CE Version Explorer

Every question. Every version. Side by side.

112 concepts tracked across three versions of the standard — see exactly what changed, what's new, and which five auto-fail you.

A1 Your Company
24 questions

What is your organisation's name (for companies: as registered with Companies House)?

minor

What is your organisation's name?

evolved

What is your organisation's name?

Name of just one legal entity. Max 150 characters. Trading names permitted. If other legal entities are in scope, answer yes to A1.6.

What type of organisation are you?

Select one (11 options)
  1. Limited Company (LTD)
  2. Limited Liability Partnership (LLP)
  3. Community Interest Company (CIC)
  4. Co-operative (COP)
  5. Mutual (MTL)
  6. Charity (CHA)
  7. Government / Public Sector (GOV)
  8. Sole Trader (SOL)
  9. Partnership (PRT)
  10. Social Enterprise (SOC)
  11. Other (OTH)

What type of organisation are you?

Select one (11 options)
  1. Limited Company (LTD)
  2. Limited Liability Partnership (LLP)
  3. Community Interest Company (CIC)
  4. Co-operative (COP)
  5. Mutual (MTL)
  6. Charity (CHA)
  7. Government / Public Sector (GOV)
  8. Sole Trader (SOL)
  9. Partnership (PRT)
  10. Social Enterprise (SOC)
  11. Other (OTH)

What type of organisation are you?

Select one (11 options)
  1. Limited Company (LTD)
  2. Limited Liability Partnership (LLP)
  3. Community Interest Company (CIC)
  4. Co-operative (COP)
  5. Mutual (MTL)
  6. Charity (CHA)
  7. Government / Public Sector (GOV)
  8. Sole Trader (SOL)
  9. Partnership (PRT)
  10. Social Enterprise (SOC)
  11. Other (OTH)

LTD, LLP, CIC, COP, MTL, CHA, GOV, SOL, PRT, SOC, OTH

How many employees are there in the organisation?

Number of people working for the organisation including all legal entities — includes volunteers, agency workers, contractors, and others with access to organisational data.

What is your organisation's registration number (if you have one)?

evolved

What is your organisation's registration number?

renumbered

What is your organisation's registration number?

Primary legal entity only. Max 20 characters. Must correspond to name in A1.1. LTD/LLP/CIC: 8 digits or 6 with 2-letter prefix. GOV/SOL/PRT/SOC/OTH: enter 'none'. No company number: use DUNS number.

What is your organisation's address (for companies: as registered with Companies House)?

minor

What is your organisation's address?

renumbered

What is your organisation's registered address?

Legal registered address for the organisation.

Please provide the operational addresses, if different to your registered address.

Addresses where the organisation operates from. Does not include home/remote worker addresses.

Do you have more than one legal entity, including subsidiaries, within the scope of this assessment?

All additional legal entities must share the same IT infrastructure and network. Board member must have authority over all entities. Entities not listed in A1.6.1 cannot be added after certification is complete. Separate assessments required if: different legally responsible persons; different network infrastructure; or separate legal entities with no shared governance.

Please provide the name, company number and registered address of any additional legal entities that are included.

Use Add Entry for each entity. Included entities appear on the digital certificate and share the same expiry date. Separate certificates for each included entity available at £10 each. Included entities discoverable in Cyber Essentials Supply Check Tool.

What is your main business?

Select one (55 options)
  1. Academia - Pre Schools
  2. Academia - Primary Schools
  3. Academia - Secondary Schools
  4. Academia - Academies
  5. Academia - Colleges
  6. Academia - Universities
  7. Aerospace
  8. Agriculture, Forestry and Fishing
  9. Automotive
  10. Charities
  11. Chemicals
  12. Civil Nuclear
  13. Construction
  14. Consultancy
  15. Defence
  16. Diplomacy
  17. Emergency Services
  18. Energy - Electricity
  19. Energy - Gas
  20. Energy - Oil
  21. Engineering
  22. Environmental
  23. Finance
  24. Food
  25. His Majesty's Government (HMG)
  26. Health
  27. Hospitality - Food
  28. Hospitality - Accommodation
  29. Hospitality - Hotels
  30. IT
  31. Intelligence
  32. Law Enforcement (Serious & Organised Crime)
  33. Legal
  34. Leisure
  35. Managed Services - IT Managed Services
  36. Managed Services - Other Managed Services
  37. Manufacturing
  38. Media
  39. Membership Organisations
  40. Mining
  41. Other (please describe)
  42. Pharmaceuticals
  43. Political
  44. Postal Services
  45. Property
  46. R&D
  47. Retail
  48. Telecoms
  49. Transport - Aviation
  50. Transport - Maritime
  51. Transport - Rail
  52. Transport - Road
  53. Waste Management
  54. Water
  55. Overseas

minor

What is your main business?

