Do you change your firewall password when you know or suspect it has been compromised?
What this question is really asking
Confirm you have a process for changing firewall passwords when compromise is known or suspected. Assessors want to see a defined trigger and response — not just a statement that you would change it, but a procedure that specifies who is responsible and when it must happen.
What satisfies this requirement
Yes or NoMust have awareness and process to change password after compromise event.
What to prepare before your assessor visit
'We would change the password if we needed to' describes an intention, not a process. Assessors want a defined trigger, a named responsible person, and a realistic response timeline. Document it — even briefly — so you can point to something concrete. The trigger should include suspected compromise, not just confirmed compromise.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.