Do you have software firewalls enabled on all of your computers, laptops and servers?
What this question is really asking
Confirm that a software firewall is enabled on all laptops, desktops, and servers within scope. This is a host-based control that complements boundary firewalls. Windows Defender Firewall, macOS application firewall, and equivalent Linux tools are all acceptable. MDM or Group Policy enforcement is expected — relying on users to keep their host firewall enabled is not sufficient evidence.
What satisfies this requirement
Yes or NoSoftware firewall must be configured and enabled at all times, including behind a physical boundary firewall. Must be configured on devices used on untrusted networks (public wifi). If the organisation doesn't control the network a device connects to, a software firewall is required.
What to prepare before your assessor visit
'We have Windows Defender Firewall' is a reasonable start, but assessors want to know it is enforced rather than merely recommended. A screenshot of one PC is not sufficient — show the Group Policy object or MDM profile that enforces the software firewall across all managed devices. If users can disable the firewall themselves, it is not a reliable control and assessors will note the gap.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.