When not using multi-factor authentication, which option are you using to protect your external service from brute force attacks?
What this question is really asking
If you are not using MFA on an external service, the assessor wants to know how password-only logins are protected from guessing. Cyber Essentials requires at least one of: throttling the rate of login attempts, or locking the account after no more than 10 unsuccessful attempts. Alongside that, the password itself must meet the minimum: at least eight characters with no maximum length and automatic blocking of common passwords (or at least 12 characters without a deny list), and no default passwords left in place. Technical enforcement via a directory policy, identity provider setting or password manager configuration is expected; a written policy alone is not sufficient evidence.
What to prepare before your assessor visit
If you are relying on password-only access for any external service, prepare to demonstrate technical enforcement of both the lockout or throttling setting and the password minimum. That means Active Directory password and account lockout policy screenshots, Azure AD (now Microsoft Entra ID) conditional access and smart lockout settings, or MDM profiles, not a policy document that says 'passwords must be at least 12 characters'. Assessors have seen too many policy documents that bear no relation to what is actually configured in the systems they describe, so check the live configuration before the visit.
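One way to produce that evidence for an on-premises Active Directory domain, as an added example rather than anything from the original page: read the default domain password and lockout policy with the RSAT ActiveDirectory module and compare it with the Cyber Essentials thresholds (minimum length 8 with a deny list or 12 without, lockout after at most 10 failed attempts). The thresholds are the editor's reading of the CE requirements and the script assumes a domain-joined host with the module installed; AD has no native common-password deny list, so the 8-character route also needs something like Entra Password Protection, which this script cannot verify.

```powershell
# Added example (not from the original page): check the AD default domain policy
# against the Cyber Essentials password-only thresholds and print a findings list
# that can be screenshotted alongside the raw policy for the assessor.
Import-Module ActiveDirectory

# Thresholds are the editor's reading of the CE requirements; verify against the
# current "Requirements for IT infrastructure" before relying on them.
$MinLengthWithDenyList    = 8
$MinLengthWithoutDenyList = 12
$MaxLockoutThreshold      = 10

$policy = Get-ADDefaultDomainPasswordPolicy

# Fine-grained password policies override the default for the groups they target,
# so an assessor will want to see these as well.
$fineGrained = Get-ADFineGrainedPasswordPolicy -Filter *

$findings = New-Object System.Collections.Generic.List[string]

# Password minimum length.
if ($policy.MinPasswordLength -lt $MinLengthWithDenyList) {
    $findings.Add("MinPasswordLength is $($policy.MinPasswordLength); CE requires at least $MinLengthWithDenyList with a deny list or $MinLengthWithoutDenyList without.")
} elseif ($policy.MinPasswordLength -lt $MinLengthWithoutDenyList) {
    $findings.Add("MinPasswordLength is $($policy.MinPasswordLength); acceptable only if common passwords are blocked by a deny list (AD alone does not do this).")
}

# Brute-force protection: LockoutThreshold of 0 means accounts never lock.
if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $MaxLockoutThreshold) {
    $findings.Add("LockoutThreshold is $($policy.LockoutThreshold); CE requires lockout after at most $MaxLockoutThreshold failed attempts, or equivalent throttling.")
}

# Raw policy values for the evidence pack.
$policy | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
    MaxPasswordAge, LockoutThreshold, LockoutDuration, LockoutObservationWindow |
    Format-List

if ($fineGrained) {
    Write-Host "Fine-grained policies in force (review each against the same thresholds):"
    $fineGrained | Select-Object Name, Precedence, AppliesTo, MinPasswordLength, LockoutThreshold |
        Format-Table -AutoSize
}

if ($findings.Count -eq 0) {
    Write-Host "Default domain policy meets the CE password-only thresholds checked here."
} else {
    Write-Host "Findings:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Run it as a domain user on any domain-joined machine with RSAT; the Format-List output is the screenshot the assessor is asking for, and the findings list tells you what to fix before the visit. It does not cover cloud-only services, where the equivalent evidence is the identity provider's lockout and password policy pages.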