Please list the quantity of servers, virtual servers, virtual server hosts (hypervisors) and Virtual Desktop Infrastructure (VDI) servers. You must include the operating system.
What this question is really asking
List all in-scope servers, virtual machines, hypervisors (Hyper-V, VMware, and so on), and VDI hosts. This is where organisations most commonly undercount — every server needs a compliant OS, patching process, and access control. Cloud-hosted virtual machines count as servers.
What satisfies this requirement
A list is requiredAll servers in scope. Include OS version.
What to prepare before your assessor visit
Servers are the most underreported category in this section. Cloud-hosted virtual machines, development servers, internal file servers, print servers, build agents — every one is in scope. A missing server discovered during assessment calls the accuracy of the entire application into question. Consider pulling an inventory from your hypervisor, cloud console, or IT asset management system rather than listing from memory.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.