Willow A8.5

If Option B has been selected: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you maintain this list of approved applications?

Section A8: Malware Protection  ·  Cyber Essentials Willow

What this question is really asking

Confirm that your app controls prevent users from installing applications from untrusted sources or that have not been approved. This must be technically enforced via MDM or equivalent — a policy prohibition alone is insufficient. The standard requires that even if a user wants to install an unapproved app, they technically cannot do so.

What satisfies this requirement

Yes or No

You must maintain and enforce an approved application list. MDM is not required if policy, process and training achieve compliance.


What to prepare before your assessor visit

This must be technically enforced — the standard is unambiguous that users must be technically unable to install unapproved software, not merely prohibited by policy from doing so. On Windows, this typically means AppLocker or Windows Defender Application Control. On managed mobile devices, MDM profiles with app restrictions. A policy document alone, however clearly worded, will not satisfy this question. Show the technical control and confirm it is actively applied.
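One way to confirm an AppLocker policy is actively applied before the assessment is to export the effective policy with `Get-AppLockerPolicy -Effective -Xml` and check each rule collection's enforcement mode. The Python below is an added example, not part of the original guidance; the embedded policy is a constructed sample, and the set of collections checked (`EXPECTED`) is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `Get-AppLockerPolicy -Effective -Xml` output.
# Rule IDs, names and paths are illustrative only.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Windows Installer"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\Installer\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured">
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Windows scripts"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""

# Assumption of this example: these are the collections the evidence should cover.
EXPECTED = ("Exe", "Msi", "Script", "Appx")

def enforcement_report(policy_xml):
    """Map each expected collection to (status, rule_count)."""
    found = {c.get("Type"): c for c in ET.fromstring(policy_xml).iter("RuleCollection")}
    report = {}
    for kind in EXPECTED:
        coll = found.get(kind)
        rules = [] if coll is None else [r for r in coll if r.tag.endswith("Rule")]
        mode = "NotConfigured" if coll is None else coll.get("EnforcementMode", "NotConfigured")
        if not rules:
            status = "NO_RULES"      # nothing of this type is restricted
        elif mode == "AuditOnly":
            status = "AUDIT_ONLY"    # events are logged, nothing is blocked
        else:
            status = "ENFORCED"      # Enabled, or NotConfigured with rules present
        report[kind] = (status, len(rules))
    return report

def gaps(policy_xml):
    """Collections that do not block anything and need fixing before the assessment."""
    return [k for k, (s, _) in enforcement_report(policy_xml).items() if s != "ENFORCED"]

if __name__ == "__main__":
    for kind, (status, count) in enforcement_report(SAMPLE_POLICY).items():
        print(f"{kind:7} {status:11} rules={count}")
```

AppLocker only evaluates rules while the Application Identity service (AppIDSvc) is running, so check the service state on the device alongside the export.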

How this question sits across CE versions

Willow (this version)
If Option B has been selected: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you maintain this list of approved applications?
Montpellier
If Option B has been selected: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you maintain this list of approved applications?
Danzell
If Option B has been selected: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you maintain this list of approved applications?
