Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers). You must include make and model of each device listed.
What this question is really asking
List the quantities and OS versions for all in-scope tablets and mobile phones. Personally-owned (BYOD) devices are in scope if they access organisational data or email. Assessors will cross-reference these against your malware protection answers in section A8.
What satisfies this requirement
A list is requiredInclude all equipment controlling data flow to/from internet. Exclude switches and WAPs that don't route internet traffic. Home/remote workers relying on software firewalls — describe in notes.
What to prepare before your assessor visit
BYOD is where most organisations are caught out. If a personal device accesses corporate email — even via a mobile app — it is in scope. If your BYOD policy says 'personal devices are not allowed', assessors will ask how that is technically enforced. An MDM solution confirming only enrolled corporate devices can access corporate resources is the cleanest answer; anything less requires careful explanation.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.