
Cyber Essentials Illustrative Questionnaire

NOTE: in order to apply for Cyber Essentials, please go to www.apmg-certified.com and use the Cyber Essentials portal which contains the below questions & much more.
Questions

Firewalls

1a) Are there firewalls in place which protect all your devices?

These firewalls may be host-based, which only protect the single device on which they are
installed and configured, or they may be boundary firewalls in place between the systems in
scope and the internet.

Yes/No

Please describe how your firewalls are placed in your network in scope.

1b) If not, are you using other network devices which restrict access to network services?

Yes/No/Not Applicable

If yes, please describe how these network devices are placed.

2) Has the default administrative password on all firewalls (or equivalent devices) been changed
to a password that is difficult to guess?

Yes/No

3a) Is it possible for a user to access the administrative interface of the firewall (or equivalent
device) remotely?

Yes/No

3b) If the answer to (3a) is yes, have you implemented protection for the administrative interface
in the form of a second authentication factor, such as a one-time token?

Yes/No/Not Applicable

3c) If the answer to (3b) is no, have you implemented protection for the administrative interface
in the form of an IP whitelist, which limits access to a small range of trusted IP addresses?

Yes/No/Not Applicable

4) Are unauthenticated inbound connections blocked by default?

Yes/No

5) For any configured inbound firewall rules, are they approved and documented by an
authorised individual, including a description of why each rule is needed?

Yes/No

6) Are configured firewall rules removed or disabled when they are no longer needed?

Yes/No

7) Do you have host-based (individual) firewalls on devices which are used on untrusted
networks, such as public Wi-Fi hotspots?

Yes/No

Secure Configuration

8) Have all unnecessary or default user accounts been deleted or disabled?

These may include guest accounts and administrative accounts that won't be used.

Yes/No

9) Have all passwords been changed from default or guessable to something non-obvious?

Yes/No

10) Has all software which is unnecessary for your organisation been removed or disabled?

This includes applications, system utilities and network services.

Yes/No

11) Have all auto-run features which allow file execution without user authorisation (for
example, when they are downloaded from the Internet) been disabled for all media types and
network file shares?

Yes/No

12) Are external users authenticated before they are given Internet-based access to commercially
or personally sensitive data, or data which is critical to the running of the organisation?

Yes/No

Password-based authentication

For all password-based authentication in Internet-facing services:

13) Are systems accessible from the Internet protected against brute-force password guessing by
either:

• locking accounts after no more than 10 unsuccessful attempts
• limiting the number of guesses allowed in a specified time period to no more than 10
guesses within 5 minutes

Yes/No

Please give details of the protection method used.
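As an added illustration of the two mechanisms question 13 accepts (this is example code written for this page, not part of the questionnaire or of any product), the following Python login throttle applies both controls at once: a sliding window of at most 10 guesses per account in any 5-minute period, and a lockout after 10 consecutive failures. Either control on its own would satisfy the question; the account name, timestamps and passwords in the sample are constructed.

```python
"""Added example: a login throttle that enforces the question 13 thresholds
(at most 10 guesses per account in any 5-minute window, and a lockout after
10 consecutive failures). Illustrative code written for this page; it is not
part of the Cyber Essentials scheme or any product."""
from collections import defaultdict, deque

LOCK_AFTER_FAILURES = 10     # "no more than 10 unsuccessful attempts"
WINDOW_SECONDS = 5 * 60      # "within 5 minutes"
MAX_GUESSES_PER_WINDOW = 10  # "no more than 10 guesses"


class LoginThrottle:
    """Per-account guess tracking. Times are seconds supplied by the caller
    so the behaviour is deterministic and testable."""

    def __init__(self, lock_after=LOCK_AFTER_FAILURES,
                 window=WINDOW_SECONDS, window_limit=MAX_GUESSES_PER_WINDOW):
        self.lock_after = lock_after
        self.window = window
        self.window_limit = window_limit
        self._guesses = defaultdict(deque)  # account -> timestamps of guesses
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._locked = set()

    def _prune(self, account, now):
        # Drop guesses that have fallen out of the sliding window.
        q = self._guesses[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_locked(self, account):
        return account in self._locked

    def is_allowed(self, account, now):
        """True if a password check may proceed for this account right now.
        Rejected attempts are not recorded, so they cannot extend the window."""
        if self.is_locked(account):
            return False
        self._prune(account, now)
        return len(self._guesses[account]) < self.window_limit

    def record(self, account, success, now):
        """Record the outcome of a guess that is_allowed() permitted."""
        self._guesses[account].append(now)
        if success:
            self._failures[account] = 0
            return
        self._failures[account] += 1
        if self._failures[account] >= self.lock_after:
            self._locked.add(account)

    def unlock(self, account):
        """Administrative reset, e.g. after the user's identity is verified."""
        self._locked.discard(account)
        self._failures[account] = 0


def simulate(guesses, correct_password, account="alice"):
    """Replay (timestamp, password) pairs through a fresh throttle.
    Returns (allowed, rejected, locked) for the account."""
    throttle = LoginThrottle()
    allowed = rejected = 0
    for ts, password in guesses:
        if not throttle.is_allowed(account, ts):
            rejected += 1
            continue
        allowed += 1
        # A real service would do its password verification here.
        throttle.record(account, password == correct_password, ts)
    return allowed, rejected, throttle.is_locked(account)


if __name__ == "__main__":
    # Constructed sample: a burst of 12 wrong guesses one second apart.
    burst = [(t, "wrong%d" % t) for t in range(12)]
    print(simulate(burst, "correct horse battery staple"))  # (10, 2, True)
```

The throttle counts successful logins in the window too, so a legitimate user who logs in eleven times in five minutes is also held back; that is the intended trade-off of a per-account rate limit, and the lockout counter is what resets on success. Rejected attempts are deliberately not recorded, otherwise a steady stream of guesses could keep a window open indefinitely.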

14) Do you enforce a minimum password length of 8 characters?

Yes/No

15) Do you enforce a maximum password length?

Yes/No

16) Are passwords changed when it is suspected they are compromised?

Yes/No

17) Do you have a password policy that meets the requirements as set out in Cyber Essentials
Requirements: Password Authentication?

Yes/No

User Access Control

18) Are user accounts controlled through a creation and approval process?

Yes/No

19) Are users required to authenticate before being granted access to devices and applications,
using unique credentials?

Yes/No

20) Are accounts removed or disabled when no longer required?

For example, when a user leaves the organisation or after a defined period of account inactivity.

Yes/No

21) Has two-factor authentication been implemented, where available?

Yes/No

22) Are administrative accounts only used to perform administrative activities?

In practice, this means no emailing, web browsing or other standard user activities that may
expose administrative privileges to avoidable risks.

Yes/No

23) Are special access privileges removed or disabled when no longer required?

For example, when a member of staff changes role.

Yes/No

Malware Protection

There are several ways in which your devices may be protected against malware. The Cyber
Essentials scheme recognises anti-malware software (sometimes known as antivirus
software), application whitelisting and application sandboxing as acceptable mechanisms.

24) Do you have either anti-malware software, application whitelisting or application sandboxing
on each of your devices?

Yes/No

25) Please provide details of the software used:


For all devices where anti-malware software is used:

26a) Is the software kept up to date, with signature files updated at least daily?

Yes/No

26b) Does the software scan files automatically upon access?

Yes/No

26c) Are webpages automatically scanned on access through a web browser?

This may be by anti-malware software or be inbuilt into the browser.

Yes/No

26d) Are connections prevented to malicious websites on the Internet, unless there is a
clear, documented business need and you understand and accept the associated risk?

Connections may be prevented through the use of blacklisting, for example.

Yes/No

For all devices which use application whitelisting:

27a) Are only approved applications allowed to run on devices?

Yes/No

27b) Does the whitelisting process use code-signing?

Yes/No

27c) Do you actively approve applications before deploying them to devices?

Yes/No

27d) Do you maintain a current list of approved applications?

Yes/No

For all devices which use application sandboxing:

28) Is all code of unknown origin run within a 'sandbox' that prevents access to other resources
unless permission is explicitly granted by the user?

This includes:

• other sandboxed applications
• data stores, such as those holding documents and photos
• sensitive peripherals, such as the camera, microphone and GPS
• local network access

Yes/No

Patch Management

29) Is all software installed on computers and network devices in the scope licensed and
supported?

Yes/No

30) Are all "critical" or "high risk" software patches applied within 14 days of release?

If the vendor uses different terms to describe the severity of vulnerabilities, see the precise
definition in the Common Vulnerability Scoring System (CVSS).

For the purposes of the Cyber Essentials scheme, 'critical' or 'high risk' vulnerabilities are those
with the following values:

• attack vector: network or local
• attack complexity: low
• privileges required: none or low
• exploit code maturity: functional or high
• remediation level: official fix

Yes/No
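To show how the five criteria above map onto the CVSS v3 vector strings that vendors publish, here is an added Python example (illustrative code written for this page, not an official Cyber Essentials or NCSC tool). It parses a v3.x vector, checks each criterion, computes the 14-day deadline from the release date, and reports an advisory as "undetermined" rather than as a pass or fail when a temporal metric (exploit code maturity or remediation level) is absent or set to "X" (not defined); that handling of missing data is this example's own choice, made because the questionnaire's criteria cannot be evaluated without it. The advisory identifiers and dates in the sample are constructed placeholders, not real advisories.

```python
"""Added example: triage a vendor advisory's CVSS v3.x vector against the
'critical or high risk' criteria in question 30 and compute the 14-day
deadline. Illustrative code written for this page, not an official Cyber
Essentials or NCSC tool."""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # "within 14 days of release"

# Question 30 criteria expressed as the accepted CVSS v3 metric values.
BASE_CRITERIA = {
    "AV": {"N", "L"},  # attack vector: network or local
    "AC": {"L"},       # attack complexity: low
    "PR": {"N", "L"},  # privileges required: none or low
}
TEMPORAL_CRITERIA = {
    "E": {"F", "H"},   # exploit code maturity: functional or high
    "RL": {"O"},       # remediation level: official fix
}
REQUIRED_BASE = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_cvss_vector(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {metric: value}.
    Only v3.x vectors are accepted; anything malformed raises ValueError."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("only CVSS v3.x vectors are supported: %r" % vector)
    metrics = {}
    for item in parts[1:]:
        key, sep, value = item.partition(":")
        if not sep or not key or not value:
            raise ValueError("malformed metric %r" % item)
        if key in metrics:
            raise ValueError("duplicate metric %r" % key)
        metrics[key] = value
    missing = [m for m in REQUIRED_BASE if m not in metrics]
    if missing:
        raise ValueError("missing base metrics: %s" % ", ".join(missing))
    return metrics


def classify(vector):
    """Return one of:
      'required'      every question 30 criterion is met
      'not_required'  at least one criterion is definitely not met
      'undetermined'  base criteria pass, but a temporal metric is absent or
                      'X' (not defined), so the advisory needs manual review
    Treating unknown temporal data as 'undetermined' is this example's own
    conservative choice, not something the questionnaire prescribes."""
    metrics = parse_cvss_vector(vector)
    for metric, accepted in BASE_CRITERIA.items():
        if metrics[metric] not in accepted:
            return "not_required"
    undetermined = False
    for metric, accepted in TEMPORAL_CRITERIA.items():
        value = metrics.get(metric, "X")
        if value == "X":
            undetermined = True
        elif value not in accepted:
            return "not_required"
    return "undetermined" if undetermined else "required"


def patch_deadline(release_date):
    """Latest acceptable install date for a patch released on release_date."""
    return release_date + PATCH_WINDOW


def triage(advisories, today):
    """advisories: iterable of (advisory_id, vector, release_date).
    Returns a list of (advisory_id, status, deadline, overdue) rows."""
    rows = []
    for adv_id, vector, released in advisories:
        status = classify(vector)
        deadline = patch_deadline(released)
        overdue = status == "required" and today > deadline
        rows.append((adv_id, status, deadline, overdue))
    return rows


if __name__ == "__main__":
    # Constructed sample advisories with placeholder identifiers (not real CVEs).
    sample = [
        ("ADV-EXAMPLE-1", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C", date(2024, 1, 1)),
        ("ADV-EXAMPLE-2", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C", date(2024, 1, 1)),
        ("ADV-EXAMPLE-3", "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", date(2024, 1, 10)),
    ]
    for row in triage(sample, date(2024, 1, 20)):
        print(row)
```

Note that question 31 makes the same deadline apply to a bundled update as soon as any one issue in it meets the criteria, so when several vectors belong to one update the earliest release date and the strictest status should be carried forward for the whole bundle.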

31) If a vendor releases a patch for multiple issues as a single update which includes any
"critical" or "high risk" issues, is it installed within 14 days?

Yes/No

Approval
It is a requirement of the Scheme that the Board (or equivalent) of the organisation has
approved the information given. Please provide evidence of such approval:
