Questionnaire Part 5 Secure Business Operations (Secure Configuration)

Notes
This guide reflects the Willow question set, introduced in April 2025. Applications using the Montpellier question set will differ in some areas; these applications may still be completed before 28th October 2025. 

Secure Business Operations (Secure Configuration)


A5.1 Removed Unused Software

Have you removed or disabled all the software that you do not use on your laptops, desktop computers, thin clients, servers, tablets, mobile phones, and cloud services? Describe how you achieve this.
Alert
You must remove or disable applications, system utilities and network services that are not needed in day-to-day use. The same applies to cloud services: review the services and features enabled in each tenant and disable any that are not required for day-to-day use. Every unused component is an attack surface that still needs patching even though nobody relies on it.

To view installed applications:
Windows: Settings > Apps > Installed apps (Windows 11) or Apps & features (Windows 10); on servers also review installed roles and features in Server Manager or with "Get-WindowsFeature" in PowerShell
macOS: Open Finder > Applications
Linux: Use the distribution's package manager, for example "dpkg -l" (Debian/Ubuntu) or "rpm -qa" (RHEL/Fedora); "ss -tlnp" lists the network services currently listening

CE Requirement: You must regularly remove or disable unnecessary software (including applications, system utilities and network services).

Further guidance:
Info
In this question we are looking to see if you have removed any software that you are not using on your device.
We need a short description on how this is achieved. 
An example of an acceptable answer is:
When configuring a device, we remove any software that may be shipped with the device.
Setup of the device is reviewed by a senior colleague before signed off as complete.
Going forward, any software that is no longer used by the company or individual is removed.
We regularly review which applications are installed and remove any that have been retired.

A5.2 Remove Unrequired User Accounts

Have you ensured that all your laptops, computers, servers, tablets, mobile devices, and cloud services only contain necessary user accounts that are regularly used in the course of your business?
Alert
You must remove or disable any user accounts that are not needed in day-to-day use on all devices and cloud services.

To view user accounts:
Windows: Right-click on Start > Computer Management > Local Users and Groups > Users, or run "net user" from a command prompt; for domain accounts use Active Directory Users and Computers or "Get-ADUser"
macOS: System Settings > Users & Groups
Linux: "cat /etc/passwd" or "getent passwd"; an account whose shell is /bin/bash (or similar) can log in interactively, whereas /usr/sbin/nologin or /bin/false cannot

CE Requirement: You must regularly remove or disable unnecessary user accounts (such as guest accounts and administrative accounts that won't be used).
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
We are looking to see that your devices only contain the user accounts that are required. Any other accounts must be removed.
Alert
Please note that unnecessary guest accounts must be removed as part of this requirement.
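A scripted version of the Linux check described under A5.2, added here as an example; it is not text from the question set or tooling from the scheme. It parses data in /etc/passwd and /etc/shadow format and reports accounts that can still log in interactively, and any account that has a login shell but an empty password field. The sample lines are constructed for the example; on a real host you would read /etc/passwd and /etc/shadow (root is needed for the latter), and the list of guest-style names is an assumption.

```python
"""Flag accounts that still allow interactive login, for the A5.2 review.
Parses text in /etc/passwd and /etc/shadow format; the sample data below is
constructed for this example, not taken from a real system."""

# Shells that prevent interactive login on common distributions.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Assumption: account names that usually indicate a guest or temporary login.
GUEST_NAMES = {"guest", "test", "temp", "demo"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
olduser:x:1002:1002:Left 2023:/home/olduser:/bin/bash
svc-backup:x:998:998::/var/lib/backup:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
olduser:!$6$salt$hash:19000:0:99999:7:::
svc-backup:*:19000:0:99999:7:::
"""


def parse_passwd(text):
    """Map user name -> (uid, login shell) from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = (int(uid), shell)
    return users


def parse_shadow(text):
    """Map user name -> encrypted-password field (column 2) from shadow-format text."""
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if line.strip()}


def audit_accounts(passwd_text, shadow_text):
    """Return [(user, reason)] for accounts that need attention:
    - a login shell and an EMPTY (or missing) password field: passwordless login may work
    - a login shell and a usable hash: the account can log in, confirm it is still needed
    Accounts locked with '!' or '*' in the hash field, and nologin accounts, are skipped."""
    findings = []
    hashes = parse_shadow(shadow_text)
    for name, (_uid, shell) in parse_passwd(passwd_text).items():
        if shell in NOLOGIN_SHELLS:
            continue
        pw = hashes.get(name, "")
        if pw == "":
            findings.append((name, "EMPTY password field with a login shell"))
        elif pw[0] in "!*":
            continue  # locked or disabled
        else:
            reason = "interactive login enabled"
            if name in GUEST_NAMES:
                reason += " (guest/temporary name)"
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user:12} {reason}")
```

Run it against the embedded sample and it reports alice (a legitimate user to confirm) and guest (a login shell with no password at all, which is the worst case for this question); root and olduser are skipped because their hash fields begin with "!", which is what "usermod -L" or "passwd -l" writes when an account is disabled rather than deleted.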

A5.3 Change Default Password

Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets, and mobile phones that follow the password-based authentication requirements of Cyber Essentials?
Alert
A password that is difficult to guess is unique to that account and is not made up of common or predictable words such as "password" or "admin", or of predictable number sequences such as "12345".

CE Requirement: You must change any default or guessable account passwords. Do this before the device or service goes into use; a default credential can usually be found in the vendor's manual.

Use technical controls to manage the quality of passwords. This will include one of the following:
  1. using multi-factor authentication
  2. a minimum password length of at least 12 characters, with no maximum length restrictions
  3. a minimum password length of at least 8 characters, with no maximum length restrictions and use automatic blocking of common passwords using a deny list
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Many devices come with default passwords that can be easily found on the internet. All default passwords must be changed.

A5.4 Internally Hosted External Services

Do you run or host external services that provide access to data (that shouldn't be made public) to users across the internet?
Alert
Your business might run software that allows staff or customers to access information across the internet from an external service hosted on your internal network, in a cloud data centre or on an IaaS cloud service. This could be a VPN server, a mail server, or an internally hosted internet application such as a SaaS or PaaS service that you provide to your customers as a product. In all cases, these applications provide information that is confidential to your business and your customers and that you would not want to be publicly accessible.

CE Requirement: Ensure users are authenticated before allowing them access to organisational data or services.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant. Answering 'Yes' will trigger additional questions.

A5.5 External Services Authentication

If yes to question A5.4, which authentication option do you use?
Alert
A. Multi-factor authentication, with a minimum password length of 8 characters and no maximum length
B. Automatic blocking of common passwords, with a minimum password length of 8 characters and no maximum length
C. A minimum password length of 12 characters and no maximum length
D. Passwordless, please describe
E. None of the above, please describe

Acceptable technical controls that you can use to manage the quality of your passwords are outlined in the section about ‘Password-based authentication’ in the ‘Cyber Essentials Requirements for IT Infrastructure’ document.


CE Requirement: Use technical controls to manage the quality of passwords. This will include one of the following:
  1. using multi-factor authentication
  2. a minimum password length of at least 12 characters, with no maximum length restrictions
  3. a minimum password length of at least 8 characters, with no maximum length restrictions and use automatic blocking of common passwords using a deny list
Info
This is a multiple-choice question.
You must select at least one of A, B, C, or D to meet the scheme's requirements.

A5.6 External Services Password Change Process

Describe the process in place for changing passwords on your external services when you believe they have been compromised.

Alert
Passwords may be compromised if malware has been found on a system, if credentials have been exposed in a data breach, or if the manufacturer notifies you of a security weakness in their product. You should know how to change the password if this occurs.

CE Requirement: You should also make sure there is an established process in place to change passwords promptly if you know or suspect a password or account has been compromised.
Info
You should write a concise description of your procedure for changing potentially compromised passwords.
An example of an acceptable answer is:
If there is any suspicion that a password may have been compromised, the IT team is notified; they immediately block the account from accessing services, reset the password and revoke any active sessions.

A5.7 External Services Brute-Force Protection

When not using multi-factor authentication, which option are you using to protect your external service from brute force attacks?
Alert
A. Throttling the rate of attempts
B. Locking accounts after 10 unsuccessful attempts
C. None of the above, please describe

The external service that you provide must be set to slow down or stop attempts to log in if the wrong username and password have been tried a number of times. This reduces the opportunity for cyber criminals to keep trying different passwords (brute-forcing) in the hope of gaining access.

CE Requirement: You must protect your chosen authentication method (which can be biometric authentication, password or PIN) against brute-force attacks. When it's possible to configure, you should apply one of the following:
  1. ‘throttling' the rate of attempts, so that the length of time the user must wait between attempts increases with each unsuccessful attempt - you shouldn’t allow more than 10 guesses in 5 minutes
  2. locking devices after more than 10 unsuccessful attempts
  3. When the vendor doesn't allow you to configure the above, use the vendor’s default setting.
Info
You should choose from the available options. Options A and B are both compliant. If selecting Option C, you should describe the controls you have in place to protect against brute-force attacks: this may be confirmation that you rely on multi-factor authentication, or that you enforce a stricter version of Option A or B (for example, locking accounts after only 5 unsuccessful attempts).

A5.8 Auto-Run Disabled

Have you disabled any feature which allows automatic file execution of downloaded or imported files without user authorisation?
Alert
This is a setting on your device that automatically runs software from external media, or files downloaded from the internet, without the user being asked. On Windows the feature is AutoPlay (Settings > Bluetooth & devices > AutoPlay on Windows 11, or the "Turn off AutoPlay" Group Policy under Administrative Templates > Windows Components > AutoPlay Policies); on macOS, check that Safari's "Open safe files after downloading" option is switched off.

It is acceptable to choose the option where a user is prompted to make a choice about what action will occur each time they insert a memory stick. If you have chosen this option, you can answer yes to this question.

CE Requirement: Disable any auto-run feature which allows file execution without user authorisation (such as when they are downloaded).
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

A5.9 Device Unlocking

When a device requires a user to be present, do you set a locking mechanism on your devices to access the software and services installed?
Alert
Device locking mechanisms such as biometric, password or PIN, need to be enabled to prevent unauthorised access to devices accessing organisational data or services.

CE Requirement: Ensure appropriate device locking controls for users that are physically present.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

A5.10 Device Unlocking Method

Which method do you use to unlock the devices?
Alert
Please refer to the Device Unlocking Credentials paragraph found under Secure Configuration in the Cyber Essentials Requirements for IT Infrastructure document for further information.


A PIN of at least six characters is acceptable only where the credential does nothing more than unlock the device; if the same credential also gives access to organisational data and services without further authentication, the password-based authentication requirements below apply instead.

CE Requirement: If a device requires a user’s physical presence to access a device’s services (such as logging on to a laptop or unlocking a mobile phone), a credential such as a biometric, password or PIN must be in place before a user can gain access to the services.

You must protect your chosen authentication method against brute-force attacks. When it's possible to configure, you should apply one of the following:
  1. ‘throttling' the rate of attempts, so that the length of time the user must wait between attempts increases with each unsuccessful attempt - you shouldn’t allow more than 10 guesses in 5 minutes
  2. locking devices after more than 10 unsuccessful attempts
  3. When the vendor doesn't allow you to configure the above, use the vendor’s default setting.

Info
Provide a brief description of the method used to unlock your devices.
Technical controls must be used to manage the quality of credentials. If credentials are just to unlock a device, you can use biometrics (e.g., fingerprint, face ID) or a minimum password or PIN length of at least 6 characters. When the device unlocking credentials are also used for authentication, then the method must be one of the following: password of minimum 8 characters supported by either MFA or a deny list, or a password of minimum 12 characters. Please see Cyber Essentials Requirements for IT Infrastructure for more information.

