Do you have firewalls at the boundaries between your organisation's internal networks, laptops, desktops, servers, and the internet?
What this question is really asking
Confirm that firewalls exist at every boundary between your internal networks and the internet. This includes your physical office perimeter, each home worker's connection point (usually their home router), and cloud service boundaries where applicable. A software firewall on a device does not substitute for a boundary firewall.
What satisfies this requirement
Yes or NoFirewalls must be in place between office network and the internet. CE Requirement: protect every device in scope with a correctly configured firewall.
What to prepare before your assessor visit
The most common failure here involves home worker boundary firewalls. ISP-provided home routers generally qualify as boundary firewalls for CE purposes — provided the built-in firewall is enabled, the admin password has been changed from the default, and any unnecessary services are reviewed. The pitfall is organisations who simply haven't thought about home workers' routers at all. You need a consistent story for how every home worker's boundary is addressed.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.