If you answered yes in question A4.9, is there a documented business requirement for this access?
What this question is really asking
If you allow remote access to firewall configuration, document the specific business reason. Assessors will scrutinise this — convenience is not an acceptable justification. Managed service providers with a documented monitoring requirement are the most common valid use case.
What satisfies this requirement
Yes or No. Decision to allow external access must be documented.
What to prepare before your assessor visit
The broadly acceptable answer is 'our managed service provider requires it for contracted monitoring and management', with a documented service agreement. 'It's convenient for our IT team' is not a valid justification for an assessor. If remote access exists but was never formally documented or approved, complete that documentation before the assessment: retrospective approval is better than no approval.