
Business Critical Data Protection Guide

Last updated on Sep 23, 2025

1. Purpose of this Guide

This artefact proves that your organisation’s most valuable data — customer records, financial systems, intellectual property — is properly safeguarded. Cyber Essentials requires this because it’s not enough to know what critical data you have (that’s covered by your Inventory List); you must also show it’s protected by technical controls like encryption, access management, and secure backups.


2. What You Will Submit

You will need:

  • A screenshot showing protection measures applied to business-critical data.

  • Acceptable evidence sources include:

    • Encryption settings enabled (e.g. BitLocker, FileVault, AWS KMS).

    • Access controls (e.g. user permission matrix, restricted folders).

    • Backup protection (e.g. immutable backups, retention policies, MFA for restores).

  • The screenshot should show:

    • Service or system name.

    • Security control in action (enabled/active).

    • Timestamp or version (to prove recency).


3. How to Collect / Obtain / Generate This Evidence

Operating System Encryption:

  • Windows: Open Control Panel → BitLocker Drive Encryption → Screenshot showing BitLocker “On” for system drives.

  • macOS: Go to System Settings → Security & Privacy → FileVault → Screenshot showing FileVault “On.”

Cloud Storage (SharePoint / Google Drive):

  • SharePoint (Microsoft 365):

    1. Open the Microsoft 365 Security & Compliance Center.

    2. Go to Information Protection → Sensitivity Labels / Retention Policies.

    3. Screenshot showing that sensitive SharePoint sites are labelled as Confidential/Restricted and covered by retention/encryption policies.

    4. Alternatively, open a specific SharePoint site → Settings → Site Permissions and capture the restricted access list (only specific groups/users can access).

  • Google Drive (Google Workspace):

    1. Open the Google Admin Console.

    2. Navigate to Apps → Google Workspace → Drive and Docs → Sharing Settings.

    3. Screenshot showing restricted sharing settings (e.g. only internal users, restricted external sharing).

    4. For critical folders, open Google Drive → File/Folder → View details → Manage Access and screenshot the limited permissions (only authorised users, no public links).

Database Protection (e.g. MongoDB Atlas, AWS RDS):

  1. Open the database console.

  2. Navigate to Security → Encryption or Backups.

  3. Screenshot showing “Encryption at Rest” enabled and access restricted.

Backup Protection:

  • Microsoft 365: Open Compliance Center → Information Protection → Retention Policies → Screenshot showing critical data under retention lock.

  • Google Workspace: Use Vault (if licensed) → Screenshot showing retention rules applied to Drive content.


4. Evidence Format

  • Accepted file types: PNG, JPG, PDF.

  • Suggested naming format:
    YourCompanyName_DataProtection_YYYY-MM-DD.png
    Example: AcmeCorp_DataProtection_2025-07-01.png


5. What “Good” Looks Like

  • Control is enabled and visible (not just a greyed-out option).

  • Screenshot clearly shows encryption, access restriction, or backup immutability.

  • Includes timestamps, policy names, or system identifiers.

  • Demonstrates protection for critical, not just general, data.

Why it matters: auditors need to see more than a policy statement — they want real proof that security controls are switched on and active.


6. Tips

  • Redact sensitive names (e.g. database IDs, customer names) before uploading.

  • Pair multiple screenshots if needed (e.g. one showing encryption, one showing backup immutability).

  • Update your evidence at least annually — stale screenshots may be rejected.