Secure Configuration (Cloud, Mobile, IoT) Guide

Last updated on Sep 25, 2025

1. Purpose of this Guide

This artefact proves that your company has locked down the configuration of mobile devices, IoT equipment, and cloud systems. Cyber Essentials requires this because insecure defaults and weak settings are easy entry points for attackers. Showing secure configuration demonstrates that your devices and cloud services are hardened, monitored, and not left wide open.


2. What You Will Submit

You will need:

  • Screenshots from the following, depending on the scope of your certification:

    • Mobile device settings showing passcodes, auto-lock, and no jailbreak/root.

    • IoT management console showing a separated network and discovery features disabled.

    • Cloud platform console (e.g. AWS, Microsoft 365, Google Cloud) showing logging, monitoring, or compliance enabled.


3. How to Collect / Obtain / Generate This Evidence

Mobile Devices:

  • iOS: Settings → Face ID & Passcode → Screenshot showing passcode enabled and Auto-Lock ≤ 2 mins.

  • Android: Settings → Security → Screenshot showing Screen Lock enabled, Play Protect on, and apps only from Play Store.

IoT Devices (e.g. CCTV, printers, smart devices):

  1. Log into the IoT management page.

  2. Show network segmentation (IoT VLAN separate from business LAN).

  3. Disable auto-discovery and UPnP, then screenshot the configuration page.

Cloud Services:

  • AWS: Management Console → CloudTrail → Event history → Screenshot showing logging enabled.

  • Microsoft 365: Compliance Center → Audit Log Search → Screenshot showing audit logging on.

  • Google Cloud: Console → Logging → Logs Explorer → Screenshot of API activity logs enabled.


4. Evidence Format

  • Accepted file types: PNG, JPG, PDF.

  • Suggested naming format:
    YourCompanyName_SecureConfig_YYYY-MM-DD.png


5. What “Good” Looks Like

  • Screenshot shows specific security controls active (not greyed out).

  • Device or platform name visible (to prove authenticity).

  • Timestamp or version visible where possible.

  • Demonstrates security for the relevant environment (mobile, IoT, or cloud).

Why it matters: auditors want evidence that your company has hardened configurations across different platforms — not left them at risky defaults.


6. Tips

  • For mobile, avoid showing personal photos or sensitive data in screenshots.

  • For IoT, redact SSIDs or device IDs before uploading.

  • For cloud, pair the configuration screenshot with a log screenshot to show it’s working.