IASME Cyber Essentials questionnaire
Here is the IASME Cyber Essentials Questionnaire. It is in a text format. Hopefully it gives you a flavour of what you can expect.
You can download the IASME Cyber Essentials Questionnaire PDF including the preparation advise by clicking the link.
Section-1: Your company
In this section we need to know a little about how your organisation is set up so we can ask you the most appropriate questions.
A1.1. What is your organisation's name (for companies: as registered with Companies House)?
A1.2. What is your organisation's registration number (if you have one)?
A1.3. What is your organisation's address (for companies: as registered with Companies House)?
A1.4. What is your main business?
- Agriculture, Forestry and Fishing
- Real estate
- Mining and Quarrying
- Professional, scientific and technical
- Administration and support services
- Electricity, Gas, Steam and Air-conditioning
- Public administration and defence
- Water supply, Sewerage, Waste
- management and Remediation
- Compulsory social security
- Wholesale and Retail trade
- Human Health and Social Work
- Repair of motorcars and motorcycles
- Arts Entertainment and Recreation
- Transport and storage
- Other service activities
- Accommodation and food services
- Financial and insurance
- Information and communication
- Activities of extraterritorial organisations and bodies
- Activities of households as employers; undifferentiated goods and services producing for households for own use
A1.5. What is your website address?
A1.6. What is the size of your organisation?
A1.7. How many staff are home workers?
A1.8. Is this application a renewal of an existing certification or is it the first time you have applied for certification?
A1.9. What is your main reason for applying for certification?
Section-2: Scope of the Assessment
In this section, we need you to describe the elements of your organisation which you want to certify to this accreditation. The scope should be either the whole organisation or an organisational sub- unit (for example, the UK operation of a multinational company). All computers, laptops, servers, mobile phones, tablets and firewalls/routers that can access the internet and are used by this organisation or sub-unit to access business information should be considered “in-scope”. All locations that are owned or operated by this organisation or sub-unit, whether in the UK or internationally should be considered “in-scope”.
A2.1. Does the scope of this assessment cover your whole organisation?
A2.2. If it is not the whole organisation, then what scope description would you like to appear on your certificate and website?
A2.5. Please describe the geographical locations of your business which are in the scope of this assessment.
You should provide either a broad description (i.e. All UK offices) or simply list the locations in scope (i.e. Manchester and Glasgow retail stores).
A2.6. Please list the quantities of laptops, computers and servers within the scope of this assessment.
A2.7. Please list the quantities of tablets and mobile devices within the scope of this assessment. You must include model and operating system versions for all devices.
A2.8. Please provide a list of the networks that will be in the scope for this assessment.
A2.9. Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers).
A2.10. Please provide the name and role of the person who is responsible for managing the information systems in the scope of this assessment?
All organisations with a head office domiciled in the UK and a turnover of less than £20 million get automatic cyber insurance if they achieve Cyber Essentials certification. The cost of this is included in the assessment package but you can opt out of the insurance element if you choose. This will not change the price of the assessment package. If you want the insurance then we do need to ask some additional questions and these answers will be forwarded to the broker. The answers to these questions will not affect the result of your Cyber Essentials assessment. It is important that the insurance information provided is as accurate as possible and that the assessment declaration is signed by Board level or equivalent, to avoid any delays to the insurance policy being issued.
A3.1. Is your head office domiciled in the UK and is your gross annual turnover less than £20m?
A3.2. If you have answered “yes” to the last question then your company is eligible for the included cyber insurance if you gain certification. If you do not want this insurance element please opt out here.
A3.3. What is your total gross revenue? Please provide figure to the nearest £100K. You only need to answer this question if you are taking the insurance.
A3.4. Is the company or its subsidiaries any of the following: medical, call centre, telemarketing, data processing (outsourcers), internet service provider, telecommunications or an organisation regulated by the FCA? You only need to answer this question if you are taking the insurance.
A3.5. Does the company have any domiciled operation or derived revenue from the territory or jurisdiction of Canada and / or USA?
A3.6. What is the organisation email contact for the insurance documents? You only need to answer this question if you are taking the insurance.
