accesses company data that is either resident on the company network or via other hosted/cloud services (such as email in Office 365 or Gmail) then that device is in scope and must be included in the responses.
We are often asked if mobiles can be de-scoped if they do not connect to the in-scope network – or they access company data that is unrelated to that network.
The general rule for de-scoping mobile devices in Cyber Essentials is, if the data in the cloud is not related to the information contained in the in-scope network, then you could de-scope those mobiles that just access the cloud. It’s an unlikely scenario as, if the client is requiring a certificate to meet the requirements of a contract, it is likely that some email interaction would be required with that customer. If you scoped-down to a given network, and had an email server on that network for a specific contract, then it may be possible to de-scope the mobiles that just access the unrelated cloud emails.
Scope recap
Remember, all devices are in scope if they contain or access company data and either:
- Have standard user accounts that connect to the internet interactively (such as web browsing or opening emails)
- Can be seen from the internet (often due to a port forwarding rule on the firewall)
This includes mobile phones and even non-company devices that connect using 4G or via home or other untrusted networks.
If a device can only connect to one or two known, trusted IP addresses to download updates, for example, then this can be deemed not to have Internet access for the purposes of Cyber Essentials. This is a great way to de-scope servers.
The common areas of failure and clarification relate to the following questions:
- A 2.6 (computers and associated Operating Systems)
- A 2.7 (Mobile Devices and associated Operating Systems)
- A 2.9 (Network equipment)
- A 4.5 (Documented services)
- A 6.1 (Supported operating systems)
- A 6.2 (Supported applications)
- A 7.7 (Use of Admin accounts and the internet)
- A 8.1 (Malware protection methods)
- Online declaration (this must be signed by a board level, or equivalent, individual).
So we highly recommend that you, at least, read the information below regarding those questions to help prepare those responses.
Other common areas are those questions that require a process to be described or a service to be documented. Please ensure you describe and document as appropriate. Saying that you have not implemented such things will result in a non-conformance. Even if you are a sole trader, please document your processes where required and remember, you may not answer N/A to any question.
Here is a breakdown of the Cyber Essentials questions in full (it is not exhaustive, as we do not find issues with every question):
Scope of assessment
A2.1 Does the scope of this assessment cover your whole organisation? Please note: Your organisation is only eligible for free Cyber Insurance if your assessment covers your whole company, if you answer “No” to this question you will not be invited to apply for insurance.
As stated earlier, if your company has networks that you wish to take out-of-scope, say a training network that has legacy software on it (that connects to the internet), then this can be achieved, but you would not be able to certify as “whole company”. The out of scope network must have a boundary, such as a firewall or other means of segregation, like a VLAN. The scope on the certificate for this example would need to include the statement “ – excluding training network”
Segregated Wifi “guest access” networks can be excluded from scope while still allowing the company to choose “whole organisation”, as long as no devices with company data use the guest Wifi.
Check that devices are selected correctly as described in the Scoping Networks section earlier.
The assessment cannot be marked if the operating system versions are not presented correctly. For Windows Operating Systems we require the “edition” (pro, home, enterprise, etc) and version (2004, 20H2, etc). To help get this right, this is the degree of detail we require:
- Windows 10 Pro 1909
- Windows Server 2012 R2
- Mac Catalina 10.15.2
- Linux Ubuntu 18.04
If you wish, you can provide an itemised list, or provide a sentence or two, for example:
“We have approximately 100 Windows 10 Pro machines running a mixture of versions 1909, 2004 and 20H2. All 8 Macs run Catalina 10.15.2. Our 14 Windows servers run either Server 2012 R2 or Server 2016”.
Please check carefully, before submission, that the Operating Systems are supported.
Our assessors spend a lot of time familiarising themselves with current versions of Operating Systems and will not be able to identify unsupported or unpatched versions if they are not declared. The question will be unscored (therefore fail) if insufficient detail is given.
If an Operating System is currently unsupported at the time of application, please do not submit the responses. Our assessors cannot accept responses that state “…we are currently upgrading Windows XP devices to Windows 10 Pro 2004 over the next couple of weeks…” Please only submit the response once the upgrade has been completed.
Our assessors will only accept “End-of-Life” Operating Systems if you declare that you have purchased Extended Security Updates and state the “Valid Until” date.
You must also state if thin clients (designed to communicate with remote desktop services) are used, together with their operating systems. Any laptops/desktops connecting to the network that use Remote Desktop Services are also in scope – whether they use their own desktop to access the internet or not – and must meet the requirements of all the controls.
Check that devices are selected correctly as described in the Scoping Networks section earlier.
Please ensure that all the devices that hold company data (including emails) and connect to the internet have been included in the scope and have a supported Operating System. The device itself must also be supported. Beware that some Android devices may be running a “supported” Operating System (such as iOS 9) but the manufacturer is not releasing updates for that model.
Your mobile device must be running a supported Operating System and be capable of receiving updates – we will check whether your model is still being supported. In order to do this, we must have the models included in the response.
The assessment cannot be marked if the Mobile device’s operating system versions are not presented correctly. This is the degree of detail we require for the Operating System:
- Android 9.1
- iOS 14.3
If you wish, you can provide an itemised list of model and operating system, or provide a sentence or two to help paint a picture, for example:
“Our 70 mobile devices are a mixture of Galaxy S8 and LG X500 running Android 9.1, 10.1 and iPhone XR running iOS 14.4.1”.
As with A2.6 (above), please check carefully before submission that the mobile devices and operating systems are supported. Our assessors will not be able to identify unsupported or unpatched versions if they are not declared. The question will be un-scored (and therefore fail) if insufficient detail is given.
If a mobile Device or Operating System is currently unsupported, please do not submit the responses yet. Our assessors cannot accept responses that state something along the lines of “…we are currently upgrading Android 6 devices to Android 10 over the next couple of weeks…” Please only submit the response once the upgrade has been completed.
Only the most current version of iOS is classed as supported (currently iOS 14.x). Even though older phones such as the iPhone 5 are receiving some updates from Apple (iOS 12.x), these updates are classed as supporting “legacy devices” and we have no guarantee when they may stop. The assessor therefore cannot accept submissions containing iOS 12.x, even at its latest update.
Certification Bodies have a list of supported devices collated from the following resources – please ensure your devices are classed as “supported” on these lists:
Also, for A2.6 and 2.7 above, we recommend consulting the following resources to help you before submitting your responses to ensure the operating systems are supported:
Linux: Visit the relevant release eg. https://ubuntu.com/about/release-cycle
Please list all networks that are managed by the organisation. You don’t have to list the details of all devices either on home user networks (unless configured by your company) or those of Internet Cafes.
The most important part of responding to this question is to describe all the different ways that the in-scope devices connect to the internet. For example, home users will likely have a home router provided by their ISP, users in a shared office facility may use WiFi to connect to the network and break-out to the internet using the facility’s router/firewall, larger organisations may utilise an MPLS network with break-out points at the Head Office or a Data Centre.
For those companies working in shared office facilities, we would really like to see a firewall installed in-front of your company machines (i.e. so that you can then manage a “company” network), but we appreciate that this cannot always be achieved.
If you are unable to segregate networks in a shared/multi office environment, please mention this and state that devices will be reliant upon each computer’s personal firewall.
This is generally straightforward for companies to answer for their own equipment – but you must also answer for users in shared offices (such as WeWork) by seeking assurances from the relevant technical contacts.
Please don’t forget to also describe the home routers involved (such as “ISP provided”, or “company supplied” etc) and let us know that they are the latest models shipped by the ISP (it is tempting for users to put the latest one in a cupboard because the old one is working just fine!).
If home routers are company supplied, then we require the make and model.
However, if any home devices access organisation data via a VPN application on the computer that “tunnels” through the router, or the host-based firewall is fully compliant with all questions in section A4, then we do not need to know the make and model of the home router.
If the company has configured home users with a site-to-site VPN (where the home router itself is instigating the VPN connection) then the make and model would need to be given.
Other than that, simply state the make and model of all network boundary equipment (this should not include internal routers and switches etc).
Remember that home firewall/routers require the same controls to be applied (such as changing default passwords, ensuring no unnecessary ports are open, etc.).
So, just to recap: where you have stated there are home workers, we need to know if the organisation supplies them with network equipment, if they use a VPN to connect directly to the office, or if they use their normal ISP-provided router to connect to cloud services. The VPN must be “Full Tunnel” and not “Split Tunnel”.
An example of a response could be “… The head office network is separated from the internet by a Cisco ASA 5505 firewall. Two of our Technical staff have been issued with Draytek 2760 firewalls. The rest of the home users use the latest router that has been supplied to them by their ISP to ensure they are supported. Two directors have been issued with VPN software to connect to our office network, this is not ‘always on’ so their ISP provided home routers are also in scope”
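The “Full Tunnel, not Split Tunnel” test (the home router IP must never be what “what is my IP” returns) can be checked from the client's routing table before relying on it in your A1.7/A2.9 answers. The following is an added example, not part of this guide: it classifies a Linux laptop's `ip route show` output as full or split tunnel, using two constructed route tables (interface names, addresses and the VPN server address 203.0.113.10 are assumptions).

```python
import ipaddress

# Constructed sample output of "ip route show" on a Linux home-worker laptop.
# Table 1: the VPN client has pushed the two half-routes (0/1 and 128/1) that
# many clients use to capture all traffic without deleting the LAN default route.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

# Table 2: split tunnel. Only the office prefix goes through tun0; everything
# else still leaves through the home router, so the router stays in scope.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""


def parse_routes(text):
    """Turn 'ip route show' lines into (network, device, is_link_scope) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        link_scope = "scope" in fields and fields[fields.index("scope") + 1] == "link"
        routes.append((net, dev, link_scope))
    return routes


def tunnel_mode(text, tun_prefix="tun"):
    """Classify the table as 'full', 'split' or 'none' from its tunnel routes.

    A full tunnel is one whose tunnel routes, once merged, cover 0.0.0.0/0:
    either a default route on the tunnel interface or the 0/1 + 128/1 pair.
    """
    tun_nets = [net for net, dev, _ in parse_routes(text)
                if dev and dev.startswith(tun_prefix)]
    if not tun_nets:
        return "none"
    covered = ipaddress.collapse_addresses(tun_nets)
    return "full" if any(net.prefixlen == 0 for net in covered) else "split"


def bypass_routes(text, tun_prefix="tun"):
    """Non-tunnel routes that are more specific than the default route.

    In a full tunnel these are the exceptions that still leave via the home
    router. The VPN server's own host route is expected here; anything else
    needs justifying, because that traffic bypasses the tunnel.
    """
    return [str(net) for net, dev, link_scope in parse_routes(text)
            if dev and not dev.startswith(tun_prefix)
            and not link_scope and net.prefixlen != 0]


if __name__ == "__main__":
    for name, table in (("table 1", FULL_TUNNEL_ROUTES), ("table 2", SPLIT_TUNNEL_ROUTES)):
        print(name, tunnel_mode(table), "bypasses:", bypass_routes(table))
```

On a real machine, feed it the output of `ip route show` (IPv4 only here); a result of “split” or a bypass list beyond the VPN server itself means the home router cannot be taken out of scope.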
This person must be a member of your organisation and cannot be a person employed by your outsourced IT provider. Please provide the name and role of the person who influences and makes decisions about the computers, laptops, servers, tablets, mobile phones and network equipment within your organisation.
Applicants can now rely on host-based firewalls to take home-routers out of scope.
- You must still declare how many home workers there are in A1.7.
- All the questions in A4 (Office firewalls and internet gateways) must be answered for the home user’s host-based firewall (even though the questions specifically say “Hardware firewall”). The question set is being updated on 26th April and will hopefully address this wording.
- This includes those questions referring to passwords – i.e. you must not be able to perform firewall configuration changes without first entering a password. In the majority of Windows and Mac set-ups, this will be achieved by having to elevate to an admin user before performing changes. So, in other words, you should be fine as long as this admin password didn’t come with the machine, and is changed if a breach is suspected etc.
- Pay attention to A4.5 – If the home user’s host-based firewall is not set to a profile designed for “public” places then it will likely be listening for SMB requests and other Microsoft services. You will have to justify these if this is the case.
- If you are going to declare the user’s home router, you do not have to answer the questions in relation to host-based firewalls as well.
- The Host-based firewall must be switched on, even if you are behind a “declared” hardware firewall, to satisfy A4.11
A4.2 When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?
We need, first of all, to know that the password has been changed from whatever it was shipped with. Even if this is unique to the router/firewall, it still counts as “default” in the eyes of Cyber Essentials and must be changed. If working from home, a member of the company’s IT staff may need to help with this.
We then need to know how you changed it – this can be as simple as mentioning the router configuration page – or, for larger organisations, the process of who informs whom, who changes it, and who signs off that it has been changed.
For smaller organisations and home users, you can generally change the default password by logging into the web interface for the device (often located at 192.168.1.1 or 192.168.1.254)
For larger organisations with IT / Security teams, you may wish to describe the process by which you ensure the default passwords have been changed. Such a process would describe the department that requests the change, the department that makes the change and the department that checks it has been carried out.
This question relates to Firewalls and Routers, as well as End User Devices and Servers that can be accessed through services advertised by the firewall.
So, as well as describing the process to change any suspected end-user account password, also include the process for changing firewall and associated services credentials as these may be performed by different roles.
Please do not forget to include the process here. For example, only stating “… we call our IT support team immediately” or “our security team follow the procedures covered by our incident response policy” is not sufficient. We also need to know how such a need would be reported, who (role) would reset the password, and who (role) would check it had been done. For example “… the Managing Director informs the Outsourced IT Provider, who confirms it has been changed via email”.
As well as changing the firewall password if a breach is suspected, we need to know that any compromised login advertised by the firewall is addressed immediately (this could be a mail account on port 25 or SFTP service on port 22 etc). If you don’t have any user accounts that can be accessed through the firewall, just state that is the case.
This question is often mis-read due to the double negative. If you have fully documented all services that are advertised to the internet (from a network for which you are responsible) then answer “No”. Answering “Yes” would be informing us that the company is unsure what ports/services are open.
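A practical way to prepare the A4.5 answer is to compare what the firewall actually advertises with the register of documented services, so that “No” is a statement of fact rather than a guess. This added example (not from the guide) parses DNAT rules from a constructed `iptables-save` NAT table against a constructed service register; the addresses, ports and justifications are assumptions.

```python
# Constructed sample: NAT table as dumped by "iptables-save" on a small
# office firewall. Every DNAT rule here is a service advertised to the internet.
IPTABLES_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.10.5:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.10.6:22
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.10.7:1194
-A PREROUTING -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.10.20:3389
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed register of documented services: (protocol, external port) ->
# business justification. This is what the "documented services" answer rests on.
DOCUMENTED_SERVICES = {
    ("tcp", 25): "SMTP to on-premise Exchange server; needed for customer email",
    ("tcp", 22): "SFTP for customer file exchange; key-based logins only",
    ("udp", 1194): "OpenVPN for home workers (always on, full tunnel)",
}


def advertised_services(save_text):
    """Extract (protocol, external port, internal destination) from DNAT rules."""
    services = []
    for line in save_text.splitlines():
        fields = line.split()
        if "DNAT" not in fields:
            continue
        proto = fields[fields.index("-p") + 1] if "-p" in fields else "any"
        port = fields[fields.index("--dport") + 1] if "--dport" in fields else "any"
        # Single ports become ints to match the register; ranges ("5000:5010")
        # and "any" are kept as strings so they always show up as undocumented.
        if port.isdigit():
            port = int(port)
        dest = fields[fields.index("--to-destination") + 1]
        services.append((proto, port, dest))
    return services


def undocumented_services(save_text, register):
    """Advertised services with no entry in the register."""
    return [svc for svc in advertised_services(save_text)
            if (svc[0], svc[1]) not in register]


def stale_register_entries(save_text, register):
    """Register entries whose rule no longer exists (documentation drift)."""
    live = {(proto, port) for proto, port, _ in advertised_services(save_text)}
    return sorted(key for key in register if key not in live)


def answer_a45(save_text, register):
    """Return the literal answer the guide expects for A4.5.

    "No" means every advertised service is documented; "Yes" means at least
    one open service has no documented justification.
    """
    return "Yes" if undocumented_services(save_text, register) else "No"


if __name__ == "__main__":
    for proto, port, dest in undocumented_services(IPTABLES_NAT, DOCUMENTED_SERVICES):
        print(f"undocumented: {proto}/{port} -> {dest}")
    print("A4.5 answer:", answer_a45(IPTABLES_NAT, DOCUMENTED_SERVICES))
```

Here the RDP forward on 3389 has no register entry, so the honest answer is “Yes” until it is either documented with a business need or removed.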
Please don’t forget to describe the process here – for example, a list of approved applications may be provided by your company for an outsourced IT company to work towards, so that machines are only provisioned with the correct software, or specific build images or checklists may be used.
We not only need to know the process for ensuring any “bundled” software is removed before deployment, but also how you ensure unnecessary software is removed going forward, such as via system reviews, company policy etc.
A5.3 Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?
Mobile device PINs must also be at least 8 characters. If using face/finger recognition, the underlying PIN must be at least 8 characters.
We just need to know about the services that have been made available from networks that are under your company’s control. So, for example, Office 365 documents (via Sharepoint, Onedrive etc) or any other Software as a Service platform should not be included here.
An example where you would be expected to answer “yes” would be if your company’s on-premise Exchange Server 2016 is presented to the internet or you operate a VPN for staff to connect to resources on the office network.
Another example would be if you have implemented Infrastructure as a Service, and you are responsible for the software on that infrastructure providing sensitive data across the internet, then you should answer “yes” to this question.
Companies that have declared the use of a VPN for home users or staff out on-the-road to connect to the corporate network should state “yes” here.
Patches and updates
Do not forget to answer “Yes” or “No” in the response. You can then refer to, or copy the responses from, A2.6 and A2.7 to support this statement.
We require a statement to show how you ensure firmware is updated when required (some computers have “agents” installed to alert the user to firmware updates).
Remember that Operating Systems for Firewalls/Routers are also in scope for Cyber Essentials and you must let us know that the version of the Firmware is supported by the manufacturer or ISP. This is often via the ISP (especially for home user router/firewalls) – but Firewalls that have been purchased separately are likely to require some form of manual operation to update the OS/Firmware and we need to know that this has been done where required.
Common Cyber Essentials assessor responses to applicants that have not fully answered this question include:
“Windows Server 2008 is no longer being supported – please confirm that Extended Security Updates (ESU) have been purchased if these servers connect to the internet – and let us know when the ESU expires.”
“Unsupported Operating Systems must be updated or removed from the in-scope network (or not have access to the internet). Please let us know when the Windows 7 Operating Systems have been upgraded to Windows 10.”
“Please confirm that all mobile operating systems are also supported”.
Again, please do not forget to answer “Yes” or “No” to this question, then follow it up with a summary of applications to support this.
We are not expecting a comprehensive list containing the versions of every application on every machine. Instead, let us know the key applications, plugins and frameworks in place.
Some companies use applications that started life as “base” application from a supplier, then the application was customised by a third-party. If that third-party no longer supports their modifications (let’s say they are no longer trading), then as long as the “base” application is still being supported by its vendor, you may answer “yes” to this question and include this in the summary.
Please put the versions wherever possible. Some versions of common software are not supported, for example Acrobat Reader 11 no longer receives security updates, so a full update to, at least, Acrobat DC would be required.
For example, a response similar to:
“Yes we ensure all applications are fully supported. All of our desktops/laptops have Microsoft Office 365 installed. Some machines require Adobe Acrobat Reader DC and Java 8. Some other file utilities, such as Winzip 8 are also deployed on certain devices. Our technical team also requires the .Net 4 framework to be installed. All applications on mobile devices are supported. They all have Outlook 2016 installed and some may have access to further Microsoft Office applications (such as Word and OneDrive).”
Common clarifications from our assessors include:
“Please also state Yes or No in the response given to declare whether these applications are supported and receive regular updates or not.”
“Please summarise the applications you use so the assessor can understand your setup and confirm that all applications are supported. This includes frameworks and plugins such as Java, Flash, Adobe Reader and .NET including versions”
“Please also summarise the applications in use on mobile devices that are used to access company data.”
“You have declared that Acrobat Reader / Pro is in use. Please can you confirm that this is the DC version as it is the only version that is being supported”
Again, please do not forget to answer “Yes” or “No” to this question, then follow it up with a description of how you ensure this is performed mentioning any corporate policies that users must follow or device policies issued by automated central management.
Also – we need to know how you ensure that router/firewall operating systems and services, and end user device firmware, are updated when required. ISP provided firewalls often have their firmware updated by the provider themselves and many laptops / desktops come with manufacturer bundled software to check for firmware updates – don’t forget to reflect the use of such update methods in your answer.
Typical responses by our Cyber Essentials assessors include:
“Please also state how you ensure mobile applications are updated where required (such as the use of mobile device management tools, or via company policy informing all users to set devices to auto-update)”
“Your response appears to only describe how Windows applications are updated, please also include a summary of how the Macintosh and Linux devices are updated.”
“How do you ensure that the firmware on the firewall is kept up-to-date?”
“We just need a little more information here to describe the process – is it a manual process, are the devices set to “auto-update”, or are updates “pushed” to each device from a central server?”
6.5 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.
Don’t forget that answers must relate to Internet Connected Servers, Computers, Laptops, Tablets, Mobile Phones, and web applications and services on Routers and Firewalls as all are in-scope for this question.
All the software listed in A6.2 must be patched within 14 days of the release of a high/critical patch by the vendor in order to pass. Please describe how you ensure this is done – e.g. applications set to automatic updates, user policy to update as soon as a patch is available etc.
Note: this question relates to software that is no longer supported, rather than software that is no longer used – the latter should have been addressed in question A5.5.
When responding to this, please ensure mobile apps that access company data are also considered.
Please describe the process – e.g. who approves the account, who creates it and who checks it is right, for example.
Even if you are a sole trader, creating user accounts, including temporary accounts should they be required, must be a managed process and they must only be created if absolutely necessary. You may therefore wish to describe how you use the Windows inbuilt add/remove user tool, for example, to create the accounts.
You must ensure that no devices can be accessed without entering a username and password. You will not pass this question if users can share accounts – this includes (internet connected) devices found in warehouses and retail etc.
It is not sufficient to block internet access from such devices within the computer’s own settings – if you must have shared accounts (probably for legacy reasons) – then the device must be blocked from accessing the internet using networking infrastructure controls or boundary firewall settings.
Examples that would attract a Major Non Conformance for this question include: IT departments that keep a central password list of users and Third Parties that hold passwords of your users that access in-scope computer systems.
Please describe the process – who highlights that the account should be removed / disabled, who implements this, and who checks it has been removed/disabled?
Even a sole trader must demonstrate that they are aware that they must remove an account (including a temporary one) when it is no longer required and state they have checked to see that only required accounts are active (and the method of checking conducted).
For companies using IT support providers to help them, this response typically attracts responses saying “We contact our IT provider”. This answer is not sufficient as we need to know which person/role requests the account to be removed, the person/role that removes it (giving a brief description of the process – whether it is removed centrally or locally to each device etc) and the person/role that checks it has been removed.
Smaller companies often set up a standard user for day-to-day activities using the inbuilt add/remove user facility. Sole traders generally require full access to the company information, but as the company grows, user accounts must be managed and provide only those rights required by that individual. Your response here should give a taste of the different access levels employed in the company.
Many Cyber Essentials applicants only half answer this question. You need to describe the process and confirm that this is documented (i.e. a written procedure for assigning Administrative rights). A formal process is required no matter how large or small the organisation is – even if the account creation is outsourced to a third party IT Support provider. A high-level description of this process must be given in terms of who authorises admin access, under what conditions the access is granted and who implements the change.
There must be a separate account to perform administrative duties than the usual day-to-day user account for creating/amending office documents etc.
This question often causes confusion – especially with the way macOS/Linux implement the notion of administrators.
Use this helpful rule of thumb for Linux:
- If you need to run a process as admin, and need to enter a password, go to step 2 – otherwise you will fail this question.
- Only if this password is different from the usual day-to-day password, will a pass be awarded.
This means that a Linux standard user contained in the sudoers file would not be awarded a pass.
- A Windows local admin account being used for day-to-day activity and just using basic UAC (with no password, just clicking OK when prompted) would fail
- A Windows local standard user that must enter an administrative user password at the UAC prompt, would pass
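The Linux rule of thumb above can be applied mechanically to a sudoers file: step 1 fails on any `NOPASSWD:` entry, and step 2 fails whenever the day-to-day account's own password is what sudo asks for. This added example (not from the guide) does that check against a constructed sudoers file; the user and group names are assumptions, and it relies on sudo's real `rootpw`/`targetpw`/`runaspw` Defaults options, which make sudo ask for the root or target account's password instead of the caller's own.

```python
# Constructed sudoers file for a small company's Linux laptops. The day-to-day
# accounts are alice, bob and carol; "sudo" is the usual admin group.
SUDOERS = """\
Defaults    env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/apt
deploy  ALL=(ALL) ALL
"""

# Defaults flags under which sudo prompts for a password other than the caller's.
OTHER_PASSWORD_FLAGS = {"rootpw", "targetpw", "runaspw"}


def parse_sudoers(text):
    """Return (set of plain Defaults flags, list of (who, has_nopasswd)) from sudoers text."""
    flags = set()
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and #include lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "Defaults":
            # Only plain "Defaults" lines are read; "Defaults:user" style
            # variants and alias definitions are ignored in this simplified parser.
            flags.update(f.strip() for f in line[len("Defaults"):].split(","))
        elif fields[0].startswith("Defaults") or fields[0].endswith("_Alias"):
            continue
        else:
            # A user or %group spec. A NOPASSWD: tag means sudo prompts for nothing.
            nopasswd = any(f.startswith("NOPASSWD:") for f in fields[1:])
            specs.append((fields[0], nopasswd))
    return flags, specs


def assess_sudo(text, user, groups):
    """Apply the guide's two-step rule to one day-to-day account.

    Returns (verdict, reason). 'fail' means elevation needs no password or only
    the account's own password; 'pass' means a different password, or a
    different account altogether, is needed to gain admin rights.
    """
    flags, specs = parse_sudoers(text)
    applies = [nopw for who, nopw in specs
               if who == user or (who.startswith("%") and who[1:] in groups)]
    if not applies:
        return ("pass", f"{user} has no sudo rights; admin work must use a separate admin account")
    if any(applies):
        return ("fail", f"{user} can sudo without entering any password (NOPASSWD)")
    if flags & OTHER_PASSWORD_FLAGS:
        return ("pass", f"{user} must enter the root/target account password, not their own")
    return ("fail", f"{user} elevates with their own day-to-day password")


if __name__ == "__main__":
    for user, groups in (("alice", ["alice"]), ("bob", ["bob", "sudo"]), ("carol", ["carol"])):
        print(user, *assess_sudo(SUDOERS, user, groups))
    print("bob with rootpw:", *assess_sudo("Defaults rootpw\n" + SUDOERS, "bob", ["bob", "sudo"]))
```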
For those companies that may not hold administrative accounts for their system (for example, only an outsourced IT provider may have such rights) there still needs to be a responsible person within the organisation that has ultimate responsibility for the use of Admin accounts. So we would expect the response to state that senior management have formally documented and informed the IT Company that they must not access the internet / read emails whilst logged in as Administrator on your network.
The response to this question is often incomplete, stating that, perhaps, two accounts are used: one for day-to-day duties and one for administering the system. This is great practice; however, answering the question this way does not address the core requirement – i.e. not using the internet whilst being an administrator.
Cyber Essentials requires that any users that have Administrative rights (including outsourced IT providers) do not access the internet or emails whilst using such accounts on your devices. Please describe how you ensure this (it could be through training, policy or technical controls).
An example of a compliant answer could be “Nobody accesses the internet, or emails, whilst logged in with an administrative account. Those that do have access to an administrative account (say, to install software or updates) only browse the internet with a standard user account – then only elevate to the administrative account when required to actually install/update the software. Such users know to do this via the Access control policy and subsequent training”
Our typical response to applicants is “… how does the organisation ensure that those who have admin accounts do not use them to access emails or browse the web?”
You may not need a technical solution to achieve this; it could be based on good policy and procedure, as well as regular training for staff, to help ensure admins comply.
If your company uses an outsourced IT provider to manage your systems, then you must let us know how you are assured that they do not access the internet using system administrator credentials whilst on your network. So please check they also have a policy of not browsing the web/opening emails whilst performing administrative duties.
It is possible to identify “trusted sites” that administrators may wish to use repeatedly, such as vendor update sites etc. It is important to note that all whitelisting must be done by the firewall to prevent those with Admin rights accessing untrusted sites – which would generally need a better firewall than small businesses typically own.
Even though whitelisting can be achieved through internet settings (setting up restricted sites etc) on the Windows machine, admins accessing the web require the hardware firewall/router to block untrusted sites rather than Windows internet settings.
The safest way to pass this question, for small businesses especially, is to not browse the internet as Admin. You don’t need a technical control in place to prevent this – policy / training instructing admins not to interact with the internet with such privileges is sufficient.
You need to only consider Multi Factor Authentication for devices that already have provision for it. No further expense is expected by the standard to try and meet this requirement.
If IT administrators access the in-scope devices over the internet, and the firewall allows multi factor authentication, by issuing a code to a device already purchased by the company (say, a mobile phone) then it must be switched on unless access is only permitted from a trusted set of IP addresses.
A8.1 Are all of your computers, laptops, tablets and mobile phones protected from malware by either A – having anti-malware software installed, B – limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or C – application sandboxing (i.e. by using a virtual machine)?
Though not always the case, it is likely that desktops / laptops and servers will be covered by the installation of Anti Malware (option A), and mobile devices will be covered by using the Mobile’s relevant App store. Because of the iPhone’s / Android’s sandboxing architecture, option C can only be chosen (as long as not jailbroken, of course) if they are only attached to a network that is out of scope and “whole company” has not been declared. This is because, though sandboxed, they generally allow access to the network without permission.
As you can see it gets complex – so best to choose option B for mobile devices unless you work in a very specific way.
Android does allow AV products to scan the phone, so option A is viable for these if implemented.
The Majority of applicants state Option B to cover their mobile devices, which is fine.
The Apple OSX built-in antivirus (called XProtect) is not sufficient to pass Cyber Essentials. XProtect can be likened to the Windows Malicious Software Removal Tool and is designed to target certain code only, therefore a full anti-virus product is required.
Here are some common responses by our assessors:
- From earlier responses, the company has smartphones (iPhones, Android). It is likely that these are covered by Option B or C, which was not ticked. Please could you tick the Option B and/or C boxes and complete the extra fields that appear. These extra fields state whether users can only install apps approved by the store and that you have documented the apps that are permitted to access company data (such as Outlook, OneDrive, Excel etc).
- A2.7 states that you have no mobile devices in scope – yet you have chosen Option B here. Please can you clarify?
As stated, you need to have Option B to cover the iPhones (and Androids that don’t have AV installed). As long as the devices are not jailbroken, rooted or in developer mode (or other certificates have been installed manually to install non app/play-store apps) you will pass 8.4.
8.5 is rather misleading – you just need to identify those apps that hold or access company information, such as Outlook, OneDrive, etc. So your list of applications will generally be quite small (you don’t have to prevent, or make a list of, devices with BBC iPlayer or Trainline etc installed); you just need to, at least, enforce the use of approved apps for accessing company data by company/paper policy – not necessarily a technical policy (though Mobile Device Management software would give you a higher degree of assurance that the devices are compliant).
Online declaration (upload of signature)
Make sure the company name is exactly the same as that you have stated to be on the certificate – and that these match the entity as recorded by Companies House. If any are different, the submission will be returned.
If you are a sole trader, please state your position as “owner” rather than a lower title (such as “consultant”) – this is so that the insurance company are 100% sure that it is a senior person on the declaration, rather than having to locate the part of the questionnaire where you may have mentioned being a sole trader. It will likely be returned if you are opting-in to Cyber Insurance.
Please ensure you have provided a wet or digital signature before uploading to the portal. It is likely that a “script” font will not be accepted by the insurers if opting for this service. Again, it will likely be returned if you are opting-in to Cyber Insurance.