Please describe how you approve and document your allowed inbound connections.
What this question is really asking
If you have permitted inbound connections, describe your documented approval process. Each permitted inbound rule should have a named business justification, an approver, and a regular review date. Undocumented firewall rules are among the most common findings in Cyber Essentials assessments.
What satisfies this requirement
A written response is required. Business case documented, recorded, signed off at board level, risks reviewed regularly.
What to prepare before your assessor visit
Assessors will examine each inbound rule you describe. 'The business needs it' is not a sufficient justification — you need the specific service name, the ports and protocols permitted, who approved the rule, and when it was last reviewed. Old inbound rules approved years ago and never revisited since are among the most common firewall findings. Do the review before the assessment, not during it.
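One way to run that review ahead of the assessment is to check a register of inbound rules for the gaps described above. This is an added example, not part of the original guidance or any Cyber Essentials tooling; the CSV column names, the sample rows, the list of vague phrases and the 365-day review threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample register; column names are assumptions, not a Cyber Essentials format.
REGISTER_CSV = """rule_id,service,protocol,ports,justification,approver,last_reviewed
FW-001,Customer web portal,tcp,443,Public HTTPS access to the customer portal,J. Patel (Board),2025-01-15
FW-002,,tcp,8080,The business needs it,,2019-03-02
FW-003,Site-to-site VPN,udp,500;4500,IPsec tunnel to the branch office,A. Green (Board),2021-06-30
FW-004,Mail relay,tcp,25,Inbound SMTP from the mail filtering provider,A. Green (Board),not recorded
"""

REQUIRED = ("service", "protocol", "ports", "justification", "approver", "last_reviewed")
# Assumed examples of justifications too vague to satisfy an assessor.
VAGUE = {"the business needs it", "business need", "required", "n/a", "tbc"}
MAX_REVIEW_AGE_DAYS = 365  # assumption: the guidance says "regular", not a fixed interval


def audit_register(csv_text, today):
    """Return {rule_id: [findings]} for every rule with a documentation gap."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        values = {k: (row.get(k) or "").strip() for k in REQUIRED}
        for field in REQUIRED:
            if not values[field]:
                issues.append(f"missing {field}")
        if values["justification"].lower().rstrip(".") in VAGUE:
            issues.append("justification is not specific")
        if values["last_reviewed"]:
            try:
                age = (today - date.fromisoformat(values["last_reviewed"])).days
                if age > MAX_REVIEW_AGE_DAYS:
                    issues.append(f"review is {age} days old")
                elif age < 0:
                    issues.append("review date is in the future")
            except ValueError:
                issues.append("last_reviewed is not an ISO date")
        if issues:
            findings[row["rule_id"]] = issues
    return findings


if __name__ == "__main__":
    # Fixed date so the constructed sample gives the same result on every run.
    for rule_id, issues in audit_register(REGISTER_CSV, date(2025, 6, 1)).items():
        print(rule_id, "->", "; ".join(issues))
```

Set the threshold to whatever review interval your own policy commits to, and compare the register against the rules actually configured on the firewall, since a rule missing from the register is undocumented by definition.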