Cyber Essentials Question Booklet v15.1
CONFIDENTIAL WHEN COMPLETED Cyber Essentials Self-Assessment Preparation Booklet
Version 15.1, April 2025 (Willow)

Introduction

This booklet contains the question set for the Cyber Essentials information assurance standard.

Cyber Essentials
Cyber Essentials is a government-backed scheme focussing on five important technical security controls. Further guidance on the Cyber Essentials scheme can be found at https://www.cyberessentials.ncsc.gov.uk

Answering the questions
The booklet is intended to help you to understand the questions and take notes on the current setup in your organisation. In order to complete the assessment, you must enter your answers via IASME's online assessment platform. You must answer all questions in order to achieve certification. Your answers must be approved by a Board level representative, business owner or the equivalent, otherwise certification cannot be awarded.

Need help?
If you need help with understanding the questions, get in contact with IASME on +44 (0)3300 882752 or email info@iasme.co.uk. Alternatively, IASME has a network of Certification Bodies: skilled information assurance companies who can provide advice on the standards and who can help you make changes to your setup in order to achieve compliance. Visit the IASME website at www.iasme.co.uk to find your nearest Certification Body.
Your Company

In this section we need to know a little about how your organisation is set up so we can ask you the most appropriate questions.

A1.1. What is your organisation's name?
The answer given in A1.1 is the name that will be displayed on your certificate and has a character limit of 150 including spaces. Where an organisation wishes to certify subsidiary companies on the same certificate, the organisation can certify as a group and can include the subsidiaries' names on the certificate as long as the board member signing off the certificate has authority over all certified organisations. For example: The Stationary Group, incorporating The Paper Mill and The Pen House. It is also possible to list on a certificate where organisations are trading as other names. For example: The Paper Mill trading as The Pen House.
[Notes]

A1.2. What type of organisation are you?
"LTD" - Limited Company (Ltd or PLC)
"LLP" - Limited Liability Partnership (LLP)
"CIC" - Community Interest Company (CIC)
"COP" - Cooperative
"MTL" - Other Registered Mutual (Community Benefit Society, Credit Union, Building Society, Friendly Society)
"CHA" - Registered Charity
"GOV" - Government Agency or Public Body
"SOL" - Sole Trader
"PRT" - Other Partnership
"SOC" - Other Club/Society
"OTH" - Other Organisation
[Notes]
A1.3. What is your organisation's registration number?
Please enter the registered number only, with at least one digit (0-9). Letters (a-z) are allowed, but no spaces or other punctuation. There is a 20 character limit for your answer. If you are applying for certification for more than one registered company, please still enter only one organisation number. If you have answered A1.2 with Government Agency, Sole Trader, Other Partnership, Other Club/Society or Other Organisation, please enter "none". If you are registered in a country that does not issue a company number, please enter a unique identifier like a DUNS number.
[Notes]

A1.4. What is your organisation's address?
Please provide the legal registered address for your organisation.
[Notes]

A1.5. What is your main business?
Please summarise the main occupation of your organisation. The options are:
Academia - Pre Schools
Academia - Primary Schools
Academia - Secondary Schools
Academia - Academies
Academia - Colleges
Academia - Universities
Aerospace
Agriculture, Forestry and Fishing
Automotive
Charities
Chemicals
Civil Nuclear
Construction
Consultancy
Defence
Diplomacy
Emergency Services
Energy - Electricity
Energy - Gas
Energy - Oil
Engineering
Environmental
Finance
Food
Government
Health
Hospitality - Food
Hospitality - Accommodation
Hospitality - Hotels
IT
Intelligence
Law Enforcement (Serious & Organised Crime)
Legal
Leisure
Managed Services - IT
Managed Services - Telecoms
Managed Services - Other
Managed Services
Manufacturing
Media
Membership Organisations
Mining
Overseas
Other (please describe)
Pharmaceuticals
Political
Postal Services
Property
R&D
Retail
Transport - Aviation
Transport - Maritime
Transport - Rail
Transport - Road
Waste Management
Water
[Notes]

A1.6. What is your website address?
Please provide your website address (if you have one). This can be a Facebook/LinkedIn page if you prefer.
[Notes]
A1.7. Is this application a renewal of an existing certification or is it the first time you have applied for certification?
If you have previously achieved Cyber Essentials, please select "Renewal". If you have not previously achieved Cyber Essentials, please select "First Time Application".
[Notes]

A1.8. What are the two main reasons for applying for certification?
Please let us know the two main reasons why you are applying for certification. If there are multiple reasons, please select the two that are most important to you. This helps us to understand how people are using our certifications.
[Notes]

A1.8.1 Who is the commercial contracting organisation?
Please provide the name of the contracting organisation.
[Notes]

A1.8.2 Who is the government contracting organisation and what is the contract number?
Please provide the contract number and the contracting organisation.
[Notes]

A1.8.3 Who is the grant authority?
Please provide details of the grant issuing authority.
[Notes]

A1.8.4 Who is the regulator?
Please provide details of the regulator.
[Notes]

A1.8.5 What are the reasons you have applied for the certification which you described as "other"?
Please provide a description.
[Notes]
A1.9. Have you read the 'Cyber Essentials Requirements for IT Infrastructure' document?
The document is available on the NCSC Cyber Essentials website and should be read before completing this question set.
Cyber Essentials Requirements for IT Infrastructure v3.2
[Notes]

A1.10. Can IASME and their expert partners contact you if you experience a cyber breach?
We would like feedback on how well the controls are protecting organisations. If you agree to this then please email security@iasme.co.uk if you do experience a cyber breach. IASME and expert partners will then contact you to find out a little more, but all information will be kept confidential.
[Notes]

A1.11. Can IASME contact you for research purposes?
Both IASME and the UK government occasionally need to ask questions about the process and/or benefits of the Cyber Essentials scheme for research purposes. If you agree to this we will contact you via the email address you registered with; you are free to not respond if we do contact you.
Scope of Assessment

In this section, you need to describe the elements of your organisation's IT system that you want to be covered by the Cyber Essentials certification. The scope should be either the whole organisation or an organisational sub-set (for example, the UK operation of a multinational company). You will also need to answer questions regarding the computers, laptops, servers, mobile phones, tablets, firewalls/routers and cloud services that are connected to the internet and accessing organisational data or services. All locations that are owned or operated by this organisation or sub-set, whether in the UK or internationally, should be considered "in-scope".

The level of detail required for devices is as follows: with the exception of network devices (such as firewalls and routers), all other devices within the scope of the certification only need the information about the make and operating system. The requirement to list the model of the device only applies to question A2.8 in relation to firewalls and routers. A scope that does not include end user devices is not acceptable.

Further guidance: Knowledge Hub - Scope; Scope - FAQ

A2.1. Does the scope of this assessment cover your whole organisation?
Please note: your organisation is only eligible for free Cyber Insurance if your assessment covers your whole company. If you answer "No" to this question you will not be invited to opt in to the included insurance. Your whole organisation includes all networks, people and devices which access your organisation's data and services.
Further guidance: About Scope; Subset Scoping Guidance
[Notes]
A2.2. If you are not certifying your whole organisation, then what scope description would you like to appear on your certificate and website?
You will need to have a clear excluding statement within your scope description, e.g. "whole organisation excluding development network". Your scope description should provide details of any networks in your business that have internet access and have been excluded from the assessment. There is a limit of 300 characters for the scope description on the certificate.
[Notes]

A2.3. Please describe the geographical locations of your business which are in the scope of this assessment.
For example "All UK offices", or simply list the locations in scope (e.g. Manchester and Glasgow retail stores).
[Notes]
A2.4. Please list the quantities and operating systems for your laptops, desktops and virtual desktops within the scope of this assessment.
Please note: you must include make and operating system versions for all devices. All user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for you to list the model of the device. Devices that are connecting to cloud services must be included. A scope that does not include end user devices is not acceptable.

You need to provide a summary of all laptops, computers, virtual desktops and their operating systems that are used for accessing organisational data or services and have access to the internet. For example, "We have 25 DELL laptops running Windows 10 Professional version 22H2 and 10 MacBook laptops running MacOS Ventura". Please note, the edition and feature version of your Windows operating systems are required. This applies to both your corporate and user owned devices (BYOD). You do not need to provide serial numbers, MAC addresses or further technical information.

Extended Security Update schemes
For any end-of-life operating system that has an extended security update program, you must maintain the required subscription. If you are using Windows 10 beyond the 14th October 2025 you must be signed up to the Microsoft Extended Security Update program in order to remain compliant.

Further guidance: Operating System Support; Guidance to BYOD
[Notes]
A2.4.1 Please list the quantity of thin clients within the scope of this assessment. Please include make and operating systems.
Please provide a summary of all the thin clients in scope that are connecting to organisational data or services (definitions of which are in the 'Cyber Essentials Requirements for IT Infrastructure' document linked in question A1.9). Thin clients are commonly used to connect to a Virtual Desktop Solution. Thin clients are a type of very simple computer holding only a base operating system which are often used to connect to virtual desktops. Thin clients can connect to the internet, and it is possible to modify some thin clients to operate more like PCs, and this can create security complications. Cyber Essentials requires thin clients to be supported and receiving security updates.
Cyber Essentials Requirements for IT Infrastructure v3.2
[Notes]

A2.5. Please list the quantity of servers, virtual servers, virtual server hosts (hypervisors) and Virtual Desktop Infrastructure (VDI) servers. You must include the operating system.
Please list the quantity of all servers within the scope of this assessment. For example: 2 x VMware ESXi 6.7 hosting 8 virtual Windows 2016 servers; 1 x MS Server 2019; 1 x Red Hat Enterprise Linux 8.3
[Notes]

A2.6. Please list the quantities of tablets and mobile devices within the scope of this assessment.
Please note: you must include make and operating system versions for all devices. All user devices within the scope of the certification only require the make and operating system to be listed. Devices that are connecting to cloud services must be included. A scope that does not include end user devices is not acceptable.
Further guidance: Guidance to BYOD; Operating System Support
[Notes]
A2.7. Please provide a list of networks that will be in scope for this assessment.
You should include details of each network used in your organisation including its name, location and its purpose (e.g. Main Network at Head Office for administrative use, Development Network at Malvern Office for testing software). You do not need to provide IP addresses or other technical information.
[Notes]

A2.7.1 How many staff are home or remote workers?
Any employee that has been given permission to work remotely (for any period of time at the time of the assessment) needs to be classed as a home/remote worker for Cyber Essentials. For further guidance see the Home and remote working section in the Cyber Essentials Requirements for IT Infrastructure document.
Cyber Essentials Requirements for IT Infrastructure v3.2
[Notes]

A2.8. Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers). You must include make and model of each device listed.
You should include all equipment that controls the flow of data to and from the internet. This will be your routers and firewalls. You do not need to include switches or wireless access points that do not contain a firewall or do not route internet traffic. If you have home and/or remote workers, they will be relying on software firewalls; please describe this in the notes field. You are not required to list any IP addresses, MAC addresses or serial numbers.
[Notes]
A2.9. Please list all of the cloud services that are in use by your organisation and provided by a third party.
Please note that cloud services cannot be excluded from the scope of Cyber Essentials. You need to include details of all of your cloud services. This includes all types of services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Definitions of the different types of cloud services are provided in the 'Cyber Essentials Requirements for IT Infrastructure' document.
Cyber Essentials Requirements for IT Infrastructure v3.2
[Notes]

A2.10. Please provide the name and role of the person who is responsible for managing your IT systems in the scope of this assessment.
This person must be a member of your organisation and cannot be a person employed by your outsourced IT provider.
[Notes]
Insurance

All organisations with a head office domiciled in the UK and a turnover of less than £20 million can opt into automatic cyber insurance if they achieve Cyber Essentials certification. The insurance is free of charge, but you can opt out of the insurance element if you choose. This will not change the price of the assessment package. If you want the insurance then we do need to ask some additional questions, and these answers will be forwarded to the broker. The answers to these questions will not affect the result of your Cyber Essentials assessment. It is important that the insurance information provided is as accurate as possible and that the assessment declaration is signed by Board level or equivalent, to avoid any delays to the insurance policy being issued.

A3.1. Is your head office domiciled in the UK or Crown Dependencies and is your gross annual turnover less than £20m?
This question relates to the eligibility of your organisation for the included cyber insurance.
[Notes]

A3.2. If you have answered "yes" to the last question, then your organisation is eligible for the included cyber insurance if you gain certification. If you do not want this insurance element, please opt out here.
There is no additional cost for the insurance. You can see more about it at https://iasme.co.uk/cyber-essentials/cyber-liability-insurance/
[Notes]

A3.3. What is the organisation email contact for the insurance documents?
You only need to answer this question if you are taking the insurance. The answer to this question will be passed to the Insurance Broker in association with the Cyber Insurance you will receive at certification, and they will use this to contact you with your insurance documents and renewal information.
[Notes]
Firewalls

Firewall is the generic name for a piece of software or a hardware device which provides technical protection between your network devices and the Internet, referred to in the question set as boundary firewalls. Your organisation will have physical, virtual or software firewalls at your internet boundaries. Software firewalls are included within all major operating systems for laptops, desktops and servers and need to be configured correctly to provide effective protection.

Questions in this section apply to: boundary firewalls, desktop computers, laptops, routers, servers, IaaS, PaaS, and SaaS.

Further guidance can be found here: Knowledge Hub - Firewalls; Firewalls - FAQ

A4.1. Do you have firewalls at the boundaries between your organisation's internal networks, laptops, desktops, servers, and the internet?
You must have firewalls in place between your office network and the internet.
CE Requirement: You must protect every device in scope with a correctly configured firewall (or network device with firewall functionality).
Further guidance: Firewalls
[Notes]

A4.1.1 Do you have software firewalls enabled on all of your computers, laptops and servers?
Your software firewall needs to be configured and enabled at all times, even when sitting behind a physical/virtual boundary firewall in an office location. Guidance on how to check your software firewall can be found here: About Firewalls
CE Requirement: You must protect every device in scope with a correctly configured firewall (or network device with firewall functionality).
CE Requirement: Make sure you use a software firewall on devices which are used on untrusted networks, such as public wifi hotspots. If your organisation doesn't control the network to which a device connects, you must configure a software firewall on the device.
[Notes]
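As an added example for A4.1.1 (not part of this booklet or of IASME's own guidance), the following POSIX shell script evaluates the text of `ufw status verbose` on an Ubuntu host and reports whether the software firewall is active with a default-deny inbound policy, which is the state an assessor would expect to see. The sample outputs are constructed, and the use of the ufw front-end is an assumption; hosts using another distribution or macOS need an equivalent check.

```shell
#!/bin/sh
# Constructed sample of `ufw status verbose` from a correctly configured host
# (assumption: the Ubuntu ufw front-end; wording matches recent ufw releases).
SAMPLE_GOOD='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# Constructed sample: firewall enabled but every inbound connection is allowed.
SAMPLE_OPEN='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip'

# Constructed sample: firewall switched off entirely.
SAMPLE_OFF='Status: inactive'

# Evaluate one host's `ufw status verbose` text.
# Prints a one-line verdict and returns 0 only when the firewall is active
# and its default inbound policy is deny or reject.
evaluate_ufw() {
    status_text="$1"
    if ! printf '%s\n' "$status_text" | grep -q '^Status: active'; then
        echo "FAIL: software firewall is inactive"
        return 1
    fi
    # Pull the word before "(incoming)" on the Default: line.
    inbound=$(printf '%s\n' "$status_text" \
        | sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p')
    case "$inbound" in
        deny|reject) echo "PASS: active, default inbound policy is $inbound"; return 0 ;;
        "")          echo "FAIL: could not read the default inbound policy"; return 1 ;;
        *)           echo "FAIL: active, but default inbound policy is $inbound"; return 1 ;;
    esac
}

# Check the host this script runs on when ufw is present and we are root
# (ufw refuses to report status otherwise); fall back to the samples.
check_local_host() {
    if command -v ufw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        evaluate_ufw "$(ufw status verbose 2>/dev/null)"
    else
        echo "ufw unavailable or not root; evaluating constructed samples instead"
        evaluate_ufw "$SAMPLE_GOOD"
        evaluate_ufw "$SAMPLE_OPEN" || true
        evaluate_ufw "$SAMPLE_OFF" || true
    fi
}

# Invoke with --check to run against the local host or the samples.
if [ "${1:-}" = "--check" ]; then
    check_local_host
fi
```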
A4.1.2 If you answered no to question A4.1.1, is this because software firewalls are not installed by default as part of the operating system you are using? Please list the operating systems.
Only very few operating systems do not have software firewalls available. Examples might include embedded Linux systems or bespoke servers. For the avoidance of doubt, all versions of Windows, macOS and all common Linux distributions such as Ubuntu do have software firewalls available.
[Notes]

A4.2. When you first receive an internet router or hardware firewall device, it may have had a default password on it. Have you changed all the default passwords on your boundary firewall devices?
The default administrator password must be changed on all routers and firewalls, including those that come with a unique password pre-configured (e.g. BT Business Hub, Draytek Vigor 2865ac). When relying on software firewalls included as part of the operating system of your end user devices, the password to access the device will need to be changed.
CE Requirement: Change default administrative passwords to a strong and unique password, or disable remote administrative access entirely.
Further guidance: About Routers
[Notes]