Select one (55 options)
  1. Academia - Pre Schools
  2. Academia - Primary Schools
  3. Academia - Secondary Schools
  4. Academia - Academies
  5. Academia - Colleges
  6. Academia - Universities
  7. Aerospace
  8. Agriculture, Forestry and Fishing
  9. Automotive
  10. Charities
  11. Chemicals
  12. Civil Nuclear
  13. Construction
  14. Consultancy
  15. Defence
  16. Diplomacy
  17. Emergency Services
  18. Energy - Electricity
  19. Energy - Gas
  20. Energy - Oil
  21. Engineering
  22. Environmental
  23. Finance
  24. Food
  25. Government
  26. Health
  27. Hospitality - Food
  28. Hospitality - Accommodation
  29. Hospitality - Hotels
  30. IT
  31. Intelligence
  32. Law Enforcement (Serious & Organised Crime)
  33. Legal
  34. Leisure
  35. Managed Services - IT Managed Services
  36. Managed Services - Other Managed Services
  37. Manufacturing
  38. Media
  39. Membership Organisations
  40. Mining
  41. Other (please describe)
  42. Pharmaceuticals
  43. Political
  44. Postal Services
  45. Property
  46. R&D
  47. Retail
  48. Telecoms
  49. Transport - Aviation
  50. Transport - Maritime
  51. Transport - Rail
  52. Transport - Road
  53. Waste Management
  54. Water
  55. Overseas

renumbered

What is your main business?

Select one (55 options)
  1. Academia - Pre Schools
  2. Academia - Primary Schools
  3. Academia - Secondary Schools
  4. Academia - Academies
  5. Academia - Colleges
  6. Academia - Universities
  7. Aerospace
  8. Agriculture, Forestry and Fishing
  9. Automotive
  10. Charities
  11. Chemicals
  12. Civil Nuclear
  13. Construction
  14. Consultancy
  15. Defence
  16. Diplomacy
  17. Emergency Services
  18. Energy - Electricity
  19. Energy - Gas
  20. Energy - Oil
  21. Engineering
  22. Environmental
  23. Finance
  24. Food
  25. Government
  26. Health
  27. Hospitality - Food
  28. Hospitality - Accommodation
  29. Hospitality - Hotels
  30. IT
  31. Intelligence
  32. Law Enforcement (Serious & Organised Crime)
  33. Legal
  34. Leisure
  35. Managed Services - IT Managed Services
  36. Managed Services - Other Managed Services
  37. Manufacturing
  38. Media
  39. Membership Organisations
  40. Mining
  41. Other (please describe)
  42. Pharmaceuticals
  43. Political
  44. Postal Services
  45. Property
  46. R&D
  47. Retail
  48. Telecoms
  49. Transport - Aviation
  50. Transport - Maritime
  51. Transport - Rail
  52. Transport - Road
  53. Waste Management
  54. Water
  55. Overseas

Primary industry sector. Select from the provided list.

What is your secondary reason for applying for certification?

Dropped

What is your website address?

What is your website address?

renumbered

What is your website address?

Website or social media page if no website.

Is this application a renewal of an existing certification or is it the first time you have applied for certification?

  1. Renewal
  2. First Time Application

Is this application a renewal of an existing certification or is it the first time you have applied for certification?

  1. Renewal
  2. First Time Application

renumbered

Is this application a renewal of an existing certification or is it the first time you have applied for certification?

  1. Renewal
  2. First Time Application

Select Renewal if previously certified, otherwise First Time Application.

What is your primary reason for applying for certification?

evolved

What are the two main reasons for applying for certification?

Select all that apply:

  1. Required for a commercial contract
  2. Required for a government contract
  3. To give confidence to our customers
  4. Required by insurer
  5. Required by regulator
  6. Required for a grant
  7. To generally improve our security
  8. Other

renumbered

What are the two main reasons for applying for certification?

Select all that apply:

  1. Required for a commercial contract
  2. Required for government contract
  3. To give confidence to our customers
  4. Required by insurer
  5. Required by regulator
  6. Required for a grant
  7. To generally improve our security
  8. Other

Select the two most important reasons. Do not share bid/project numbers that are protectively marked. Do not share names of customers who contractually require confidentiality.

Who is the commercial contracting organisation?

renumbered

Who is the commercial contracting organisation? (if applicable)

Provide the name of the contracting organisation.

Who is the government contracting organisation and the contract number?

renumbered

Who is the government contracting organisation and what is the contract number? (if applicable)

Provide the contract number and the contracting organisation.

Who is the grant authority?

renumbered

Who is the grant authority? (if applicable)

Provide details of the grant issuing authority.

Who is the regulator?

renumbered

Who is the regulator? (if applicable)

Provide details of the regulator.

