If you answered no to question A4.1.1, is this because software firewalls are not installed by default as part of the operating system you are using? Please list the operating systems.
What this question is really asking
If you answered no to A4.1.1 because your devices run an OS where software firewalls are not installed by default (certain Linux distributions, for example), describe the compensating control. You need to demonstrate that host-level firewall protection exists even if it is not the built-in OS firewall.
What satisfies this requirement
A written response is requiredVery few OS lack software firewalls. Windows, macOS, and common Linux distributions all have them.
What to prepare before your assessor visit
If you are claiming a compensating control for the absence of a built-in software firewall, your assessor will want to see that the control is actually active — not just described. Network-level filtering that blocks all unexpected inbound connections to individual devices can satisfy this, but you will need to show the configuration, not just assert its existence.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.