Please list the quantity of thin clients within the scope of this assessment. Please include make and operating systems.
What this question is really asking
List the quantity, make, and model of any thin clients in scope. Thin clients that only run a browser or VDI client have a limited attack surface, but they still need a supported OS and firmware version, and must be covered by your patching process.
What satisfies this requirement
A list is requiredThin clients connecting to organisational data or services. Must be supported and receiving security updates.
What to prepare before your assessor visit
Thin clients are often omitted because they feel 'different' from regular PCs, but they run an OS, may connect to the internet, and can be an attack vector. Include them with firmware and OS version detail. If the manufacturer no longer provides security updates for the OS version your thin clients run, that is a patching finding that could fail your certification.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.