What are the reasons you have applied for the certification which you described as 'other'?

renumbered

What are the reasons you have applied for the certification which you described as 'other'? (if applicable)

Provide a description.

Have you read the 'Cyber Essentials Requirements for IT Infrastructure' document?

minor

Have you read the 'Cyber Essentials Requirements for IT Infrastructure' document?

renumbered

Have you read the 'Cyber Essentials Requirements for IT Infrastructure' document?

Document: Cyber Essentials Requirements for IT Infrastructure v3.3. Must be read before completing this question set.

Have you spoken to an assured NCSC Cyber Advisor to help with your application?

An NCSC-assured Cyber Advisor can provide advice on implementing Cyber Essentials.

Can IASME and their expert partners contact you if you experience a cyber breach?

minor

Can IASME and their expert partners contact you if you experience a cyber breach?

renumbered

Can IASME and their expert partners contact you if you experience a cyber breach?

Opt-in only. Email security@iasme.co.uk if breach occurs. Information kept confidential.

Where did you hear about Cyber Essentials?

Select one (13 options)
  1. Contractual Requirement
  2. Government Contractual Requirement
  3. Tender
  4. Customer Request
  5. Certification Body
  6. Cyber Advisor
  7. Cyber Resilience Centre
  8. National Cyber Security Centre (NCSC)
  9. IASME
  10. Internet Search
  11. Social Media
  12. Cyber Action Toolkit
  13. Other

Select the most relevant source.

Can IASME contact you for research purposes?

renumbered

Can IASME contact you for research purposes?

IASME and the UK government may ask questions about the CE scheme for research purposes. Contact is via your registered email address. You are free not to respond.

Have you signed up to the NCSC's free Early Warning service?

The NCSC Early Warning service is free of charge.

A2 Scope of Assessment
18 questions

Does the scope of this assessment cover your whole organisation?

minor

Does the scope of this assessment cover your whole organisation?

evolved

Is this assessment for your whole organisation or only a part of it?

  1. Whole Organisation
  2. Partial Organisation

Whole organisation includes all networks, user accounts and devices accessing organisational data. Partial organisation means some networks are excluded using a firewall or VLAN.

If you are not certifying your whole organisation, what scope description would you like to appear on your certificate and website?

evolved

If you are not certifying your whole organisation, what scope description would you like to appear on your certificate and website?

evolved

If you are certifying part of your organisation please write a detailed description of the scope here.

Scope description on certificate will say 'Partial Organisation, see certificate platform for details'. Full description available via Blockmark system.

Please provide a description of any networks that have been excluded from the assessment by creating a sub-set.

This information will not be made public. A sub-set is part of the organisation whose network is segregated from the rest by a firewall or VLAN.

Where one or more sub-sets have been created, please describe how this has been achieved.

Sub-sets must be created using a firewall or VLAN. Security groups, microsegmentation, or software-based methods are not compliant.

Please describe the geographical locations of your business which are in the scope of this assessment.

Please describe the geographical locations of your business which are in the scope of this assessment.

evolved

Are the networks included in the scope of this assessment being used at the company locations you provided earlier?

Confirm whether all in-scope networks are used at the locations listed in A1.5.1. If in-scope networks are at other locations, provide the number of additional sites.

Do you have an internet connection for each site in your organisation?

Yes/No.

If no, please describe the way that your sites are connected.

Provide details of connection methods between interconnected sites.

Please provide a list of your networks that will be in the scope for this assessment.

minor

Please provide a list of networks that will be in scope for this assessment.

renumbered

Please provide a list of networks that will be in scope for this assessment.

Include name, location and purpose of each network. Information not made public. No IP addresses. Development/testing and pen-testing networks must not be included.

How many staff are home workers?

evolved

How many staff are home or remote workers?

renumbered

How many staff are home or remote workers?

Any employee given permission to work remotely for any period at time of assessment counts as a home/remote worker.

How are home/remote workers connecting to your organisational data and services?

e.g. via home router, business-provided router or corporate VPN.

Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers). You must include make and model of each device listed.

evolved

Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers). You must include make and model of each device listed.

renumbered

Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers).

Must include make, model AND quantity. Include all equipment controlling data flow. Exclude switches/WAPs without firewall. Home/remote workers: describe software firewalls in notes. Do not include home environment routers/firewalls. No IP/MAC/serial numbers.

If you are certifying as partial organisation, please list the equipment used to create any sub-sets.

List routers, physical firewalls, or virtual firewalls (on a hypervisor) used to create sub-sets. Note: software firewalls built into OS (e.g. Windows Firewall) cannot be used to define scope boundaries.

Please list the quantities and operating systems for your laptops, desktops and virtual desktops within the scope of this assessment.

evolved

Please list the quantities and operating systems for your laptops, desktops and virtual desktops within the scope of this assessment.

renumbered

Please list the quantities and operating systems for your laptops, desktops and virtual desktops within the scope of this assessment.

