If you answered yes in question A4.8, is there a documented business requirement for this access?
What this question is really asking
Confirm whether your firewall's configuration interface is accessible over the internet. The answer should be no for most organisations. Remote management interfaces on firewalls are a significant attack surface and should only be accessible from trusted, defined IP ranges at most.
What satisfies this requirement
Yes or No. Decision to allow external access must be documented.
What to prepare before your assessor visit
The answer here should be no for almost every organisation. If your managed service provider requires remote access to your firewall, that access should go through a VPN or a dedicated management network — not a management interface directly exposed to the internet. An internet-accessible admin portal on a firewall is a significant vulnerability and will draw serious scrutiny.