Cyber Essentials Questionnaire

Introduction
The Cyber Essentials scheme is recommended for organisations looking for a base-level cyber
security assessment where IT is a business enabler rather than a core deliverable. It is mainly
applicable where IT systems are primarily based on Commercial Off-The-Shelf (COTS) products rather
than large, heavily customised, complex solutions.
The main objective of the Cyber Essentials assessment is to determine that your organisation has
effectively implemented the controls required by the Scheme, in order to defend against the most
common and unsophisticated forms of cyber-attack.
The completed questionnaire attests that you meet the Requirements of the Cyber Essentials
Scheme. It must be approved by a Board member (or equivalent) and will then be verified by a
competent assessor from Seric Systems (the Certifying Body). Such verification may take a number
of forms, and could include, for example, a telephone conference. The verification process will be at
the discretion of Seric Systems.
Scope of Cyber Essentials
The Scope is defined in the scheme Assurance Framework document, available on the official
scheme website www.cyberstreetwise.com/cyberessentials/files/assurance-framework.pdf
You will be required to identify the actual scope of the system(s) to be evaluated as part of the
questionnaire.
How to avoid delays & additional charges
You may incur additional charges if details are not sufficiently supplied. Answer the questions as fully
as possible, giving supporting comments, paragraphs from policies and screenshots where possible.
As a rule of thumb, if it takes longer to assess the submission than you spent preparing it, you may be
charged.
Organisation Identification
Please provide details as follows:
Organisation Name (legal entity):
Sector:
Parent Organisation name (if any):
Size of organisation (micro, small, medium or large; see definition below):
No of employees
Point of Contact name:
Salutation (Mr, Mrs, Miss etc)
Initial
First
Surname
Job Title:
Email address:
Telephone Number:
Main web address for company in scope:
Building Name/Number
Address 1
Address 2
Address 3
City
County
Postcode
Certification Body:
Do you wish to be excluded from the register of Cyber Essentials certified companies? Exclusion
means customers will not be able to find your entry. If this is left blank you will be entered.
From time to time government departments and other interested bodies may wish to use your
company for marketing Cyber Essentials. If you do not wish to be promoted in this way please enter
NO in the box. If this is left blank your consent is implied.
QG Business Solutions 2015 ©
Issue 5 20/02/16
SME Definition

Company category   Employees   Turnover   or   Balance sheet total
Medium-sized       < 250       ≤ €50 m         ≤ €43 m
Small              < 50        ≤ €10 m         ≤ €10 m
Micro              < 10        ≤ €2 m          ≤ €2 m
Business Scope
Please identify the scope of the system(s) to be assessed under this questionnaire, including
locations, network boundaries, management and ownership. Where possible, include IP addresses
and/or ranges.
A system name should be provided that uniquely identifies the systems to be assessed, and which
will be used on any certificate awarded. (Note: it is not permissible to provide the company name,
unless all systems within the organisation are to be assessed):
Insert a network diagram here.
Show public IP addresses.
State whether cloud apps are in or out of scope, and what they are.
State if you use Office 365, Google Docs, Dropbox etc.
Boundary Firewalls and Internet Gateways
1. Have you installed firewalls or similar devices at the boundaries of the networks in the Scope?
   Answer: Always / Mostly / Sometimes / Rarely / Never
   Comment: State the firewall make and type and provide a screenshot of the login.

2. Have the default usernames/passwords on all boundary firewalls (or similar devices) been changed
   to a strong password?
   Answer: Always / Mostly / Sometimes / Rarely / Never

3. Have all open ports and services on each firewall (or similar device) been subject to justification
   and approval by an appropriately qualified and authorised business representative, and has this
   approval been properly documented?
   Answer: Always / Mostly / Sometimes / Rarely / Never
   Comment: Describe the process. Is it recorded in a spreadsheet or database? Provide a screenshot,
   or provide documentation of the process used to record a change.

4. Have all commonly attacked and vulnerable services (such as Server Message Block (SMB),
   NetBIOS, tftp, RPC, rlogin, rsh and rexec) been disabled or blocked by default at the boundary
   firewalls?
   Answer: Always / Mostly / Sometimes / Rarely / Never
   Comment: Show a screenshot of the firewall rules. Attach findings from an external scanner to
   prove it.

5. Confirm that there is a corporate policy requiring all firewall rules that are no longer required to
   be removed or disabled in a timely manner, and that this policy has been adhered to (meaning that
   there are currently no open ports or services that are not essential for the business).
   Answer: Policy exists and has been implemented / Policy exists but has not been implemented /
   Policy does not exist
   Comment: Attach your policy (or an extract from it). Do you have a process to validate it? Do you
   have a formal review once a quarter? Once a year? Do you run an external scan to check?

6. Confirm that any remote administrative interface has been disabled on all firewall (or similar)
   devices.
   Answer: Always / Mostly / Sometimes / Rarely / Never
   Comment: I.e. so that you cannot log in to the router/firewall from a web page that is reachable
   from the Internet. It is acceptable to VPN into the network and then access a local login, should
   you have a requirement for a third party to have access.

7. Confirm that where there is no requirement for a system to have Internet access, a Default Deny
   policy is in effect and has been applied correctly, preventing the system from making connections
   to the Internet.
   Answer: Always / Mostly / Sometimes / Rarely / Never
   Comment: Show the firewall rules; show that by default there is a deny rule for both inbound and
   outbound traffic.
Please provide any additional evidence to support your assertions above:
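The following is an added example, not part of the questionnaire or of the certifying body's material. It probes a public IP address for the TCP services named in question 4, so that the output can be attached as the "external scanner" evidence the comment asks for. The address and the timeout are assumed placeholders; the port-to-service mapping is the standard one. Run it from a host outside the network in scope, otherwise you are testing the LAN rather than the boundary.

```powershell
# Added example, not part of the questionnaire. Probes a public IP for the TCP
# services listed in question 4. Run from a host OUTSIDE the network in scope.
# The target address used in the usage line is an assumed placeholder.
function Test-BoundaryServices {
    param(
        [Parameter(Mandatory)] [string] $PublicIp,
        [int] $TimeoutMs = 3000            # assumed timeout per port
    )

    # TCP ports of the services listed in question 4. tftp (69/udp) and the
    # NetBIOS name/datagram services (137-138/udp) are UDP and are not covered
    # by a TCP connect test; scan those with a UDP scanner such as nmap -sU.
    $services = [ordered]@{
        'SMB'                 = 445
        'NetBIOS session'     = 139
        'RPC endpoint mapper' = 135
        'SunRPC portmapper'   = 111
        'rexec'               = 512
        'rlogin'              = 513
        'rsh'                 = 514
    }

    foreach ($entry in $services.GetEnumerator()) {
        $client    = New-Object System.Net.Sockets.TcpClient
        $reachable = $false
        try {
            # Asynchronous connect so a silently dropped SYN does not block for
            # the OS default timeout; a refused connection throws in EndConnect.
            $async = $client.BeginConnect($PublicIp, $entry.Value, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)
                $reachable = $client.Connected
            }
        } catch {
            $reachable = $false
        } finally {
            $client.Close()
        }

        # Question 4 expects every one of these to be blocked at the boundary,
        # so a reachable port is a finding, not a pass.
        $verdict = if ($reachable) { 'FAIL: exposed to the Internet' } else { 'OK: blocked or filtered' }

        [pscustomobject]@{
            Service   = $entry.Key
            Port      = $entry.Value
            Reachable = $reachable
            Verdict   = $verdict
        }
    }
}

# Usage (placeholder address):
# Test-BoundaryServices -PublicIp '203.0.113.10' | Format-Table -AutoSize
```

A "blocked or filtered" result only shows that the boundary device did not complete a TCP handshake from this vantage point; it does not distinguish a deny rule from a host that is simply offline, so pair the table with the firewall rule screenshot the comment also asks for.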
Secure Configuration
8. Have all unnecessary or default user accounts been deleted or disabled?
   Answer: Yes / No
   Comment: Group Policy or Microsoft Baseline Security Analyzer (MBSA) can be used to show this.
   You can also take screenshots of the local users; make sure that the Guest account is not enabled.

9. Confirm that all accounts have passwords, and that any default passwords have been changed to
   strong passwords.
   Answer: Always / Mostly / Sometimes / Rarely / Never
   Comment: Show the password policies. Remember to do this for each kind of device: servers, Macs,
   PCs and cloud apps may all have different settings. MBSA can be used for standalone PCs, or Group
   Policy for domain-joined PCs.

10. Has all unnecessary software, including OS utilities, services and applications, been removed or
    disabled?
    Answer: Always / Mostly / Sometimes / Rarely / Never

11. Has AutoRun (or a similar service) been disabled for all media types and network file shares?
    Answer: Always / Mostly / Sometimes / Rarely / Never

12. Has a host-based firewall been installed on all desktop PCs and laptops, and is it configured to
    block unapproved connections by default?
    Answer: Installed and configured / Installed, but not configured / Not installed
    Comment: Show that the firewall is switched on on Macs, PCs and servers.

13. Is a standard build image used to configure new workstations, does this image include the
    policies, controls and software required to protect the workstation, and is the image kept up to
    date with corporate policies?
    Answer: Yes / No
    Comment: Describe how you build new PCs/Macs/servers.

14. Do you have a backup policy in place, and are backups regularly taken to protect against threats
    such as ransomware?
    Answer: Yes / No
    Comment: Describe how you back up your data. Show screenshots of the backup software and the
    policies. State how many days of backups you retain.

15. Are security and event logs maintained on servers, workstations and laptops?
    Answer: Yes / No
    Comment: Most devices maintain logs locally (e.g. Windows Event Viewer). If you forward yours
    to a central log server (e.g. syslog or a SIEM) to retain them for longer, mention it here.
Please provide any additional evidence to support your assertions above:
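The following is an added example, not part of the questionnaire. It collects the local evidence for questions 8, 9, 11 and 12 from a Windows 10/11 workstation in one object that can be pasted into the submission alongside the screenshots. The cmdlets and registry locations are the standard Windows ones; the pass/fail thresholds are the questionnaire's. Run it in an elevated PowerShell session on a representative build.

```powershell
# Added example, not part of the questionnaire. Gathers local evidence for
# questions 8, 9, 11 and 12 on a Windows 10/11 host. Run elevated.
function Get-SecureConfigEvidence {
    # Q8: the built-in Guest account must be disabled (or absent)
    $guest         = Get-LocalUser | Where-Object Name -eq 'Guest'
    $guestDisabled = ($null -eq $guest) -or (-not $guest.Enabled)

    # Q9: enabled local accounts that do not require a password at all.
    # Whether a default password has been changed cannot be read back; the
    # evidence for that is the password policy itself (net accounts / Group Policy).
    $noPassword = Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object -ExpandProperty Name

    # Q11: AutoRun disabled for every drive type, including network shares.
    # NoDriveTypeAutoRun = 0xFF (255) in the machine-wide Explorer policy key is
    # what the Group Policy setting "Turn off Autoplay: All drives" writes.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun   = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun `
                      -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $autorunDisabled = ($autorun -eq 0xFF)

    # Q12: host firewall enabled on the Domain, Private and Public profiles with
    # an explicit Block as the default inbound action. NotConfigured falls back
    # to Block in practice, but an explicit Block is what an assessor can see.
    $profiles   = Get-NetFirewallProfile
    $badProfile = $profiles | Where-Object {
        "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -ne 'Block'
    }

    [pscustomobject]@{
        Q8_GuestDisabled       = $guestDisabled
        Q9_NoPasswordAccounts  = @($noPassword)
        Q11_NoDriveTypeAutoRun = $autorun
        Q11_AutoRunDisabled    = $autorunDisabled
        Q12_HostFirewallOk     = (@($badProfile).Count -eq 0)
        Q12_Profiles           = $profiles | Select-Object Name, Enabled, DefaultInboundAction
    }
}

Get-SecureConfigEvidence | Format-List
```

The Q11 check reads only the machine-wide policy key; a per-user value under HKCU is overridden by it, so the HKLM value is the one worth showing. For Macs and Linux hosts the same facts come from the platform's own tools (for example the macOS application firewall pane and the distribution's firewall service), which this script does not cover.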
Access Control
16. Are user account requests subject to proper justification, provisioning and an approvals process,
    and assigned to named individuals?
    Answer: Yes / No
    Comment: How is this done and recorded? Is the request recorded in a helpdesk? In a spreadsheet?
    Is the company so small that the boss knows everyone? Attach some screenshot proof.

17. Are users required to authenticate with a unique username and strong password before being
    granted access to computers and applications?
    Answer: Yes / No
    Comment: Show the security settings that enforce it, or show the written policy that dictates it.

18. Are accounts removed or disabled when no longer required?
    Answer: Yes / No
    Comment: How do you handle leavers?

19. Are elevated or special access privileges, such as system administrator accounts, restricted to a
    limited number of authorised individuals?
    Answer: Yes / No

20. Are special access privileges documented and reviewed regularly (e.g. quarterly)?
    Answer: Yes / No
    Comment: Show your policies or proof of a regular review.

21. Are all administrative accounts only permitted to perform administrator activity, with no Internet
    or external email permissions?
    Answer: Yes / No

22. Does your password policy enforce changing administrator passwords at least every 60 days to a
    complex password?
    Answer: Yes / No
    Comment: Show your enforced security policy (this might be Windows Group Policy or a written
    policy). What about passwords for cloud apps? Servers? etc.
Please provide any additional evidence to support your assertions above:
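The following is an added example, not part of the questionnaire. It lists who holds local administrator rights on a Windows host (question 19) and flags enabled local administrator accounts whose password is older than the 60 days question 22 requires. Only local accounts are examined; domain administrators would need Get-ADUser from the RSAT ActiveDirectory module, which is not assumed here. The 60-day threshold is the questionnaire's; everything else is standard PowerShell. Run elevated.

```powershell
# Added example, not part of the questionnaire. Evidence for questions 19 and
# 22 from the local Administrators group of one Windows host. Run elevated.
function Get-AdminAccountEvidence {
    param([int] $MaxPasswordAgeDays = 60)   # question 22 threshold

    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    # Q19: every principal in the local Administrators group, local or domain
    $members = Get-LocalGroupMember -Group 'Administrators'

    # Q22: local user members whose password was last set before the cutoff
    # (or never set, which Get-LocalUser reports as a $null PasswordLastSet)
    $stale = foreach ($m in $members) {
        if ("$($m.ObjectClass)" -ne 'User' -or "$($m.PrincipalSource)" -ne 'Local') { continue }
        $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
        if (-not $u -or -not $u.Enabled) { continue }
        if ($null -eq $u.PasswordLastSet -or $u.PasswordLastSet -lt $cutoff) {
            $ageDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                Name            = $u.Name
                PasswordLastSet = $u.PasswordLastSet
                AgeDays         = $ageDays
            }
        }
    }

    [pscustomobject]@{
        Q19_AdminCount          = @($members).Count
        Q19_Administrators      = $members | Select-Object Name, ObjectClass, PrincipalSource
        Q22_StaleAdminPasswords = @($stale)   # empty array means every local admin is within 60 days
    }
}

Get-AdminAccountEvidence | Format-List
```

A large Q19_AdminCount, or a domain group such as "Domain Users" appearing in Q19_Administrators, is the kind of finding an assessor will ask about, so resolve it before submitting rather than explaining it in the comment box.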
Malware Protection
23. Please confirm that malware protection software has been installed on at least all computers with
    an ability to connect outside of the network in Scope.
    Answer: Always / Mostly / Sometimes / Rarely / Never
    Comment: Provide the name and a screenshot of the anti-malware software for each type of device
    (e.g. Macs will use the built-in anti-malware, PCs might have Sophos, Linux servers might have
    ClamAV).

24. Does corporate policy require all malware protection software to have all engine updates applied,
    and is this applied rigorously?
    Answer: Yes / No
    Comment: Show an extract from your security policy.

25. Have all anti-malware signature files been kept up to date (through automatic updates or through
    centrally managed deployment)?
    Answer: Yes / No
    Comment: Show the update settings for your anti-malware.

26. Has malware protection software been configured for on-access scanning, and does this include
    downloading or opening files, opening folders on removable or remote storage, and web page
    scanning?
    Answer: Yes / No
    Comment: Show the scanning settings for your anti-malware.

27. Has malware protection software been configured to run regular (at least daily) scans?
    Answer: Yes / No
    Comment: Show the scanning settings for your anti-malware.

28. Are users prevented from running executable code or programs from any media to which they
    also have write access? Other than anti-virus software, are access control measures in place to
    prevent virus code modifying commonly run executable files?
    Answer: Yes / No (first part); Always / Mostly / Sometimes / Rarely / Never (second part)
    Comment: Tell us about any more advanced security functionality.

29. Are users prevented from accessing known malicious web sites by your malware protection
    software through a blacklisting function?
    Answer: Yes / No
Please provide any additional evidence to support your assertions above:
Patch Management
30. Is all software installed on computers and network devices in the Scope licensed and supported?
    Answer: Always / Mostly / Sometimes / Rarely / Never

31. Are all Operating System security patches applied within 14 days of release?
    Answer: Always / Mostly / Sometimes / Rarely / Never
    Comment: Tell us your OS update settings for each type of OS and show screenshots of them. For
    PCs this will be the Windows Update settings. If patches aren't applied within 14 days, explain
    why not.

32. Are all application software security patches applied within 14 days of release?
    Answer: Always / Mostly / Sometimes / Rarely / Never
    Comment: Microsoft applications will be covered by Windows Update. What about others: Chrome?
    Java? etc. If they aren't patched within 14 days, explain why not.

33. Is all legacy or unsupported software isolated, disabled or removed from devices within the
    Scope?
    Answer: Yes / No
    Comment: Are there any old machines, such as Windows NT or XP, that are end of life? If so, how
    do you keep them separate from the rest of the network?

34. Is a mobile working policy in force that requires mobile devices (including BYOD) to be kept up to
    date with vendor updates and app patches?
    Answer: Yes / No
    Comment: Show your policy.
Please provide any additional evidence to support your assertions above:
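The following is an added example, not part of the questionnaire. It serves both the Malware Protection questions 25 to 27 and the Patch Management questions 31 and 33 above, gathering the facts from one Windows host in a single object. It assumes Microsoft Defender is the anti-malware product (Get-MpComputerStatus is Defender's own cmdlet; Sophos, ClamAV and others expose the same facts through their own consoles). Get-HotFix reads the OS update history only, so it says nothing about third-party applications (question 32), and "days since the last installed update" is a proxy for "applied within 14 days of release", not the same thing. The one-day signature age and 14-day patch age thresholds are the questionnaire's; the daily quick-scan threshold is an assumption. Run elevated.

```powershell
# Added example, not part of the questionnaire. Evidence for questions 25-27
# (assumes Microsoft Defender) and 31 and 33 (Windows update history and OS
# version) from one Windows host. Run elevated.
function Get-MalwareAndPatchEvidence {
    param(
        [int] $MaxSignatureAgeDays = 1,    # signatures should refresh daily (Q25)
        [int] $MaxPatchAgeDays     = 14    # questionnaire threshold (Q31)
    )

    # Q25-Q27: Defender engine state, signature age and last quick scan
    $mp = Get-MpComputerStatus

    # Q31: most recently installed Windows update that has a recorded date
    # (Get-HotFix reads Win32_QuickFixEngineering; some entries lack a date)
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn |
        Select-Object -Last 1
    $patchAgeDays = if ($lastFix) { [int]((Get-Date) - $lastFix.InstalledOn).TotalDays } else { $null }

    # Q33: OS caption and version, to spot end-of-life builds
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        Q25_SignatureAgeDays    = $mp.AntivirusSignatureAge
        Q25_SignaturesUpToDate  = ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
        Q26_RealTimeProtection  = $mp.RealTimeProtectionEnabled
        Q26_OnAccessProtection  = $mp.OnAccessProtectionEnabled
        Q27_QuickScanAgeDays    = $mp.QuickScanAge
        Q27_DailyScanOk         = ($mp.QuickScanAge -le 1)        # assumed daily threshold
        Q31_LastPatch           = $lastFix.HotFixID
        Q31_LastPatchInstalled  = $lastFix.InstalledOn
        Q31_PatchAgeDays        = $patchAgeDays
        Q31_WithinFourteenDays  = ($null -ne $patchAgeDays -and $patchAgeDays -le $MaxPatchAgeDays)
        Q33_OperatingSystem     = "$($os.Caption) (version $($os.Version))"
    }
}

Get-MalwareAndPatchEvidence | Format-List
```

Run it on one host of each build in scope and attach the output next to the Windows Update and anti-malware screenshots the comments ask for; the script documents the state on the day it was run, so note the date with it.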
Approval
It is a requirement of the Scheme that a Board-level (or equivalent) representative of the organisation
has approved the information given. Please provide evidence of such approval:
X