Include make and OS version. Windows edition and feature version required. Corporate and BYOD. Important: only in-scope devices connecting to cloud services must be included. Out-of-scope device user accounts accessing cloud services must still comply with MFA. Windows 10 beyond 14 October 2025 requires Microsoft ESU.

Please list the quantity of thin clients within scope of this assessment. Please include make and operating systems.

Please list the quantity of thin clients within the scope of this assessment. Please include make and operating systems.

renumbered

Please list the quantity of thin clients within the scope of this assessment. Please include make and operating systems.

Thin clients connecting to organisational data or services. Must be supported and receiving security updates.

Please list the quantity of servers, virtual servers, and virtual server hosts (hypervisor). You must include the operating system.

evolved

Please list the quantity of servers, virtual servers, virtual server hosts (hypervisors) and Virtual Desktop Infrastructure (VDI) servers. You must include the operating system.

renumbered

Please list the quantity of servers, virtual servers, virtual server hosts (hypervisors) and Virtual Desktop Infrastructure (VDI) servers. You must include the operating system.

All servers in scope. Include OS version.

Please list the quantities of tablets and mobile devices within scope of this assessment.

Please list the quantities of tablets and mobile devices within the scope of this assessment.

renumbered

Please list the quantities of tablets and mobile devices within the scope of this assessment.

All tablets and mobiles accessing organisational data, including BYOD. Include make and OS version.

Please list all of your cloud services that are in use by your organisation and provided by a third party.

Please list all of the cloud services that are in use by your organisation and provided by a third party.

evolved

Please list all the cloud services that are in use by your organisation and provided by a third party.

Cloud services cannot be excluded from CE scope. Includes IaaS, PaaS, SaaS. Social media accounts (Facebook, LinkedIn, X) are also cloud services. Definition: on-demand, scalable, hosted on shared infrastructure, accessible via internet, accessed via account, stores or processes data for the organisation.

Please provide the name and role of the person who is responsible for managing your IT systems in the scope of this assessment.

Please provide the name and role of the person who is responsible for managing your IT systems in the scope of this assessment.

Please provide the name and role of the person who is responsible for managing your IT systems in the scope of this assessment.

Must be a member of your organisation, not an outsourced IT provider.

A3 Insurance
4 questions

What is your total gross revenue? Please provide figure to the nearest £100K. You only need to answer this question if you are taking the insurance.

Dropped

Is your head office domiciled in the UK or Crown Dependencies and is your gross annual turnover less than £20m?

Is your head office domiciled in the UK or Crown Dependencies and is your gross annual turnover less than £20m?

Is your head office domiciled in the UK or Crown Dependencies and is your gross annual turnover less than £20m?

Determines eligibility for the included free cyber insurance.

If you have answered 'yes' to the last question, your organisation is eligible for the included cyber insurance if you gain certification. If you do not want this insurance element, please opt out here.

If you have answered 'yes' to the last question, your organisation is eligible for the included cyber insurance if you gain certification. If you do not want this insurance element, please opt out here.

minor

If you have answered 'yes' to the last question, your organisation is eligible for the included cyber insurance if you gain certification. Would you like to opt in for the included cyber insurance?

  1. Opt-in
  2. Opt-out

No additional cost.

What is the organisation email contact for the insurance documents? You only need to answer this question if you are taking the insurance.

renumbered

What is the organisation email contact for the insurance documents? You only need to answer this question if you are taking the insurance.

What is the organisation email contact for the insurance documents? You only need to answer this question if you are taking the insurance.

Passed to insurance broker for insurance documents and renewal information.

A4 Firewalls
17 questions

When your devices (including computers used by homeworkers) are being used away from your workplace, how do you ensure they are protected?

Dropped

Is your new firewall password configured to meet the 'Password-based authentication' requirements?

  1. A - Multi-factor authentication (MFA) with minimum 8-character password
  2. B - Automatic blocking of common/known-bad passwords, minimum 8-character password
  3. C - Minimum 12-character password (no additional protection required)
  4. D - None of the above

Dropped

Do you have any services enabled that can be accessed externally from your internet router, hardware firewall or software firewall?

Dropped

Do you have firewalls at the boundaries between your organisation's internal networks, laptops, desktops, servers, and the internet?

Do you have firewalls at the boundaries between your organisation's internal networks, laptops, desktops, servers, and the internet?

Do you have firewalls at the boundaries between your organisation's internal networks, laptops, desktops, servers, and the internet?

Firewalls must be in place between office network and the internet.

Do you have software firewalls enabled on all of your desktop computers, laptops and servers?

absorbed

Do you have software firewalls enabled on all of your computers, laptops and servers?

Do you have software firewalls enabled on all of your computers, laptops and servers?

