Describe the process in place for changing passwords on your external services when you believe they have been compromised.
What this question is really asking
Describe your process for changing passwords on external services when compromise is suspected. Assessors want a defined response — a documented procedure specifying the trigger, who is responsible, and the expected timeline for the password reset.
What satisfies this requirement
A written response is required. You must know how to change the password for each external service following a compromise event.
What to prepare before your assessor visit
The same standard applies as A4.4 — a documented procedure with a named owner and a clearly defined trigger. The trigger should include suspected compromise, not just confirmed compromise: a user reporting suspicious activity, an unusual login from an unknown IP, or a phishing message that may have captured credentials all warrant a response. Document the process before an incident occurs, not while responding to one.
How this question sits across CE versions