Frequently Asked Questions about the Cyber Essentials Control

Question

Answer

For question A8.1, can you explain the option of allow listing, especially where BYOD is involved?

The allow listing option means that you must have a list of approved applications which can access organisational data or services. With company-owned devices, this can be accomplished using an MDM solution which only permits specific, approved applications restricted by code signing to be installed. For BYOD, bear in mind that Cyber Essentials is only concerned with applications which access organisational data, as it's not possible to control what users may install on their own devices. You must therefore ensure that only the applications on the allow list have access, so for example, users can only access email using an approved app. The NCSC expects technical controls to be implemented to achieve this, although in organisations with fewer than 50 employees, policy or training can be sufficient to meet compliance.

Is using built-in anti-malware for Windows or macOS (Windows Defender or XProtect) considered compliant for Cyber Essentials?

While we do not endorse any particular product, both Windows Defender and macOS XProtect can be used to meet the anti-malware requirement for question A8.1.