Must be enabled at all times. Required on untrusted networks. If organisation doesn't control the network, software firewall is mandatory.

If you answered no to question A4.11, is this because software firewalls are not installed by default as part of the operating system you are using? Please list the operating systems.

evolved

If you answered no to question A4.1.1, is this because software firewalls are not installed by default as part of the operating system you are using? Please list the operating systems.

If you answered no to question A4.1.1, is this because software firewalls are not installed by default as part of the operating system you are using? Please list the operating systems.

Very few operating systems lack a built-in software firewall; Windows, macOS and common Linux distributions all include one.

When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices?

When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices?

When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices?

Default administrator password must be changed on all routers and firewalls.

Please describe the process for changing your firewall password.

Please describe the process for changing your firewall password.

Please describe the process for changing your firewall password.

Home routers not supplied by the organisation excluded.

How is your firewall password configured?

  1. A - Multi-factor authentication (MFA) with minimum 8-character password
  2. B - Automatic blocking of common/known-bad passwords, minimum 8-character password
  3. C - Minimum 12-character password (no additional protection required)
  4. D - Passwordless system (describe)
  5. E - None of the above (describe)

How is your firewall password configured?

  1. A - Multi-factor authentication (MFA) with minimum 8-character password
  2. B - Automatic blocking of common/known-bad passwords, minimum 8-character password
  3. C - Minimum 12-character password (no additional protection required)
  4. D - Passwordless system (describe)
  5. E - None of the above (describe)

A. MFA + min 8 chars; B. Automatic blocking of common passwords + min 8 chars; C. Min 12 chars; D. Passwordless (describe); E. None of the above (describe).

Do you change your firewall password when you know or suspect it has been compromised?

Do you change your firewall password when you know or suspect it has been compromised?

Do you change your firewall password when you know or suspect it has been compromised?

Must have awareness and process to change password after a compromise event.

Do you have a process to manage your firewall?

Do you have a process to manage your firewall?

Must show a business case for any externally accessible services ('opening a port').

If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required?

evolved

Have you reviewed your firewall rules in the last 12 months?

Have you reviewed your firewall rules in the last 12 months?

Describe review process. Must remove rules no longer needed.

Have you configured your boundary firewalls so that they block all other services from being advertised to the internet?

evolved

Is your firewall configured to allow unauthenticated inbound connections?

Is your firewall configured to allow unauthenticated inbound connections?

Most firewalls block by default. Check your settings.

Do you have a documented business case for all of these services?

evolved

Please describe how you approve and document your allowed inbound connections.

Please describe how you approve and document your allowed inbound connections.

Business case documented, recorded, signed off at board level, risks reviewed regularly.

Are your boundary firewalls configured to allow access to their configuration settings over the internet?

renumbered

Are your boundary firewalls configured to allow access to their configuration settings over the internet?

Are your boundary firewalls configured to allow access to their configuration settings over the internet?

Answer No if config only accessible via VPN or not externally accessible.

If you answered yes in question A4.8, is there a documented business requirement for this access?

renumbered

If you answered yes in question A4.9, is there a documented business requirement for this access?

If you answered yes in question A4.9, is there a documented business requirement for this access?

Decision must be documented.

If you answered yes in question A4.8, is the access to your firewall settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication?

  1. MFA
  2. Trusted IP addresses combined with managed authentication
  3. Neither

renumbered

If you answered yes in question A4.9, is the access to your firewall settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication to access the settings?

  1. MFA
  2. Trusted IP addresses combined with managed authentication
  3. Neither

If you answered yes in question A4.9, is the access to your firewall settings protected by either multi-factor authentication or by only allowing trusted IP addresses combined with managed authentication?

  1. MFA
  2. Trusted IP addresses combined with managed authentication
  3. Neither

Direct external access must use MFA or trusted IP + managed auth.

A5 Secure Configuration
11 questions

If yes to question A5.4, which option of password-based authentication do you use?

  1. A - Multi-factor authentication (MFA) with minimum 8-character password
  2. B - Automatic blocking of common/known-bad passwords, minimum 8-character password
  3. C - Minimum 12-character password (no additional protection required)
  4. D - None of the above

Dropped

Where you are able to do so, have you removed or disabled all the software and services that you do not use on your laptops, desktop computers, thin clients, servers, tablets, mobile phones and cloud services?

minor

Have you removed or disabled software and services that you do not use on your laptops, desktop computers, thin clients, servers, tablets, mobile phones and cloud services?

Have you removed or disabled software and services that you do not use on your laptops, desktop computers, thin clients, servers, tablets, mobile phones and cloud services?

Must remove/disable all unused applications, utilities, and network services.

Have you ensured that all your laptops, computers, servers, tablets, mobile devices and cloud services only contain necessary user accounts that are regularly used in the course of your business?

