By Jason McNicholas
Cyber Essentials assessor
Important note: As of 1st April 2020 the Cyber Essentials Scheme changed structure and there is now only one NCSC Trusted Partner (IASME) coordinating Certification Bodies and other Cyber Essentials realated activities.
For a comprehensive guide to passing first time using the IASME questionnaire, please purchase our updated companion document here:
The post below relates to the question set issued by QG Management Standards and has now been superseded.
QG Management Standards Version – pre 2020:
As a certification body for Cyber Essentials, we see wildly varying responses to the questionnaire. There seems to be a lot of confusion around particular questions and this Blog aims to help you get it right first time.
Section 2 focuses on Internet-Facing services like email logins and web portal logins, so it follows that answering ‘local logins through active directory’ does not satisfy the requirements unless active directory administers technical controls to these services.
Question 4.5 In order to prevent untrusted programs running automatically, (including those from the internet) have you disabled any feature that would allow the such files to auto-run or, at least, is user authorisation required before file execution?
Describe how this has been achieved. is often only part answered. The question refers to both autorunning from the internet and removable media. It is worth noting that disabling autorun does not prevent the automatic running of untrusted programs from the internet. The controls against the automatic running of untrusted programs from removable media and the internet should both be stated. Quoting user access control does not answer this question for either internet or removable media.
Question 5.5 Where feasible, has the organisation implemented two factor authentication? is about the implementation of two-factor authentication (2FA). Giving ‘No’ or ‘N/A’ as an answer to this will result in a clarification request from the assessor. If 2FA has not been implemented, an organisation must show it has investigated the option or has a plan in place to investigate implementation.
A common answer to Question 7.2 Is all software removed from devices in scope when no longer supported? is ‘Software is removed when no longer required.’ Assessors need to know if software is removed when it reaches end of life. If software still has a requirement but is unsupported, the controls to prevent systems using the software from accessing sensitive information should be stated.