Frequently Asked Questions about the Cyber Essentials Control
QUESTION | ANSWER |
|---|---|
Is using built-in anti-malware for Windows or MacOS (Windows Defender or XProtect) considered compliant for Cyber Essentials? | While we do not provide endorsement of any particular product, both Windows Defender and MacOS XProtect can be used to meet the anti-malware requirement for question A8.1 |
What does the allow listing option on question A8.1 mean in the context of Cyber Essentials? | The allow listing option means that you must have a list of approved applications which can access organisational data or services. With company-owned devices, this can be accomplished by using an MDM (Mobile Device Management) solution. This will only permit specific applications to be installed. For personally-owned devices, Cyber Essentials is only concerned with applications which access organisational data and services. It's not possible to control what people install on their own devices, but it is possible to control what applications have access to. You must ensure that only the applications on the allow list can access data and services - for example, making sure that users can only access email using an approved application. |
How should we meet the anti-malware requirements for mobile devices? | Because there is no mobile anti-malware considered compliant, you would need to use allow listing for this requirement. |
Is there a way of allowing volunteer access (for example for charities) without having to install Mobile Device Management (MDM) tools on their personal devices such as smartphones and laptops? | MDM isn't a requirement for Cyber Essentials, although it can be useful. If the devices are personally-owned, you'll need to control access to organisation data via allow listing, meaning that only permitted applications can access your data. |