Have you ensured that all your laptops, computers, servers, tablets, mobile devices and cloud services only contain necessary user accounts that are regularly used in the course of your business?

Have you ensured that all your laptops, computers, servers, tablets, mobile devices and cloud services only contain necessary user accounts that are regularly used in the course of your business?

Remove or disable all unneeded user accounts on all devices and cloud services.

Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets and mobile phones that follow the Password-based authentication requirements of Cyber Essentials?

Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets and mobile phones that follow the Password-based authentication requirements of Cyber Essentials?

Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets and mobile phones?

Unique passwords not made up of common or predictable words.

Do you run external services that provide access to data (that shouldn't be made public) to users across the internet?

minor

Do you run or host external services that provide access to data (that shouldn't be made public) to users across the internet?

Do you run or host external services that provide access to data (that shouldn't be made public) to users across the internet?

VPN servers, mail servers, internally hosted internet applications providing confidential data.

If yes to question A5.4, which authentication option do you use?

  1. A - Multi-factor authentication (MFA) with minimum 8-character password
  2. B - Automatic blocking of common/known-bad passwords, minimum 8-character password
  3. C - Minimum 12-character password (no additional protection required)
  4. D - Passwordless system (describe)
  5. E - None of the above (describe)

If yes to question A5.4, which authentication option do you use?

  1. A - Multi-factor authentication (MFA) with minimum 8-character password
  2. B - Automatic blocking of common/known-bad passwords, minimum 8-character password
  3. C - Minimum 12-character password (no additional protection required)
  4. D - Passwordless system (describe)
  5. E - None of the above (describe)

A. MFA + min 8 chars; B. Automatic blocking of common passwords + min 8 chars; C. Min 12 chars; D. Passwordless (describe); E. None of the above (describe).

Describe the process in place for changing passwords on your external services when you believe they have been compromised.

Describe the process in place for changing passwords on your external services when you believe they have been compromised.

Describe the process in place for changing passwords on your external services when you believe they have been compromised.

Must have process to change passwords following a compromise event.

When not using multi-factor authentication, which option are you using to protect your external service from brute force attacks?

  1. A - Throttling
  2. B - Account lockout after 10 attempts
  3. C - None of the above

evolved

When not using multi-factor authentication, which option are you using to protect your external service from brute force attacks?

  1. A - Throttling (max 10 guesses in 5 minutes)
  2. B - Account lockout after 10 attempts
  3. C - None of the above

When not using multi-factor authentication, which option are you using to protect your external service from brute force attacks?

  1. A - Throttling (max 10 guesses in 5 minutes)
  2. B - Account lockout after 10 attempts
  3. C - None of the above

A. Throttling (max 10 guesses in 5 min); B. Account lockout after 10 attempts; C. None. If vendor doesn't allow configuration, use vendor default.

Is 'auto-run' or 'auto-play' disabled on all of your systems?

changed

Have you disabled any feature which allows automatic file execution of downloaded or imported files without user authorisation?

Have you disabled any feature which allows automatic file execution of downloaded or imported files without user authorisation?

Prompt-user option is acceptable.

When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed?

When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed?

When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed?

Biometric, password, or PIN locking must be enabled.

Which method do you use to unlock the devices?

evolved

Which method do you use to unlock the devices?

Which method do you use to unlock the devices?

A PIN of at least 6 characters is acceptable only where the credential is used solely to unlock the device. Brute-force protection is required: throttling (max 10 guesses in 5 min) or lockout after 10 attempts.

A6 Security Update Management
16 questions

Are all operating systems on your devices supported by a vendor that produces regular security updates?

evolved

Are all operating systems on your devices supported by a vendor that produces regular security updates and vulnerability fixes?

changed

Are all operating systems on your devices supported by a vendor that produces regular security updates and vulnerability fixes?

Includes firewall/router firmware. Out-of-support examples updated: Windows 7/XP/Vista/Server 2003, macOS Ventura, iOS 15, Android 12, Ubuntu 17.10. Windows 10 beyond 14 Oct 2025 requires Microsoft ESU.

Is all the software on your devices supported by a supplier that produces regular fixes for any security problems?

minor

Is all the software on your devices supported by a supplier that produces regular vulnerability fixes for any security problems?

Is all the software on your devices supported by a supplier that produces regular vulnerability fixes for any security problems?

Includes frameworks and extensions. Unsupported software must be removed.

Please list your internet browser(s).

Please list your internet browser(s).

Please list your internet browser(s).

Version required.

Please list your malware protection software.

Please list your malware protection software.

Please list your malware protection software.

Version required.

Please list your email applications installed on end user devices and server.

minor

Please list your email applications installed on end user devices and servers.

Please list your email applications installed on end user devices and servers.

Version required.

Please list all office applications that are used to create organisational data.

Please list all office applications that are used to create organisational data.

