If yes to question A5.4, which authentication option do you use?
What this question is really asking
Select the authentication method protecting your external-facing services. Option A (multi-factor authentication) is the preferred and strongest choice. Option B covers certificate-based authentication. Option C covers password-only access, subject to the standard's password strength requirements. MFA is required for cloud services under A7 and is increasingly the expected baseline for all external services.
What satisfies this requirement
What to prepare before your assessor visit
Option A (MFA) is by far the safest choice and the clear direction the standard is heading. If you are using option C (password only) for any service, be prepared to demonstrate technical enforcement of the password requirements — assessors will probe this specifically. If cloud services are involved, MFA is mandatory under A7 regardless, so aligning everything to option A is the most coherent approach.
How this question sits across CE versions