Cyber Essentials Questionnaire Guidance

Providing relevant and detailed answers along with supporting evidence is key to a successful Cyber Essentials submission. As such we have issued the following cyber essentials questionnaire guidance.

As a recommendation, we would suggest the following approach be used:

1. Use the comments field to provide narrative that supports the statement.

2. Where appropriate, use additional evidence to back up that assertion.

3. Additional evidence should be included within a separate folder and where possible the file name should reference the question to aid in easy navigation.

4. Where a policy statement is used to support an assertion, the policy should be included within the evidence folder. The comments section should clearly reference the exact location of the policy statement and where possible the relevant paragraph should be included. This should then be backed up with evidence of use, such as screenshots.

5. If you do not feel you fully comply with a certain question, then provide a detailed answer as to what the business does have in place and any mitigating reasons as to why it may not be or is not possible/feasible to fully comply with a particular Cyber Essentials requirement.

To illustrate this, we will use question 13 from the questionnaire.

Q: Is a standard build image used to configure new workstations, does this image include the policies and controls and software required to protect the workstation, and is the image kept up to date with corporate policies?

A robust response within the comments filed would be:

A gold build is used to deploy machines within the estate, each machine is built using the most up to date gold build and is then tested to confirm there were no issues during installation. Once this has been completed, the machine is then added to the Active Directory and all relevant GPO’s such as those pertaining to updates, permissions and password policies are applied. At this stage the machine is ready to be introduced to the network for use by an end user. Evidence of this process can be seen in the following screenshots and policy extracts:

IS Policy ‘Section 4, page 2’ “All IT assets will be built using the authorized gold build”.

Screenshot ‘Question13-a’ details a list of authorized software deployed as part of the gold build.

Screenshot ‘Question13-b’ Evidence of the machines within the Active Directory. 


For more information regarding our Cyber Essentials services, please visit the following page.