Cyber Essentials Basic - CEB001
2 Days for Remediation
1 Day Turnaround
£25k Cyber Insurance*
Guided Cyber Essentials - CEB002
Everything in CEB001 plus
Cyber Essentials Plus - CEP001
Everything in CEB002 Plus
30 Day Remediation
Systems Audit (remote)
Guided CE Plus - CEP002
Everything in CEP001 plus
Pre- systems Audit
Gap Analysis report
Section-4: Office Firewalls and Internet Gateways
Firewall is the generic name for software or hardware which provides technical protection between your systems and the outside world. There will be a firewall within your internet router. Common internet routers are BT Home Hub, Virgin Media Hub or Sky Hub.
Your organisation may also have set up a separate hardware firewall device between your network and the internet. Firewalls are powerful devices and need to be configured correctly to provide effective security.
Questions in this section apply to: Hardware Firewall devices, Routers, Computers and Laptops only.
A4.1. Do you have firewalls at the boundaries between your organisation’s internal networks and the internet?
A4.2. When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?
A4.3. Is the new password on all your internet routers or hardware firewall devices at least 8 characters in length and difficult to guess?
A4.4. Do you change the password when you believe it may have been compromised? How do you achieve this?
A4.5. Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?
A4.6. If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process.
A4.7. Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?
A4.8. Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?
A4.9. If yes, is there a documented business requirement for this access?
A4.10. If yes, is the access to the settings protected by either two-factor authentication or by only allowing trusted IP addresses to access the settings? List which option is used.
A4.11. Do you have software firewalls enabled on all of your computers and laptops?
A4.12. If no, is this because software firewalls are not commonly available for the operating system you are using? Please list the operating systems.
Check out our blog article 'Cyber Essentials Plus patching requirements'
Section-5: Secure Configuration
Computers are often not secure upon default installation. An ‘out-of-the-box’ set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications or services. All of these present security risks.
Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones.
A5.1. Where you are able to do so, have you removed or disabled all the software that you do not use on your laptops, computers, servers, tablets and mobile phones? Describe how you achieve this.
A5.2. Have you ensured that all your laptops, computers, servers, tablets and mobile devices only contain necessary user accounts that are regularly used in the course of your business?
A5.3. Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?
A5.4. Do all your users and administrators use passwords of at least 8 characters?
The longer a password, the more difficult it is for cyber criminals to guess (or brute-force) it.
A5.5. Do you run software that provides sensitive or critical information (that shouldn't be made public) to external users across the internet?
A5.6. If yes, do you ensure all users of these services use a password of at least 8 characters and that your systems do not restrict the length of the password?
A5.7. If yes, do you ensure that you change passwords if you believe that they have been compromised?
A5.8. If yes, are your systems set to lockout after ten or fewer unsuccessful login attempts, or limit the number of login attempts to no more than ten within five minutes?
A5.9. If yes, do you have a password policy that guides all your users?
A5.10. Is "auto-run" or "auto-play" disabled on all of your systems?
Check out our blog article ‘What exactly is included in Cyber Essentials Plus audit?'
Section-6: Software Patching
To protect your organisation, you should ensure that your software is always up-to-date with the latest patches. If, on any of your in-scope devices, you are using an operating system which is no longer supported, (e.g. Microsoft Windows XP/Vista/2003 or macOS El Capitan, Ubuntu 17.10), and you are not being provided with updates from another reliable source, then you will not be awarded certification. Mobile phones and tablets are in-scope and must also use an operating system that is still supported by the manufacturer.
Questions in this section apply to: Servers, Computers, Laptops, Tablets, Mobile Phones, Routers and Firewalls.
A6.1. Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems?
A6.2. Are all applications on your devices supported by a supplier that produces regular fixes for any security problems?
A6.3. Is all software licensed in accordance with the publisher’s recommendations?
A6.4. Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how do you achieve this.
A6.5. Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.
A6.6. Have you removed any applications on your devices that are no longer supported and no longer receive regular fixes for security problems?
