---
name: cyber-essentials-questionnaire-helper
description: Walk an SMB through the IASME Cyber Essentials (or CE Plus) self-assessment questionnaire and draft every answer in the format assessors expect, flagging gaps before submission.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: IT Managers, DPOs, Compliance Leads, MSPs, Practice Managers at law and accountancy firms
output_format: Formatted Markdown document with scope statement, drafted answers to every CE control section, evidence checklist, gap register, and pre-submission review checklist.
license: MIT
last-reviewed: 2026-04
---

# Cyber Essentials Questionnaire Helper

A Claude Code skill for London SMBs preparing their first (or fifth) Cyber Essentials or Cyber Essentials Plus submission — designed to stop the questionnaire becoming a three-month project that still fails on the same three controls.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/cyber-essentials-questionnaire-helper`. Describe your environment in plain English. Answer the clarifying questions. Receive a drafted response pack plus a gap register.

## When to use this

- You've just been handed the IASME Cyber Essentials questionnaire and you don't know where to start.
- A client (typically in finance, legal, or public sector) has required Cyber Essentials as a contractual condition, and you have 4-6 weeks.
- You failed last year on secure configuration or update management and need to self-audit before resubmitting.
- You're going for Cyber Essentials **Plus** and need to know exactly which evidence an external assessor will test, before they test it.
- Your insurer is offering a premium reduction for Cyber Essentials and you want to know if you can realistically achieve it.

## What you'll get

A single Markdown document containing:

- A **scope statement** matching IASME's format (whole-organisation or defined subset)
- **Drafted answers** to every question in the 5 technical controls (Firewalls, Secure Configuration, User Access Control, Malware Protection, Security Update Management) plus the organisational/insurance question set
- An **evidence checklist** detailing exactly what screenshots, exports, or policy documents an assessor will expect to see
- A **gap register** listing every control where your current state would likely fail, with specific remediation steps and effort estimates
- A **CE Plus audit prep** section (if applicable) listing the technical tests an assessor runs
- A **pre-submission review checklist** to run the day before you submit

## Clarifying questions I will ask you

Before drafting answers, I will ask:

1. **Are you going for Cyber Essentials or Cyber Essentials Plus?** (self-assessed vs. externally audited)
2. **What is your scope?** (whole organisation, UK office only, specific subsidiary, development environment excluded, etc.)
3. **How many users and how many end-user devices in scope?** (laptops, desktops, phones, tablets)
4. **What is your hosting model?** (cloud-only, hybrid, on-prem, mix)
5. **Which cloud providers are in scope?** (M365, Google Workspace, AWS, Azure, GCP, specific SaaS)
6. **What operating systems are in use?** (versions of Windows, macOS, Linux, iOS, Android)
7. **Is BYOD allowed?** (no / yes, enrolled via MDM / yes, unmanaged)
8. **Firewall situation?** (office router/firewall brand + model; any software firewall policy; no office / remote only)
9. **Endpoint protection?** (Defender, third-party AV, EDR, "not sure")
10. **Password and MFA policy?** (documented, enforced; documented, partial; not documented)
11. **How do you patch?** (Intune / Group Policy / manual / WSUS / cloud MDM / mixed)
12. **Joiner/leaver process?** (documented and followed; documented, not followed; ad-hoc)
13. **Do you have a documented information security policy?** (yes, reviewed in last 12 months; yes, older; no)
14. **Any previous CE submission?** (first time; previous pass; previous fail — on which control?)
15. **Target submission date?** (date, or "flexible")

If you can't answer a question confidently, I will mark it in the gap register rather than guessing. Guessing is how submissions fail.

## Output template

```markdown
# Cyber Essentials Submission — <organisation name>

## Level targeted: <Cyber Essentials | Cyber Essentials Plus>
## Scope statement (as it will appear on the certificate)
> <Organisation name> — <scope description>. In scope: <N> users, <N> end-user devices (<breakdown>). Cloud services in scope: <list>. Out of scope: <documented exclusions, e.g. development environment, R&D subsidiary>.

## Organisational & insurance questions (answered)
| Question | Answer | Notes |
|---|---|---|
| Legal entity name | | |
| Trading names | | |
| Website | | |
| Company registration number | | |
| Head office address | | |
| Primary contact (name, role, email) | | |
| Number of employees | | |
| Annual turnover band | | |
| UK-domiciled? | | |
| Insurance required? (sub-£20m turnover = free CE-backed cyber insurance) | | |
| Previous CE certification? | | |

## CONTROL 1 — Firewalls (and internet gateways)

**Objective:** Devices with a connection to the internet must be protected by a firewall, and that firewall must be configured to restrict inbound connections.

### A1.1 Do you have firewalls at the boundary between your organisation's internal networks and the internet?
**Draft answer:** Yes. <Describe firewall — vendor, model, management>. The device is configured so that the default policy blocks all inbound traffic; only <list named services> are permitted, each to a specific destination with a documented business justification.

### A1.2 When firewalls require a password, is the default password changed?
**Draft answer:** Yes. All boundary devices had their default administrator password changed during commissioning. Current administrator passwords are <length> characters, include <complexity details>, and are stored in <password manager>. Password rotation occurs <cadence>.

### A1.3 Are firewall administrator accounts protected by multi-factor authentication, or are administrators granted access from a restricted set of IP addresses?
**Draft answer:** <Yes — MFA via <method>. / Yes — administrative access restricted to <N> named source IP addresses.>

### A1.4 Are all inbound firewall rules that allow internet traffic through your firewall documented and approved by someone authorised to make that decision?
**Draft answer:** Yes. Each inbound rule is recorded in <register location>, approved by <named role>. The register is reviewed <cadence>. No rule exists that does not have a dated, named business justification.

### A1.5 Have unused firewall rules been removed?
**Draft answer:** Yes. During the last rule-base review on <date>, <N> rules were removed. Next review due <date>.

### A1.6 Where boundary firewalls are host-based (software firewalls on a user device), are they configured to deny by default?
**Draft answer:** Yes. Host-based firewalls on all in-scope devices are enabled by default via <mechanism — e.g. Intune policy, Group Policy, Jamf profile>. The default inbound policy is block; exceptions are documented in <location>.

### Evidence the assessor will expect
- Screenshot of firewall admin interface showing inbound policy = deny-all
- Export/screenshot of the rule base with dates
- Documented rule-review process (policy document or ticket examples)
- Password management policy applied to admin accounts
- Proof of MFA on admin accounts OR the named source-IP restriction list

## CONTROL 2 — Secure Configuration

**Objective:** Computers and network devices should be configured to reduce their level of inherent vulnerability. Default configurations are not acceptable.

### A2.1 Have you removed or disabled unnecessary user accounts?
**Draft answer:** Yes. <Describe joiner/leaver process: account creation in <system>, disablement on last day per named workflow, deletion after <N> days.>

### A2.2 Have you changed default passwords for all user and administrator accounts on all devices and software to a password that is difficult to guess?
**Draft answer:** Yes. <Describe password policy: length ≥ 12 (or 8 with MFA), blocklist, no forced periodic rotation (per NCSC guidance), onboarding workflow enforces change.>

### A2.3 Has all software installed on devices in scope been licensed, supported, and patched?
**Draft answer:** Yes. Software inventory maintained in <system>. Unsupported software removed — none currently installed. Patch cadence described in Control 5.

### A2.4 Have you ensured that only necessary software, accounts and apps are used on devices?
**Draft answer:** Yes. <Describe allow-listing / MDM-managed app catalogue / "standard build" approach.> No local admin rights for standard users.

### A2.5 Are users locked out of all devices and services after an idle period?
**Draft answer:** Yes. Device lock enforced after <N> minutes of inactivity via <mechanism>. Session timeout on web services set to <N> hours/days per Conditional Access policy.

### A2.6 Is multi-factor authentication required for all cloud services?
**Draft answer:** Yes. MFA is enforced on <list cloud services>. <Describe method: authenticator app / passkey / hardware key.> Break-glass accounts are documented and excluded only with compensating controls (see policy).

### Evidence the assessor will expect
- Device build / baseline documentation
- Screenshot of MDM / Intune / Group Policy showing idle-lock enforcement
- Joiner/leaver tickets for a sample period
- Proof of MFA enforcement across named cloud services
- Documented password policy

## CONTROL 3 — User Access Control

**Objective:** User accounts, particularly those with special access privileges, should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers, and networks.

### A3.1 Are users only provided with user accounts after a process has been followed to approve their creation?
**Draft answer:** Yes. <Describe workflow: line manager request, approval by <role>, creation by IT, record kept in <system>.>

### A3.2 Can you only access laptops, desktops, and servers in your organisation with a unique username and password?
**Draft answer:** Yes. <No shared accounts; any shared service accounts are documented, restricted, and monitored.>

### A3.3 Do you have a process to remove access when a user no longer needs it?
**Draft answer:** Yes. Joiner/mover/leaver process at <link>. Leaver access removed within <N> hours of last working day. Quarterly access review performed by <role>.

### A3.4 Do you require users to authenticate with a strong password to access applications, computers, and the network?
**Draft answer:** Yes. Password policy: <length, complexity, blocklist>. Passwords not rotated on a schedule; rotation triggered on suspicion of compromise.

### A3.5 Are administrative privileges granted only to those who need them?
**Draft answer:** Yes. <N> global administrator accounts, all named individuals, none shared. Privileged access reviewed <cadence>. Standard users do not have local admin rights.

### A3.6 Do you use separate administrator accounts to carry out administrative activities?
**Draft answer:** <Yes — named admins have a separate `-admin` account used only for administrative tasks, not for day-to-day email or browsing.>

### A3.7 Is multi-factor authentication required for access to cloud services?
**Draft answer:** Yes — see Control 2 answer A2.6.

### Evidence the assessor will expect
- Joiner/leaver policy and a sample of executed tickets
- List of privileged users with justification
- Role separation evidence (normal account vs. admin account)
- Access-review outputs
- MFA enforcement screenshots

## CONTROL 4 — Malware Protection

**Objective:** The risk of malware infection must be mitigated through anti-malware software, signed application allow-listing, or application sandboxing.

### A4.1 Are all devices in scope protected from malware by at least one of: anti-malware software / application allow-listing / application sandboxing?
**Draft answer:** Yes. All in-scope devices run <Defender for Endpoint / named vendor>. Real-time protection enabled. Signatures updated automatically.

### A4.2 Where you have used anti-malware software, is it set to update in line with the vendor's guidelines?
**Draft answer:** Yes. Definitions updated automatically (default behaviour). Monitored via <console>. Mean time between definition updates: <N> hours.

### A4.3 Where you have used anti-malware software, is it set to scan files automatically upon access?
**Draft answer:** Yes. On-access scanning enabled via policy; cannot be disabled by standard users.

### A4.4 Where you have used anti-malware software, is it set to scan web pages automatically?
**Draft answer:** Yes. SmartScreen / web protection enabled on all in-scope browsers / endpoint agent.

### A4.5 Does your organisation discourage the use of removable media, and if used, do you scan such media for malware?
**Draft answer:** <Describe policy: removable media blocked by policy / allowed with named exception register / all media scanned automatically on mount.>

### Evidence the assessor will expect
- Endpoint-protection console screenshot showing coverage and compliance
- Policy configuration showing on-access scanning + auto-update
- Sample of a recent detection (optional but persuasive)
- Removable-media policy

## CONTROL 5 — Security Update Management

**Objective:** Software must be kept up to date. Out-of-date software is one of the top causes of preventable compromise.

### A5.1 Are all devices in scope running software that is licensed and supported by the vendor?
**Draft answer:** Yes. Software inventory confirms all installed applications are in vendor support. <N> applications approaching end-of-life flagged in register with replacement dates.

### A5.2 Do you have a process to ensure that all high-risk and critical security updates are applied to all devices in scope within 14 days of release?
**Draft answer:** Yes. Patches deployed via <Intune / WSUS / Jamf / MDM>. High-risk updates: targeted within 7 days. Critical: 14-day SLA, measured via compliance report.

### A5.3 Do you have a process to ensure that all operating systems, firmware, and applications are kept up to date with the latest supported versions?
**Draft answer:** Yes. <Describe patch windows, reporting cadence, exception register for any paused updates.>

### A5.4 Have you removed any software that is no longer supported by the vendor?
**Draft answer:** <Yes — list the packages audited and removed in last 12 months.>

### Evidence the assessor will expect
- Patch-compliance report with ≥ 95% within SLA
- Software inventory with vendor-support status
- List of retired / replaced packages with dates
- Patching policy document

## Evidence checklist (assemble before submitting)
- [ ] Firewall admin screenshot (deny-all default)
- [ ] Firewall rule register export
- [ ] Password policy document
- [ ] MDM / Intune compliance report
- [ ] MFA enforcement screenshots per cloud service
- [ ] Joiner/leaver policy + 3 sample executed tickets
- [ ] Privileged user register
- [ ] Endpoint-protection coverage report
- [ ] Patch-compliance report (90-day)
- [ ] Software inventory with vendor-support status
- [ ] Information security policy (reviewed in last 12 months)
- [ ] Removable-media policy
- [ ] Named break-glass account procedure

## Gap register — remediate before submission
| Gap | Control | Effort | Owner | Target date | Blocker? |
|---|---|---|---|---|---|
| | | | | | |

(Every row marked "Blocker? Yes" = do not submit.)

## CE Plus specific (if applicable)
For Cyber Essentials Plus, an assessor performs the following tests on a sample of devices:
1. Vulnerability scan (authenticated) against a sample of endpoints and cloud services.
2. Malware protection test with an EICAR file / simulated malicious email.
3. Account separation test — attempt to install software as a standard user.
4. MFA bypass test — attempt to access a cloud service without MFA.
5. Removable-media test (where applicable).

Pre-audit preparation:
- Run the same vulnerability scan internally and remediate findings **before** the assessor arrives.
- Verify the EICAR test file is blocked on your endpoint protection.
- Confirm one sample device per OS is available for remote testing.
- Ensure a named IT contact is available during the assessor's window.

## Pre-submission review checklist
- [ ] Scope statement matches the legal entity and the certificate you want
- [ ] Every Control 1-5 answer matches what a screenshot would show today — not what the policy says
- [ ] No "we are planning to" phrases — CE is pass/fail on current state
- [ ] Evidence checklist complete
- [ ] Gap register has zero "Blocker? Yes" rows
- [ ] Insurance opt-in decided (automatic for sub-£20m turnover with full submission)
- [ ] Primary contact has 48 hours to respond to assessor queries
- [ ] Internal sign-off by <role>
```
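The pre-submission checklist above asks that every Control 1-5 answer match "what a screenshot would show today". The script below is an added example, not part of the skill or of the response pack it drafts: a read-only self-audit of one Windows endpoint that checks the same settings the assessor's screenshots would show (host firewall default inbound Block for A1.6, idle lock for A2.5, local Administrators membership for A3.5, Defender real-time/on-access/signature state and network protection for A4.1-A4.5, and the age of the newest installed update as a proxy for A5.2). It assumes a Windows 10/11 device using the built-in firewall and Microsoft Defender Antivirus, run from an elevated PowerShell 5.1+ session; the thresholds (15-minute lock, 1-day signature age, 45-day patch age) and the approved-admin list are illustrative assumptions, not values taken from the CE standard.

```powershell
# Added example (not part of the skill or of the response pack it drafts): read-only CE self-audit of one
# Windows endpoint. Assumes Windows 10/11, built-in firewall, Microsoft Defender Antivirus, elevated PS 5.1+.
# Thresholds and the approved-admin list are illustrative assumptions, not values from the CE standard.
$IdleLockMaxSeconds  = 15 * 60   # assumption: a lock within 15 minutes is this organisation's A2.5 target
$SignatureMaxAgeDays = 1         # assumption: definitions no older than one day count as "updated per vendor guidance"
$PatchMaxAgeDays     = 45        # assumption: monthly cumulative updates + 14-day SLA => newest install <= 45 days old
$ApprovedLocalAdmins = @("$env:COMPUTERNAME\Administrator")   # placeholder: replace with your named -admin accounts

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Control, [string]$Check, [bool]$Pass, [string]$Evidence) {
    $results.Add([pscustomobject]@{
        Control  = $Control
        Check    = $Check
        Result   = if ($Pass) { 'PASS' } else { 'FAIL' }
        Evidence = $Evidence
    })
}

# Control 1 (A1.6): every firewall profile enabled with default inbound action Block.
foreach ($p in Get-NetFirewallProfile) {
    Add-Check 'A1.6' "Firewall profile '$($p.Name)': enabled, default inbound Block" `
        ($p.Enabled -eq 'True' -and $p.DefaultInboundAction -eq 'Block') `
        "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
}

# Control 2 (A2.5): machine inactivity limit (HKLM policy) or, failing that, a secure screen-saver policy (HKCU).
$sysPol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$ssPol  = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
$idleSecs = 0
if ($sysPol.InactivityTimeoutSecs) { $idleSecs = [int]$sysPol.InactivityTimeoutSecs }
elseif ($ssPol.ScreenSaverIsSecure -eq '1' -and $ssPol.ScreenSaveTimeOut) { $idleSecs = [int]$ssPol.ScreenSaveTimeOut }
Add-Check 'A2.5' "Idle lock enforced within $($IdleLockMaxSeconds / 60) minutes" `
    ($idleSecs -gt 0 -and $idleSecs -le $IdleLockMaxSeconds) "EffectiveTimeoutSecs=$idleSecs"

# Control 3 (A3.5) and Control 2 (A2.4): local Administrators holds only approved, named accounts.
$admins     = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
$unapproved = @($admins | Where-Object { $ApprovedLocalAdmins -notcontains $_ })
Add-Check 'A3.5' 'Local Administrators contains only approved accounts' `
    ($admins.Count -gt 0 -and $unapproved.Count -eq 0) "Members=$($admins -join '; ') Unapproved=$($unapproved -join '; ')"

# Control 4 (A4.1-A4.5): Defender engine state and preferences. Null guards avoid a false PASS when Defender is off.
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference
Add-Check 'A4.1' 'Real-time protection enabled' ([bool]$mp.RealTimeProtectionEnabled) "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
Add-Check 'A4.2' "Signatures no older than $SignatureMaxAgeDays day(s)" `
    ($null -ne $mp.AntivirusSignatureAge -and $mp.AntivirusSignatureAge -le $SignatureMaxAgeDays) `
    "AntivirusSignatureAge=$($mp.AntivirusSignatureAge) LastUpdated=$($mp.AntivirusSignatureLastUpdated)"
Add-Check 'A4.3' 'On-access scanning enabled' ([bool]$mp.OnAccessProtectionEnabled) "OnAccessProtectionEnabled=$($mp.OnAccessProtectionEnabled)"
# Network protection in block mode (value 1) is taken here as the web-protection control; SmartScreen is set per browser policy.
Add-Check 'A4.4' 'Defender network protection in block mode' ($pref.EnableNetworkProtection -eq 1) "EnableNetworkProtection=$($pref.EnableNetworkProtection)"
Add-Check 'A4.5' 'Removable drives included in scans' (-not $pref.DisableRemovableDriveScanning) "DisableRemovableDriveScanning=$($pref.DisableRemovableDriveScanning)"

# Control 5 (A5.2): age of the newest installed update as a proxy. The real release-to-install SLA per update
# needs the MDM/WSUS compliance report, because Get-HotFix records install dates only.
$newest   = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($newest) { (New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
Add-Check 'A5.2' "Newest update installed within $PatchMaxAgeDays days" ($patchAge -le $PatchMaxAgeDays) `
    "Newest=$($newest.HotFixID) InstalledOn=$($newest.InstalledOn) AgeDays=$patchAge"

# Report: a table for the evidence pack, a CSV per device, and a warning that feeds the gap register.
$results | Format-Table Control, Result, Check, Evidence -AutoSize -Wrap
$results | Export-Csv -Path ".\ce-self-audit-$env:COMPUTERNAME.csv" -NoTypeInformation
if ($results.Result -contains 'FAIL') {
    Write-Warning 'One or more checks FAILED: record each as a row in the gap register before submitting.'
}
```

Run it on one sample device per OS build before the mock audit; any FAIL row is a gap-register entry, and the CSV doubles as dated evidence that the check was actually performed rather than assumed from policy.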

## Example invocation

**User:** "We're a 35-person London law firm. M365 Business Premium, Intune for laptops, iPhones BYOD. Never done Cyber Essentials. Client has asked us to have it within 8 weeks."

**What the skill will do:**
1. Ask the 15 clarifying questions, pressing particularly on: BYOD iPhone management (MDM or not?), firewall (is there a management-level firewall at the office or purely cloud-edge?), joiner/leaver process (written or not?), and MFA coverage on M365 and any SaaS legal-practice-management tool.
2. Produce the complete response pack with drafted answers referencing Intune and Defender specifically, flagging BYOD iPhones as needing either MDM enrolment or exclusion from scope.
3. Build the gap register — typical first-time submissions from law firms trip on: rule-base review, unmanaged BYOD, missing break-glass procedure, unpatched line-of-business legal software.
4. Produce a week-by-week plan showing 8 weeks is feasible if BYOD is addressed in weeks 1-2, not week 7.
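Control 5 asks for a 14-day SLA "measured via compliance report" and the evidence checklist wants ≥ 95% within SLA, yet the percentage is easy to get wrong (measuring from detection rather than release, or silently dropping devices that never installed the update). The block below is an added example, not part of the skill or of any vendor's reporting, showing how to compute that figure from a patch-compliance export. The CSV is constructed sample data; its columns (Device, UpdateId, Severity, Released, Installed), the KB-SAMPLE identifiers and the dates are assumptions, not a real MDM/WSUS schema or real updates.

```powershell
# Added example (not part of the skill): compute A5.2 14-day SLA compliance from a patch-compliance export.
# The CSV is constructed sample data; column names and KB-SAMPLE ids are assumptions, not a vendor schema.
$SlaDays = 14
$AsOf    = [datetime]'2026-04-01'   # report date for the sample; use (Get-Date) against a live export

$export = @'
Device,UpdateId,Severity,Released,Installed
LAPTOP-01,KB-SAMPLE-0001,Critical,2026-03-10,2026-03-15
LAPTOP-01,KB-SAMPLE-0002,Important,2026-03-10,2026-03-30
LAPTOP-02,KB-SAMPLE-0001,Critical,2026-03-10,
LAPTOP-02,KB-SAMPLE-0002,Important,2026-03-10,2026-03-20
LAPTOP-03,KB-SAMPLE-0001,Critical,2026-03-10,2026-03-12
LAPTOP-03,KB-SAMPLE-0002,Important,2026-03-10,2026-03-22
LAPTOP-04,KB-SAMPLE-0003,Critical,2026-03-25,
'@
$rows = $export | ConvertFrom-Csv

$assessed = foreach ($r in $rows) {
    $released  = [datetime]$r.Released
    $deadline  = $released.AddDays($SlaDays)          # SLA clock starts at vendor release, not at detection
    $installed = if ($r.Installed) { [datetime]$r.Installed } else { $null }
    # Compliant: installed on or before the deadline. A missing install is a Breach once the deadline has passed;
    # before that it is Pending and is left out of the percentage rather than counted either way.
    $status = if ($installed -and $installed -le $deadline) { 'Compliant' }
              elseif (-not $installed -and $AsOf -le $deadline) { 'Pending' }
              else { 'Breach' }
    [pscustomobject]@{
        Device        = $r.Device
        UpdateId      = $r.UpdateId
        Severity      = $r.Severity
        Released      = $released.ToString('yyyy-MM-dd')
        Deadline      = $deadline.ToString('yyyy-MM-dd')
        Installed     = $r.Installed
        DaysToInstall = if ($installed) { ($installed - $released).Days } else { $null }
        Status        = $status
    }
}

$decided   = @($assessed | Where-Object Status -ne 'Pending')
$compliant = @($decided  | Where-Object Status -eq 'Compliant')
$pct = if ($decided.Count) { [math]::Round(100 * $compliant.Count / $decided.Count, 1) } else { 100 }

$assessed | Format-Table -AutoSize
'Within {0}-day SLA: {1}/{2} decided updates ({3}%); evidence target is >= 95%' -f $SlaDays, $compliant.Count, $decided.Count, $pct
# Every device with a breached update becomes a gap-register row; Severity tells you which rows are blockers.
$assessed | Where-Object Status -eq 'Breach' | Group-Object Device |
    ForEach-Object { 'Gap register: {0} ({1} breached update(s): {2})' -f $_.Name, $_.Count, ($_.Group.UpdateId -join ', ') }
```

On the sample data this reports 4 of 6 decided updates within SLA (66.7%), with LAPTOP-01 and LAPTOP-02 as gap-register rows and LAPTOP-04 still Pending because its deadline has not yet passed; a real export replaces the here-string with `Import-Csv` over the MDM or WSUS report, mapping the vendor's column names onto the five used here.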

## Notes for the requester

- **Do not submit with guessed answers.** IASME will fail you, and you'll have paid the application fee. Mark it as a gap instead.
- **BYOD phones are the single most common failure reason for CE.** Either bring them into MDM scope or explicitly exclude them in your scope statement (and then don't let them access corporate data).
- **Password rotation on a schedule is no longer good practice** per NCSC — rotate only on suspicion of compromise. CE accepts this; older policies sometimes still mandate rotation and cause confusion.
- **CE is a point-in-time snapshot.** Failing one control fails the whole submission. Worth an internal mock-audit two weeks before the real submission.
- **Good looks like:** you pass on first submission, your certificate arrives within a week, you get the free CE-backed cyber insurance (if under £20m turnover), and your client signs the supplier framework.

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
