Do you have a process to manage your firewall?
What this question is really asking
Describe your process for managing firewall rules — how rules are requested, approved, documented, and reviewed. Willow introduced this to address the common failure of organisations having correctly configured firewalls at setup but with no ongoing process to keep them compliant over time.
What satisfies this requirement
Yes or No — if Yes, a written description is also required.
Your firewall may be configured to allow external access, e.g. VPN server, mail server, FTP, customer service ('opening a port'). You need to show a business case for this.
What to prepare before your assessor visit
This process question catches many organisations unprepared. Having a well-configured firewall today is not enough if there is no process governing how it stays that way. An assessor will ask: who can request a firewall rule change? Who approves it? How is it documented? If the answer is 'we do it informally', that is a finding — even if the firewall configuration itself is correct.