Please list all office applications that are used to create organisational data.

Version required.

Is all software licensed in accordance with the publisher's recommendations?

changed

Are any of the in-scope software or cloud services unlicensed or unsupported?

Are any of the in-scope software or cloud services unlicensed or unsupported?

All software must be licensed. Free/open source acceptable if licensing requirements met.

If yes to A6.3, please list the unsupported or unlicensed software or cloud services.

If yes to A6.3, please list the unsupported or unlicensed software or cloud services.

List all unlicensed or unsupported software and cloud services.

Are all high-risk or critical security updates for operating systems and router and firewall firmware installed within 14 days of release?

evolved

Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

evolved
⚡ AUTO-FAIL

Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

Mandatory within 14 days. Includes updates rated CVSSv3 ≥7 and updates with no stated severity. AUTOMATIC FAIL if answer is No.

Are all updates applied for operating systems by enabling auto updates?

Are all updates applied for operating systems by enabling auto updates?

Are all updates applied for operating systems by enabling auto updates?

Auto updates must be enabled where possible.

Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all operating systems and firmware on firewall and routers are applied within 14 days of release?

evolved

Where auto updates are not being used, how do you ensure all high-risk or critical security updates and vulnerability fixes of all operating systems and firmware on firewalls and routers are applied within 14 days of release?

Where auto updates are not being used, how do you ensure all high-risk or critical security updates and vulnerability fixes are applied within 14 days of release?

Describe the manual update process.

Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Java, Adobe Reader and .Net.) installed within 14 days of release?

evolved

Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?

evolved
⚡ AUTO-FAIL

Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?

Mandatory within 14 days. CVSSv3 ≥7 threshold applies. AUTOMATIC FAIL if answer is No.

Are all updates applied on your applications by enabling auto updates?

Are all updates applied on your applications by enabling auto updates?

Are all updates applied on your applications by enabling auto updates?

Auto updates should be enabled where possible.

Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release?

Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release?

Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release?

Describe the manual update process for applications.

Have you removed any software installed on your devices that is no longer supported and no longer receives regular updates for security problems?

evolved

Have you removed any software installed on your devices that is no longer supported and no longer receives regular updates or vulnerability fixes for security problems?

Have you removed any software installed on your devices that is no longer supported and no longer receives regular updates or vulnerability fixes?

Must remove software when no longer supported by manufacturer.

Where you have a business need to use unsupported software, have you moved the devices and software out of scope of the assessment?

evolved

Where you have a business need to use unsupported software, have you moved the devices and software out of scope of this assessment?

minor

Where you have a business need to use unsupported software, have you moved the devices and software out of scope of this assessment?

Unsupported software must sit in a sub-set with no internet access. If the out-of-scope sub-set remains internet-connected, you must select 'Partial Organisation' in A2.1.

A7 User Access Control
17 questions

Are users only provided with user accounts after a process has been followed to approve their creation?

Are your users only provided with user accounts after a process has been followed to approve their creation?

Are your users only provided with user accounts after a process has been followed to approve their creation?

User accounts only created after leadership approval.

Are all user and administrative accounts accessed by entering a unique username and password?

changed

Are all your user and administrative accounts accessed by entering unique credentials?

Are all your user and administrative accounts accessed by entering unique credentials?

No devices, applications, or cloud services accessed without unique credentials. Accounts must not be shared.

How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

Must have a process to revoke access when staff leave.

Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

evolved

Do you ensure that staff only have the access privileges that they need to do their current job? How do you do this?

Do you ensure that staff only have the access privileges that they need to do their current job? How do you do this?

Principle of least privilege must be applied.

Do you have a formal process for giving someone access to systems at an 'administrator' level and can you describe this process?

Do you have a formal process for giving someone access to systems at an 'administrator' level and can you describe this process?

Do you have a formal process for giving someone access to systems at an 'administrator' level and can you describe this process?

Process must include approval by owner/director/trustee/partner.

How does your organisation make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)?

How does your organisation make sure that separate accounts are used to carry out administrative tasks (such as installing software or making configuration changes)?

minor

How does your organisation make sure that separate accounts are used to carry out administrative tasks?

Applies to local administrator accounts, network/domain administrator accounts, and cloud service administrator accounts.

How does your organisation prevent administrator accounts from being used to carry out every day tasks like browsing the web or accessing email?

How does your organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email?

How does your organisation prevent administrator accounts from being used to carry out everyday tasks like browsing the web or accessing email?

Admin accounts must not be used for web browsing or email. Policy, procedure, and training acceptable.

Do you formally track which users have administrator accounts in your organisation?

Do you formally track which users have administrator accounts in your organisation?

Do you formally track which users have administrator accounts in your organisation?

Must track all people granted administrator accounts.

Do you review who should have administrative access on a regular basis?

Do you review who should have administrative access on a regular basis?

