Cyber Essentials Questions


Organisation

Your Organisation

In this section we need to know a little about how your organisation is set up so we can ask you the most appropriate questions.

A1.1 What is your organisation’s name (for companies: as registered with Companies House)?

A1.2 What is your organisation’s registration number (if you have one)?

A1.3 What is your organisation’s address (for companies: as registered with Companies House)?

A1.4 What is your main business?

A1.5 What is your website address?

A1.6 What is the size of your organisation?

A1.7 How many staff are home workers?

A1.8 Is this application a renewal of an existing certification or is it the first time you have applied for certification?

A1.9 What is your main reason for applying for certification?

Scope of Assessment

In this section, we need you to describe the elements of your organisation which you want to certify to this accreditation. The scope should be either the whole organisation or an organisational sub-unit (for example, the UK operation of a multinational company). All computers, laptops, servers, mobile phones, tablets and firewalls/routers that can access the internet and are used by this organisation or sub-unit to access business information should be considered “in-scope”. All locations that are owned or operated by this organisation or sub-unit, whether in the UK or internationally, should be considered “in-scope”.

A2.1 Does the scope of this assessment cover your whole organisation? Please note: your organisation is only eligible for free cyber insurance if your assessment covers your whole company; if you answer “No” to this question you will not be invited to apply for insurance.

A2.2 If it is not the whole organisation, then what scope description would you like to appear on your certificate and website?

A2.5 Please describe the geographical locations of your business which are in the scope of this assessment.

A2.6 Please list the quantities of laptops, computers and servers within the scope of this assessment. You must include model and operating system versions for all devices.

A2.7 Please list the quantities of tablets and mobile devices within the scope of this assessment. You must include model and operating system versions for all devices.

A2.8 Please provide a list of the networks that will be in scope for this assessment.

A2.9 Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers).

A2.10 Please provide the name and role of the person who is responsible for managing the information systems in the scope of this assessment.

Insurance

All organisations with a head office domiciled in the UK and a turnover of less than £20 million get automatic cyber insurance if they achieve Cyber Essentials certification. The cost of this is included in the assessment package, but you can opt out of the insurance element if you choose; this will not change the price of the assessment package. If you want the insurance then we do need to ask some additional questions, and these answers will be forwarded to the broker. The answers to these questions will not affect the result of your Cyber Essentials assessment. It is important that the insurance information provided is as accurate as possible and that the assessment declaration is signed at Board level or equivalent, to avoid any delays to the insurance policy being issued.

A3.1 Is your head office domiciled in the UK and is your gross annual turnover less than £20m?

A3.2 If you have answered “yes” to the last question then your company is eligible for the included cyber insurance if you gain certification. If you do not want this insurance element please opt out here.

A3.3 What is your total gross revenue? Please provide the figure to the nearest £100K. You only need to answer this question if you are taking the insurance.

A3.4 Is the company or its subsidiaries any of the following: medical, call centre, telemarketing, data processing (outsourcers), internet service provider, telecommunications or an organisation regulated by the FCA? You only need to answer this question if you are taking the insurance.

A3.5 Does the company have any domiciled operation or derived revenue from the territory or jurisdiction of Canada and/or the USA?

A3.6 What is the organisation email contact for the insurance documents? You only need to answer this question if you are taking the insurance.

Secure Business Operations

Office firewalls and internet gateways

Firewall is the generic name for software or hardware which provides technical protection between your systems and the outside world. There will be a firewall within your internet router. Common internet routers are the BT Home Hub, Virgin Media Hub or Sky Hub. Your organisation may also have set up a separate hardware firewall device between your network and the internet. Firewalls are powerful devices and need to be configured correctly to provide effective security.

Questions in this section apply to: Hardware Firewall devices, Routers, Computers and Laptops only

A4.1 Do you have firewalls at the boundaries between your organisation’s internal networks and the internet?

A4.2 When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?

A4.3 Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?

A4.4 Do you change the password when you believe it may have been compromised? How do you achieve this?

A4.5 Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?

A4.6 If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process.

A4.7 Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?

A4.8 Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?

A4.9 If yes, is there a documented business requirement for this access?

A4.10 If yes, is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings? List which option is used.

A4.11 Do you have software firewalls enabled on all of your computers and laptops?

A4.12 If no, is this because software firewalls are not commonly available for the operating system you are using? Please list the operating systems.
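
Questions A4.5, A4.7, A4.8 and A4.10 reduce to three checks you can run against an exported ruleset: the inbound chain ends in a catch-all deny, every inbound allow has a documented business case, and the device’s own configuration interface is not reachable from the internet except from trusted source addresses. The Python below is an added example written for this page, not code from the questionnaire or from any firewall vendor. It assumes a first-match, IPv4-only ruleset; the rule format, the management port list, the change references and both sample rulesets are constructed for illustration, and 2FA (the other option A4.10 accepts) is not checked because it is not visible in a ruleset.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

# Ports on which the device exposes its own configuration interface.
# Assumed for this example; take the real list from the device's documentation.
MANAGEMENT_PORTS = {22, 8443}


@dataclass
class Rule:
    """One line of a first-match ruleset (IPv4 only, for brevity)."""
    direction: str               # "in" = from the internet, "out" = to the internet
    action: str                  # "allow" or "deny"
    port: Optional[int]          # destination port; None = any port
    source: str = "0.0.0.0/0"    # permitted source range in CIDR notation
    business_case: str = ""      # reference to the documented justification (A4.5)


def is_catch_all_deny(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.port is None
            and ip_network(rule.source, strict=False).prefixlen == 0)


def restricted_to(source: str, trusted: List[str]) -> bool:
    """True when the rule's source range lies entirely inside a trusted range."""
    src = ip_network(source, strict=False)
    return any(src.subnet_of(ip_network(t, strict=False)) for t in trusted)


def audit(rules: List[Rule], trusted_admin_sources: List[str]) -> List[str]:
    """One finding per Cyber Essentials firewall control the ruleset fails."""
    findings = []
    inbound = [r for r in rules if r.direction == "in"]

    # A4.7: everything not explicitly allowed is blocked, so the inbound
    # chain must end in a catch-all deny.
    if not inbound or not is_catch_all_deny(inbound[-1]):
        findings.append("A4.7: inbound chain does not end in a catch-all deny")

    for rule in inbound:
        if rule.action != "allow":
            continue
        # A4.5: every externally reachable service needs a documented business case.
        if not rule.business_case.strip():
            findings.append(f"A4.5: port {rule.port} open from {rule.source} with no business case")
        # A4.8/A4.10: a configuration interface reachable from the internet must
        # at least be limited to trusted addresses (2FA cannot be read from a ruleset).
        if rule.port in MANAGEMENT_PORTS and not restricted_to(rule.source, trusted_admin_sources):
            findings.append(f"A4.10: management port {rule.port} reachable from {rule.source}")
    return findings


# Constructed sample rulesets; the CHG-xxxx change references are placeholders.
TRUSTED_ADMIN_SOURCES = ["203.0.113.0/24"]   # the MSP's office range (documentation prefix)

WEAK_RULES = [
    Rule("in", "allow", 443, "0.0.0.0/0", "CHG-0142: public web server"),
    Rule("in", "allow", 3389, "0.0.0.0/0"),                           # RDP to the world, no case
    Rule("in", "allow", 8443, "0.0.0.0/0", "vendor remote support"),  # admin UI from anywhere
]                                                                     # ...and no final deny

HARDENED_RULES = [
    Rule("in", "allow", 443, "0.0.0.0/0", "CHG-0142: public web server"),
    Rule("in", "allow", 8443, "203.0.113.0/24", "CHG-0150: MSP management from office range"),
    Rule("in", "deny", None, "0.0.0.0/0", "default deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules, TRUSTED_ADMIN_SOURCES) or ["no findings"])
```

Run against the weak ruleset this reports the missing default deny, the undocumented RDP exposure and the world-reachable admin port; the hardened ruleset produces no findings. Feeding it a real export means writing a small parser from your device’s format into `Rule` objects.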

Secure configuration

Computers are often not secure upon default installation. An ‘out-of-the-box’ set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications or services. All of these present security risks.

Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones

A5.1 Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this.

A5.2 Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business?

A5.3 Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?

A5.4 Do all your users and administrators use passwords of at least 8 characters?

A5.5 Do you run software that provides sensitive or critical information (that shouldn’t be made public) to external users across the internet?

A5.6 If yes, do you ensure all users of these services use a password of at least 8 characters and that your systems do not restrict the length of the password?

A5.7 If yes, do you ensure that you change passwords if you believe that they have been compromised?

A5.8 If yes, are your systems set to lock out after ten or fewer unsuccessful login attempts, or to limit the number of login attempts to no more than ten within five minutes?

A5.9 If yes, do you have a password policy that guides all your users?

A5.10 Is “auto-run” or “auto-play” disabled on all of your systems?
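
A5.6 and A5.8 describe two controls on any internet-facing service you host yourself: a minimum password length with no maximum imposed by the system, and a throttle that allows no more than ten failed attempts in five minutes. The Python below is an added example written for this page, not code from the questionnaire; it shows the minimum-only length check, salted PBKDF2 storage so the length rule cannot be undone by truncation, and a per-account sliding-window throttle that refuses the eleventh attempt within the window. The test account, its password and the fake clock are constructed for the demonstration, and the throttle is checked before the password so a locked account leaks nothing about whether the guess was right.

```python
import hashlib
import hmac
import os
import time
from collections import deque

MIN_PASSWORD_LENGTH = 8      # A5.6: at least 8 characters ...
MAX_ATTEMPTS = 10            # A5.8: no more than ten attempts ...
WINDOW_SECONDS = 5 * 60      # ... within five minutes
PBKDF2_ROUNDS = 100_000      # raise for production; kept modest so the demo runs quickly


def password_meets_policy(password: str) -> bool:
    # A5.6: enforce a minimum only. Deliberately no maximum length, and the
    # password is hashed in full rather than truncated.
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: bytes = None) -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class LoginThrottle:
    """Per-account sliding window: at most MAX_ATTEMPTS failures per WINDOW_SECONDS."""

    def __init__(self, clock=time.monotonic, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.clock = clock
        self.max_attempts = max_attempts
        self.window = window
        self.failures = {}   # account -> deque of failure timestamps

    def _recent_failures(self, account):
        now = self.clock()
        q = self.failures.setdefault(account, deque())
        while q and now - q[0] >= self.window:   # drop failures that have aged out
            q.popleft()
        return q

    def allowed(self, account) -> bool:
        return len(self._recent_failures(account)) < self.max_attempts

    def record_failure(self, account):
        self._recent_failures(account).append(self.clock())

    def record_success(self, account):
        self.failures.pop(account, None)


_DUMMY_RECORD = hash_password("placeholder")   # equalises timing for unknown accounts


def attempt_login(throttle, store, account, password) -> str:
    """Returns 'throttled', 'bad-credentials' or 'ok'."""
    if not throttle.allowed(account):      # checked first: no password work while locked
        return "throttled"
    salt, digest = store.get(account, _DUMMY_RECORD)
    if account not in store or not verify_password(password, salt, digest):
        throttle.record_failure(account)
        return "bad-credentials"
    throttle.record_success(account)
    return "ok"


class FakeClock:
    """Deterministic clock for the demonstration (constructed, not real time)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_demo() -> list:
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    store = {"alice": hash_password("correct horse battery")}   # constructed test account
    outcomes = []
    for _ in range(MAX_ATTEMPTS):                                # ten wrong guesses, one per second
        outcomes.append(attempt_login(throttle, store, "alice", "wrong-guess"))
        clock.advance(1)
    outcomes.append(attempt_login(throttle, store, "alice", "correct horse battery"))  # 11th in window
    clock.advance(WINDOW_SECONDS)                                # wait out the five minutes
    outcomes.append(attempt_login(throttle, store, "alice", "correct horse battery"))
    return outcomes


if __name__ == "__main__":
    print(run_demo())   # ten 'bad-credentials', then 'throttled', then 'ok'
```

The eleventh attempt is refused even though the password is correct, and only once the oldest failure has aged out of the five-minute window does the correct password succeed. The same window logic can be keyed by source address as well as by account if you also want to slow down password spraying.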

Patches and Updates

To protect your organisation you should ensure that your software is always up to date with the latest patches. If, on any of your in-scope devices, you are using an operating system which is no longer supported (e.g. Microsoft Windows XP/Vista/2003, macOS El Capitan, Ubuntu 17.10), and you are not being provided with updates from another reliable source, then you will not be awarded certification. Mobile phones and tablets are in scope and must also use an operating system that is still supported by the manufacturer.

Questions in this section apply to: Servers, Computers, Laptops, Tablets, Mobile Phones, Routers and Firewalls

A6.1 Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems?

A6.2 Are all applications on your devices supported by a supplier that produces regular fixes for any security problems?

A6.3 Is all software licensed in accordance with the publisher’s recommendations?

A6.4 Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how you achieve this.

A6.5 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.

A6.6 Have you removed any applications on your devices that are no longer supported and no longer receive regular fixes for security problems?
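
A6.1, A6.4 and A6.5 are the questions most often failed on evidence rather than intent: an assessor wants to see, per device, that the platform is still supported and that each high-risk update went on within 14 days of release. The Python below is an added example for this page, not the scheme’s own tooling; it evaluates a small inventory against exactly those two rules. The devices, dates and scores are constructed, and the CVSS 7.0 cut-off used to decide what counts as “high-risk or critical” is an assumption to check against the current requirements document.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW = timedelta(days=14)  # A6.4 / A6.5: 14 days from release
HIGH_RISK_CVSS = 7.0               # assumed threshold for "high-risk or critical"


@dataclass
class Platform:
    device: str
    os_name: str
    end_of_support: Optional[date]   # None = vendor has not announced an end date


@dataclass
class Update:
    device: str
    component: str                   # OS, firmware or application
    cvss: float                      # highest base score the update fixes
    released: date
    installed: Optional[date]        # None = not yet installed


def unsupported_platforms(platforms: List[Platform], as_of: date) -> List[Platform]:
    """A6.1: any platform whose vendor support has ended fails certification outright."""
    return [p for p in platforms
            if p.end_of_support is not None and p.end_of_support <= as_of]


def overdue_updates(updates: List[Update], as_of: date) -> List[Update]:
    """A6.4/A6.5: high-risk updates installed late, or still missing past their deadline."""
    overdue = []
    for u in updates:
        if u.cvss < HIGH_RISK_CVSS:
            continue                      # no 14-day clock for lower-risk fixes
        deadline = u.released + PATCH_WINDOW
        if u.installed is not None:
            late = u.installed > deadline     # applied, but after the window closed
        else:
            late = as_of > deadline           # not applied and the window has closed
        if late:
            overdue.append(u)
    return overdue


def certification_report(platforms, updates, as_of: date) -> dict:
    unsupported = unsupported_platforms(platforms, as_of)
    overdue = overdue_updates(updates, as_of)
    return {
        "unsupported": [p.device for p in unsupported],
        "overdue": [f"{u.device}:{u.component}" for u in overdue],
        "pass": not unsupported and not overdue,
    }


# Constructed inventory for the demonstration; not real devices.
AS_OF = date(2024, 3, 1)
PLATFORMS = [
    Platform("LAPTOP-01", "Windows 11 23H2", None),
    Platform("SRV-02", "Windows Server 2012 R2", date(2023, 10, 10)),
]
UPDATES = [
    Update("LAPTOP-01", "Windows 11", 8.8, date(2024, 2, 1), date(2024, 2, 9)),   # 8 days: fine
    Update("LAPTOP-01", "Chrome", 9.6, date(2024, 2, 1), date(2024, 2, 20)),      # 19 days: late
    Update("SRV-02", "BIOS firmware", 7.5, date(2024, 2, 10), None),              # deadline 24 Feb passed
    Update("LAPTOP-01", "Office", 5.3, date(2024, 1, 5), None),                    # below threshold
    Update("LAPTOP-01", "Edge", 7.2, date(2024, 2, 25), None),                     # deadline 10 Mar, still open
]

if __name__ == "__main__":
    for key, value in certification_report(PLATFORMS, UPDATES, AS_OF).items():
        print(f"{key}: {value}")
```

Note the two distinct failure modes: an update applied on day 19 is a breach even though it is now installed, and a missing update is only a breach once its deadline has passed. Keeping the release date alongside the install date in your inventory is what makes this evidence reproducible for an assessor.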

Access Control

User Accounts

It is important to only give users access to the resources and data necessary for their roles, and no more. All users need to have unique accounts and should not be carrying out day-to-day tasks such as invoicing or dealing with e-mail whilst logged on as a user with administrator privileges, which allow significant changes to the way your computer systems work.

Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones

A7.1 Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.

A7.2 Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password?

A7.3 How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?

A7.4 Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?

Administrative Accounts

User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When these privileged accounts are accessed by attackers they can cause the most damage, because they can usually perform actions such as installing malicious software and making changes. Special access includes privileges over and above those of normal users.

It is not acceptable to work on a day-to-day basis in a privileged “administrator” mode.

Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones

A7.5 Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.

A7.6 How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?

A7.7 How do you ensure that administrator accounts are not used for accessing email or web browsing?

A7.8 Do you formally track which users have administrator accounts in your organisation?

A7.9 Do you review who should have administrative access on a regular basis?

A7.10 Have you enabled two-factor authentication for access to all administrative accounts?

A7.11 If no, is this because two-factor authentication is not available for some or all of your devices or systems? List the devices or systems that do not allow two-factor authentication.
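
A7.10 asks only that two-factor authentication be enabled for administrative accounts; it does not prescribe a mechanism. The second factor most widely supported by the systems an organisation of this kind runs is a time-based one-time password (RFC 6238), and the Python below, an added example not taken from the questionnaire, shows the server side of checking one for an admin login: it derives the six-digit code from the shared secret and the current 30-second step, tolerates one step of clock drift either way, and refuses to accept any code twice. The account name and injected clock are illustrative; the shared secret is the RFC’s own reference secret so the codes can be checked against its published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # code lifetime
DIGITS = 6
SKEW_STEPS = 1      # tolerate one step of clock drift either side


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps share the secret as base32 text; pad and decode it."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based code for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the HOTP code for the 30-second step containing unix_time."""
    return hotp(secret, int(unix_time) // STEP_SECONDS)


class TotpVerifier:
    """Server-side check for admin logins: each code is accepted at most once."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.last_step = {}   # account -> highest time step already accepted

    def verify(self, account: str, secret: bytes, code: str) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        step_now = int(self.clock()) // STEP_SECONDS
        for step in range(step_now - SKEW_STEPS, step_now + SKEW_STEPS + 1):
            if step <= self.last_step.get(account, -1):
                continue        # replay: this step (or an earlier one) was already used
            if hmac.compare_digest(hotp(secret, step), code):
                self.last_step[account] = step
                return True
        return False


# The RFC 6238 reference secret ("12345678901234567890" in base32), so that
# the codes produced here match the RFC's published SHA-1 test vectors.
RFC_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                      # 287082 (last six digits of the RFC's 94287082)
    v = TotpVerifier(clock=lambda: 1111111109)       # fixed clock for the demonstration
    print(v.verify("admin", RFC_SECRET, "081804"))   # True
    print(v.verify("admin", RFC_SECRET, "081804"))   # False: same code replayed
```

The replay check is the part most home-grown implementations forget: without recording the last accepted step, a code captured by a phishing page remains valid for the rest of its 30-second window plus the skew allowance. Keep the per-account secret in the same protected store as the password hash, and pair this with the lockout from A5.8 so the six-digit space cannot be brute-forced.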

Malware & Technical Intrusion

Malware protection

Malware (such as computer viruses) is generally used to steal or damage information. It is often used in conjunction with other kinds of attack such as ‘phishing’ (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focussed attack on an organisation. Anti-malware solutions (including anti-virus) are available from commercial suppliers, some free, but usually as complete software and support packages.

Malware is continually evolving, so it is important that the supplier includes both malware signatures and heuristic detection facilities which are updated as frequently as possible. Anti-malware products can also help confirm whether websites you visit are malicious.

Questions in this section apply to: Computers, Laptops, Tablets and Mobile Phones

A8.1 Are all of your computers, laptops, tablets and mobile phones protected from malware by either A – having anti-malware software installed, B – limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or C – application sandboxing (i.e. by using a virtual machine)?

A8.2 (A) Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access?

A8.3 (A) Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?

A8.4 (B) Where you use an app store or application signing, are users restricted from installing unsigned applications?

A8.5 (B) Where you use an app store or application signing, do you ensure that users only install applications that have been approved by your organisation, and do you document this list of approved applications?

A8.6 (C) Where you use application sandboxing, do you ensure that applications within the sandbox are unable to access data stores, sensitive peripherals and your local network? Describe how you achieve this.
