Have you removed or disabled software and services that you do not use on your laptops, desktop computers, thin clients, servers, tablets, mobile phones and cloud services?
What this question is really asking
Confirm that software and services not needed for your business have been removed or disabled on all in-scope devices. Focus particularly on services that listen on network ports — every open port is an attack surface. Common examples include games, media players, legacy protocols such as Telnet and FTP, and unused network-facing services.
What satisfies this requirement
Yes or No — if Yes, a written description is also requiredMust remove/disable all unused applications, utilities, and network services.
What to prepare before your assessor visit
Assessors will often ask how you identify unnecessary software — not just that you remove it when you notice it. A software inventory combined with a documented periodic review process is the expected answer. 'We remove things when we come across them' is not a process. Pay particular attention to services listening on network ports: every open port that is not needed is an attack surface that assessors will note.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.