When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices?
What this question is really asking
When you receive a new router or hardware firewall, it arrives with a factory-set default password that is publicly known and must be changed before the device is connected. Confirm that you have changed default passwords on all in-scope network devices.
What satisfies this requirement
Yes or No. Default administrator password must be changed on all routers and firewalls.
What to prepare before your assessor visit
Assessors interpret 'all in-scope network devices' broadly. Don't forget the routers for every remote worker — each one needs its default admin password changed. This is commonly overlooked at scale for larger organisations with many home workers. A process that ensured it was done at initial setup, with some form of record, is what assessors are looking for.