Section-7: User Accounts
It is important to only give users access to the resources and data necessary for their roles, and no more. All users need to have unique accounts and should not be carrying out day-to-day tasks such as invoicing or dealing with e-mail whilst logged on as a user with administrator privileges which allow significant changes to the way your computer systems work.
Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones.
A7.1. Are users only provided with user accounts after a process has been followed to approve their creation? Describe the process.
A7.2. Can you only access laptops, computers and servers in your organisation (and the applications they contain) by entering a unique user name and password?
A7.3. How do you ensure you have deleted, or disabled, any accounts for staff who are no longer with your organisation?
A7.4. Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?
Check out our blog article 'What is the process for Cyber Essentials plus?'
User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When these privileged accounts are accessed by attackers they can cause the most amount of damage because they can usually perform actions such as install malicious software and make changes. Special access includes privileges over and above those of normal users.
It is not acceptable to work on a day-to-day basis in a privileged “administrator” mode. Questions in this section apply to: Servers, Computers, Laptops, Tablets and Mobile Phones.
A7.5. Do you have a formal process for giving someone access to systems at an “administrator” level?
Describe the process.
A7.6. How do you ensure that staff only use administrator accounts to carry out administrative activities (such as installing software or making configuration changes)?
A7.7. How do you ensure that administrator accounts are not used for accessing email or web browsing?
A7.8. Do you formally track which users have administrator accounts in your organisation?
A7.9. Do you review who should have administrative access on a regular basis?
A7.10. Have you enabled two-factor authentication for access to all administrative accounts?
A7.11. If no, is this because two-factor authentication is not available for some or all of your devices or systems? List the devices or systems that do not allow two-factor authentication.
Section-8: Malware protection
Malware (such as computer viruses) is generally used to steal or damage information. Malware are often used in conjunction with other kinds of attack such as ‘phishing’ (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focussed attack on an organisation. Anti-malware solutions (including anti-virus) are available from commercial suppliers, some free, but usually as complete software and support packages.
Malware are continually evolving, so it is important that the supplier includes both malware signatures and heuristic detection facilities which are updated as frequently as possible. Anti-malware products can also help confirm whether websites you visit are malicious.
Questions in this section apply to: Computers, Laptops, Tablets and Mobile Phones.
A8.1. Are all of your computers, laptops, tablets and mobile phones protected from malware by either
A - having anti-malware software installed,
B - limiting installation of applications to an approved set (i.e. using an App Store and a list of approved applications) or
C - application sandboxing (i.e. by using a virtual machine)?
A8.2. If Option A: Where you have anti-malware software installed, is it set to update daily and scan files automatically upon access?
A8.3. If Option A: Where you have anti-malware software installed, is it set to scan web pages you visit and warn you about accessing malicious websites?
A8.4. If Option B: Where you use an app-store or application signing, are users restricted from installing unsigned applications?
A8.5. If Option B: Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you document this list of approved applications?
A8.6. If Option C: Where you use application sandboxing, do you ensure that applications within the sandbox are unable to access data stores, sensitive peripherals and your local network? Describe how you achieve this.
That is the IASME Cyber Essentials Questionnaire. Hope that helped. If you need any further help please get in touch CE@thetechforce.co.uk. Also try out our CE checklist below for instant results. It will give an indication of your certification based on your answers.
Cyber Essentials Plus accreditation/certification explained
The article dives deep into what Cyber Essentials Plus accreditation/certification is, the requirements for the certification, cost and the process to achieve it.More
What is the process for Cyber Essentials Plus Certification?
Cyber Essentials Plus accreditation involves the auditing of your IT systems. Read the article to know what exactly is involved in the process.More
What exactly is involved in Cyber Essentials Plus audit?
Cyber Essentials Plus accreditation involves the auditing of your IT systems. Read the article to know what exactly is involved in he audit process.More
Cyber Essentials most frequently asked questions
Cyber Essentials is a Government-backed, industry-supported certification and run by National Cyber Security Centre (NCSC). Here are the Cyber Essentials scheme most frequently asked questio...More
FOR LATEST UPDATES SUBSCRIBE HERE: