Are your boundary firewalls configured to allow access to their configuration settings over the internet?
What this question is really asking
If you have permitted inbound connections, describe your documented approval process. Each permitted inbound rule should have a named business justification, an approver, and a regular review date. Undocumented firewall rules are among the most common findings in Cyber Essentials assessments.
What satisfies this requirement
Yes or NoAnswer No if firewall settings are only accessible via VPN or not accessible externally.
What to prepare before your assessor visit
Assessors will examine each inbound rule you describe. 'The business needs it' is not a sufficient justification — you need the specific service name, the ports and protocols permitted, who approved the rule, and when it was last reviewed. Old inbound rules approved years ago and never revisited since are among the most common firewall findings. Do the review before the assessment, not during it.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.