Questionnaire Part 5 Secure Business Operations (Secure Configuration)

This guide reflects the Willow question set, introduced in April 2025. Applications using the Montpellier question set will differ in some areas; these applications may still be completed before 28th October 2025.
Secure Business Operations (Secure Configuration)
A5.1 Removed Unused Software
Have you removed or disabled all the software that you do not use on your laptops, desktop computers, thin clients, servers, tablets, mobile phones, and cloud services? Describe how you achieve this.

You must remove or disable applications, system utilities and network services that are not needed in day-to-day use. You need to check your cloud services and disable any services that are not required for day-to-day use.
To view installed applications:
Windows: Right-click on Start > Apps and Features
macOS: Open Finder > Applications
Linux: Open your software package manager (apt, rpm, yum)
CE Requirement: You must regularly remove or disable unnecessary software (including applications, system utilities and network services).
Further guidance:

In this question we are looking to see if you have removed any software that you are not using on your device.
We need a short description on how this is achieved.
An example of an acceptable answer is:
When configuring a device, we remove any software that may be shipped with the device.
Setup of the device is reviewed by a senior colleague before signed off as complete.
Going forward, any software that is no longer used by the company or individual is removed.
We regularly check what software applications are installed to remove them when any are retired.
A5.2 Remove Unrequired User Accounts
Have you ensured that all your laptops, computers, servers, tablets, mobile devices, and cloud services only contain necessary user accounts that are regularly used in the course of your business?

You must remove or disable any user accounts that are not needed in day-to-day use on all devices and cloud services.
To view user accounts:
Windows: Right-click on Start > Computer Management > Users
macOS: System Settings > Users and Groups
Linux: `cat /etc/passwd`
CE Requirement: You must regularly remove and disable unnecessary user accounts (such as guest accounts and administrative accounts that won’t be used).
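As an added example (not part of the Cyber Essentials guidance), the following Python script does the review that `cat /etc/passwd` supports by hand: it parses the `/etc/passwd` and `/etc/shadow` formats and lists the accounts that can still log in interactively, which are the ones to test against "necessary and regularly used". The sample file contents are constructed for illustration, and the set of no-login shells is an assumption you may need to extend for your distribution.

```python
# Added example for the A5.2 account review; not part of the Cyber Essentials
# guidance. Parses /etc/passwd and /etc/shadow and lists accounts that still
# have a login shell and an unlocked password.
from __future__ import annotations
from dataclasses import dataclass

# Shells that refuse interactive login (assumed common paths; extend as needed).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    locked: bool  # True when the shadow password field starts with '!' or '*'


def parse_shadow(shadow_text: str) -> dict[str, bool]:
    """Map each user name to whether its password is locked in /etc/shadow."""
    locked: dict[str, bool] = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw_field = line.split(":")[:2]
        # '!' or '*' disables the password; '!$y$...' is a hash that has been locked.
        locked[name] = pw_field.startswith(("!", "*"))
    return locked


def parse_passwd(passwd_text: str, shadow_text: str = "") -> list[Account]:
    """Parse /etc/passwd lines (name:x:uid:gid:gecos:home:shell) into Accounts."""
    locked = parse_shadow(shadow_text)
    accounts: list[Account] = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than guess
        name, _, uid, _, _, _, shell = fields
        accounts.append(Account(name, int(uid), shell, locked.get(name, False)))
    return accounts


def interactive_accounts(passwd_text: str, shadow_text: str = "") -> list[Account]:
    """Accounts with a login shell and an unlocked password."""
    return [
        a for a in parse_passwd(passwd_text, shadow_text)
        if a.shell not in NOLOGIN_SHELLS and not a.locked
    ]


# Constructed sample data (not taken from a real system).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
oldcontractor:x:1002:1002::/home/oldcontractor:/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$abc$def:19000:0:99999:7:::
guest:$y$j9T$ghi$jkl:19000:0:99999:7:::
oldcontractor:!$y$j9T$mno$pqr:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for account in interactive_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"review: {account.name} (uid {account.uid}, shell {account.shell})")
```

On the sample data the script reports `alice` and `guest`; the guest account is exactly the kind of account this question expects to see removed, and `oldcontractor` is already locked. Run it against real files with `python3 audit.py` after replacing the sample strings with `open("/etc/passwd").read()` and (as root) `open("/etc/shadow").read()`.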

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
We are looking to see that your devices only contain the user accounts that are required. Any other accounts must be removed.

Please note that unnecessary guest accounts must be removed as part of this requirement.
A5.3 Change Default Password
Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets, and mobile phones that follow the password-based authentication requirements of Cyber Essentials?

A password that is difficult to guess will be unique and not be made up of common or predictable words such as "password" or "admin", or include predictable number sequences such as "12345".
CE Requirement: You must regularly change any default or guessable account passwords.
Use technical controls to manage the quality of passwords. This will include one of the following:
- using multi-factor authentication
- a minimum password length of at least 12 characters, with no maximum length restrictions
- a minimum password length of at least 8 characters, with no maximum length restrictions and use automatic blocking of common passwords using a deny list

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Many devices come with default passwords that can be easily found on the internet. All default passwords must be changed.
A5.4 Internally Hosted External Services
Do you run or host external services that provide access to data (that shouldn't be made public) to users across the internet?

Your business might run software that allows staff or customers to access information across the internet from an external service hosted on your internal network, in a cloud data centre or on an IaaS cloud service. This could be a VPN server, a mail server, or an internally hosted internet application such as a SaaS or PaaS cloud service that you provide to your customers as a product. In all cases, these applications hold information that is confidential to your business and your customers and that you would not want to be publicly accessible.
CE Requirement: Ensure users are authenticated before allowing them access to organisational data or services.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant. Answering 'Yes' will trigger additional questions.
A5.5 External Services Authentication
If yes to question A5.4, which authentication option do you use?

A. Multi-factor authentication, with a minimum password length of 8 characters and no maximum length
B. Automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length
C. A minimum password length of 12 characters and no maximum length
D. Passwordless, please describe
E. None of the above, please describe
Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the section about ‘Password-based authentication’ in the ‘Cyber Essentials Requirements for IT Infrastructure’ document.
CE Requirement: Use technical controls to manage the quality of passwords. This will include one of the following:
- using multi-factor authentication
- a minimum password length of at least 12 characters, with no maximum length restrictions
- a minimum password length of at least 8 characters, with no maximum length restrictions and use automatic blocking of common passwords using a deny list

This is a multiple-choice question.
You must select at least one of A, B, C, or D to meet the scheme's requirements.
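As an added example (not part of the Cyber Essentials guidance) covering the password-quality controls listed under A5.3 and A5.5, the Python below checks a candidate password against the three allowed options and shows how a deny list of common passwords is applied. The deny list is constructed for illustration; a real deployment would load a published list of common or breached passwords. The `normalise` step, which strips trailing digits and symbols so that `Password123!` is compared as `password`, goes beyond the guide's literal wording and is an assumption about how a useful deny list behaves.

```python
# Added example for A5.3 and A5.5; not part of the Cyber Essentials guidance.
# Checks a password against the CE password-based authentication options.
from __future__ import annotations
import re

# Constructed deny list for illustration; load a published list in practice.
COMMON_PASSWORDS = {
    "password", "admin", "qwerty", "letmein", "welcome",
    "12345", "123456", "12345678", "iloveyou",
}


def normalise(password: str) -> str:
    """Lower-case and strip trailing digits/symbols so that 'Password123!'
    is compared as 'password'. This is an assumption beyond the guide's text,
    which only asks for a deny list of common passwords."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def is_common(password: str, deny_list: set[str]) -> bool:
    """True if the password, or its normalised form, is on the deny list."""
    return password.lower() in deny_list or normalise(password) in deny_list


def check_password(password: str, *, mfa_enabled: bool = False,
                   deny_list: set[str] | None = None) -> tuple[bool, str]:
    """Return (accepted, reason) under the CE options:
       A: MFA in use and at least 8 characters
       B: deny list enforced and at least 8 characters
       C: at least 12 characters
    No option imposes a maximum length, so none is checked here."""
    if deny_list is not None and is_common(password, deny_list):
        return False, "rejected: on the deny list of common passwords"
    n = len(password)
    if mfa_enabled and n >= 8:
        return True, "accepted under option A (MFA, 8+ characters)"
    if deny_list is not None and n >= 8:
        return True, "accepted under option B (deny list, 8+ characters)"
    if n >= 12:
        return True, "accepted under option C (12+ characters)"
    return False, f"rejected: {n} characters is too short for the configured controls"


if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    print(check_password("Summer2024!", mfa_enabled=True))
    print(check_password("Password123!", deny_list=COMMON_PASSWORDS))
    print(check_password("horsebattery", deny_list=COMMON_PASSWORDS))
    print(check_password("correcthorsebatterystaple"))
    print(check_password("Tr0ub4dor"))
```

The deny-list check runs first whenever a deny list is configured, so a common password is refused even when it would otherwise pass on length alone; an 8-character password with neither MFA nor a deny list behind it is refused because none of the three options covers it.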
A5.6 External Services Password Change Process
Describe the process in place for changing passwords on your external services when you believe they have been compromised.

Passwords may be compromised if there has been a virus on your system or if the manufacturer notifies you of a security weakness in their product. You should know how to change the password if this occurs.
CE Requirement: You should also make sure there is an established process in place to change passwords promptly if you know or suspect a password or account has been compromised.

You should write a concise description of your procedure for changing potentially compromised passwords.
An example of an acceptable answer is:
If there is any suspicion that a password may have been compromised, the IT team is notified; they immediately block the account from accessing services and reset the password.
A5.7 External Services Brute-Force Protection
When not using multi-factor authentication, which option are you using to protect your external service from brute force attacks?

A. Throttling the rate of attempts
B. Locking accounts after 10 unsuccessful attempts
C. None of the above, please describe
The external service that you provide must be set to slow down or stop attempts to log in if the wrong username and password have been tried a number of times. This reduces the opportunity for cyber criminals to keep trying different passwords (brute-forcing) in the hope of gaining access.
CE Requirement: You must protect your chosen authentication method (which can be biometric authentication, password or PIN) against brute-force attacks. When it's possible to configure, you should apply one of the following:
- 'throttling' the rate of attempts, so that the length of time the user must wait between attempts increases with each unsuccessful attempt; you shouldn't allow more than 10 guesses in 5 minutes
- locking devices after more than 10 unsuccessful attempts
- when the vendor doesn't allow you to configure the above, use the vendor's default setting.

You should choose from the available options. Options A and B are both compliant. If you select Option C, describe the controls you have in place to protect against brute-force attacks: this may be confirmation that you rely on multi-factor authentication, or that you enforce a stricter version of Option A or B (for example, locking accounts after only 5 unsuccessful attempts).
A5.8 Auto-Run Disabled
Have you disabled any feature which allows automatic file execution of downloaded or imported files without user authorisation?

This refers to a device setting that automatically runs software found on external media or downloaded from the internet.
It is acceptable to choose the option where a user is prompted to make a choice about what action will occur each time they insert a memory stick. If you have chosen this option, you can answer yes to this question.
CE Requirement: Disable any auto-run feature which allows file execution without user authorisation (such as when they are downloaded).

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A5.9 Device Unlocking
When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed?

Device locking mechanisms, such as a biometric, password or PIN, need to be enabled to prevent unauthorised access to devices that access organisational data or services.
CE Requirement: Ensure appropriate device locking controls for users that are physically present.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A5.10 Device Unlocking Method
Which method do you use to unlock the devices?
Please refer to Device Unlocking Credentials paragraph found under Secure Configuration in the Cyber Essentials Requirements for IT Infrastructure document for further information.
A PIN of at least six characters may only be used where the credential serves just to unlock the device and does not provide access to organisational data and services without further authentication.
CE Requirement: If a device requires a user’s physical presence to access a device’s services (such as logging on to a laptop or unlocking a mobile phone), a credential such as a biometric, password or PIN must be in place before a user can gain access to the services.
You must protect your chosen authentication method against brute-force attacks. When it's possible to configure, you should apply one of the following:
- 'throttling' the rate of attempts, so that the length of time the user must wait between attempts increases with each unsuccessful attempt; you shouldn't allow more than 10 guesses in 5 minutes
- locking devices after more than 10 unsuccessful attempts
- when the vendor doesn't allow you to configure the above, use the vendor's default setting.
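As an added example (not part of the Cyber Essentials guidance) covering the brute-force protections described under A5.7 and here in A5.10, the Python below implements the two configurable options side by side: a throttling guard whose wait between attempts doubles with each failure and which never evaluates more than 10 guesses in any 5-minute window, and a lockout guard that locks after 10 unsuccessful attempts. The limits are the guide's; the 1-second base delay, the doubling schedule and the simulated attacker who guesses once a second are assumptions, and the simulation goes beyond the text to show how many guesses each guard actually lets through in 5 minutes.

```python
# Added example for A5.7 and A5.10; not part of the Cyber Essentials guidance.
# Two login guards: throttling with an increasing wait, and lockout after a
# fixed number of failures. Both take the clock as a parameter so the
# behaviour can be checked without waiting in real time.
from __future__ import annotations
from collections import deque

WINDOW_SECONDS = 300          # "no more than 10 guesses in 5 minutes"
MAX_GUESSES_PER_WINDOW = 10
LOCKOUT_THRESHOLD = 10        # "locking after 10 unsuccessful attempts"


class ThrottledLogin:
    def __init__(self, base_delay: float = 1.0):       # base delay is an assumption
        self.base_delay = base_delay
        self.failures: dict[str, int] = {}              # consecutive failures per user
        self.next_allowed: dict[str, float] = {}        # earliest time of the next attempt
        self.recent: dict[str, deque] = {}              # timestamps of evaluated failed guesses

    def attempt(self, user: str, credential_ok: bool, now: float) -> str:
        """Return 'success', 'failed' or 'throttled'. The caller supplies the
        result of the credential check and the current time in seconds."""
        window = self.recent.setdefault(user, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                            # forget guesses older than 5 minutes
        if now < self.next_allowed.get(user, 0.0) or len(window) >= MAX_GUESSES_PER_WINDOW:
            return "throttled"                          # refused before any check; not a guess
        if credential_ok:
            self.failures[user] = 0
            self.next_allowed[user] = 0.0
            window.clear()
            return "success"
        window.append(now)
        self.failures[user] = self.failures.get(user, 0) + 1
        # Wait 1 s, 2 s, 4 s, ... so the 10th guess cannot arrive before 511 s.
        self.next_allowed[user] = now + self.base_delay * 2 ** (self.failures[user] - 1)
        return "failed"


class LockoutLogin:
    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def attempt(self, user: str, credential_ok: bool, now: float = 0.0) -> str:
        """Return 'success', 'failed' or 'locked'. The 10th failure locks the
        account; after that even the right credential is refused until unlock()."""
        if user in self.locked:
            return "locked"
        if credential_ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return "failed"

    def unlock(self, user: str) -> None:
        """Administrative reset, e.g. after the password-change process in A5.6."""
        self.locked.discard(user)
        self.failures[user] = 0


def guesses_evaluated(guard, seconds: int = WINDOW_SECONDS) -> int:
    """Constructed scenario: a wrong password is submitted every second for the
    given duration; count how many guesses the guard actually evaluated."""
    results = [guard.attempt("alice", False, now=float(t)) for t in range(seconds)]
    return sum(r == "failed" for r in results)


if __name__ == "__main__":
    print("throttling: guesses evaluated in 5 minutes =", guesses_evaluated(ThrottledLogin()))
    print("lockout:    guesses evaluated in 5 minutes =", guesses_evaluated(LockoutLogin()))
```

A throttled attempt is refused before the credential is checked, so it does not count as a guess and does not extend the wait; a correct credential presented during the wait is still refused until the wait has elapsed. With the doubling schedule the throttling guard evaluates 9 guesses in 5 minutes and the lockout guard 10, after which it refuses everything until an administrator unlocks the account.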

Provide a brief description of the method used to unlock your devices.
Technical controls must be used to manage the quality of credentials. If credentials are just to unlock a device, you can use biometrics (e.g., fingerprint, face ID) or a minimum password or PIN length of at least 6 characters. When the device unlocking credentials are also used for authentication, then the method must be one of the following: a password of minimum 8 characters supported by either MFA or a deny list, or a password of minimum 12 characters. Please see Cyber Essentials Requirements for IT Infrastructure for more information.