Have you reviewed your firewall rules in the last 12 months?
What this question is really asking
Confirm that you review your firewall rules at least annually. Assessors look for evidence of a scheduled review — a calendar task, change management record, or audit log. The review should result in documented actions and must remove any rules that are no longer required.
What satisfies this requirement
Yes or No — if Yes, a written description is also required. Describe your review process. You must have a process to remove rules that are no longer needed: when they are reviewed, who decides, and who checks completion. CE Requirement: remove or disable inbound firewall rules quickly when no longer needed.
What to prepare before your assessor visit
The annual review needs to produce a tangible output — a dated record of what was reviewed and what changed (or was confirmed still required). A verbal conversation between two people doesn't leave an audit trail. Create a calendar reminder and produce a brief written summary with a date and the name of who conducted the review. It does not need to be elaborate — it needs to exist.
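One way to give the review that tangible output, as an added example that is not part of this page or of the Cyber Essentials scheme: a small Python script that walks a rule inventory carrying review metadata (a documented justification, an owner, the date the owner last confirmed the rule, an optional planned end date), flags rules that are expired, undocumented or not confirmed within the last year, applies the owners' recorded decisions, and emits a dated record naming the reviewer and listing what was removed and what is still awaiting a decision. The rule inventory, the owners, the decisions and the review date are all constructed sample data; the field names and the 365-day threshold are assumptions, not anything the scheme prescribes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added example, not from the page or from Cyber Essentials itself.
# A rule inventory with review metadata (constructed sample data below),
# a pass that flags rules needing a decision, and a dated, attributable
# review record showing what was checked, who decided, and what is pending.

@dataclass
class FirewallRule:
    rule_id: str
    direction: str                   # "inbound" or "outbound"
    protocol: str
    port: int
    source: str                      # hypothetical source network field
    justification: str               # documented business reason; empty = undocumented
    owner: str
    last_confirmed: Optional[date]   # date the owner last confirmed the rule is still needed
    expires: Optional[date] = None   # planned end date, if the rule was meant to be temporary

REVIEW_DATE = date(2025, 3, 1)

# Constructed sample inventory (not real rules); 203.0.113.0/24 is a documentation range.
RULES: List[FirewallRule] = [
    FirewallRule("FW-001", "inbound", "tcp", 443, "any", "Public web server", "web-team", date(2024, 6, 1)),
    FirewallRule("FW-002", "inbound", "tcp", 3389, "203.0.113.0/24", "Temporary vendor access for migration",
                 "it-ops", date(2023, 6, 10), expires=date(2023, 9, 30)),
    FirewallRule("FW-003", "inbound", "tcp", 22, "any", "", "unknown", None),
    FirewallRule("FW-004", "outbound", "udp", 53, "10.0.0.0/8", "DNS to resolver", "it-ops", date(2024, 3, 15)),
    FirewallRule("FW-005", "inbound", "tcp", 8080, "any", "Legacy app test", "dev-team", date(2023, 11, 1)),
]

def find_issue(rule: FirewallRule, review_date: date, max_age_days: int = 365) -> str:
    """Return why a rule needs attention, or "ok" if its record is in order."""
    if rule.expires is not None and rule.expires < review_date:
        return "expired"             # temporary rule past its planned end date
    if not rule.justification.strip():
        return "no_justification"    # nobody has written down why it exists
    if rule.last_confirmed is None or (review_date - rule.last_confirmed).days > max_age_days:
        return "stale"               # not confirmed as still needed within the review period
    return "ok"

Decision = Tuple[str, str]   # ("remove" | "retain", note from the person who decided)

def build_review_record(rules: List[FirewallRule], review_date: date, reviewer: str,
                        decisions: Dict[str, Decision]) -> dict:
    """Produce the dated record: every rule, its finding, and the action taken or still pending."""
    entries, pending, removed = [], [], []
    for rule in rules:
        finding = find_issue(rule, review_date)
        if rule.rule_id in decisions:
            action, note = decisions[rule.rule_id]       # the owner decided
        elif finding == "ok":
            action, note = "retain", "confirmed still required"
        else:
            action, note = "pending", "awaiting owner decision"
            pending.append(rule.rule_id)
        if action == "remove":
            removed.append(rule.rule_id)
        entries.append({"rule_id": rule.rule_id, "finding": finding, "action": action, "note": note})
    return {"review_date": review_date.isoformat(), "reviewer": reviewer,
            "rules": entries, "pending": pending, "removed": removed}

def review_complete(record: dict) -> bool:
    """The review only counts as done once every flagged rule has a recorded decision."""
    return not record["pending"]

def render_record(record: dict) -> str:
    """Plain-text summary with date and reviewer, suitable for filing as evidence."""
    lines = [f"Firewall rule review {record['review_date']} by {record['reviewer']}"]
    for e in record["rules"]:
        lines.append(f"  {e['rule_id']}: finding={e['finding']} action={e['action']} ({e['note']})")
    lines.append(f"  removed: {', '.join(record['removed']) or 'none'}; "
                 f"pending: {', '.join(record['pending']) or 'none'}")
    return "\n".join(lines)

# Decisions recorded by the rule owners during this review (constructed).
DECISIONS: Dict[str, Decision] = {
    "FW-002": ("remove", "migration finished; vendor access no longer required"),
    "FW-005": ("remove", "legacy app decommissioned"),
}

if __name__ == "__main__":
    record = build_review_record(RULES, REVIEW_DATE, "A. Reviewer (constructed)", DECISIONS)
    print(render_record(record))
    print("complete:", review_complete(record))
```

Run as-is, the record shows FW-002 and FW-005 removed and FW-003 still pending, so review_complete reports False: the review is not finished until the owner of the undocumented SSH rule has either justified it or agreed to its removal, which is the "who checks completion" step the assessor wants to see. Filing the rendered text (or the dict as JSON) with each annual run gives the dated, named audit trail the text above asks for.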
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.