Do you review who should have administrative access on a regular basis?

Regular review required. Users no longer needing admin access must have it removed.

Describe how you protect accounts from brute-force password guessing in your organisation.

evolved

Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks?

Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks?

MFA; throttling (max 10 guesses in 5 min); or lockout after 10 attempts.

Which technical controls are used to manage the quality of your passwords within your organisation?

minor

Which technical controls are used to manage the quality of your passwords within your organisation?

Which technical controls are used to manage the quality of your passwords within your organisation?

Acceptable: MFA; a minimum of 12 characters with no maximum; or a minimum of 8 characters with no maximum combined with automatic blocking of common passwords via a deny list.

Please explain how you encourage people to use unique and strong passwords.

evolved

Please explain how you encourage people to use unique and strong passwords.

Please explain how you encourage people to use unique and strong passwords.

Must support users in choosing strong passwords. No forced expiry. No complexity requirements. Use password managers. Three-random-words approach.

Do you have a process for when you believe the passwords or accounts have been compromised?

Do you have a process for when you believe the passwords or accounts have been compromised?

Do you have a process for when you believe the passwords or accounts have been compromised?

Must have an established process for prompt password changes on compromise.

Do all of your cloud services have multi-factor authentication (MFA) available as part of the service?

Do all of your cloud services have multi-factor authentication (MFA) available as part of the service?

evolved

Do all of your cloud services have multi-factor authentication (MFA) available as part of the service?

Cloud service definition: on-demand, scalable, hosted on shared infrastructure, accessible via internet, accessed via account, stores or processes data for the organisation. Where MFA is available, it must be enabled for all users and admins.

If you have answered 'No' to question A7.14, please provide a list of your cloud services that do not provide any option for MFA.

If you have answered 'No' to question A7.14, please provide a list of your cloud services that do not provide any option for MFA.

evolved
⚡ AUTO-FAIL

If you have answered 'No' to question A7.14, please provide a list of your cloud services that do not provide any option for MFA.

List all in-scope cloud services with no MFA option. AUTOMATIC FAIL if a cloud service listed here actually does have MFA available. Reference Cloud Services MFA list for verification.

Has MFA been applied to all administrators of your cloud services?

Has MFA been applied to all administrators of your cloud services?

evolved
⚡ AUTO-FAIL

Has MFA been applied to all administrators of your cloud services, excluding any listed in A7.15 that do not provide it?

All cloud service admin accounts must use MFA with a password of at least 8 characters. AUTOMATIC FAIL if answer is No.

Has MFA been applied to all users of your cloud services?

Has MFA been applied to all users of your cloud services?

evolved
⚡ AUTO-FAIL

Has MFA been applied to all users of your cloud services, excluding any listed in A7.15 that do not provide it?

All cloud service user accounts must use MFA with a password of at least 8 characters. AUTOMATIC FAIL if answer is No.

A8 Malware Protection
5 questions

Are all of your desktop computers, laptops, tablets and mobile phones protected from malware?

Select all that apply:

  1. A - Anti-malware software
  2. B - App store / application signing allow-listing
  3. C - None of the above

Are all of your desktop computers, laptops, tablets and mobile phones protected from malware?

Select all that apply:

  1. A - Anti-malware software
  2. B - App store / application signing allow-listing
  3. C - None of the above

Are all of your desktop computers, laptops, tablets and mobile phones protected from malware?

Select all that apply:

  1. A - Anti-malware software
  2. B - App store / application signing allow-listing
  3. C - None of the above

Option A: anti-malware software. Option B: application allow-listing. Option C: none. Most orgs need both A and B.

If Option A has been selected: Where you have anti-malware software installed, is it set to update in line with the vendor's guidelines and prevent malware from running on detection?

If Option A has been selected: Where you have anti-malware software installed, is it set to update in line with the vendor's guidelines and prevent malware from running on detection?

If Option A has been selected: Where you have anti-malware software installed, is it set to update in line with the vendor's guidelines and prevent malware from running on detection?

Usually default setting. Windows Defender suitable.

If Option A has been selected: Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?

minor

If Option A has been selected: Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?

If Option A has been selected: Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?

Anti-malware or browser configured to block known malicious websites. Windows 11 MS Defender SmartScreen acceptable.

If Option B has been selected: Where you use an app-store or application signing, are users restricted from installing unsigned applications?

minor

If Option B has been selected: Where you use an app-store or application signing, are users restricted from installing unsigned applications?

If Option B has been selected: Where you use an app-store or application signing, are users restricted from installing unsigned applications?

OS-level restriction e.g. Windows, Chromebooks, iOS, Android.

If Option B has been selected: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you maintain this list of approved applications?

If Option B has been selected: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you maintain this list of approved applications?

If Option B has been selected: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you maintain this list of approved applications?

Must maintain and enforce an approved application list.
