Montpellier A4.7

Have you configured your boundary firewalls so that they block all other services from being advertised to the internet?

Section A4: Firewalls  ·  Cyber Essentials Montpellier

What this question is really asking

Confirm whether your firewall permits any unauthenticated inbound connections from the internet. The vast majority of organisations should answer no. Any permitted inbound traffic that does not require authentication must be explicitly justified — assessors will treat undocumented inbound rules as a finding.

What satisfies this requirement

Yes or No

Check firewall settings. Most firewalls block all services by default but this must be verified.


What to prepare before your assessor visit

Think carefully before answering yes. Legitimate inbound connections include SMTP for email hosting, SFTP for file exchange, web services hosted on your own infrastructure, or incoming VPN connections. Even if you only have one or two inbound rules, say yes here and address them properly in A4.8. Saying no when inbound rules exist is a much worse finding than having inbound rules with proper documentation.

How this question sits across CE versions

Montpellier (this page): Have you configured your boundary firewalls so that they block all other services from being advertised to the internet?
Willow (evolved): Is your firewall configured to allow unauthenticated inbound connections?
Danzell: Is your firewall configured to allow unauthenticated inbound connections?
