Home Compliance & Certification Unused Features Disabled Guide

Unused Features Disabled Guide

Last updated on Sep 25, 2025

1. Purpose of this Guide

This artefact proves your company trims away unnecessary system features that attackers could exploit. Cyber Essentials requires this because unused services are like forgotten side doors in a castle — easy for intruders to sneak through. Disabling them keeps your environment lean and secure.

2. What You Will Submit

You will need:

  • screenshot showing disabled features/services in your systems.

  • The screenshot should demonstrate:

    • The specific feature/service name.

    • Its disabled status.

    • The platform it applies to (Windows, macOS, cloud service, etc.).

3. How to Collect / Obtain / Generate This Evidence

Windows (example features):

  1. Open Control Panel → Programs → Turn Windows features on or off.

  2. Disable unneeded services (e.g., SMBv1, Telnet Client).

  3. Screenshot showing unchecked/disabled status.

Microsoft 365 / Office Apps:

  1. Open Office → Options → Trust Center → Macro Settings.

  2. Ensure “Disable all macros without notification” is selected.

  3. Screenshot this view.

macOS:

  1. Go to System Settings → Sharing.

  2. Disable unnecessary services (e.g., File Sharing, Printer Sharing, Remote Management if not needed).

  3. Screenshot the toggles OFF.

Cloud Platforms (AWS, Azure, GCP):

  • AWS Console: Show unused ports/protocols disabled in Security Groups.

  • Azure: Screenshot of disabled legacy authentication.

  • GCP: Show services/APIs disabled in IAM or API console.

4. Evidence Format

  • Accepted file types: PNG, JPG, PDF.

  • Suggested naming format:
    YourCompanyName_UnusedFeaturesDisabled_YYYY-MM-DD.png
    Example: AcmeCorp_UnusedFeaturesDisabled_2025-07-01.png

5. What “Good” Looks Like

  • Screenshot clearly shows the feature/service turned OFF.

  • Platform is identifiable (so it’s not a generic image).

  • Shows relevant security-related features, not just random system toggles.

Why it matters: auditors want evidence that you’ve actively slimmed down your systems to reduce risk, not left attack surfaces open by default.

6. Tips

  • Keep a list of which features/services are disabled across your environment.

  • Redact sensitive names (e.g., server names, internal IPs).

  • Pair this evidence with your Secure Configuration Screenshot to show a holistic hardening strategy.