Do you run or host external services that provide access to data (that shouldn't be made public) to users across the internet?
What this question is really asking
Confirm whether you run or host any external services that provide access to non-public data — webmail, remote desktop, VPNs, online portals, and so on. If yes, these services must be protected with a compliant authentication method, which you specify in A5.5.
What satisfies this requirement
Yes or No. Examples of services in scope: VPN servers, mail servers, and internally hosted internet applications that provide access to confidential data. CE requirement: ensure users are authenticated before allowing access to organisational data.
What to prepare before your assessor visit
The list of external services organisations run is longer than they initially think. VPN portals, webmail, online HR systems, customer portals, cloud management consoles — all of these count. Answering no when several external services actually exist will invalidate your A5.5 response and create a significant finding. Take time to compile a thorough list before answering.
How this question sits across CE versions