If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required?
What this question is really asking
Confirm that you review your firewall rules at least annually. Assessors look for evidence of a scheduled review — a calendar task, change management record, or audit log. The review should result in documented actions and must remove any rules that are no longer required.
What satisfies this requirement
A written response is requiredDescribe the process: when services are reviewed, who decides to remove, who checks completion.
What to prepare before your assessor visit
The annual review needs to produce a tangible output — a dated record of what was reviewed and what changed (or was confirmed still required). A verbal conversation between two people doesn't leave an audit trail. Create a calendar reminder and produce a brief written summary with a date and the name of who conducted the review. It does not need to be elaborate — it needs to exist.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.