If you answered yes in question A4.9, is the access to your firewall settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication?
What this question is really asking
If remote firewall management is permitted, confirm it is protected by multi-factor authentication, IP allow-listing, or both. Assessors prefer to see both controls in place given the high risk of remote admin access to network infrastructure.
What satisfies this requirement
Select the applicable optionDirect external access must use MFA or trusted IP + managed auth.
What to prepare before your assessor visit
If remote firewall management is permitted, assessors prefer to see both MFA and IP restriction in place. MFA alone is better than nothing, but a firewall admin interface reachable from any internet IP — even with MFA — presents a broader attack surface than one additionally restricted to your MSP's known IP ranges. Show the configuration for both controls.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.