When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed?
What this question is really asking
Confirm that all devices requiring user presence have a screen lock configured. The standard requires locking after a maximum of 10 minutes of inactivity, with a password or biometric required to unlock. MDM enforcement is the recommended approach — relying on users to configure their own screen lock is not sufficient evidence for an assessor.
What satisfies this requirement
Yes or No
Biometric, password, or PIN locking must be enabled to prevent unauthorised access.
What to prepare before your assessor visit
Assessors may ask you to demonstrate that screen lock is enforced across all devices, not just configured on a single test machine. MDM console screenshots showing the policy applied to all enrolled devices are the cleanest evidence. Be prepared for questions about any exceptions — if a device is configured to never lock (a public display screen, for example), explain how it is physically secured or access-controlled.