Last updated 18 June 2026
The Cyber Essentials Firewall Questions, Explained in Plain English
Every firewall question in the Cyber Essentials self-assessment translated into plain English: what is being asked, what a defensible answer needs, and what evidence to keep.
The firewall section is where many Cyber Essentials self-assessments stall, not because the network is exotic, but because the questions use words nobody uses at work.
This article translates the section: what each firewall question is really asking, what a defensible answer looks like, and the evidence worth keeping.
First: what they mean by boundary firewall
Whatever sits between your network and the internet. In a small office, that is usually the router: the box your ISP supplied or your IT provider installed. If people work from home on company kit, the boundary travels with them: the software firewall built into their laptop becomes part of your answer.
Mostly cloud-based? The providers' controls plus your device firewalls do the job together.
Before answering anything, check your scope
The mistake that poisons the whole section is answering as if everyone sits in the office. If your scope includes remote workers, the office router does not protect them. If it includes cloud services, the box in the office is not the whole story.
Answer for everything in scope. The scope decision comes first for a reason.
The questions, translated
Do you have firewalls at the boundaries between your organisation's network and the internet? This is the router question. For home workers, the device's software firewall carries much of the answer.
Are software firewalls enabled on your computers and servers? Open the settings and look. Windows and macOS both have visible firewall settings. Check that the Windows firewall covers all profiles, not only the office network.
When you first received your router, did you change the default password? This means the admin password for the router's settings page, not the Wi-Fi password. Default credentials on boundary equipment are one of the fastest ways to fail.
How is your firewall password configured? Pick what is true: MFA, password length, or passwordless access where genuinely used. The honest answer that needs fixing beats the impressive answer that gets probed.
Do you change the password when you suspect compromise? This needs a who and a how, not just a yes.
Do you have a process to manage your firewall, and have you reviewed the rules in the last 12 months? A review can be one short meeting with your IT provider and a dated note. It just has to have happened.
Is your firewall configured to allow unauthenticated inbound connections? Inbound rules are doors you have deliberately opened: port forwarding for CCTV, an old remote desktop rule, or a NAS reachable from the internet. Every one needs a business reason, an owner, and a restriction.
Can the firewall be administered from the internet? If remote administration is off, say so. If it is on, it needs protection such as MFA or an IP allow-list.
Two traps
Home routers. An employee's own broadband router generally is not your organisational firewall. You did not supply it and cannot manage it. What you can evidence is the software firewall on the company laptop.
Consistency. If section A2 says ten remote workers, the firewall answers cannot read as if everyone is behind the office router. Assessors read the whole document.
The four pieces of evidence to keep
Keep a screenshot or export showing router admin users and defaults removed, the remote administration setting, a one-page register of inbound rules, and a dated note of the last rule review.
Never include the firewall password itself or a full configuration dump. Assessors want proof that you manage the thing, not the keys to it.
FAQ
- What is a boundary firewall in Cyber Essentials?
- It is the device or control between your network and the internet, typically the office router plus the built-in software firewalls on devices used away from the office.
- Do home workers need their routers assessed?
- Generally no. A personal broadband router is not usually organisational equipment. The company laptop used at home is in scope, and its software firewall is what you evidence.
- What inbound connections are acceptable?
- Acceptable inbound connections need a business reason, a named owner, and appropriate restrictions such as MFA or IP allow-listing where relevant.
RightCyber
Prepare the evidence behind the answers.
RightCyber walks the firewall section question by question, with evidence examples and a gap log in the local desktop workspace.
Last reviewed against official sources
Reviewed 18 June 2026 against current IASME, NCSC, or UK government sources. Official sources remain authoritative if requirements change.
RightCyber is an independent preparation tool and is not affiliated with or endorsed by IASME or the NCSC. This article is general guidance, not legal or professional advice.