
Compliance & Certification

Step-by-step instructions and resources to help you generate compliance evidence, prepare for audits, and meet regulatory requirements.
By Sir Stonk
66 articles

Access Request Process Guide

1. Purpose of this Guide

This artefact shows that your company has a clear and controlled way to grant, change, and revoke access to systems. Cyber Essentials (and most other standards) want proof that you don’t just hand out accounts like free samples at a mall — every access change is requested, approved, recorded, and revoked properly. This reduces the risk of ex-staff or unauthorised users slipping through the gates.

2. What You Will Submit

You will need:
- Your Access Request Process document (usually a short policy or procedure doc).
- It should outline the steps for:
  - Requesting new access or role changes
  - Getting approval
  - Recording the change
  - Revoking access when no longer needed
- (Optional) A short description, e.g. “This is our company’s official access request procedure, last updated 1 Jul 2025.”

3. How to Collect / Obtain / Generate This Evidence

- Use StrongKeep's provided template, which can be found in the document library.
- If you don’t have one yet or want to create your own template:
  1. Draft a simple 1–2 page document.
  2. Include the four key stages: Request → Approval → Recording → Revocation.
  3. Make sure to state who is responsible at each stage (manager, approving authority, IT).

4. Evidence Format

- Accepted file types: PDF, DOCX, or JPG/PNG screenshot (if your process is in a tool).
- Suggested naming format: YourCompanyName_AccessRequestProcess_YYYY-MM-DD.pdf

5. What “Good” Looks Like

A strong submission will show:
- Clear steps for requesting, approving, recording, and revoking access.
- Defined roles (e.g. “Manager requests, HR approves, IT updates inventory”).
- Specific details captured (staff name, department, system, role, dates).
- Revocation process (important! shows that accounts don’t stay open forever).

Why this matters: Auditors want to see that your process isn’t just “ask IT nicely.” It proves you’ve thought about who should have access — and who shouldn’t.

6. Tips

- Keep it short and readable — one or two pages is plenty.
- Redact personal details if you use a real example (e.g. don’t show actual staff names).

Last updated on Sep 23, 2025

Account Inventory List Guide

1. Purpose of this Guide

This artefact proves that your company keeps track of all user accounts across systems. This is vital because it shows you know:
- Who has access,
- What level of access they have, and
- Whether their account is still active or should be closed.

It’s your master roll call of accounts — making sure no “ghost logins” sneak past your defences.

2. What You Will Submit

You will need:
- An Account Inventory List document or spreadsheet. This should include:
  - Name and username of the account holder
  - Department / role
  - Role or account type (e.g. user, admin, read-only)
  - System accessed
  - Approved by (who authorised the account)
  - Date of account creation
  - Last logon date
  - Current account status (active, disabled, etc.)
  - Remarks if relevant (e.g. “required for role,” “temporary account,” etc.)

3. How to Collect / Obtain / Generate This Evidence

- Use StrongKeep's template, which can be found in the document library.
- List each system your staff use (email, HR, cloud tools, developer platforms, etc.).
- Record the required fields for each account, where possible.
- Keep this updated — add new hires, remove leavers.
- Export or save a copy (XLSX or PDF).
- If you use an IT management tool (e.g. Microsoft 365 Admin Center, Google Workspace Admin Console, AWS IAM, Atlassian, GitLab), you can export a list of users and roles, then combine these into a single master file.
- If you don’t yet have a consolidated list:
  1. Create a new spreadsheet.
  2. List each system your staff use (email, HR, cloud tools, developer platforms, etc.).
  3. Record the required fields for each account as listed above.
  4. Keep this updated — add new hires, remove leavers.

4. Evidence Format

- Accepted file types: XLSX, CSV, or PDF.
- Suggested naming format: YourCompanyName_AccountInventoryList_YYYY-MM-DD.xlsx

5. What “Good” Looks Like

A strong submission will show:
- Comprehensive coverage (all systems and accounts, not just email).
- Up-to-date logon dates — proves accounts are actively reviewed.
- Clear status (active, disabled, revoked) so auditors see you manage leavers.
- Approval trail — someone authorised each account.

Why this matters: Auditors want assurance that accounts aren’t created ad hoc, and that dormant or risky accounts don’t linger.

6. Tips

- Update your inventory at least quarterly — stale records weaken your evidence.
- Shared accounts (e.g. admin@company.com) should be minimised and well justified — note why they exist.
- Redact sensitive notes before uploading (e.g. internal comments that don’t add value to the evidence).
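As an added example (not StrongKeep's template and not any vendor's real export format), the script below merges per-system user exports into the master inventory fields listed above and flags the rows a quarterly review should look at first: accounts with no recorded approver, accounts with no logon in the review window, and privileged roles. The export column names, the sample rows and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Consolidate per-system user exports into one Account Inventory List and
flag rows that need review (no recorded approver, dormant logon, privileged role).
Added example: the exports below are constructed samples, not real vendor formats."""
import csv
import io
from datetime import date, datetime

# Master inventory columns, following the fields the guide asks for.
INVENTORY_FIELDS = ["name", "username", "department", "role", "system",
                    "approved_by", "created", "last_logon", "status", "remarks"]

DORMANT_AFTER_DAYS = 90  # assumption: a review threshold, not a figure from any standard
ADMIN_ROLES = {"global administrator", "administratoraccess", "admin"}

# Constructed sample exports. Column names are assumptions standing in for
# whatever your admin console actually exports.
M365_EXPORT = """display_name,user_principal_name,department,role,created,last_sign_in,enabled,approved_by
Alice Example,alice@example.com,Finance,User,2024-02-01,2025-09-20,True,J. Manager
Bob Example,bob@example.com,Engineering,Global Administrator,2023-11-15,2025-03-02,True,
"""
AWS_EXPORT = """user,group,create_date,password_last_used,status,approved_by
alice,ReadOnly,2024-03-10,2025-09-18,Active,J. Manager
deploy-bot,AdministratorAccess,2022-06-01,2024-01-05,Inactive,C. Lead
"""


def _parse_date(text):
    """ISO date string -> date, or None when the export left the field blank."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def normalise_m365(csv_text):
    """Map a (constructed) Microsoft 365 user export onto the inventory fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "name": r["display_name"], "username": r["user_principal_name"],
            "department": r["department"], "role": r["role"], "system": "Microsoft 365",
            "approved_by": r["approved_by"], "created": _parse_date(r["created"]),
            "last_logon": _parse_date(r["last_sign_in"]),
            "status": "active" if r["enabled"] == "True" else "disabled", "remarks": "",
        })
    return rows


def normalise_aws(csv_text):
    """Map a (constructed) AWS IAM user export onto the inventory fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "name": r["user"], "username": r["user"], "department": "",
            "role": r["group"], "system": "AWS IAM", "approved_by": r["approved_by"],
            "created": _parse_date(r["create_date"]),
            "last_logon": _parse_date(r["password_last_used"]),
            "status": "active" if r["status"] == "Active" else "disabled", "remarks": "",
        })
    return rows


def build_inventory(*exports):
    """Merge normalised exports into one list, ordered by system then username."""
    rows = [row for export in exports for row in export]
    return sorted(rows, key=lambda r: (r["system"], r["username"]))


def review_inventory(inventory, today_iso):
    """Return (username, system, finding) tuples an auditor would ask about."""
    today = _parse_date(today_iso)
    findings = []
    for r in inventory:
        key = (r["username"], r["system"])
        if not r["approved_by"]:
            findings.append(key + ("no approval recorded",))
        if r["last_logon"] is None or (today - r["last_logon"]).days > DORMANT_AFTER_DAYS:
            findings.append(key + ("dormant: no logon in %d days" % DORMANT_AFTER_DAYS,))
        if r["role"].lower() in ADMIN_ROLES:
            findings.append(key + ("privileged role: confirm still required",))
    return findings


def inventory_csv(inventory):
    """Serialise the master list in the guide's column order, ready to save as CSV/XLSX."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=INVENTORY_FIELDS)
    writer.writeheader()
    for r in inventory:
        writer.writerow({k: (v.isoformat() if isinstance(v, date) else v) for k, v in r.items()})
    return buf.getvalue()


if __name__ == "__main__":
    inventory = build_inventory(normalise_m365(M365_EXPORT), normalise_aws(AWS_EXPORT))
    print(inventory_csv(inventory))
    for finding in review_inventory(inventory, "2025-10-06"):
        print(finding)
```

Replace the two constructed exports with your real admin-console exports (adjusting the column mapping in each normalise function) and keep the review output alongside the inventory as the record of who checked it and when.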

Last updated on Oct 06, 2025

Admin Account Screenshot Guide

1. Purpose of this Guide

This artefact proves that admin rights aren’t handed out like free samples. It shows that any administrator account access was:
- Properly requested,
- Approved by senior management, and
- Documented with oversight.

Admin accounts are the “master keys” of your systems — if they fall into the wrong hands, dragons get in.

2. What You Will Submit

You will need:
- A screenshot that shows administrator account approval.
- The screenshot must clearly display:
  - The admin account being created/assigned.
  - The approval or authorisation trail (e.g. manager approval, ticket approval, or workflow confirmation).
  - Context that ties the account to a legitimate business purpose.

3. How to Collect / Obtain / Generate This Evidence

Here are some common ways to capture the right screenshot:

Microsoft 365 / Azure AD (Entra):
1. Go to Microsoft Entra Admin Center → Users.
2. Select the user → check Roles and administrators.
3. Screenshot the page showing the Global admin / privileged role assignment.
4. If approval was logged in your ticketing/email system (e.g. ServiceNow, Jira, Outlook), screenshot the approval note or email.

Google Workspace:
1. Log into Google Admin Console → Directory → Users.
2. Select the user → open Admin roles and privileges.
3. Screenshot the role assignment with timestamp.
4. If approval was logged in your ticketing/email system (e.g. ServiceNow, Jira, Outlook), screenshot the approval note or email.

AWS IAM:
1. Log into AWS Console → IAM → Users.
2. Select a user with AdministratorAccess policy.
3. Screenshot the attached policy and creation/modification date.
4. If approval was logged in your ticketing/email system (e.g. ServiceNow, Jira, Outlook), screenshot the approval note or email.

Other systems (Atlassian, GitLab, etc.):
- Go into the system’s user management / role assignment screen.
- Take a screenshot showing admin rights and approval/authorisation notes.

4. Evidence Format

- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_AdminAccountApproval_YYYY-MM-DD.png
  Example: AcmeCorp_AdminAccountApproval_2025-07-01.png

5. What “Good” Looks Like

A strong submission will include:
- The specific admin account (username visible).
- The system or tool (e.g. Microsoft 365, AWS, Atlassian).
- Proof of approval (manager or senior-level authorisation).
- A date/timestamp to show recency.

Why this matters: Auditors want to see that admin rights weren’t just quietly granted by IT — but signed off at the right level.

6. Tips

- Redact sensitive info before uploading (e.g. personal email addresses, full internal ticket numbers).
- Pair the screenshot with an approval note or workflow log if the system doesn’t show approval inline.
- Keep screenshots recent (within the audit cycle) to prove the process is active, not just historic.

Last updated on Sep 23, 2025

Antivirus Agent Logs Guide

1. Purpose of this Guide

This artefact proves that all your company’s devices are actively protected by anti-virus or endpoint detection and response (EDR) software. Cyber Essentials demands proof that:
- Anti-malware tools are installed on every endpoint.
- Agents are deployed and reporting in.
- Connection status and updates are monitored.

Think of it as your “shield wall” — showing no device is left exposed.

2. What You Will Submit

You will need:
- A screenshot from your anti-virus / EDR system showing:
  - A list of protected devices (endpoint inventory).
  - Their status (active, installed, connected, last check-in).
  - Agent version or update status.
- Examples of suitable systems: Palo Alto Cortex XDR, Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, Sophos Central, Kaspersky, Avast Business.

3. How to Collect / Obtain / Generate This Evidence

Palo Alto Cortex XDR (bundled with StrongKeep):
1. Navigate to PROTECTION > ENDPOINTS in your StrongKeep dashboard.
2. Capture a screenshot showing:
   - Endpoint names, timestamps, and policy actions.
   - Status (Success, Informational, High severity alerts).
   - Agent version.

Microsoft Defender for Endpoint (included with Microsoft 365 Business Premium):
1. Go to the Microsoft 365 Security & Compliance Center → Endpoints → Device inventory.
2. Filter the view to show all registered devices.
3. Capture a screenshot that includes:
   - Device names (showing multiple endpoints)
   - Antivirus/EDR status (Active, Healthy, Not reporting)
   - Last seen or last update time
   - Agent version (if visible)

Sophos Central:
1. Log in to the Sophos Central Admin Console.
2. Navigate to Devices.
3. Take a screenshot showing:
   - Device list with user/hostname
   - Protection status (green ticks for healthy devices)
   - Last check-in time
   - Policy compliance status (enabled, disabled, out of date)

CrowdStrike Falcon:
1. Log in to the CrowdStrike Falcon Console.
2. Go to Host Management → Host setup.
3. Screenshot the table that shows:
   - Hostname / user
   - Sensor version
   - Last seen timestamp
   - Connection status (Online, Offline)

4. Evidence Format

- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_AntivirusAgentLogs_YYYY-MM-DD.png

5. What “Good” Looks Like

- Visible endpoint names (shows coverage across multiple devices).
- Agent status (installed, active, last logon, last update).
- Version number or timestamp (to prove agents are current).
- Clear evidence of monitoring/alerts (audit logs or dashboards).

Why this matters: auditors want to see that you’re not just relying on “we think it’s installed” — but that there’s proof in the logs.

6. Tips

- Redact sensitive details (e.g. usernames, hostnames) if needed.
- Make sure the screenshot is recent — ideally within the last 3 months.
- Capture enough rows/devices to show broad coverage, not just one machine.

Last updated on Sep 22, 2025

Antivirus Screenshot Guide

1. Purpose of this Guide

This artefact shows that endpoints are actively protected by anti-virus (also known as anti-malware or Endpoint Detection & Response). Most compliance standards require evidence that:
- Anti-malware tools are installed and running,
- Agents are deployed across company devices, and
- Status is visible and monitored.

It’s your digital health check — proving your systems are protected, connected, and up to date.

2. What You Will Submit

You will need:
- A screenshot from your anti-virus or endpoint protection system showing:
  - Device/endpoint coverage (inventory list).
  - Protection status (Protected, Active, Connected).
  - Agent version installed.
  - Last check-in time (to prove recency).

3. How to Collect / Obtain / Generate This Evidence

Using StrongKeep:
1. Navigate to PROTECTION > ENDPOINTS > MANAGEMENT on the StrongKeep dashboard.
2. Generate a report or take a screenshot of the page.

Palo Alto Cortex XDR:
1. Open the Cortex XDR agent on the endpoint.
2. Ensure the status shows “Protected”, version number, and last check-in.
3. Capture a screenshot of this view.

Microsoft Defender for Endpoint:
1. Go to the Microsoft 365 Security Portal → Endpoints → Device inventory.
2. Show the list of devices with status “Active/Healthy.”
3. Take a screenshot including device names, status, and last seen.

Sophos Central:
1. Log in to the Sophos Central Admin Console.
2. Go to Devices and view the device list.
3. Screenshot showing user/device name, protection status (green tick), and last check-in.

CrowdStrike Falcon:
1. Log into the CrowdStrike Falcon Console.
2. Go to Hosts → Host Management.
3. Screenshot showing hostnames, sensor version, last seen, and protection state.

4. Evidence Format

- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_AntivirusScreenshot_YYYY-MM-DD.png

5. What “Good” Looks Like

- Screenshot clearly shows “Protected/Active” status.
- Version number and last check-in time visible.
- Covers multiple endpoints (not just one, if possible).
- Demonstrates the tool is running and current.

Why it matters: auditors want more than “we installed AV once” — they need proof it’s live, monitored, and protecting your company right now.

6. Tips

- Make sure the screenshot is recent (within 3 months).
- Redact sensitive hostnames or emails before uploading.
- If you use multiple tools (e.g. Defender + Cortex XDR), pick one as your primary screenshot for clarity.

Last updated on Sep 23, 2025

Application Control List Guide

1. Purpose of this Guide

This artefact proves your company has rules about what software and file types are allowed (and which are banned). Cyber Essentials requires this because unmanaged or dodgy apps are a common way malware sneaks in. A written Application Control List is your “spellbook of allowed tools” — helping staff know what’s safe, and showing auditors you’ve locked the gates.

2. What You Will Submit

You will need:
- Your Application Control List document or template (Word, PDF, or spreadsheet).
- It should clearly state:
  - The objective (why this policy exists).
  - Scope (who it applies to — employees, contractors, systems).
  - How authorised software is managed (e.g. via IT, MDM, or endpoint tools).
  - Which software and file types are prohibited (e.g. torrents, pirated software, .exe attachments, password-protected zips).
  - Version history showing reviews/updates.

3. How to Collect / Obtain / Generate This Evidence

Using StrongKeep's Policy Template:
- If you are already using StrongKeep's application control policy, edit it as required and export it to PDF.
- If you’re starting fresh:
  1. Open the provided Application Control List Template.
  2. Fill in your company name, version history, and review date.
  3. List approved/authorised software (or state “all not-prohibited software is allowed”).
  4. List prohibited software and file types — include common risky items (torrents, pirated apps, third-party app stores, executable attachments).
  5. Save the document and circulate to staff.

Using Mobile Device Management Software:
If you are using Mobile or Endpoint Device Management software to standardise controls and configuration across your organisation, you can implement an application control policy via that tool.

Microsoft Intune (Endpoint Manager):
1. Log in to Microsoft Endpoint Manager admin center.
2. Go to Apps → App protection policies.
3. Open the relevant policy → Screenshot the section showing restricted apps or allowed apps.

Google Endpoint Management:
1. Open Google Admin Console → Devices → Settings → Apps & Extensions.
2. Select the organisational unit.
3. Screenshot the policies showing which apps are allowed or blocked.

4. Evidence Format

- Accepted file types: PNG, JPG, DOCX, PDF, XLSX.
- Suggested naming format: YourCompanyName_ApplicationControlList_YYYY-MM-DD.pdf

5. What “Good” Looks Like

- Document is clear and specific — not vague statements like “don’t install bad software.”
- Includes both authorised and prohibited categories.
- Version and review dates are present — shows it’s maintained, not abandoned.
- Covers both software and attachments/file types.

Why this matters: auditors want to see not just that you thought about risky apps, but that you’ve formally documented and communicated it.

6. Tips

- Keep the prohibited list practical — too many entries make it unreadable.
- Update this document at least annually or when new risks arise.
- Pair it with your Endpoint/MDM settings if you use them — consistency matters.

Last updated on Sep 23, 2025

Asset Inventory List Guide

1. Purpose of this Guide

This artefact shows your company has a complete and accurate inventory of IT assets — devices, systems, and accounts. Most cyber compliance standards require this because you can’t secure what you don’t know exists. An Asset Inventory makes sure no laptops, servers, or cloud accounts slip under the radar.

2. What You Will Submit

You will need:
- Your Asset Inventory List document or spreadsheet.
- It should capture details such as:
  - Asset name (device, account, or system).
  - Owner/assigned user.
  - Department / role.
  - Asset type (laptop, phone, server, software licence, cloud account).
  - System or service linked to the asset.
  - Approval / assigned by.
  - Date created or assigned.
  - Last used / last logon date.
  - Status (active, inactive, decommissioned).
  - Remarks (e.g. “required for role,” “shared account,” “spare laptop”).

3. How to Collect / Obtain / Generate This Evidence

- If you already track assets using a tool:
  - Export your inventory from your IT management system (e.g. Intune, Jamf, Google Admin, AWS Console) into Excel/PDF.
- If you wish to track assets using a template:
  1. Use the StrongKeep template, or create a new spreadsheet.
  2. List all devices (laptops, desktops, servers, mobile phones, tablets).
  3. Add all cloud systems or major SaaS accounts (e.g. Microsoft 365, Google Workspace, AWS, GitHub).
  4. Fill in the key details listed above.
  5. Update the file regularly — especially when new assets are bought or staff leave.

4. Evidence Format

- Accepted file types: XLSX, CSV, or PDF.
- Suggested naming format: YourCompanyName_AssetInventory_YYYY-MM-DD.xlsx

5. What “Good” Looks Like

- Covers all major asset categories (devices, software, cloud).
- Shows ownership/accountability (each asset tied to a person/role).
- Status field clearly marks assets as active/inactive/retired.
- Regularly updated with last activity dates (not just a one-off snapshot).

Why it matters: auditors want confidence you know exactly what tech you own and use — no forgotten laptops or abandoned accounts floating about.

6. Tips

- Keep shared assets to a minimum and note the justification.
- Tag decommissioned assets clearly — don’t just delete them.
- Review your inventory quarterly to keep it sharp and up to date.

Last updated on Sep 23, 2025

Asset Onboarding and Removal Process Guide

1. Purpose of this Guide

This artefact demonstrates that your company has a formal process for introducing and retiring IT assets. Compliance standards require this because assets (like laptops, servers, or phones) need to be approved, tracked, and securely removed — not left floating around where they could pose a risk.

2. What You Will Submit

You will need:
- Your documented Asset Onboarding and Removal Process (policy or procedure).
- It should cover:
  - How new assets (e.g. laptops, phones, software licences) are requested and approved.
  - How asset details are recorded (e.g. make, model, serial number, assigned owner).
  - The authorisation workflow (who signs off).
  - How decommissioned assets are securely removed (data wiped, hardware recycled, accounts closed).
  - Example forms or emails showing real approvals.

3. How to Collect / Obtain / Generate This Evidence

- If you already maintain this process:
  - Export the policy/procedure to PDF or Word.
  - Include references to the forms/templates you use (e.g. onboarding authorisation forms, removal checklists).
- If you don’t have one yet:
  1. Start with the Asset Onboarding and Removal Process Template provided in StrongKeep.
  2. Document the steps for:
     - Onboarding: request → approval → record entry in asset inventory.
     - During lifecycle: periodic review of ownership and use.
     - Removal: manager request → approval → data sanitisation/disposal → update inventory.
  3. Attach or reference samples of the actual approvals (like a signed authorisation form or an email approval screenshot) to show the workflow in action.
  4. Save the document in PDF/DOCX format.

4. Evidence Format

- Accepted file types: DOCX, PDF, JPG.
- Suggested naming format: YourCompanyName_AssetOnboardingRemovalProcess_YYYY-MM-DD.pdf

5. What “Good” Looks Like

- Clearly written steps for both onboarding and removal.
- Defined approval roles (e.g. Product Manager, CEO, IT Manager).
- Integration with your Asset Inventory List (so assets aren’t tracked in isolation).
- Secure removal procedures (data wiping, hardware disposal, account deactivation).

Why this matters: auditors want confidence that assets don’t just appear or disappear without oversight, creating gaps in security.

6. Tips

- Include a form or checklist for both onboarding and removal — auditors love seeing evidence of real approvals.
- If you outsource disposal (e.g. to an e-waste vendor), keep the disposal certificates.
- Review the process yearly to make sure it reflects your current IT setup.

Last updated on Sep 23, 2025

Auto Software Updates Screenshot Guide

1. Purpose of this Guide

This artefact demonstrates that your company’s devices are set to automatically install security updates, patches, and fixes. Cyber compliance requires this because attackers often exploit unpatched systems — turning “patch later” into “breach now.” Automatic updates are your armour polish: they keep your systems shining and secure without relying on memory or manual effort.

2. What You Will Submit

You will need:
- A screenshot showing automatic update settings enabled.
- This must clearly display:
  - The operating system (Windows, macOS, Linux).
  - That automatic updates are turned on.
  - (If possible) Confirmation that app and anti-malware updates are also enabled.

3. How to Collect / Obtain / Generate This Evidence

macOS:
1. Open System Settings → General → Software Update.
2. Ensure Automatic Updates is enabled (OS updates + security responses).
3. Screenshot this settings page.

Windows 10/11:
1. Go to Settings → Update & Security → Windows Update.
2. Ensure “Receive updates automatically” or “Check for updates → Advanced Options” is set to automatic.
3. Take a screenshot showing the toggle enabled.

Linux (Ubuntu example):
1. Open Software & Updates → Updates tab.
2. Ensure Automatic updates and security patches are enabled.
3. Capture a screenshot of the settings.

Anti-malware / Endpoint Protection (e.g., Microsoft Defender, Sophos, CrowdStrike):
- Go to update or policy settings.
- Screenshot showing auto-updates for virus signatures and security definitions.

4. Evidence Format

- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_AutoUpdates_YYYY-MM-DD.png

5. What “Good” Looks Like

- Screenshot shows auto-updates enabled, not manual only.
- Covers OS and security patches (not just optional feature updates).
- Settings are clearly labelled so auditors know the screenshot is genuine.

Why it matters: auditors want to see your machines won’t miss critical security patches if someone forgets to click “Update now.”

6. Tips

- Capture the setting from a real, in-use device.
- Redact personal info (like user account names) if it appears.
- For best coverage, include both OS and anti-malware auto-update screenshots.

Last updated on Sep 23, 2025

Autorun Disabled Configuration Guide

1. Purpose of this Guide

This artefact shows that your company has disabled autorun and auto-launch features on devices. Cyber compliance requires this because malware often relies on auto-execution (e.g. USB autorun, startup scripts) to sneak in. By turning this off, you close a common attack path and prove your devices are hardened.

2. What You Will Submit

You will need:
- A screenshot from your device settings showing autorun or startup programs disabled.
- This should clearly show:
  - No items set to auto-launch at login/startup, OR
  - A system control panel / configuration window confirming autorun is blocked.

3. How to Collect / Obtain / Generate This Evidence

macOS:
1. Open System Settings → General → Login Items & Extensions.
2. Confirm the list is empty (or shows only security-critical apps).
3. Take a screenshot of the panel.

Windows 10/11:
1. Press Ctrl + Shift + Esc to open Task Manager.
2. Go to the Startup tab.
3. Ensure non-essential apps are disabled (status shows “Disabled”).
4. Take a screenshot showing the list.

Linux (Ubuntu example):
1. Open Startup Applications (from Activities search).
2. Ensure no risky/unnecessary programs are set to auto-start.
3. Take a screenshot of the empty or minimal list.

MDM / Centralised Management (Intune, Jamf, Workspace ONE):
- Navigate to device configuration profiles.
- Show the policy that enforces “disable autorun” or controls startup apps.
- Capture a screenshot of the applied policy.

4. Evidence Format

- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_AutorunDisabled_YYYY-MM-DD.png

5. What “Good” Looks Like

- Screenshot clearly shows no unnecessary startup apps.
- If a startup app is present, it must be business-critical (e.g. antivirus, backup agent).
- Settings panel is labelled (so auditors can see it’s from the system itself).

Why it matters: auditors want assurance that malware or unauthorised apps can’t sneak in through auto-run.

6. Tips

- Redact usernames if they appear in the screenshot.
- For Windows, disable “OneDrive auto-launch” if not required — auditors often check this.
- Take the screenshot from a real, actively used device — not just a test VM.

Last updated on Sep 23, 2025

Backup Automation Guide

1. Purpose of this Guide

This artefact demonstrates that your company has automated backup schedules in place, even for non-critical systems. Compliance auditors want to see that data protection isn’t left to chance — backups are configured, running regularly, and not just manually triggered when someone remembers.

2. What You Will Submit

You will need:
- A screenshot from your backup solution showing:
  - The system or dataset being backed up.
  - The backup frequency (e.g. daily, weekly, monthly).
  - The schedule or automation settings.
  - (Optional but strong) recent backup job completion status.

3. How to Collect / Obtain / Generate This Evidence

Microsoft 365 / OneDrive / SharePoint:
1. Go to the Microsoft 365 Admin Center.
2. Under Settings → Security & Privacy → Backup, review configured backup policies.
3. Screenshot the page showing backup automation (frequency, retention).

Google Workspace:
1. Open the Google Admin Console.
2. Navigate to Apps → Google Workspace → Drive and Docs → Backup & Retention.
3. Screenshot the settings showing automatic backups or retention rules.

AWS Backup (for EC2, RDS, DynamoDB, etc.):
1. Log in to the AWS Console.
2. Open AWS Backup → Backup Plans.
3. Select the relevant plan and screenshot the schedule (frequency, backup vault, lifecycle).

Other popular SMB backup solutions:
- Acronis Cyber Protect: Go to Backup Plans → Screenshot the schedule and status.
- Veeam Backup & Replication: Open the console → Jobs → Backup Job Properties → Screenshot the schedule tab.
- Datto / MSP solutions: Navigate to Backup Management → Device Settings → Capture automation schedule.

4. Evidence Format

- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_BackupAutomation_YYYY-MM-DD.png

5. What “Good” Looks Like

- Screenshot shows automation clearly configured (not just a manual backup).
- System or dataset identified (so it’s clear what’s being backed up).
- Frequency visible (daily, weekly, monthly).
- Timestamp or last run info (to prove the schedule is active).

Why it matters: auditors want to see that backups are happening by design, not by accident.

6. Tips

- Avoid screenshots of blank or inactive schedules — that will be flagged as insufficient.
- Show at least one completed job in the logs if possible, to prove it’s not theoretical.
- Redact sensitive system names if needed before uploading.

Last updated on Sep 22, 2025

Business Critical Data Inventory List Guide

1. Purpose of this Guide

This artefact proves that your company has identified and catalogued its most valuable data — the crown jewels. Cyber Essentials requires this because without knowing what your critical data is, you can’t protect it. An inventory ensures sensitive data is properly safeguarded, backed up, and only accessible to those who need it.

2. What You Will Submit

You will need:
- Your Business-Critical Data Inventory List document or spreadsheet.
- It should include:
  - Data type/category (e.g. customer PII, financial records, health data, intellectual property).
  - Location (where it’s stored — e.g. local server, AWS S3, M365 SharePoint).
  - Data owner (department or role responsible).
  - Sensitivity/criticality rating (e.g. High/Medium/Low).
  - Access permissions (who can view/edit).
  - Backup method/frequency.
  - Retention or disposal schedule.

3. How to Collect / Obtain / Generate This Evidence

- If you already manage a data register:
  - Export your document into XLSX or PDF.
  - Ensure it includes both business value and security handling details.
- If starting from scratch:
  1. Use the Business Critical Data Inventory List Template from StrongKeep.
  2. List each category of business-critical data (start with customer, financial, HR, legal/compliance).
  3. For each, capture its location, owner, access rights, backup method, and retention period.
  4. Review the list quarterly and after major business/IT changes.

4. Evidence Format

- Accepted file types: XLSX, CSV, PDF.
- Suggested naming format: YourCompanyName_DataInventory_YYYY-MM-DD.xlsx

5. What “Good” Looks Like

- Covers all major categories of business-critical data.
- Assigns owners and responsibilities (no orphaned data).
- Shows security controls (restricted access, backups, retention).
- Updated regularly, not a one-time snapshot.

Why it matters: auditors want to see that you know where sensitive data lives, who touches it, and how it’s protected.

6. Tips

- Use consistent sensitivity labels (e.g. Confidential / Restricted / Public).
- Cross-reference this inventory with your backup records and asset inventory.
- If outsourcing storage (e.g. cloud), make sure the service and backup responsibilities are clearly noted.

Last updated on Sep 23, 2025

Business Critical Data Protection Guide

1. Purpose of this Guide

This artefact proves that your organisation’s most valuable data — customer records, financial systems, intellectual property — is properly safeguarded. Cyber Essentials requires this because it’s not enough to know what critical data you have (that’s covered by your Inventory List); you must also show it’s protected by technical controls like encryption, access management, and secure backups.

2. What You Will Submit

You will need:
- A screenshot showing protection measures applied to business-critical data.
- Acceptable evidence sources include:
  - Encryption settings enabled (e.g. BitLocker, FileVault, AWS KMS).
  - Access controls (e.g. user permission matrix, restricted folders).
  - Backup protection (e.g. immutable backups, retention policies, MFA for restores).
- The screenshot should show:
  - Service or system name.
  - Security control in action (enabled/active).
  - Timestamp or version (to prove recency).

3. How to Collect / Obtain / Generate This Evidence

Operating System Encryption:
- Windows: Open Control Panel → BitLocker Drive Encryption → Screenshot showing BitLocker “On” for system drives.
- macOS: Go to System Settings → Security & Privacy → FileVault → Screenshot showing FileVault “On.”

Cloud Storage (SharePoint / Google Drive):
- SharePoint (Microsoft 365):
  1. Open the Microsoft 365 Security & Compliance Center.
  2. Go to Information Protection → Sensitivity Labels / Retention Policies.
  3. Screenshot showing that sensitive SharePoint sites are labelled as Confidential/Restricted and covered by retention/encryption policies.
  4. Alternatively, open a specific SharePoint site → Settings → Site Permissions and capture the restricted access list (only specific groups/users can access).
- Google Drive (Google Workspace):
  1. Open the Google Admin Console.
  2. Navigate to Apps → Google Workspace → Drive and Docs → Sharing Settings.
  3. Screenshot showing restricted sharing settings (e.g. only internal users, restricted external sharing).
  4. For critical folders, open Google Drive → File/Folder → View details → Manage Access and screenshot the limited permissions (only authorised users, no public links).

Database Protection (e.g. MongoDB Atlas, AWS RDS):
1. Open the database console.
2. Navigate to Security → Encryption or Backups.
3. Screenshot showing “Encryption at Rest” enabled and access restricted.

Backup Protection:
- Microsoft 365: Open Compliance Center → Information Protection → Retention Policies → Screenshot showing critical data under retention lock.
- Google Workspace: Use Vault (if licensed) → Screenshot showing retention rules applied to Drive content.

4. Evidence Format

- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_DataProtection_YYYY-MM-DD.png
  Example: AcmeCorp_DataProtection_2025-07-01.png

5. What “Good” Looks Like

- Control is enabled and visible (not just a greyed-out option).
- Screenshot clearly shows encryption, access restriction, or backup immutability.
- Includes timestamps, policy names, or system identifiers.
- Demonstrates protection for critical, not just general, data.

Why it matters: auditors need to see more than a policy statement — they want real proof that security controls are switched on and active.

6. Tips

- Redact sensitive names (e.g. database IDs, customer names) before uploading.
- Pair multiple screenshots if needed (e.g. one showing encryption, one showing backup immutability).
- Update your evidence at least annually — stale screenshots may be rejected.

Last updated on Sep 23, 2025

Cloud Backup Service Guide

1. Purpose of this Guide

This artefact shows that your company is using cloud provider backup services to protect data. Cyber Essentials requires this because relying on the cloud alone is not enough — you must prove backups are configured, running, and monitored. This evidence demonstrates that data stored in SaaS, PaaS, or cloud systems is recoverable in case of failure, corruption, or cyberattack.

2. What You Will Submit

You will need:
- A screenshot from your cloud provider’s backup or version control feature.
- Acceptable sources include:
  - Database snapshots (e.g. MongoDB Atlas, AWS RDS).
  - File storage version history (e.g. SharePoint, Google Drive, Dropbox).
  - Source code repository history (e.g. GitLab, GitHub).
- Screenshot should clearly show:
  - Service name and environment (e.g. “MongoDB Atlas → Backups”).
  - Backup schedule or snapshot list (timestamps, frequency).
  - Retention policy (e.g. 7 days, 30 days).

3. How to Collect / Obtain / Generate This Evidence

SharePoint / OneDrive (File storage):
1. Navigate to a critical document in SharePoint.
2. Open Version history.
3. Screenshot showing multiple saved versions with dates, sizes, and user IDs.

Google Workspace / Drive:
1. Right-click on a business-critical file → choose Version history.
2. Screenshot with dates and editors displayed.

GitLab / GitHub (Code repositories):
1. Open your repository → Commits page.
2. Screenshot the commit log showing date, author, and version history.

AWS Backup / RDS / S3:
1. In AWS Console, go to AWS Backup.
2. Open your Backup Plans or Vaults.
3. Screenshot showing policy schedule and completed backup jobs.

MongoDB Atlas (Database backups):
1. Log in to MongoDB Atlas Console.
2. Select the cluster → open Backups tab.
3. Screenshot showing snapshot schedule and retention (e.g. daily/hourly).

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_CloudBackupService_YYYY-MM-DD.png

5. What “Good” Looks Like
- Screenshot shows real, configured backups — not just a blank page.
- Includes timestamps and frequency/retention details.
- Identifies the cloud service name (e.g. AWS, MongoDB, SharePoint).
- Shows multiple entries/versions to prove continuity.

Why it matters: auditors want to confirm that cloud-stored data isn’t just “assumed safe,” but actively protected by provider tools with your oversight.

6. Tips
- Always redact sensitive project or database names before uploading.
- Pair multiple screenshots if needed (e.g. one from DB, one from SaaS).
- Review provider SLAs — some cloud services don’t back up by default.

Last updated on Sep 23, 2025

Cloud Logging Guide

1. Purpose of this Guide

This screenshot demonstrates that your organisation enables and retains logging of system activities on cloud platforms.

2. What You Will Submit

A screenshot of a cloud logging dashboard that shows:
- The cloud system (e.g. Microsoft Entra ID, Google Admin, AWS, GitHub)
- Actual log entries with timestamps and event types
- (Optional) Filters applied, such as "Security Events", "Admin Actions", "Sign-ins"

3. How to Obtain This Screenshot

A. Microsoft 365 (Entra ID / Defender)
1. Go to https://entra.microsoft.com
2. Navigate to Monitoring > Sign-in Logs or Audit Logs
3. Ensure the view shows:
   - Timestamps
   - Username or Object (blur if needed)
   - Action performed (e.g. sign-in, password change)
4. Take a screenshot showing at least 5 log entries
Bonus: Filter for a time range (e.g. "Last 7 days") or event types ("Admin", "Conditional Access")

B. Google Workspace (Admin Console)
1. Go to https://admin.google.com
2. Navigate to Reporting > Audit log > Admin / Drive / Login
3. Filter by event type or username
4. Screenshot should show:
   - List of recent logged actions
   - Timestamp
   - Event type
   - Targeted user or object
Best: Use the "Audit log – Admin" or “Login log” view

C. AWS CloudTrail
1. Go to CloudTrail > Event history
2. Filter for "ReadOnly: false" or specific service (e.g. IAM)
3. Screenshot should show:
   - Event time
   - Event name (e.g. CreateUser, ConsoleLogin)
   - Username or ARN
   - Source IP

4. Accepted File Format
- ✅ PNG, JPG, or PDF
- ✅ Suggested filename: YourCompany_CloudLoggingScreenshot_20250701.png

5. What Good Evidence Looks Like
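To show what the "ReadOnly: false" filter in step C of section 3 leaves behind, here is an added Python example (not StrongKeep's code and not part of the original guide) that takes CloudTrail event-history records in the shape the AWS CLI's lookup-events command returns, keeps only the write events, and tabulates the four columns the guide asks the screenshot to show. The records are constructed samples; the account ID 111122223333 and the 203.0.113.x / 198.51.100.x addresses are documentation placeholders, not real identifiers.

```python
"""Reduce CloudTrail event-history output to the write events (readOnly false)
an auditor wants to see, with event time, event name, principal and source IP.
Added example, not StrongKeep's code; the sample events are constructed."""
import json
from typing import Any, Dict, Iterable, List

# Constructed records in the shape of `aws cloudtrail lookup-events` output, where
# each Event carries the full CloudTrail record as a JSON string in CloudTrailEvent.
# Account ID 111122223333 and the 203.0.113.x / 198.51.100.x addresses are
# documentation placeholders, not real identifiers.
SAMPLE_LOOKUP_OUTPUT = {
    "Events": [
        {"EventName": "ConsoleLogin", "CloudTrailEvent": json.dumps({
            "eventTime": "2025-07-01T08:02:11Z", "eventName": "ConsoleLogin",
            "eventSource": "signin.amazonaws.com", "readOnly": False,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
            "sourceIPAddress": "203.0.113.10"})},
        {"EventName": "DescribeInstances", "CloudTrailEvent": json.dumps({
            "eventTime": "2025-07-01T08:05:40Z", "eventName": "DescribeInstances",
            "eventSource": "ec2.amazonaws.com", "readOnly": True,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
            "sourceIPAddress": "203.0.113.10"})},
        {"EventName": "CreateUser", "CloudTrailEvent": json.dumps({
            "eventTime": "2025-07-01T09:15:02Z", "eventName": "CreateUser",
            "eventSource": "iam.amazonaws.com", "readOnly": False,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
            "sourceIPAddress": "198.51.100.7"})},
        {"EventName": "PutUserPolicy", "CloudTrailEvent": json.dumps({
            "eventTime": "2025-07-01T09:20:30Z", "eventName": "PutUserPolicy",
            "eventSource": "iam.amazonaws.com",  # constructed record with no readOnly field
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
            "sourceIPAddress": "198.51.100.7"})},
    ]
}


def unwrap_records(lookup_output: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Parse the CloudTrailEvent JSON string inside each lookup-events Event."""
    return [json.loads(e["CloudTrailEvent"]) for e in lookup_output.get("Events", [])]


def write_events(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep records that changed something (readOnly false).

    A record without a readOnly field is kept rather than dropped, so a missing
    flag cannot hide a write from the evidence."""
    return [r for r in records if r.get("readOnly") is not True]


def evidence_rows(records: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Project each record onto the four columns the guide asks a screenshot to show."""
    return [{
        "event_time": r.get("eventTime", ""),
        "event_name": r.get("eventName", ""),
        "principal": r.get("userIdentity", {}).get("arn", ""),
        "source_ip": r.get("sourceIPAddress", ""),
    } for r in records]


def render_table(rows: List[Dict[str, str]]) -> str:
    """Fixed-width text table, handy for pasting next to the screenshot."""
    cols = ["event_time", "event_name", "principal", "source_ip"]
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in cols}

    def line(r: Dict[str, str]) -> str:
        return "  ".join(r[c].ljust(widths[c]) for c in cols)

    header = line({c: c for c in cols})
    return "\n".join([header, "-" * len(header)] + [line(r) for r in rows])


if __name__ == "__main__":
    rows = evidence_rows(write_events(unwrap_records(SAMPLE_LOOKUP_OUTPUT)))
    print(render_table(rows))
```

Feed real output to it with `aws cloudtrail lookup-events --output json` loaded through `json.load`; the read-only DescribeInstances call drops out, and the write events remain with the principal and source IP the guide wants visible.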

Last updated on Sep 25, 2025

Physical Hard Disk Backup Guide

1. Purpose of this Guide

This artefact proves your organisation keeps a physical copy of cloud data on hard disks. Cyber Essentials requires this because cloud providers operate on a “shared responsibility model”: they protect their platform, but you’re responsible for your own data. Maintaining physical backups ensures your critical cloud-hosted data can be recovered even if the provider’s backups fail.

2. What You Will Submit

You will need:
- A screenshot or photo showing cloud data being backed up to a physical hard disk (USB, NAS, or external drive).
- Evidence should show:
  - The backup software or export tool in use.
  - Destination drive (external HDD/NAS).
  - Timestamp or job history proving recent backups.

3. How to Collect / Obtain / Generate This Evidence

Microsoft 365 / SharePoint / OneDrive:
1. Use the OneDrive/SharePoint sync client to download files to a local drive.
2. Connect an external HDD or NAS.
3. Run a copy/export job (e.g. robocopy or sync tool).
4. Screenshot the file explorer view showing business-critical folders saved to the external drive.

Google Workspace (Google Drive):
1. Use Google Drive for Desktop to sync data locally.
2. Connect an external HDD.
3. Copy the synced folders to the drive.
4. Screenshot the copy process or the final drive contents with recent timestamps.

AWS / Cloud databases (e.g. RDS, S3):
1. Export snapshots or object storage data locally.
2. Save them to an encrypted external disk.
3. Screenshot the backup job report showing data written to the physical storage device.

Backup tools (Acronis, Veeam, Synology, etc.):
- Show the backup console with the external HDD/NAS as a target.
- Screenshot the schedule and last completed backup status.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_PhysicalBackup_YYYY-MM-DD.png

5. What “Good” Looks Like
- Screenshot or photo clearly shows:
  - External hard disk/NAS target.
  - Backup schedule or completion log.
  - Timestamp (to prove backups are current).
- Links the cloud data source (e.g. SharePoint, Google Drive, AWS) to the physical disk storage.

Why it matters: auditors want to confirm you can recover from a cloud outage without depending solely on the CSP’s internal backups.

6. Tips
- Encrypt the external drive and store it securely (locked cabinet or offsite).
- Keep at least two rotating drives — one in use, one stored offsite.
- Redact any sensitive filenames before uploading screenshots.
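Section 3 asks for a copy job and a backup job report that shows data written to the physical device. Here is an added Python example (not StrongKeep's code and not any backup vendor's tool) of a small copy job that mirrors a locally synced cloud folder to an external disk, re-hashes every file on the destination with SHA-256 so a bad copy cannot pass silently, and writes a timestamped JSON report next to the backup. The source and destination paths under `__main__` are placeholders for your own environment, and `run_demo()` builds constructed sample files in a temporary directory so the script can be tried without a real drive.

```python
"""Mirror a locally synced cloud folder to an external disk and write a
timestamped job report with per-file SHA-256 verification.
Added example, not StrongKeep's or any backup vendor's tool; the paths under
__main__ are placeholders and run_demo() uses constructed sample files."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_tree(source: Path, destination: Path) -> dict:
    """Copy every file under source into destination and return a job report.

    Each copy is re-hashed on the destination and compared with the source hash;
    a mismatch is recorded as a failure so the job cannot pass silently."""
    started = datetime.now(timezone.utc)
    destination.mkdir(parents=True, exist_ok=True)
    entries, failed = [], 0
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        dst_file = destination / rel
        dst_file.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src_file, dst_file)  # copy2 preserves mtime, useful as timestamp evidence
        src_hash, dst_hash = sha256_file(src_file), sha256_file(dst_file)
        verified = src_hash == dst_hash
        failed += 0 if verified else 1
        entries.append({"file": rel.as_posix(), "bytes": src_file.stat().st_size,
                        "sha256": src_hash, "verified": verified})
    return {
        "source": str(source),
        "destination": str(destination),
        "started": started.isoformat(timespec="seconds"),
        "finished": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": len(entries),
        "failed": failed,
        "status": "Success" if failed == 0 else "Partial",
        "entries": entries,
    }


def write_report(report: dict, report_path: Path) -> Path:
    """Save the report beside the backup so it travels with the disk."""
    report_path.write_text(json.dumps(report, indent=2))
    return report_path


def run_demo() -> dict:
    """Run backup_tree over constructed sample files in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="physical_backup_demo_"))
    src, dst = root / "synced_cloud_folder", root / "external_disk"
    (src / "Finance").mkdir(parents=True)
    (src / "Finance" / "ledger-2025.xlsx").write_bytes(b"constructed sample ledger\n" * 100)
    (src / "HR").mkdir()
    (src / "HR" / "policies.docx").write_bytes(b"constructed sample policy\n")
    report = backup_tree(src, dst)
    write_report(report, dst / "backup_report.json")
    return report


if __name__ == "__main__":
    # Placeholder paths (assumption): the OneDrive / Drive for Desktop sync folder
    # and the mount point of the external drive.
    src = Path(os.environ.get("BACKUP_SRC", "/path/to/synced-cloud-folder"))
    dst = Path(os.environ.get("BACKUP_DST", "/media/external-disk/CloudBackup"))
    job = backup_tree(src, dst)
    write_report(job, dst / f"backup_report_{job['started'][:10]}.json")
    print(f"{job['status']}: {job['files']} file(s), {job['failed']} failed")
```

The JSON report carries the source, the destination, start and finish times and a per-file hash list, which is exactly what section 5 asks a screenshot to prove: target, completion log and timestamp, linked back to the cloud data source.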

Last updated on Sep 23, 2025

Crisis Communications Guide

1. Purpose of this Guide

This artefact demonstrates that your company has a plan for who communicates what, when, and to whom during a cyber incident. Cyber Essentials requires this because confusion and silence during a crisis cause as much damage as the incident itself. A documented timeline and comms plan ensures staff, management, regulators, and customers get the right message at the right time.

2. What You Will Submit

You will need:
- A Crisis Communications and Timeline document (Word, PDF, or spreadsheet).
- It should include:
  - Key contacts (Incident Lead, Comms Lead, CEO, Legal, IT).
  - Communication channels (email, phone, Teams/Slack, press release).
  - Escalation steps (who is told first, who is told next).
  - Incident timeline template (time of detection, first comms, regulator notification, customer updates).

3. How to Collect / Obtain / Generate This Evidence

- If starting from scratch:
  1. Use StrongKeep's Crisis Communications Template (in the Incident Response Plan).
  2. Fill in:
     - Roles: e.g. CEO (public spokesperson), Comms Lead (drafts announcements), IT Manager (technical updates), Secretary (logs comms).
     - Timeline markers: Detection → Internal staff alert → Executive team alert → Regulator notified → Customer notification → Post-incident briefing.
     - Message library: Draft templates for “Initial Detection,” “Containment in Progress,” “Resolution,” and “Follow-up.”
  3. Save the file with version history and circulate to management.
- If you already have an existing Incident Response Plan (IRP):
  - Extract or reference the communications and timeline section into a standalone document.
  - Ensure roles and contacts are current.

4. Evidence Format
- Accepted file types: DOCX, PDF, XLSX.
- Suggested naming format: YourCompanyName_CrisisCommsTimeline_YYYY-MM-DD.pdf

5. What “Good” Looks Like
- Clear roles and responsibilities (no confusion about who speaks).
- Defined timeline with escalation points.
- Message templates prepared in advance (not written in panic).
- Version control showing the plan is updated regularly.

Why it matters: auditors want to see that communication is not improvised but structured, fast, and compliant with notification obligations.

6. Tips
- Review at least annually and after real incidents.
- Test it in tabletop exercises with your Cyber Incident Response Plan.
- Keep regulator and customer comms separate — audiences need different levels of detail.

Last updated on Sep 25, 2025

Cyber Incident Response Plan Guide

1. Purpose of this Guide

This artefact demonstrates that your company has a written, structured plan to handle cyber incidents. Cyber Essentials requires this because when disaster strikes — ransomware, phishing, or even a defaced website — you need more than panic and guesswork. A documented plan shows you’re ready to act quickly, assign responsibilities, and recover effectively.

2. What You Will Submit

You will need:
- Your Cyber Incident Response Plan document (policy/procedure template).
- It should include:
  - Version history (effective/review dates, owner).
  - Introduction and scope (which staff/systems are covered).
  - Roles and responsibilities (e.g. CEO as Incident Lead, IT Manager as Technical Lead, PR Head as Comms Lead).
  - Playbooks for common incident types (e.g. DDoS, malware/ransomware, phishing, website defacement, data breach).
  - Post-incident review template (to record lessons learned).

3. How to Collect / Obtain / Generate This Evidence

- If you are using StrongKeep, upload the CIRP template that is provided for you.
- If you are starting from scratch:
  1. Open the Cyber Incident Response Plan Template.
  2. Fill in your company details, contacts, and version history.
  3. Assign incident roles (Incident Lead, Technical Lead, Comms Lead, Secretary).
  4. Draft playbooks for at least the 5 common incidents:
     - Distributed Denial-of-Service (DDoS)
     - Malware / Ransomware
     - Phishing / Scam
     - Website Defacement
     - Data Breach
  5. Include a post-incident review form with fields like date, personnel involved, impact, summary, and improvements.
  6. Save and keep this document updated annually or after a real incident.

4. Evidence Format
- Accepted file types: DOCX, PDF.
- Suggested naming format: YourCompanyName_CIRP_YYYY-MM-DD.pdf

5. What “Good” Looks Like
- Version control and ownership — shows it’s maintained, not abandoned.
- Clear roles and contacts — no confusion during a crisis.
- Detailed playbooks — step-by-step response for common incidents.
- Review template included — proving you’ll learn from past incidents.

Why this matters: auditors want to see that you’re not improvising when chaos hits, but following a well-rehearsed plan.

6. Tips
- Keep contacts updated — old phone numbers or missing staff will undermine your plan.
- Test your CIRP at least once a year with a tabletop exercise.
- If outsourcing IT, make sure vendors are included in the roles & responsibilities.

Last updated on Sep 23, 2025

Cybersecurity Awareness Training Guide

1. Purpose of this Guide

This artefact demonstrates that your company provides structured cybersecurity awareness training for staff. Cyber Essentials requires this because humans are often the first line of defence — and the first target. A proper training guide proves your team knows how to handle phishing emails, dodgy Wi-Fi, weak passwords, and more.

2. What You Will Submit

You will need:
- A Cybersecurity Awareness Training document (Word, PDF, or slide deck).
- It should cover:
  - Cyber hygiene basics (passwords, MFA, safe browsing).
  - Recognising phishing and suspicious attachments.
  - Role-specific training (e.g. finance staff on invoice fraud, IT staff on admin account risks).
  - Secure use of networks and devices.
  - Reporting processes (how to escalate suspicious emails or incidents).

3. How to Collect / Obtain / Generate This Evidence

- If you already have a training program:
  - Export the syllabus or staff training manual.
  - Ensure the document includes date/version and target audience.
- If starting fresh:
  1. Use the Cybersecurity Awareness Training Template (from StrongKeep or CSA Cyber Essentials guidance).
  2. Add your company name, logo, and version control.
  3. Write clear sections:
     - Introduction: Why staff training matters.
     - Threats & Risks: Phishing, ransomware, weak passwords, unsafe Wi-Fi.
     - Cyber Hygiene Habits: Updates, MFA, device lock, reporting.
     - Role-Based Modules: Tailored to job functions.
     - Reporting Process: How to flag suspicious activity.
  4. Save the file as PDF/DOCX and circulate it to staff.
  5. Keep records of who attended or completed training (this links to the separate artefact “Users Training Completion Screenshot”).

4. Evidence Format
- Accepted file types: DOCX, PDF.
- Suggested naming format: YourCompanyName_CyberAwarenessTraining_YYYY-MM-DD.pdf

5. What “Good” Looks Like
- Clearly structured content (topics and objectives).
- Role differentiation — e.g. IT staff vs. general staff.
- Practical advice (not just theory).
- Version/date visible — shows it’s kept current.

Why it matters: auditors want proof that training isn’t just a tick-box — but an active, documented program.

6. Tips
- Update the content annually (cyber threats evolve quickly).
- Use quizzes or sign-off forms to confirm completion (ties to completion evidence).
- Keep language simple — staff should understand it without needing IT expertise.

Last updated on Sep 23, 2025

Cybersecurity Guidelines Guide

1. Purpose of this Guide

This artefact shows your company has written cybersecurity guidelines for staff. Cyber compliance requires this because every knight (staff member) needs a rulebook — clear, simple instructions on how to stay safe in daily work. Without them, employees may accidentally leave the gates wide open to attackers.

2. What You Will Submit

You will need:
- Your Cybersecurity Guidelines document (policy or handbook).
- It should cover:
  - Password hygiene and multi-factor authentication.
  - Safe internet and email use (how to spot phishing).
  - Device protection (locking screens, patching, antivirus).
  - Secure handling of sensitive data (storage and sharing).
  - Role-based guidance (e.g. IT admins, finance staff, HR).

3. How to Collect / Obtain / Generate This Evidence

- If starting from scratch:
  1. Open StrongKeep's Cybersecurity Guidelines Template.
  2. Add your company name, logo, and version history.
  3. Write sections for:
     - Passwords & Access: Use MFA, avoid password reuse.
     - Email & Phishing: Don’t click suspicious links, report attempts.
     - Device Care: Keep software updated, lock devices, no personal USBs.
     - Data Handling: Share only with authorised staff, use secure platforms.
     - Role-Specific Rules: Tailor guidelines for high-risk groups like IT and Finance.
  4. Save as PDF/DOCX.
  5. Circulate to staff and confirm acknowledgement (e.g. email or HR system).
- If you already have a cybersecurity policy or handbook:
  - Export it to PDF or Word.
  - Make sure it’s written in plain language staff can understand.

4. Evidence Format
- Accepted file types: DOCX, PDF.
- Suggested naming format: YourCompanyName_CybersecurityGuidelines_YYYY-MM-DD.pdf
  Example: AcmeCorp_CybersecurityGuidelines_2025-07-01.pdf

5. What “Good” Looks Like
- Easy to read (plain language, no jargon).
- Covers core cyber hygiene practices (passwords, phishing, device use).
- Includes role-specific advice (different rules for admins vs general staff).
- Shows version history — proving it’s updated, not abandoned.

Why it matters: auditors want to see staff aren’t left guessing — they have a written guide to follow.

6. Tips
- Keep it short and usable (one pager or handbook, not 50 pages).
- Update yearly or after major incidents.
- Align with your training program so staff get consistent messages.

Last updated on Sep 25, 2025

Data Backup Records Guide

1. Purpose of this Guide

This artefact proves that your company not only runs backups but also keeps proper records of them. Cyber Essentials requires this because “set and forget” backups are useless if they fail silently. Documenting backup dates, status, and test restores ensures data really can be recovered when disaster strikes.

2. What You Will Submit

You will need:
- A Data Backup Records document or spreadsheet.
- It should show:
  - Date and time of backup.
  - Systems or data covered (e.g. finance files, HR folders, databases).
  - Backup location (cloud, physical disk, NAS).
  - Status (successful, failed, partial).
  - Last restore test performed (date and outcome).

3. How to Collect / Obtain / Generate This Evidence

- If you already keep records:
  - Export from your backup tool (e.g. Veeam, Acronis, AWS Backup, Microsoft 365).
  - Or extract logs and format them into a clear table.
- If you don’t yet:
  1. Create a simple spreadsheet using the Data Backup Records Template from StrongKeep.
  2. Add columns for: Date, System/Data, Location, Status, Restore Test Date, Remarks.
  3. Update the log each time backups run (automated tools often email reports you can copy here).
  4. Perform and log at least one test restore to prove recoverability.

4. Evidence Format
- Accepted file types: XLSX, CSV, PDF.
- Suggested naming format: YourCompanyName_DataBackupRecords_YYYY-MM-DD.xlsx
  Example: AcmeCorp_DataBackupRecords_2025-07-01.xlsx

5. What “Good” Looks Like
- Consistent entries — not just a single line from months ago.
- Covers all critical systems and datasets.
- Shows regular testing (restore validation at least annually).
- Status clearly marked (Success / Failed) so issues are visible.

Why it matters: auditors want assurance that backups aren’t theoretical, but actively monitored and verified.

6. Tips
- Automate record collection if possible — many tools export logs.
- Keep at least 12 months of records for audit purposes.
- If using third-party IT providers, make sure they supply logs you can incorporate.
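A records log only catches silent failures if someone actually reads it. Here is an added Python example (not StrongKeep's template or code) that loads a CSV in the column layout from step 3 of section 3 and applies the section 5 checks automatically: it flags each system with no successful backup, a successful backup older than the expected interval, failed jobs, and a restore test that is missing or more than a year old. The CSV, the system names and the review date are constructed samples; the one-day backup interval and 365-day restore-test window are assumptions you can change per system.

```python
"""Review a Data Backup Records log (columns from step 3) and flag the silent
failures the guide warns about: systems with no recent successful backup,
failed jobs, and restore tests that are missing or older than a year.
Added example, not StrongKeep's template; the CSV below is constructed."""
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in the template's column layout (system names are invented).
SAMPLE_CSV = """Date,System/Data,Location,Status,Restore Test Date,Remarks
2025-06-29 02:00,Finance files,NAS01,Success,2025-03-15,
2025-06-30 02:00,Finance files,NAS01,Success,,
2025-06-30 02:05,HR folders,NAS01,Failed,,disk full
2025-06-25 03:00,Customer DB (RDS),AWS Backup vault-eu1,Success,,
2025-06-30 03:00,Customer DB (RDS),AWS Backup vault-eu1,Success,2024-05-01,
"""

AS_OF = datetime(2025, 6, 30, 12, 0)  # constructed review time for the demo

# Finding texts kept as constants so callers can match on them.
NO_SUCCESS = "no successful backup recorded"
STALE_BACKUP = "last successful backup older than {days} day(s)"
FAILED_JOBS = "{n} failed job(s) in the log"
NO_RESTORE_TEST = "no restore test recorded"
OLD_RESTORE_TEST = "last restore test older than {days} days"


def parse_records(csv_text: str) -> List[dict]:
    """Read the template's CSV into typed rows; an empty restore-test cell becomes None."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        test_cell = r["Restore Test Date"].strip()
        rows.append({
            "date": datetime.strptime(r["Date"].strip(), "%Y-%m-%d %H:%M"),
            "system": r["System/Data"].strip(),
            "location": r["Location"].strip(),
            "status": r["Status"].strip().lower(),
            "restore_test": datetime.strptime(test_cell, "%Y-%m-%d") if test_cell else None,
            "remarks": r["Remarks"].strip(),
        })
    return rows


def review(records: List[dict], as_of: datetime,
           max_backup_age_days: int = 1,
           restore_test_max_days: int = 365) -> Dict[str, List[str]]:
    """Return {system: [findings]}; an empty list means the system passes every check."""
    by_system: Dict[str, List[dict]] = {}
    for r in records:
        by_system.setdefault(r["system"], []).append(r)

    findings: Dict[str, List[str]] = {}
    for system, rows in by_system.items():
        notes: List[str] = []
        successes = [r["date"] for r in rows if r["status"] == "success"]
        if not successes:
            notes.append(NO_SUCCESS)
        elif as_of - max(successes) > timedelta(days=max_backup_age_days):
            notes.append(STALE_BACKUP.format(days=max_backup_age_days))
        failed = sum(1 for r in rows if r["status"] == "failed")
        if failed:
            notes.append(FAILED_JOBS.format(n=failed))
        tests = [r["restore_test"] for r in rows if r["restore_test"]]
        if not tests:
            notes.append(NO_RESTORE_TEST)
        elif as_of - max(tests) > timedelta(days=restore_test_max_days):
            notes.append(OLD_RESTORE_TEST.format(days=restore_test_max_days))
        findings[system] = notes
    return findings


if __name__ == "__main__":
    for system, notes in review(parse_records(SAMPLE_CSV), AS_OF).items():
        print(f"{system}: {'OK' if not notes else '; '.join(notes)}")
```

In the constructed log the finance share passes, the HR folder is caught because its only entry is a failure (the silent-failure case), and the database has current backups but a restore test from the previous year, which is the "at least annually" gap auditors look for.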

Last updated on Sep 25, 2025

Disabling and Locking User Accounts Screenshot Guide

1. Purpose of this Guide

This artefact proves your company has the ability to promptly disable or lock user accounts when employees leave, change roles, or when suspicious activity is detected. Cyber compliance requires this because dormant or uncontrolled accounts are golden keys for attackers. Showing you can lock or disable them demonstrates proper account lifecycle management.

2. What You Will Submit

You will need:
- A screenshot from your user management system showing an account being disabled or locked.
- The screenshot must clearly show:
  - The account identifier (e.g. email or username).
  - Its status (Disabled, Locked, Inactive).
  - Timestamp or context of the action.

3. How to Collect / Obtain / Generate This Evidence

Microsoft 365 / Azure AD (Entra):
1. Open Microsoft Entra Admin Center → Users.
2. Select a user account.
3. Under Account, show the toggle for Block sign-in = Yes.
4. Screenshot this view.

Google Workspace (Admin Console):
1. Log in to Google Admin Console → Directory → Users.
2. Select a user account.
3. Click Suspend User.
4. Screenshot the suspended status.

AWS Console (IAM):
1. Open IAM → Users.
2. Select the user account.
3. Remove or deactivate login credentials (passwords, access keys).
4. Screenshot showing the account marked inactive.

Okta / Identity Providers:
1. Log into your IdP admin console.
2. Select a user profile.
3. Use Deactivate / Suspend function.
4. Screenshot the confirmation.

Other SaaS tools (Atlassian, GitHub, GitLab, etc.):
- Open user management.
- Select a user and mark them disabled or inactive.
- Screenshot the result.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_DisabledUserAccount_YYYY-MM-DD.png
  Example: AcmeCorp_DisabledUserAccount_2025-07-01.png

5. What “Good” Looks Like
- Screenshot shows a real account marked disabled/inactive.
- Status clearly visible (e.g. “Blocked,” “Suspended”).
- Context shows it’s from an actual system (Microsoft, Google, AWS, etc.).
- Ideally from a recent action, not years old.

Why it matters: auditors want proof you can shut off access quickly and effectively — a vital safeguard when staff leave or if there’s a breach.

6. Tips
- If you have no user accounts that were locked, that's fine. You just need to explain to the auditor that there were no accounts that met the criteria to be disabled or locked out.
- Redact personal details (names, emails) before uploading.
- Show at least one disabled account — auditors don’t need every single record.
- Link this with your Account Inventory List to prove lifecycle management is consistent.

Last updated on Sep 25, 2025

Endpoint OS Autoupdate Guide

1. Purpose of this Guide

This artefact demonstrates that your company’s laptops, desktops, and servers are configured to receive and install OS updates automatically. Cyber compliance requires this because timely patching is one of the strongest shields against attackers exploiting known flaws.

2. What You Will Submit

You will need:
- A screenshot from a device showing that automatic OS updates are enabled.
- The screenshot should clearly show:
  - The operating system (Windows, macOS, Linux).
  - Auto-update settings switched “On.”
  - (If visible) that security patches are included.

3. How to Collect / Obtain / Generate This Evidence

Windows 10/11:
1. Open Settings → Update & Security → Windows Update.
2. Click Advanced options.
3. Ensure “Automatically download and install updates” is enabled.
4. Screenshot the page showing this toggle or confirmation.

macOS:
1. Go to System Settings → General → Software Update.
2. Confirm Automatic Updates is enabled (includes OS updates and Security Responses).
3. Take a screenshot of this view.

Linux (Ubuntu example):
1. Open Software & Updates → Updates tab.
2. Ensure “Install security updates without confirmation” is enabled.
3. Capture a screenshot showing this setting.

MDM Platforms (e.g. Microsoft Intune, Jamf):
- Navigate to Update Policies.
- Capture the screen showing that automatic OS updates are enforced across managed devices.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_EndpointOSAutoupdate_YYYY-MM-DD.png

5. What “Good” Looks Like
- Screenshot clearly shows the auto-update toggle enabled.
- The setting applies to the OS itself, not just apps.
- If captured via MDM, it shows organisation-wide enforcement.
- Ideally includes last checked/last updated date for proof of recency.

Why it matters: auditors want assurance that vulnerabilities are patched without relying on someone remembering to click “Update now.”

6. Tips
- Capture from an actively used device to show it’s applied in practice.
- Redact personal identifiers (like usernames in OS settings) if they appear.
- If using MDM, a policy-level screenshot is stronger than one from a single device.
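For the Ubuntu case in section 3, the "Install security updates without confirmation" option is stored as APT periodic settings under /etc/apt/apt.conf.d (normally in the 20auto-upgrades file), so the same fact a screenshot shows can be checked from the command line on servers that have no desktop. Here is an added Python example (not StrongKeep's code and not part of the original guide) that parses those settings and reports whether unattended upgrades are actually on, with a constructed weak configuration beside a corrected one; `check_host()` points the same check at a real apt.conf.d directory.

```python
"""Check whether a Debian/Ubuntu host's APT periodic settings enable unattended
security updates, the setting behind Ubuntu's "Install security updates
without confirmation" option. Added example, not StrongKeep's code; the two
configuration texts below are constructed."""
import re
from pathlib import Path
from typing import Dict, List

# Both keys must be "1": package lists are refreshed and unattended-upgrade runs.
REQUIRED = {
    "APT::Periodic::Update-Package-Lists": "1",
    "APT::Periodic::Unattended-Upgrade": "1",
}

# Constructed contents of /etc/apt/apt.conf.d/20auto-upgrades: the weak form
# checks for updates but never installs them; the good form installs them.
WEAK_CONFIG = (
    'APT::Periodic::Update-Package-Lists "1";\n'
    'APT::Periodic::Unattended-Upgrade "0";\n'
)
GOOD_CONFIG = (
    'APT::Periodic::Update-Package-Lists "1";\n'
    'APT::Periodic::Unattended-Upgrade "1";\n'
)

# One apt.conf statement per line: Key "value";  (// comment lines do not match)
_STATEMENT = re.compile(r'^\s*(APT::Periodic::[\w-]+)\s+"(\d+)"\s*;', re.MULTILINE)


def parse_apt_periodic(text: str) -> Dict[str, str]:
    """Collect APT::Periodic::* values; a later statement overrides an earlier one,
    which is how apt itself resolves repeated keys across apt.conf.d files."""
    settings: Dict[str, str] = {}
    for key, value in _STATEMENT.findall(text):
        settings[key] = value
    return settings


def check_auto_updates(text: str) -> List[str]:
    """Return findings for the given apt.conf text; an empty list means auto updates are on."""
    settings = parse_apt_periodic(text)
    findings: List[str] = []
    for key, wanted in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f'{key} not set (apt periodic tasks default to off)')
        elif got != wanted:
            findings.append(f'{key} is "{got}", expected "{wanted}"')
    return findings


def check_host(conf_dir: str = "/etc/apt/apt.conf.d") -> List[str]:
    """Run the check against a real host: apt reads apt.conf.d files in lexical
    order, so concatenating them in that order reproduces its effective settings."""
    files = sorted(p for p in Path(conf_dir).glob("*") if p.is_file())
    return check_auto_updates("".join(p.read_text(errors="replace") for p in files))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(f"{label}: {check_auto_updates(text) or 'auto security updates enabled'}")
```

A host that passes this check is the one whose screenshot will show the option ticked; one that fails is the one the guide's step 2 tells you to fix before capturing evidence.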

Last updated on Sep 25, 2025

Firewall Configuration Screenshot Guide

1. Purpose of this Guide

This artefact proves that your company has firewalls enabled and configured to block malicious traffic. For DNS firewalls, this shows you’ve gone beyond the basics by filtering at the DNS layer, stopping users from even connecting to dangerous sites. Cyber compliance requires this because firewalls are the first shield-wall against intruders.

2. What You Will Submit

You will need:
- A screenshot of your DNS firewall configuration page.
- The screenshot should clearly show:
  - Filtering rules (malware, phishing, adult content, custom blocklists).
  - Policy enforcement applied to your organisation or network.
  - (If available) Statistics or logs proving the firewall is actively blocking threats.

3. How to Collect / Obtain / Generate This Evidence

StrongKeep's DNS Firewall:
1. Click "Generate your report".
2. StrongKeep will provide the report of what malicious network traffic is being blocked for you.

Cisco Umbrella (or similar enterprise DNS firewalls):
1. Log into the Umbrella dashboard.
2. Go to Policies → Policy List.
3. Select the active policy and screenshot the enabled categories (Malware, Phishing, C2, Botnets).
4. Include evidence of the policy assignment to your network or user group.

Fortinet (FortiGate hardware firewall):
1. Log into the FortiGate web interface.
2. Go to Security Profiles → Web Filter / DNS Filter.
3. Screenshot showing enabled filters (e.g. Malware, Phishing, Block High-Risk Categories).
4. Optionally, go to Log & Report → Forward Traffic and capture entries showing blocked activity.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_FirewallConfig_YYYY-MM-DD.png
  Example: AcmeCorp_FirewallConfig_2025-07-01.png

5. What “Good” Looks Like
- Firewall shown as enabled.
- Clear evidence of security categories/rules applied (not blank).
- (Bonus) Logs or reports showing actual blocks.
- Screenshot taken from the live firewall console, not a generic image.

Why it matters: auditors want assurance you’re not just saying “we have a firewall,” but showing proof of active, configured protection.

6. Tips
- Redact IP addresses or sensitive domains before uploading.
- Pair a configuration screenshot with a report/analytics screenshot to strengthen evidence.
- If using multiple DNS firewalls (e.g. NextDNS for endpoints, Cisco Umbrella for office), submit one clear screenshot per tool.

Last updated on Sep 25, 2025

Hardware Asset Onboarding Authorization Form Guide

1. Purpose of this Guide

This artefact demonstrates that your company has a formal process for introducing and retiring IT assets. Cyber Essentials requires this because assets (like laptops, servers, or phones) need to be approved, tracked, and securely removed — not left floating around where they could pose a risk.

2. What You Will Submit

You will need:
- Your documented Asset Onboarding and Removal Process (policy or procedure).
- It should cover:
  - How new assets (e.g. laptops, phones, software licences) are requested and approved.
  - How asset details are recorded (e.g. make, model, serial number, assigned owner).
  - The authorisation workflow (who signs off).
  - How decommissioned assets are securely removed (data wiped, hardware recycled, accounts closed).
  - (Optional but strong): Example forms (like your Hardware Asset Onboarding Authorisation Form) showing real approvals.

3. How to Collect / Obtain / Generate This Evidence

- If you already maintain this process:
  - Export the policy/procedure to PDF or Word.
  - Include references to the forms/templates you use (e.g. onboarding authorisation forms, removal checklists).
- If you don’t have one yet:
  1. Start with the Asset Onboarding and Removal Process Template provided in StrongKeep.
  2. Document the steps for:
     - Onboarding: request → approval → record entry in asset inventory.
     - During lifecycle: periodic review of ownership and use.
     - Removal: manager request → approval → data sanitisation/disposal → update inventory.
  3. Attach or reference forms (like the Hardware Asset Onboarding Authorisation Form) to show the workflow in action.
  4. Save the document in PDF/DOCX format.

4. Evidence Format
- Accepted file types: DOCX, PDF.
- Suggested naming format: YourCompanyName_AssetOnboardingRemovalProcess_YYYY-MM-DD.pdf
  Example: AcmeCorp_AssetOnboardingRemovalProcess_2025-07-01.pdf

5. What “Good” Looks Like
- Clearly written steps for both onboarding and removal.
- Defined approval roles (e.g. Product Manager, CEO, IT Manager).
- Integration with your Asset Inventory List (so assets aren’t tracked in isolation).
- Secure removal procedures (data wiping, hardware disposal, account deactivation).

Why this matters: auditors want confidence that assets don’t just appear or disappear without oversight, creating gaps in security.

6. Tips
- Include a form or checklist for both onboarding and removal — auditors love seeing evidence of real approvals.
- If you outsource disposal (e.g. to an e-waste vendor), keep the disposal certificates.
- Review the process yearly to make sure it reflects your current IT setup.

Last updated on Sep 25, 2025

Idle Session Timeout Screenshot Guide

1. Purpose of this Guide

This artefact demonstrates that your company enforces automatic lock or log-off after a set idle period. Cyber Essentials requires this because a laptop or web session left unlocked lets anyone who walks past act with that user's privileges. An enforced timeout closes that window after a few minutes of inactivity.

2. What You Will Submit

You will need:
- A screenshot showing idle session timeout settings.
- The screenshot should clearly display:
  - The platform (Windows, macOS, Google Workspace, Microsoft 365, AWS, etc.).
  - The timeout duration (e.g. 5, 10, or 15 minutes).
  - Confirmation that automatic lock or log-off is enabled.

3. How to Collect / Obtain / Generate This Evidence

Windows 10/11:
1. Open Group Policy Editor → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options.
2. Find Interactive logon: Machine inactivity limit.
3. Screenshot showing the value (e.g. 900 seconds = 15 mins). A value of 0, or "Not Defined", means no limit is enforced, so make sure the screenshot shows a non-zero value.

macOS:
1. Open System Settings → Lock Screen.
2. Set Start Screen Saver when inactive (or Turn display off on battery / on power adapter when inactive) to ≤ 10–15 minutes.
3. Ensure Require password after screen saver begins or display is turned off is set to Immediately or a short delay, not Never. The screen saver alone does not lock the session; this setting does.
4. Screenshot this panel.

Google Workspace (Admin Console):
1. Log into Admin Console → Security → Access and data control → Google session control.
2. Screenshot the configured web session duration for the organisational unit(s) in scope.
3. If you rely on managed ChromeOS devices locking on idle, also screenshot Devices → Chrome → Settings → User & browser settings → Idle settings.

Microsoft 365 (Entra / Office web apps):
1. Open Microsoft 365 admin center → Settings → Org settings → Security & privacy → Idle session timeout, and confirm it is turned on with your chosen duration.
2. Optionally, in Microsoft Entra admin center → Protection → Conditional Access, screenshot any policy whose Session control sets Sign-in frequency (this forces re-authentication after a fixed period; it is not an idle timeout on its own).
3. Screenshot showing the policy applied to users.

AWS Console (example for cloud services):
1. For IAM users the console session length is fixed by AWS and is not configurable, so there is nothing to screenshot there; the endpoint lock above is what protects an open console tab.
2. If you sign in through IAM Identity Center, open IAM Identity Center → Settings → Authentication → Session settings and screenshot the configured session duration.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_IdleSessionTimeout_YYYY-MM-DD.png
  Example: AcmeCorp_IdleSessionTimeout_2025-07-01.png

5. What “Good” Looks Like
- Screenshot shows timeout enabled (not “Never”).
- Timeout duration is reasonable (≤ 15 minutes).
- Platform name visible (to prove authenticity).
- Date/version visible where possible.

Why it matters: auditors want to see that unattended sessions won’t sit open for hours, giving attackers easy access.

6. Tips
- If you apply the timeout via MDM (Intune, Jamf, Workspace ONE), screenshot the policy setting and, ideally, one enrolled device showing it applied.
- Redact personal names or device IDs if they appear.
- Use consistent timeout values across systems for simplicity.
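If you have many Windows endpoints, reading the applied value from each machine is faster and harder to dispute than screenshotting each one. The script below is an added example for this guide, not StrongKeep's tooling: it reads the registry value behind "Interactive logon: Machine inactivity limit" (InactivityTimeoutSecs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, where 0 or an absent value means no limit) and grades it against the 15-minute bar from section 5. The grading function works on any timeout expressed in seconds, so it can also be applied to values you read from macOS or an MDM export.

```python
r"""Audit the Windows machine inactivity limit and grade it against the guide.

Added example for this guide; it is not StrongKeep's tooling. The Group Policy
setting "Interactive logon: Machine inactivity limit" is stored as the DWORD
InactivityTimeoutSecs under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, where 0 or an
absent value means no limit is enforced. evaluate() applies the 15-minute bar
from section 5 to any timeout in seconds. MAX_SECONDS is taken from this guide;
tighten it if your own policy is stricter.
"""
import sys

MAX_SECONDS = 15 * 60
REG_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
REG_VALUE = "InactivityTimeoutSecs"


def evaluate(seconds):
    """Return (passes, message) for a timeout in seconds; None or 0 means 'Never'."""
    if seconds is None or seconds <= 0:
        return False, "no inactivity limit enforced (Never)"
    if seconds > MAX_SECONDS:
        return False, f"{seconds} s ({seconds // 60} min) exceeds the 15-minute bar"
    return True, f"{seconds} s ({seconds // 60} min) locks within 15 minutes"


def read_windows_inactivity_limit():
    """Read InactivityTimeoutSecs from HKLM; None if absent or not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
            value, _ = winreg.QueryValueEx(key, REG_VALUE)
    except FileNotFoundError:  # key or value not present: the policy was never set
        return None
    return int(value)


def evidence_line(hostname, seconds):
    """One plain-text line per host that can sit beside the screenshot."""
    passes, message = evaluate(seconds)
    verdict = "PASS" if passes else "FAIL"
    shown = seconds if seconds is not None else "not set"
    return f"{hostname}: InactivityTimeoutSecs={shown} -> {verdict}: {message}"


if __name__ == "__main__":
    import socket
    print(evidence_line(socket.gethostname(), read_windows_inactivity_limit()))
```

Run it as a logon script or via your RMM and keep the collected lines with the screenshots; a host whose line reads "not set" has no enforced limit even if the Group Policy editor shows a value that has not yet been applied.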

Last updated on Sep 25, 2025

IoT Backup Screenshot Guide

1. Purpose of this Guide

This artefact proves that your organisation’s in-scope IoT devices are backed up, even when they have no built-in auto-backup. Cyber Essentials requires this because IoT systems (CCTV, smart printers, sensors) often hold critical recordings or configurations, and if one fails without a backup you lose visibility or a security control until it is rebuilt by hand.

2. What You Will Submit

You will need:
- A screenshot showing the backup of IoT data.
- The screenshot should demonstrate:
  - The IoT device or system (e.g. CCTV NVR, smart printer, building sensor).
  - Backup configuration or export screen.
  - Storage location (external HDD, NAS, or cloud).
  - Timestamps showing recent backup activity.

3. How to Collect / Obtain / Generate This Evidence

CCTV / NVR systems (e.g. Hikvision, Dahua):
1. Log into the NVR/DVR management console.
2. Go to Backup / Export.
3. Screenshot showing backup of recordings/configurations to an external disk or NAS.

Smart Printers / MFDs:
1. Open the printer’s admin console (web interface).
2. Go to Settings → Backup & Restore.
3. Screenshot the backup/export screen (config files saved to an external location).

IoT Sensors / Gateways:
1. Access the device’s management console.
2. Export configuration or logs.
3. Screenshot the interface showing the data export/backup in progress.

General Best Practice:
- If the IoT device has no native backup, screenshot the manual process:
  - Export to USB, external HDD, or a cloud sync folder.
  - Show the file/folder with a timestamp confirming the backup.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_IoTBackup_YYYY-MM-DD.png
  Example: AcmeCorp_IoTBackup_2025-07-01.png

5. What “Good” Looks Like
- Screenshot shows the actual IoT system (not a generic PC folder).
- Clearly shows the backup/export action and target location.
- Includes a timestamp to prove recency.
- If multiple IoT devices are critical (e.g. CCTV + smart sensors), provide at least one screenshot per category.

Why it matters: auditors want confidence you can recover IoT data/configurations after device failure, ransomware, or physical damage.

6. Tips
- Label the storage media (e.g. “CCTV Backup HDD 1”).
- Rotate between at least two physical drives for resilience.
- Encrypt backups where possible, especially if devices capture sensitive information. Exported device configurations usually contain admin credentials and network details, so treat the export itself as sensitive even when the device is not.

Last updated on Sep 25, 2025

Mail Server Internet Hygiene Portal Results Guide

1. Purpose of this Guide

This artefact proves your company’s mail servers are securely configured and resilient against phishing, spoofing, and insecure email transport. Cyber Essentials requires this because weak email security leaves your castle gates wide open to attackers who exploit insecure mail servers to impersonate your staff or steal sensitive information.

2. What You Will Submit

You will need:
- A report generated via StrongKeep’s dashboard, which pulls directly from the CSA Internet Hygiene Portal (IHP).
- This report will include:
  - Overall Mail Server Security Score.
  - TLS/STARTTLS support status.
  - Validity of security certificates.
  - Email authentication checks (SPF, DKIM, DMARC).
  - DANE validation and phishing prevention features.

3. How to Collect / Obtain / Generate This Evidence

For StrongKeep customers, this artefact is auto-generated:
1. StrongKeep produces this report from its external scan of your servers, using the IHP results for your domain.
2. Click Generate Report.
3. The system will fetch the latest results for your domain.
4. Download the report or screenshot the dashboard view.

No need to run manual scans: StrongKeep fetches the results for you, so you won’t have to joust with SPF records or TLS ciphers yourself.

4. Evidence Format
- Accepted file types: PDF, PNG, JPG.
- Suggested naming format: YourCompanyName_MailServerIHP_YYYY-MM-DD.pdf

5. What “Good” Looks Like
- Report shows a recent scan date (within the last 3 months).
- Overall security score is green / high pass.
- TLS protocols are enabled and valid.
- SPF, DKIM, and DMARC all pass validation.
- No red flags under phishing or spoofing protection.

Why it matters: auditors want assurance that your email infrastructure isn’t a weak link for attackers to slip phishing lances through.

6. Tips
- Regenerate the IHP results shortly before audit submission, so it’s fresh.
- If your score is low, fix the mail server issues (SPF, DKIM, DMARC) and re-run before submitting. The usual culprits are an SPF record that ends in +all or ?all, a DMARC record at p=none (monitoring only), and a DMARC pct value below 100.
- Keep older reports; they help demonstrate continuous monitoring and improvement.
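To predict what the portal will flag before you regenerate the report, you can grade your own DNS records. The script below is an added example for this guide, not StrongKeep's or the CSA IHP's code: it takes the SPF and DMARC TXT record strings (what `dig TXT example.com` and `dig TXT _dmarc.example.com` return), counts SPF DNS lookups against the RFC 7208 limit of 10, checks the SPF `all` qualifier, and checks the DMARC policy, pct and reporting address. The sample records are constructed for illustration.

```python
"""Grade SPF and DMARC records the way an external mail-hygiene scan does.

Added example for this guide; it is not StrongKeep's or the CSA IHP's code.
It takes the TXT record strings you can fetch yourself (dig TXT example.com
and dig TXT _dmarc.example.com), so it runs offline. The sample record pairs
at the bottom are constructed for illustration, not real domains' DNS data.
"""
import re

# Mechanisms that cost a DNS lookup; RFC 7208 caps an SPF evaluation at 10.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_spf(record):
    """Return {'all': qualifier, 'lookups': n, 'mechanisms': [...]} or None if not SPF."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    info = {"all": None, "lookups": 0, "mechanisms": []}
    for term in terms[1:]:
        t = term.lower()
        qualifier = t[0] if t[0] in "+-~?" else "+"  # an unqualified mechanism means pass
        body = t.lstrip("+-~?")
        if body == "all":
            info["all"] = qualifier
            continue
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        if name in LOOKUP_MECHS:
            info["lookups"] += 1
        info["mechanisms"].append(body)
    return info


def parse_dmarc(record):
    """Return the DMARC tag/value pairs as a dict, or None if not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def grade(spf_record, dmarc_record):
    """Return a list of findings; an empty list is what 'good' looks like."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no valid v=spf1 record")
    else:
        if spf["all"] in (None, "+"):
            findings.append("SPF: record does not end in -all or ~all, so nothing is rejected")
        elif spf["all"] == "?":
            findings.append("SPF: ?all is neutral; use -all")
        if spf["lookups"] > MAX_LOOKUPS:
            findings.append(f"SPF: {spf['lookups']} DNS lookups exceed the limit of {MAX_LOOKUPS} (permerror)")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no valid v=DMARC1 record at _dmarc.<domain>")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} only monitors; set p=quarantine or p=reject")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of your mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are not being collected")
    return findings


# Constructed sample records (not real domains' DNS data).
GOOD_SPF = "v=spf1 include:_spf.google.com -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

if __name__ == "__main__":
    for label, spf, dmarc in (("good", GOOD_SPF, GOOD_DMARC), ("weak", WEAK_SPF, WEAK_DMARC)):
        print(label, grade(spf, dmarc) or ["no findings"])
```

The lookup count is deliberately shallow: it counts the mechanisms in your own record but does not recurse into each include, so a real evaluation can exceed 10 even when this script reports fewer. Treat a count close to the limit as a prompt to flatten the record.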

Last updated on Sep 25, 2025

Malware Scan Policy Screenshot Guide

1. Purpose of this Guide

This artefact proves that your company has anti-malware protection properly configured. Cyber Essentials requires this because attackers rely on lazy defences: if your devices aren’t scanning files on access, updating signatures, or running periodic sweeps, you’re leaving the drawbridge down.

2. What You Will Submit

You will need:
- A screenshot/report of your anti-malware policy.
- The evidence should clearly show:
  - Scheduled scans (daily/weekly).
  - Real-time/on-access protection enabled.
  - Automatic updates for virus/malware signatures.
  - Mobile device protection (if applicable).

3. How to Collect / Obtain / Generate This Evidence

For StrongKeep customers (recommended):
1. Log into your StrongKeep Dashboard.
2. Go to Evidence Library → Malware Scan Policy.
3. Click Generate Report.
4. The system will fetch your anti-malware configuration via the integrated endpoint protection tool.
5. Download the PDF or screenshot the dashboard view.

For non-integrated setups:
- Microsoft Defender (Windows):
  1. Open Windows Security → Virus & threat protection → Manage settings.
  2. Screenshot showing Real-time protection ON.
  3. The Windows Security app does not show the scan schedule. Screenshot it from Task Scheduler → Task Scheduler Library → Microsoft → Windows → Windows Defender → Windows Defender Scheduled Scan, or from the Group Policy / Intune setting that defines it. Alternatively, run Get-MpComputerStatus and Get-MpPreference in PowerShell and screenshot the output: RealTimeProtectionEnabled, AntivirusSignatureLastUpdated and ScanScheduleDay / ScanScheduleTime cover all three controls in one capture.
- Sophos / Trend Micro / Avast Business:
  1. Go to the admin console.
  2. Screenshot the policy page showing automated scans, signature updates, and real-time file protection.
- Mobile devices (MDM-managed):
  1. Open the MDM console (e.g., Intune, Jamf, Workspace ONE).
  2. Screenshot the profile showing enforced anti-malware protection.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_MalwareScanPolicy_YYYY-MM-DD.png
  Example: AcmeCorp_MalwareScanPolicy_2025-07-01.png

5. What “Good” Looks Like
- Evidence shows all key controls (scans, updates, real-time protection).
- Policy view or settings panel visible, not just a random “Scan complete” screen.
- (Bonus) Logs showing the last successful scan and the signature version in use.

Why it matters: auditors want proof that you’re not only able to scan for malware but that the process is automatic, current, and continuous.

6. Tips
- If using StrongKeep, let the platform auto-generate; it ensures consistency.
- For third-party tools, make sure screenshots show the policy configuration, not just results.
- Redact usernames, device IDs, or internal hostnames before submission.

Last updated on Sep 25, 2025

Multi-Factor Authentication Policy Enforcement Guide

1. Purpose of this Guide

This artefact proves your company has enforced MFA across user accounts, not just made it optional. Cyber Essentials requires this because passwords alone are a rickety drawbridge; MFA adds a second gate (a code, token, or app approval) that makes it much harder for attackers to sneak in with stolen credentials.

2. What You Will Submit

You will need:
- A screenshot from your identity provider (IdP) or admin console showing:
  - MFA enforcement enabled for users.
  - Status that indicates “Enforced” or “Required”, not just “Available.”
  - Coverage across the organisation or specific groups (admins, staff, etc.).

3. How to Collect / Obtain / Generate This Evidence

For StrongKeep users:
1. Log into the StrongKeep Password Manager → Reports.
2. Select MFA.
3. Click Generate Report.
4. Download the screenshot/report.

Microsoft Entra (Azure AD):
1. If you enforce MFA with Conditional Access (the recommended approach), go to Entra Admin Center → Protection → Conditional Access and screenshot the policy that requires multifactor authentication, showing its state as On and the users/groups it targets. Check the exclusions list too; an excluded "break-glass" group is normal, an excluded department is not.
2. If you use Security defaults instead, go to Identity → Overview → Properties → Manage security defaults and screenshot it Enabled.
3. If you still rely on the legacy per-user MFA, go to Users → Per-user MFA and screenshot status = Enforced for at least one account (ideally all relevant users). Microsoft treats per-user MFA as legacy, so expect an auditor to ask about your migration to Conditional Access.

Google Workspace:
1. Open Admin Console → Security → Authentication → 2-step verification.
2. Ensure Enforcement is On for the organisational units in scope or all users, with no open-ended enrollment grace period.
3. Screenshot showing enforcement, not just availability.

Okta / Other IdPs (Duo, OneLogin):
1. Log into the admin console.
2. Navigate to Authentication / Security Policies.
3. Screenshot showing MFA required for sign-ins.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_MFAEnforcement_YYYY-MM-DD.png
  Example: AcmeCorp_MFAEnforcement_2025-07-01.png

5. What “Good” Looks Like
- Status clearly shows MFA enforced (not optional).
- Screenshot taken from the official IdP console (Microsoft Entra, Google Admin, Okta, etc.).
- Evidence covers all relevant staff, especially admins and high-privilege accounts.

Why it matters: auditors want assurance that MFA isn’t just “available in theory” but practically enforced across your systems.

6. Tips
- Redact personal names or emails from the screenshot before upload.
- Enforce MFA organisation-wide where possible; partial coverage may raise questions.
- An "enforced" policy only proves the rule exists. A registration report showing that every user has actually set up a second factor closes the gap between policy and reality.
- Combine this with your Access Request Process evidence to show end-to-end strong account security.
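A registration report is the quickest way to show that enforcement has reached every account. The script below is an added example for this guide, not StrongKeep's code: it reads the JSON shape returned by Microsoft Graph's `GET /reports/authenticationMethods/userRegistrationDetails` (field names as documented at the time of writing; adjust FIELDS if your tenant's export differs) and reports coverage, listing any admin without MFA first, with local parts of user names masked so the summary can be uploaded as evidence. SAMPLE_REPORT is constructed for illustration.

```python
"""Summarise MFA registration coverage from a Microsoft Entra report export.

Added example for this guide; not StrongKeep's code. It reads the JSON shape of
Microsoft Graph's GET /reports/authenticationMethods/userRegistrationDetails and
answers the question auditors ask of an MFA screenshot: is every user, and
above all every admin, actually registered? The field names in FIELDS follow
that report as documented; adjust them if your export differs. SAMPLE_REPORT is
constructed for illustration.
"""
import json

FIELDS = {
    "upn": "userPrincipalName",
    "admin": "isAdmin",
    "registered": "isMfaRegistered",
    "capable": "isMfaCapable",
}

# Constructed sample export: two admins (one unregistered), two staff, one service account.
SAMPLE_REPORT = json.dumps({"value": [
    {"userPrincipalName": "alice@example.com", "isAdmin": True, "isMfaRegistered": True, "isMfaCapable": True},
    {"userPrincipalName": "bob@example.com", "isAdmin": True, "isMfaRegistered": False, "isMfaCapable": False},
    {"userPrincipalName": "carol@example.com", "isAdmin": False, "isMfaRegistered": True, "isMfaCapable": True},
    {"userPrincipalName": "dave@example.com", "isAdmin": False, "isMfaRegistered": False, "isMfaCapable": False},
    {"userPrincipalName": "svc-backup@example.com", "isAdmin": False, "isMfaRegistered": False, "isMfaCapable": False},
]})


def redact(upn):
    """Mask the local part (alice@example.com -> a***@example.com) so the summary is safe to upload."""
    local, at, domain = upn.partition("@")
    return (local[:1] + "***" + at + domain) if at else upn


def mfa_coverage(report_json):
    """Return coverage counts plus the unregistered admins and users (unredacted)."""
    users = json.loads(report_json)["value"]
    registered = [u for u in users if u.get(FIELDS["registered"])]
    missing = [u for u in users if not u.get(FIELDS["registered"])]
    return {
        "total": len(users),
        "registered": len(registered),
        "coverage_pct": round(100.0 * len(registered) / len(users), 1) if users else 0.0,
        "unregistered_admins": [u[FIELDS["upn"]] for u in missing if u.get(FIELDS["admin"])],
        "unregistered_users": [u[FIELDS["upn"]] for u in missing if not u.get(FIELDS["admin"])],
    }


def evidence_summary(report_json):
    """Redacted plain-text lines to attach beside the console screenshot."""
    c = mfa_coverage(report_json)
    lines = [f"MFA registered: {c['registered']}/{c['total']} users ({c['coverage_pct']}%)"]
    if c["unregistered_admins"]:
        lines.append("ADMINS WITHOUT MFA: " + ", ".join(map(redact, c["unregistered_admins"])))
    if c["unregistered_users"]:
        lines.append("users without MFA: " + ", ".join(map(redact, c["unregistered_users"])))
    full = bool(c["total"]) and not c["unregistered_admins"] and c["coverage_pct"] == 100.0
    lines.append("verdict: " + ("PASS" if full else "FAIL"))
    return lines


if __name__ == "__main__":
    print("\n".join(evidence_summary(SAMPLE_REPORT)))
```

Service accounts that cannot register a second factor show up here as unregistered users; rather than excluding them from the policy silently, document the compensating control for each one, because that is the first thing an auditor will ask about.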

Last updated on Sep 25, 2025

Mobile Backup Screenshot Guide

1. Purpose of this Guide

This artefact proves your company’s mobile devices are securely and automatically backed up. Cyber Essentials requires this because mobiles often hold sensitive client conversations, contacts, and operational data. Without backups, a lost or broken phone could mean lost business-critical data.

2. What You Will Submit

You will need:
- A screenshot from your mobile device or MDM console showing backup settings.
- The screenshot should clearly show:
  - Backup turned ON.
  - Type of data being backed up (SMS, contacts, app data, etc.).
  - Destination (cloud account, secondary storage, or MDM-managed system).
  - Automatic/scheduled backup frequency.

3. How to Collect / Obtain / Generate This Evidence

Apple iOS (iCloud Backup):
1. Open Settings → [Your Name] → iCloud → iCloud Backup.
2. Ensure iCloud Backup is toggled ON.
3. Screenshot the screen showing backup enabled, with the timestamp of the last successful backup.

Android (Google Backup):
1. Open Settings → Google → Backup.
2. Confirm Backup by Google One is ON.
3. Screenshot showing the items backed up (App data, Contacts, SMS, etc.) and the latest backup time.

Mobile Device Management (MDM) tools (e.g., Intune, Jamf, Workspace ONE):
1. Log into your MDM admin portal.
2. Open the configuration profile that governs backup on corporate devices (for example, the device restrictions profile that allows or requires cloud backup).
3. Screenshot showing that corporate devices have the backup policy enforced.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_MobileBackup_YYYY-MM-DD.png

5. What “Good” Looks Like
- Shows backup enabled and running automatically.
- Data types listed (contacts, SMS, app data).
- Destination storage clear (iCloud, Google Drive, or corporate backup system).
- A recent backup timestamp visible.

Why it matters: auditors want proof that if a device is lost or damaged, data isn’t gone forever; it can be recovered quickly.

6. Tips
- Redact personal photos, messages, or irrelevant apps before capturing.
- Standardise settings across all corporate phones (via MDM) to avoid exceptions.
- Make sure corporate data is backed up to a corporate-managed account, not a staff member’s personal iCloud or Google account, or the backup leaves with the employee.
- Run a test restore on one device; it proves your backups actually work.

Last updated on Sep 25, 2025

Multi-Cloud Backup Guide

1. Purpose of this Guide

This artefact proves that your company isn’t putting all its eggs in one basket: you’re using multiple cloud providers to back up critical data. Cyber Essentials requires this because cloud providers can have outages, misconfigurations, or even policy changes. A multi-cloud approach shows you’re prepared for continuity no matter which cloud falters.

2. What You Will Submit

You will need:
- A screenshot from your backup platform(s) showing:
  - Data backed up to two or more different cloud providers (e.g., AWS + Google Cloud, or OneDrive + Dropbox).
  - Active and recent backup activity.
  - Timestamps or logs proving backups are current.

3. How to Collect / Obtain / Generate This Evidence

Option A: SaaS backup tools (Datto, Veeam, Acronis, Druva):
1. Log into the admin console.
2. Navigate to Backup Jobs / Policies.
3. Show backup destinations across multiple cloud providers.
4. Screenshot the summary page.

Option B: Direct Cloud Provider Setup:
- AWS S3 + Google Cloud Storage:
  1. Show the replication/backup job configured to copy data between clouds.
  2. Screenshot the job detail screen with destinations.
- Microsoft OneDrive + Google Drive:
  1. If using a sync tool (e.g., MultCloud, CloudHQ), open the dashboard.
  2. Screenshot showing the files are synced/backed up between platforms.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_MultiCloudBackup_YYYY-MM-DD.png
  Example: AcmeCorp_MultiCloudBackup_2025-07-01.png

5. What “Good” Looks Like
- Clear proof that two or more providers are in use.
- Screenshot shows recent activity (not stale/empty jobs).
- Destinations are recognisable (AWS, Google, Microsoft, etc.).
- Timestamps/logs confirm recency and reliability.

Why it matters: auditors want to see you’re not over-relying on a single vendor and have resilience built in.

6. Tips
- Redact sensitive paths, filenames, or customer data in the screenshot.
- Use different types of providers (e.g., AWS + Microsoft) for stronger assurance.
- A sync tool mirrors deletions and ransomware-encrypted files just as faithfully as good data, so make sure at least one destination keeps versions or immutable copies that let you roll back.
- Pair this with your Business Critical Data Backup artefacts for completeness.

Last updated on Sep 25, 2025

Network Diagram Guide

1. Purpose of this Guide

This artefact proves your company understands and documents how its network is structured and defended. Cyber Essentials requires this because without a clear map, it’s easy to overlook unprotected pathways, forgotten devices, or weak firewall coverage. A diagram is like your castle blueprint, showing walls, gates, and where the guards are posted.

2. What You Will Submit

You will need:
- A network diagram that includes:
  - Internet connection points.
  - Firewalls (hardware or DNS firewalls).
  - Routers, switches, Wi-Fi access points.
  - Segmented networks (e.g., office LAN, guest Wi-Fi, IoT VLAN).
  - End-user devices (workstations, laptops, mobiles, printers).
- If using StrongKeep: the provided template diagram, adapted with your details.

3. How to Collect / Obtain / Generate This Evidence

Option A: Use the StrongKeep Template:
1. Download the Network Diagram template.
2. Add your:
   - ISP connection
   - Firewall(s)
   - Switches / Wi-Fi Access Points
   - Device groups (e.g., staff laptops, printers, IoT cameras)
3. Save and export as PDF or PNG.

Option B: Create from Scratch (if not using StrongKeep):
- Microsoft Visio / Lucidchart / Draw.io:
  1. Create a blank canvas.
  2. Add internet, firewall, router, and network segments.
  3. Place icons for devices (workstations, printers, servers).
  4. Label key security features (e.g., “DNS firewall enabled,” “IoT isolated VLAN”).
  5. Export to PDF/PNG.

Option C: Auto-Discovery Tools (advanced):
- Use tools like Lansweeper, SolarWinds, or NetBrain to auto-generate diagrams.
- Export the generated map, ensuring sensitive hostnames/IPs are redacted.

4. Evidence Format
- Accepted file types: PDF, PNG, JPG.
- Suggested naming format: YourCompanyName_NetworkDiagram_YYYY-MM-DD.pdf
  Example: AcmeCorp_NetworkDiagram_2025-07-01.pdf

5. What “Good” Looks Like
- Shows all main components (firewalls, routers, devices, Wi-Fi).
- Clearly labels security controls (firewall, segmentation).
- Easy to read (not overloaded with every tiny switch or port).
- Reflects the current environment (not an outdated design).

Why it matters: auditors want proof that you’re aware of your network’s shape and choke points, a living map of your cyber fortress.

6. Tips
- Keep it high-level; no need for every patch cable.
- Show segmentation (e.g., staff Wi-Fi vs guest Wi-Fi).
- Update after major IT changes (new ISP, new firewall, new office).
- Redact sensitive details like internal IP ranges if needed.

Last updated on Sep 25, 2025

Non-Critical Backup Screenshot Guide

1. Purpose of this Guide

This artefact proves your company doesn’t only protect the “crown jewels” but also keeps less critical data backed up. Cyber Essentials requires this because even non-critical systems can contain information that, if lost, could disrupt operations. Having a backup, even at a lower frequency, shows resilience across the board.

2. What You Will Submit

You will need:
- A screenshot showing:
  - Backup settings for non-critical systems (e.g., shared drives, test servers, archive data).
  - Frequency (e.g., weekly, monthly) clearly configured.
  - Destination storage (cloud, NAS, external drive).
  - Timestamp or status proving recent activity.

3. How to Collect / Obtain / Generate This Evidence

Option A: Cloud Backup Services (e.g., OneDrive, Google Drive, Dropbox):
1. Open the admin or settings panel.
2. Navigate to Backup / Sync Settings.
3. Screenshot showing the folders/files designated as non-critical with their backup frequency.

Option B: Backup Software (e.g., Veeam, Acronis, Datto):
1. Log into the admin console.
2. Go to Backup Jobs / Policies.
3. Screenshot the configuration showing weekly/monthly backup jobs for non-critical systems.

Option C: Local/On-Premise NAS or External Storage:
1. Open the backup scheduler interface.
2. Capture the job list showing less frequent backups (e.g., archives every 2 weeks).
3. Screenshot with timestamps of the last and next backup.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_NonCriticalBackup_YYYY-MM-DD.png

5. What “Good” Looks Like
- Screenshot clearly shows non-critical data included.
- Backup frequency lower than critical systems (e.g., monthly vs daily).
- Shows the destination where backups are stored.
- Timestamp/logs prove the backup is active and not stale.

Why it matters: auditors want evidence that your company covers all data tiers, not just critical files, while optimising resources responsibly.

6. Tips
- Label non-critical jobs clearly (“Archive Data Weekly Backup”) to avoid confusion.
- Redact sensitive file/folder names if shown.
- Pair with your Business Critical Backup evidence to demonstrate a balanced backup strategy.

Last updated on Sep 25, 2025

Non-Disclosure Agreement Guide

1. Purpose of this Guide

This artefact shows that your company uses NDAs to protect sensitive information when working with staff, contractors, or partners. Cyber Essentials requires this because without confidentiality agreements, third parties could legally (or accidentally) share your secrets with outsiders, which is like leaving the castle gate unguarded.

2. What You Will Submit

You will need:
- A signed NDA document (template customised for your organisation).
- This should cover:
  - Definitions of confidential information.
  - Obligations to protect that information.
  - Restrictions on disclosure and use.
  - Duration of the agreement.
  - Parties bound (employees, contractors, vendors).

3. How to Collect / Obtain / Generate This Evidence

For StrongKeep Customers:
1. Download StrongKeep's Non-Disclosure Agreement Template.
2. Add your company name, logo, and specific details (parties, scope, duration).
3. Circulate for signing with employees, contractors, or vendors.
4. Save the signed copy as PDF.

If building your own NDA:
1. Use your legal counsel or internal policy framework.
2. Ensure the NDA covers:
   - Confidential data scope (business, financial, IT, customer).
   - Use restrictions (no sharing, no re-use outside contract).
   - Remedies in case of breach.
3. Collect signed copies from all relevant parties.

4. Evidence Format
- Accepted file types: PDF, DOCX.
- Suggested naming format: YourCompanyName_NDA_YYYY-MM-DD.pdf
  Example: AcmeCorp_NDA_2025-07-01.pdf

5. What “Good” Looks Like
- NDA includes clear confidentiality clauses.
- Document shows signatures from both parties.
- Agreement applies to all relevant stakeholders (employees, contractors, vendors).
- Recent version (not an outdated draft).

Why it matters: auditors want proof that sensitive information is legally protected, not just secured by goodwill.

6. Tips
- Use e-signature platforms (e.g., DocuSign, Adobe Sign) for easy tracking.
- Keep a central record of all signed NDAs in your compliance folder.
- Pair this with your Access Request Process evidence to show contractors don’t just get access; they’re bound by confidentiality too.

Last updated on Sep 25, 2025

Offline Backup Screenshot Guide

1. Purpose of this Guide

This artefact proves that your company can recover data even if online systems are compromised. Cyber Essentials requires this because ransomware, malware, or insider threats can wipe out live backups. An offline backup is like a sealed vault: attackers can’t touch it because it’s disconnected.

2. What You Will Submit

You will need:
- A screenshot or photo showing offline backup storage in use.
- The evidence should display:
  - The storage medium (USB drive, encrypted external HDD, tape, etc.).
  - Backup contents or logs proving recent data copied.
  - Evidence that it’s disconnected from the live network/system.

3. How to Collect / Obtain / Generate This Evidence

Option A: External Hard Disk / USB drive:
1. Plug in your encrypted external HDD or USB flash drive.
2. Run a backup job or copy your business data.
3. Screenshot the folder view showing the data and timestamps.
4. Safely eject the device and (optionally) take a photo of it labelled and stored securely.

Option B: Managed Offline Backup Service:
1. Log into the provider console.
2. Open the job history for offline/air-gapped storage.
3. Screenshot showing the successful transfer with its date.

Best Practice:
- Store the offline media physically separate (e.g., another office, safe, or vault).
- Use encryption plus password protection for portable drives.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF (screenshots or photographs).
- Suggested naming format: YourCompanyName_OfflineBackup_YYYY-MM-DD.png

5. What “Good” Looks Like
- Backup media shown separate from live systems.
- Timestamp/log showing recent backup activity.
- Media labelled (e.g., “Finance Q3 Backup – Stored Offsite”).
- Ideally, encrypted or password-protected media.

Why it matters: auditors want assurance that even if ransomware takes out your online backups, you still have untouchable recovery options.

6. Tips
- Rotate multiple offline media sets (weekly/monthly).
- Store one copy offsite for disaster recovery.
- A drive that stays plugged in is not offline; ransomware encrypts mounted volumes too. Disconnect it after each job and reconnect only for the next job or a test restore.
- Redact sensitive filenames in screenshots before uploading.
- If photographing physical media, blur serial numbers.

Last updated on Sep 25, 2025

Organisational Chart Guide

1. Purpose of this Guide

This artefact proves that your company has clear reporting lines and responsibilities. Cyber Essentials requires this because, in a crisis, everyone needs to know who calls the shots. An organisational chart is like your battle map, showing who leads, who supports, and who reports where.

2. What You Will Submit

You will need:
- An organisational chart that includes:
  - Leadership roles (e.g., CEO, Directors).
  - IT/security roles (e.g., IT Manager, Security Lead).
  - Operational teams (e.g., HR, Finance, Ops).
  - Reporting lines (who reports to whom).

3. How to Collect / Obtain / Generate This Evidence

For StrongKeep Customers (recommended):
1. Download StrongKeep's Organisational Chart Template.
2. Fill in your company’s staff names, job titles, and reporting relationships.
3. Save as PDF or PNG.

If building from scratch:
- Microsoft PowerPoint / Word / Excel: Use SmartArt → Hierarchy → fill in roles.
- Draw.io / Lucidchart / Canva: Use drag-and-drop hierarchy tools to design the chart.
- Ensure clarity: don’t overload with every single intern; focus on structure and authority.

4. Evidence Format
- Accepted file types: PDF, PNG, JPG, DOCX.
- Suggested naming format: YourCompanyName_OrgChart_YYYY-MM-DD.pdf
  Example: AcmeCorp_OrgChart_2025-07-01.pdf

5. What “Good” Looks Like
- Clear hierarchical structure with key roles shown.
- Reporting lines visible (arrows/lines connecting roles).
- Includes IT/security roles relevant to incident response.
- Reflects the current state of your company (not outdated).

Why it matters: auditors want to see that your company won’t descend into chaos during an incident; everyone knows their role and who they report to.

6. Tips
- Update the chart whenever leadership or IT/security roles change.
- Keep it high-level; auditors don’t need every intern or contractor.
- Pair this with your Incident Response Plan artefact to show who actually carries out each action.

Last updated on Sep 25, 2025

Operating System Firewall Guide

1. Purpose of this Guide

This artefact proves your company has host firewalls enabled on all endpoints. Cyber Essentials requires this because a host firewall is your personal guard at the door, blocking unwanted inbound connections before they reach a service. Whether you use the built-in OS firewall or StrongKeep’s XDR host firewall, this evidence shows every device has its shield raised.

2. What You Will Submit

You will need:
- A screenshot showing a host firewall enabled and configured.
- The screenshot should include:
  - Firewall status (ON/Enabled).
  - Rules or categories applied (if visible).
  - Confirmation it’s applied at the device level (OS or XDR agent).

3. How to Collect / Obtain / Generate This Evidence

Using StrongKeep XDR Host Firewall (coming soon):
1. Log into the StrongKeep Dashboard → Evidence Library → Host Firewall.
2. Click Generate Report.
3. Screenshot the view showing firewall enforcement from the XDR agent.

Using Windows built-in Defender Firewall:
1. Open Control Panel → System and Security → Windows Defender Firewall (or Windows Security → Firewall & network protection).
2. Confirm the firewall is ON for the Domain, Private, and Public profiles. All three matter: a laptop on a café Wi-Fi uses the Public profile.
3. Screenshot the panel.

Using macOS built-in Firewall:
1. Go to System Settings → Network → Firewall.
2. Toggle Firewall = ON.
3. Screenshot this view.

Using Linux (UFW, firewalld or nftables):
1. Run sudo ufw status (Ubuntu/Debian), sudo firewall-cmd --state (RHEL/Fedora) or, on hosts that use nftables directly, sudo nft list ruleset.
2. Take a screenshot of the terminal showing the firewall active: "Status: active", "running", or a ruleset whose input chain has a drop policy. An empty ruleset or "Status: inactive" is a fail even though the package is installed.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_HostFirewall_YYYY-MM-DD.png
  Example: AcmeCorp_HostFirewall_2025-07-01.png

5. What “Good” Looks Like
- Firewall clearly shown as enabled.
- Screenshot taken from the system or XDR console (not a mockup).
- If possible, rules or logs visible to show active blocking.
- Evidence from multiple OS types if your organisation uses mixed environments.

Why it matters: auditors want to see host-level protection; even if your network firewall fails, endpoints are still guarded.

6. Tips
- For StrongKeep XDR, include one screenshot per OS type deployed (Windows/macOS).
- Redact sensitive rule names or IP addresses.
- Pair this with your Firewall Configuration Screenshot (DNS/Network firewall) to show layered defence.
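On a fleet of Linux servers, a terminal screenshot per host does not scale. The script below is an added example for this guide, not StrongKeep's XDR agent: it tries the front-ends named above in order (ufw, firewalld, then nftables directly), parses each tool's output with the same pass/fail reading described in step 2, and prints one timestamped evidence line per host. The parsers take the command output as a string, so they are shown on constructed sample output; run the script with sudo on a real host to collect evidence, because ufw refuses to report status without root.

```python
"""Collect host-firewall status on Linux endpoints as plain-text evidence.

Added example for this guide; it is not StrongKeep's XDR agent. It tries the
front-ends the guide names, in order: ufw, firewalld, then nftables directly,
and prints one line per host that you can keep beside the terminal screenshot.
The parsers take each command's output as a string, so they are exercised on
constructed sample output; run the script with sudo on a real host.
"""
import datetime
import shutil
import socket
import subprocess


def parse_ufw(output):
    """`ufw status` prints 'Status: active' or 'Status: inactive' (or an error when not root)."""
    for line in output.splitlines():
        if line.lower().startswith("status:"):
            return line.split(":", 1)[1].strip().lower() == "active"
    return False


def parse_firewalld(output):
    """`firewall-cmd --state` prints 'running' or 'not running'."""
    return output.strip().lower() == "running"


def parse_nft(output):
    """`nft list ruleset`: active only if some chain drops or rejects.

    An empty ruleset, or one with only accept rules and accept policies, filters nothing."""
    text = output.lower()
    return "table " in text and ("drop" in text or "reject" in text)


CHECKS = [
    ("ufw", ["ufw", "status"], parse_ufw),
    ("firewalld", ["firewall-cmd", "--state"], parse_firewalld),
    ("nftables", ["nft", "list", "ruleset"], parse_nft),
]


def run(cmd):
    """Run cmd if the binary exists; return (found, combined output) and never raise."""
    if shutil.which(cmd[0]) is None:
        return False, ""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return False, ""
    return True, proc.stdout + proc.stderr


def host_firewall_status(checks=CHECKS):
    """Return (tool, active) for the first front-end installed, or (None, False)."""
    for name, cmd, parser in checks:
        found, output = run(cmd)
        if found:
            return name, parser(output)
    return None, False


def evidence_line(hostname, tool, active, when=None):
    """One timestamped line per host, e.g. '...T09:00:00+00:00 host=web1 firewall=ufw status=ENABLED'."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    state = "ENABLED" if active else "DISABLED"
    return f"{when.isoformat(timespec='seconds')} host={hostname} firewall={tool or 'none'} status={state}"


if __name__ == "__main__":
    tool, active = host_firewall_status()
    print(evidence_line(socket.gethostname(), tool, active))
```

The nftables reading is deliberately strict: a ruleset that exists but only accepts is reported as DISABLED, which matches what an auditor would conclude from the screenshot. A host reporting firewall=none has no supported front-end installed at all and needs one before it can pass.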

Last updated on Sep 25, 2025

Password Compromise Screenshot Guide

1. Purpose of this Guide

This artefact demonstrates your company’s ability to detect compromised passwords and promptly enforce a password change. Cyber Essentials requires this because an early warning of a leaked password stops attackers from using stolen credentials to walk into your systems with a valid login.

2. What You Will Submit

You will need:
- A screenshot from your password manager showing the detection of a compromised password.
- The screenshot should clearly display:
  - User details (e.g., email or username associated with the password).
  - The alert or notification flagging the password compromise.
  - Confirmation that a password change was enforced or recommended.

3. How to Collect / Obtain / Generate This Evidence

For StrongKeep customers:
1. Log into the StrongKeep Dashboard → Password Manager.
2. Go to the Compromised Password Alerts section.
3. Screenshot the list showing compromised passwords and any emails with related enforcement actions (e.g. password reset recommended to the respective staff).

For third-party password managers (e.g., LastPass, 1Password, Bitwarden):
1. Log into the password manager dashboard.
2. Go to the Security / Breach Reports section.
3. Capture a screenshot showing detected compromised passwords (e.g., “password found in data breach”).
4. Ensure it also shows the enforcement action (e.g., prompting a password change or auto-reset).

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_PasswordCompromise_YYYY-MM-DD.png
  Example: AcmeCorp_PasswordCompromise_2025-07-01.png

5. What “Good” Looks Like
- Screenshot shows a compromised password detected in the system.
- Displays the enforcement action (e.g., change password, notify user).
- User identifier (email, username) visible, without exposing sensitive data.
- Evidence from a trusted password manager (Bitwarden, 1Password, StrongKeep, etc.).

Why it matters: auditors want to see that you actively monitor and manage compromised credentials, ensuring they are promptly addressed to avoid breaches.

6. Tips
- Redact sensitive details (like full usernames, and certainly any password) before submitting.
- Regularly review and enforce password hygiene practices across the organisation.
- Make sure your password manager's alerts feed into your incident response process so a detected compromise triggers a reset and a check for misuse, not just an email.
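The breach check behind these alerts is a k-anonymity lookup: the password never leaves your side, only the first five hex characters of its SHA-1 do, and matching is done locally. The script below is an added example for this guide, not StrongKeep's or any password manager vendor's code; it implements that lookup against the Have I Been Pwned Pwned Passwords range API. SAMPLE_RANGE is a constructed response for the "5BAA6" range so the logic runs offline (the suffix for the word "password" is real, the counts are made up); query_range() performs the live request when you have network access.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords range API.

Added example for this guide; it is not StrongKeep's or any vendor's code.
It shows the k-anonymity lookup most password managers use for "found in a
data breach" alerts: only the first five hex characters of the password's
SHA-1 are sent, the service returns every hash suffix in that range with a
breach count, and the match is done locally. SAMPLE_RANGE is a constructed
response for the "5BAA6" range so the logic runs offline; the counts in it
are made up, not HIBP's live figures.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"
USER_AGENT = "compliance-check-example/1.0"  # HIBP rejects requests without a User-Agent


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into (first 5 chars, remaining 35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; padded entries carry count 0."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """Breach appearances for password, given the range response for its own prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def enforcement_action(count):
    """Policy outcome for a result; mirrors the 'enforce a change' step in the guide."""
    return "force password reset and notify user" if count > 0 else "no action"


def query_range(prefix, timeout=10):
    """Fetch the live range for a 5-hex-char prefix (network access required)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": USER_AGENT, "Add-Padding": "true"},  # padding hides range sizes
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: the real SHA-1 suffix of "password" in the 5BAA6 range, plus filler lines.
SAMPLE_RANGE = "\n".join([
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1E2AAA439972480CEC7F16C795BBB429372:1",
])

if __name__ == "__main__":
    pw = "password"
    prefix, _ = sha1_prefix_suffix(pw)
    n = breach_count(pw, SAMPLE_RANGE)            # offline, using SAMPLE_RANGE
    # n = breach_count(pw, query_range(prefix))   # live lookup against HIBP
    print(f"prefix sent: {prefix}; seen {n} times -> {enforcement_action(n)}")
```

Never log the full hash or the password when wiring this into a reset workflow; the prefix and the count are all the evidence the alert needs, which is also why the screenshot you submit should show the alert and the action, not the credential.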

Last updated on Sep 25, 2025

Password Expiration Screenshot Guide

1. Purpose of this Guide

This artefact proves your company has password expiration policies configured. Cyber Essentials requires this because long-lived, unchanged passwords are ripe targets for attackers. By enforcing expiration, you compel regular refreshes, which limits how long a leaked credential stays usable.

2. What You Will Submit

You will need:
- A screenshot showing the password expiration settings in your environment.
- The screenshot should display:
  - Password expiration period (e.g., 90 days).
  - Enforcement at the domain or system level.
  - Confirmation that the policy is active, not just a draft.

3. How to Collect / Obtain / Generate This Evidence

Microsoft Active Directory (on-premises domain):
1. Open Group Policy Management → Default Domain Policy → Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy.
2. Locate Maximum password age.
3. Screenshot the value (e.g., 90 days). If you use fine-grained password policies, screenshot the relevant Password Settings Object too, since it overrides the domain policy for its members. Get-ADDefaultDomainPasswordPolicy in PowerShell shows the effective MaxPasswordAge if you prefer a terminal capture.

Microsoft 365 / Entra ID (cloud-only):
1. Log into Microsoft 365 Admin Center → Settings → Org settings → Security & privacy.
2. Under Password expiration policy, verify the number of days set.
3. Screenshot this setting.

Google Workspace:
1. Open Admin Console → Security → Authentication → Password management.
2. Check Password expiration period.
3. Screenshot the setting with the applied value.

Other Systems (Okta, OneLogin, etc.):
1. Go to Security / Policies → Password Policy.
2. Locate the expiration/rotation settings.
3. Screenshot the policy configuration.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_PasswordExpiration_YYYY-MM-DD.png
  Example: AcmeCorp_PasswordExpiration_2025-07-01.png

5. What “Good” Looks Like
- Screenshot shows a specific expiration timeframe (not blank/disabled).
- Policy scope visible (applies to users or domain).
- Captured from the official admin console (Active Directory, M365, Google Admin, etc.).

Why it matters: auditors want proof that password expiration is not optional; it’s actively enforced across accounts.

6. Tips
- Pair this with your Password Compromise Screenshot to demonstrate layered defence: expiry caps how long a leaked password stays valid, while compromise detection catches it sooner.
- Redact user names or tenant IDs from screenshots.
- Standardise expiration values (e.g., 90 days) across all systems to avoid gaps.

Last updated on Sep 25, 2025

Physical Access Control Photo Guide

1. Purpose of this Guide
This artefact proves your company has physical barriers in place to stop unauthorised access to IT systems. Cyber Essentials requires this because even the best digital fortress is useless if someone can just stroll into your office and plug into a server. Think of it as your moat, drawbridge, and portcullis.

2. What You Will Submit
You will need:
- A photo clearly showing one or more physical access control measures, such as:
  - Card or biometric access system on a server room door.
  - Cable locks securing laptops or desktops.
  - Locked server racks or cabinets.
  - Security turnstiles or restricted office access points.

3. How to Collect / Obtain / Generate This Evidence
Office Door Access Control:
1. Take a photo of the keycard reader, biometric scanner, or keypad at your office/server room.
2. Ensure the photo shows it is installed and in use (e.g., at the entry point).

Workstation Cable Locks:
1. Photograph a workstation with a cable lock securing the device to a desk.
2. Ensure the lock mechanism and tether are visible.

Locked Server Rack / Cabinet:
1. Photograph your server/network cabinet with the lock engaged.
2. Include evidence of labelling or restricted-access signage if present.

Multi-layered Controls:
- Show combinations of controls (e.g., card access + CCTV, or locked racks inside a restricted room).

4. Evidence Format
- Accepted file types: JPG, PNG, PDF.
- Suggested naming format: YourCompanyName_PhysicalAccessControl_YYYY-MM-DD.jpg
  Example: AcmeCorp_PhysicalAccessControl_2025-07-01.jpg

5. What “Good” Looks Like
- Evidence is clear and unambiguous (no blurry hallway photos).
- Shows a real physical control in place, not just an empty room.
- Ideally, includes multiple types of access control (e.g., locked racks + card access).
Why it matters: auditors want proof that attackers can’t simply bypass digital controls by physically walking into your workspace.

6. Tips
- Avoid capturing staff faces in the photo (privacy).
- Redact serial numbers or sensitive signage if visible.
- If controls are outsourced (e.g., data centre), request a photo or access log evidence from the provider.

Last updated on Sep 25, 2025

Physical Media Destruction Photo Guide

1. Purpose of this Guide
This artefact proves your company securely destroys paper-based media so sensitive information doesn’t fall into enemy hands. Cyber Essentials requires this because forgotten printouts, contracts, or system reports can be a goldmine for attackers if left in the bin. A photo of your destruction process shows that you’re not leaving secrets lying around.

2. What You Will Submit
You will need:
- A photo clearly showing:
  - The shredding or secure destruction process.
  - Equipment used (e.g., paper shredder, secure disposal bin).
  - Media being destroyed (blurred or redacted if sensitive text is visible).

3. How to Collect / Obtain / Generate This Evidence
Option A: Office Paper Shredder:
1. Feed paper documents into the shredder.
2. Photograph the shredder in action, showing documents being destroyed.
3. If possible, capture the shredded output.

Option B: Secure Disposal Bins (locked consoles):
1. Photograph the secure console/bin in your office.
2. Ensure the lock is visible (to show restricted access).
3. Optionally, include a collection tag from the disposal provider.

Option C: Third-Party Secure Disposal Service:
1. Take a photo of the certificate of destruction provided by the vendor.
2. (Optional) Photograph the vendor’s sealed collection bins being removed.

4. Evidence Format
- Accepted file types: JPG, PNG, PDF.
- Suggested naming format: YourCompanyName_PhysicalMediaDestruction_YYYY-MM-DD.jpg
  Example: AcmeCorp_PhysicalMediaDestruction_2025-07-01.jpg

5. What “Good” Looks Like
- Clear evidence of destruction in progress or completed (not just a photo of a printer).
- Secure destruction tool visible (cross-cut shredder, locked bin).
- (If vendor-managed) proof of chain-of-custody or a destruction certificate.
Why it matters: auditors want assurance that sensitive paper doesn’t just walk out the door in the recycling pile; it is properly destroyed.

6. Tips
- Blur/redact visible sensitive info before uploading.
- If using a vendor, keep their certificates in your compliance folder.
- Ideally, show regular practice, not just one-off destruction (e.g., a photo of a labelled “Weekly Shred Bin”).

Last updated on Sep 25, 2025

Risk Management Framework Guide

1. Purpose of this Guide
This artefact proves your company has a structured method to assess risks, especially when dealing with EOS (End-of-Support) assets. Cyber Essentials requires this because old software/hardware without vendor patches is a juicy target for attackers. A Risk Management Framework (RMF) shows you’ve thought through those risks and decided on safeguards or mitigations.

2. What You Will Submit
You will need:
- A documented Risk Management Framework (based on StrongKeep’s template or your own).
- It should include:
  - Identification of risks (technical, operational, compliance).
  - Assessment of likelihood and impact.
  - Risk treatment options (accept, mitigate, transfer, retire/avoid).
  - Monitoring and review cycle.
  - A specific section for End-of-Support assets and how they are managed.

3. How to Collect / Obtain / Generate This Evidence
For StrongKeep Customers (recommended):
1. Log into StrongKeep Dashboard → Evidence Library → Templates.
2. Download the Risk Management Framework Template.
3. Fill in:
   - Company name and date.
   - Known EOS assets (old Windows servers, routers, apps).
   - Risks identified (e.g., unpatched vulnerabilities, data leaks).
   - Mitigations (e.g., network isolation, compensating controls, plan to retire).
4. Save as PDF/DOCX.

If creating your own RMF:
1. Base it on an established structure such as NIST SP 800-30 (risk assessment) or ISO/IEC 27005.
2. Include:
   - Risk Register: list of identified risks.
   - Scoring Matrix: impact × likelihood.
   - Treatment Plan: actions, owner, timeline.
3. Have it reviewed and approved by management.
4. Export as PDF.

4. Evidence Format
- Accepted file types: DOCX, PDF, XLSX (if the risk register is in a spreadsheet).
- Suggested naming format: YourCompanyName_RiskManagementFramework_YYYY-MM-DD.pdf
  Example: AcmeCorp_RiskManagementFramework_2025-07-01.pdf

5. What “Good” Looks Like
- Framework clearly documents process and responsibilities.
- Risks are scored, prioritised, and assigned to owners.
- EOS assets explicitly considered with mitigation actions.
- Shows a review cycle (e.g., quarterly).
Why it matters: auditors want evidence you’re not blindly using outdated kit but making informed, risk-based decisions.

6. Tips
- Keep the framework simple but structured: one document with a clear matrix.
- Link it to your Risk Register Form (another artefact) for full coverage.
- Update it whenever new assets are added or old ones retired.

Last updated on Sep 25, 2025

Risk Register Form Guide

1. Purpose of this Guide
This artefact proves your company records and manages identified risks in a structured way. Cyber Essentials requires this because risks, especially from unsupported hardware/software, must not be ignored. A risk register is your ledger of dangers, with each one tracked, scored, and tamed.

2. What You Will Submit
You will need:
- A Risk Register Form (from StrongKeep’s template or your own) containing:
  - Risk description (e.g., “Windows Server 2012 reached EOS”).
  - Likelihood and impact scoring.
  - Mitigation or treatment actions.
  - Risk owner (who is responsible).
  - Status (open, mitigated, retired).

3. How to Collect / Obtain / Generate This Evidence
For StrongKeep Customers:
1. Download StrongKeep's Risk Register Form template.
2. Fill in risks relevant to your organisation, including:
   - EOS assets (hardware/software).
   - Operational risks (e.g., loss of staff, single points of failure).
   - Security risks (e.g., phishing, ransomware).
3. Complete the scoring and assign owners.
4. Save as PDF/DOCX/XLSX.

If creating your own:
1. Build a table with columns: Risk, Likelihood, Impact, Risk Score, Mitigation, Owner, Status.
2. Rate likelihood/impact on a 1–5 scale.
3. Define mitigations (patching, isolation, migration, etc.).
4. Keep it updated at least quarterly.

4. Evidence Format
- Accepted file types: DOCX, PDF, XLSX.
- Suggested naming format: YourCompanyName_RiskRegister_YYYY-MM-DD.xlsx
  Example: AcmeCorp_RiskRegister_2025-07-01.xlsx

5. What “Good” Looks Like
- Risks clearly listed with scoring and owners.
- EOS assets explicitly included.
- Status column shows active management (not blank).
- Updated within the last 3–6 months.
Why it matters: auditors want to see you’re not guessing; you’ve documented risks and are tracking them like a disciplined knight tallying foes.

6. Tips
- Use colour coding (green/yellow/red) for quick visibility.
- Keep one master register across the company; don’t scatter risks in different silos.
- Link this with your Risk Management Framework artefact to show policy + practice alignment.
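The scoring matrix from the Risk Management Framework guide and the register columns from this guide come together in the short script below. It is an added example, not StrongKeep’s template or any code from the original page: it multiplies likelihood by impact on the 1–5 scale, applies green/yellow/red bands, and flags the gaps an auditor looks for (no owner, an open risk with no treatment, an EOS asset with no mitigation, a row not reviewed within six months). The register rows, the review date and the banding cut-offs are constructed assumptions; replace them with your own.

```python
from datetime import date

# Banding thresholds are an assumption for illustration; the guide leaves the
# cut-offs to you.  Likelihood x impact on a 1-5 scale gives scores from 1 to 25.
RED_MIN = 15
YELLOW_MIN = 8
REVIEW_DAYS = 180          # "updated within the last 3-6 months"
AS_OF = date(2025, 7, 1)   # review date for the sample run

# Constructed sample register using the columns the guide asks for
# (Risk, Likelihood, Impact, Mitigation, Owner, Status) plus an EOS flag.
RISKS = [
    {"risk": "Windows Server 2012 reached EOS", "likelihood": 4, "impact": 5,
     "mitigation": "Isolate on a separate VLAN; migrate to a supported version by Q4",
     "owner": "IT Manager", "status": "open", "eos": True,
     "updated": date(2025, 6, 20)},
    {"risk": "Phishing leading to credential theft", "likelihood": 4, "impact": 4,
     "mitigation": "MFA enforced; quarterly awareness training",
     "owner": "Security Lead", "status": "mitigated", "eos": False,
     "updated": date(2025, 5, 2)},
    {"risk": "Branch router out of vendor support", "likelihood": 3, "impact": 3,
     "mitigation": "", "owner": "", "status": "open", "eos": True,
     "updated": date(2024, 9, 1)},
    {"risk": "Single payroll administrator", "likelihood": 2, "impact": 3,
     "mitigation": "Cross-train the finance assistant", "owner": "Finance Manager",
     "status": "open", "eos": False, "updated": date(2025, 6, 30)},
]


def score(risk):
    """Risk score = likelihood x impact; both must be on the 1-5 scale."""
    for key in ("likelihood", "impact"):
        if not 1 <= risk[key] <= 5:
            raise ValueError(f"{risk['risk']!r}: {key} must be 1-5, got {risk[key]}")
    return risk["likelihood"] * risk["impact"]


def band(value):
    """Green / yellow / red banding for the 'quick visibility' tip."""
    if value >= RED_MIN:
        return "red"
    if value >= YELLOW_MIN:
        return "yellow"
    return "green"


def findings(risk, as_of):
    """Gaps an auditor would flag on a single row."""
    problems = []
    if not risk["owner"]:
        problems.append("no owner")
    if risk["status"] == "open" and not risk["mitigation"]:
        problems.append("open risk without treatment")
    if risk["eos"] and not risk["mitigation"]:
        problems.append("EOS asset without mitigation")
    if (as_of - risk["updated"]).days > REVIEW_DAYS:
        problems.append("not reviewed in the last 6 months")
    return problems


def triage(risks, as_of):
    """Rows sorted by score, highest first, each with its band and findings."""
    rows = []
    for r in risks:
        s = score(r)
        rows.append({"risk": r["risk"], "score": s, "band": band(s),
                     "owner": r["owner"] or "UNASSIGNED",
                     "findings": findings(r, as_of)})
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(RISKS, AS_OF):
        flags = "; ".join(row["findings"]) or "ok"
        print(f"{row['score']:>2} {row['band']:<6} {row['owner']:<16} {row['risk']}  [{flags}]")
```

Run it before an audit cycle: any row that prints with findings is a row the auditor will query. The unsupported branch router in the sample is the typical failure, an EOS asset that was logged but never given an owner, a treatment, or a review.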

Last updated on Sep 25, 2025

Secure Configuration (Cloud, Mobile, IOT) Guide

1. Purpose of this Guide
This artefact proves that your company has locked down the configuration of mobile devices, IoT equipment, and cloud systems. Cyber Essentials requires this because insecure defaults and weak settings are easy entry points for attackers. Showing secure configuration demonstrates that your devices and cloud services are hardened, monitored, and not left wide open.

2. What You Will Submit
You will need a screenshot from one or more of the following, depending on the scope of your certification:
- Mobile device settings showing passcodes, auto-lock, and no jailbreak/root.
- IoT management console showing a separated network and discovery features disabled.
- Cloud platform console (e.g., AWS, Microsoft 365, Google Cloud) showing logging, monitoring, or compliance enabled.

3. How to Collect / Obtain / Generate This Evidence
Mobile Devices:
- iOS: Settings → Face ID & Passcode (screenshot showing a passcode is set) and Settings → Display & Brightness → Auto-Lock (screenshot showing 2 minutes or less).
- Android: Settings → Security → screenshot showing Screen Lock enabled, Google Play Protect on, and “Install unknown apps” off so apps come only from the Play Store.

IoT Devices (e.g., CCTV, printers, smart devices):
1. Log into the IoT management page.
2. Show network segmentation (IoT VLAN separate from the business LAN).
3. Disable auto-discovery and UPnP, then screenshot the configuration page.

Cloud Services:
- AWS: Management Console → CloudTrail → Trails → screenshot showing a trail with logging ON. Event history on its own is not enough: it exists whether or not you configured anything and keeps only 90 days of management events, so a configured trail is the stronger evidence.
- Microsoft 365: Microsoft Purview compliance portal → Audit → screenshot showing auditing is turned on (a search returning recent activity is good supporting evidence).
- Google Cloud: Console → Logging → Logs Explorer → screenshot of Admin Activity and Data Access audit logs (Data Access logs are off by default for most services and must be enabled before they appear).

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_SecureConfig_YYYY-MM-DD.png

5. What “Good” Looks Like
- Screenshot shows specific security controls active (not greyed out).
- Device or platform name visible (to prove authenticity).
- Timestamp or version visible where possible.
- Demonstrates security for the relevant environment (mobile, IoT, or cloud).
Why it matters: auditors want evidence that your company has hardened configurations across different platforms, not left them at risky defaults.

6. Tips
- For mobile, avoid showing personal photos or sensitive data in screenshots.
- For IoT, redact SSIDs or device IDs before uploading.
- For cloud, pair the configuration screenshot with a log screenshot to show it’s working.

Last updated on Sep 25, 2025

Trusted Password Manager Guide

1. Purpose of this Guide
This artefact proves your company uses a trusted password manager to wrangle logins safely. Cyber Essentials requires this because weak, reused, or sticky-note passwords are easy prey. A password manager keeps accounts organised, unique, and far harder for attackers to crack.

2. What You Will Submit
You will need:
- A screenshot or report from a trusted password manager.
- The evidence should clearly show:
  - Secure credential storage.
  - Strong password generator feature.
  - Password strength/security checks.
  - (If possible) MFA/2FA setup options.

3. How to Collect / Obtain / Generate This Evidence
For StrongKeep Customers:
1. Log into the StrongKeep Dashboard → Password Manager (coming soon).
2. Click Generate Report.
3. Download the PDF or screenshot showing secure storage and features.

For other password managers (Bitwarden, 1Password, LastPass, Keeper):
1. Log into the admin/user console.
2. Go to Vault / Security Dashboard / Reports.
3. Screenshot showing:
   - Password strength report.
   - Enforced use of unique/strong passwords.
   - Any MFA/2FA or secure sharing features enabled.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_PasswordManager_YYYY-MM-DD.png
  Example: AcmeCorp_PasswordManager_2025-07-01.png

5. What “Good” Looks Like
- Screenshot/report shows actual credential storage (not an empty vault).
- Passwords assessed for strength/uniqueness.
- Secure password generation features visible.
- MFA/2FA setup supported or recommended.
Why it matters: auditors want proof you’re not relying on memory or spreadsheets, but on a trusted system with best-practice security features.

6. Tips
- Redact actual usernames or account names before uploading.
- Make sure the report is recent (not years old).
- Combine this with your Password Compromise Screenshot to show both proactive (compromise detection) and preventive (trusted manager) controls.

Last updated on Oct 06, 2025

Unused Features Disabled Guide

1. Purpose of this Guide
This artefact proves your company trims away unnecessary system features that attackers could exploit. Cyber Essentials requires this because unused services are like forgotten side doors in a castle, easy for intruders to sneak through. Disabling them keeps your environment lean and secure.

2. What You Will Submit
You will need:
- A screenshot showing disabled features/services in your systems.
- The screenshot should demonstrate:
  - The specific feature/service name.
  - Its disabled status.
  - The platform it applies to (Windows, macOS, cloud service, etc.).

3. How to Collect / Obtain / Generate This Evidence
Windows (example features):
1. Open Control Panel → Programs → Turn Windows features on or off.
2. Disable unneeded features (e.g., SMB 1.0/CIFS File Sharing Support, Telnet Client).
3. Screenshot showing the unchecked/disabled status.

Microsoft 365 / Office Apps:
1. Open an Office app → Options → Trust Center → Trust Center Settings → Macro Settings.
2. Ensure “Disable all macros without notification” is selected.
3. Screenshot this view.
Note: this is a per-user setting that the user can change back. If you enforce it centrally (Group Policy or Intune), screenshot the policy instead; it is stronger evidence.

macOS:
1. Go to System Settings → General → Sharing.
2. Disable unnecessary services (e.g., File Sharing, Printer Sharing, Remote Management if not needed).
3. Screenshot the toggles OFF.

Cloud Platforms (AWS, Azure, GCP):
- AWS Console: Security Groups showing inbound rules limited to the ports you actually serve, with no management ports (e.g., SSH, RDP) open to 0.0.0.0/0.
- Azure / Entra ID: screenshot of the Conditional Access policy that blocks legacy authentication.
- GCP: APIs & Services → Enabled APIs & services, showing unneeded APIs disabled.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_UnusedFeaturesDisabled_YYYY-MM-DD.png
  Example: AcmeCorp_UnusedFeaturesDisabled_2025-07-01.png

5. What “Good” Looks Like
- Screenshot clearly shows the feature/service turned OFF.
- Platform is identifiable (so it’s not a generic image).
- Shows relevant security-related features, not just random system toggles.
Why it matters: auditors want evidence that you’ve actively slimmed down your systems to reduce risk, not left attack surfaces open by default.

6. Tips
- Keep a list of which features/services are disabled across your environment.
- Redact sensitive names (e.g., server names, internal IPs).
- Pair this evidence with your Secure Configuration Screenshot to show a holistic hardening strategy.
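For the AWS part of this guide, the screenshot is only convincing once you know which security group rules are still open to the world. The script below is an added example (not from the original page or from StrongKeep) that audits the JSON returned by `aws ec2 describe-security-groups` and lists every inbound rule reachable from 0.0.0.0/0 or ::/0 on a port you have not allowlisted. The two security groups embedded in it are constructed, and the allowlist of public ports (80 and 443, a web tier) is an assumption to adjust for your environment.

```python
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}
ALLOWED_PUBLIC_PORTS = {80, 443}   # assumption: a public web tier; adjust to your environment

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0123456789abcdef0", "GroupName": "web-tier",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
      "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0fedcba9876543210", "GroupName": "legacy-all-open",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")


def _port_range(perm):
    """Human-readable port span; IpProtocol -1 means every port and protocol."""
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def _public_cidrs(perm):
    """The IPv4/IPv6 sources on this rule that mean 'the whole internet'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def _is_allowed_public(perm):
    """True only for a single allowlisted TCP/UDP port, never for a range or all traffic."""
    if perm["IpProtocol"] not in ("tcp", "udp"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo == hi and lo in ALLOWED_PUBLIC_PORTS


def audit(describe_output):
    """One finding per inbound rule open to the internet on a non-allowlisted port."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            public = _public_cidrs(perm)
            if public and not _is_allowed_public(perm):
                findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                                 "ports": _port_range(perm), "from": public})
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real output in, e.g.: aws ec2 describe-security-groups --output json | python3 sg_audit.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit(data):
        print(f"{f['group']} ({f['name']}): {f['ports']} open from {', '.join(f['from'])}")
```

On the sample, tcp/443 passes because it is allowlisted, tcp/3389 passes because it is limited to a single /32, and the two findings are SSH open to the world and a legacy group that allows all traffic. Fix those, re-run until the output is empty, then take the console screenshot.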

Last updated on Sep 25, 2025

Users Training Completion Screenshot Guide

1. Purpose of this Guide
This artefact shows your company doesn’t just talk about training but actually tracks who has completed it. Cyber Essentials requires this because awareness training isn’t a one-off quest; it’s a routine drill. Evidence proves your staff sharpen their cyber skills regularly, not just once upon a time.

2. What You Will Submit
You will need:
- A screenshot or report showing:
  - List of users enrolled.
  - Training completion status (Completed, In-progress, Not started).
  - Completion dates or timestamps.
  - Overall training coverage (e.g., % of staff trained).

3. How to Collect / Obtain / Generate This Evidence
For StrongKeep Customers:
1. Log into the StrongKeep Dashboard → Training.
2. Select the latest training campaign (e.g., phishing awareness, password hygiene).
3. Screenshot the completion list or summary graph.

Alternative (non-StrongKeep setups):
- Google Classroom / Microsoft Teams / Moodle: export or screenshot training completion reports.
- HR / LMS platforms (Workday, BambooHR, SAP SuccessFactors): download or screenshot compliance training completion status.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_TrainingCompletion_YYYY-MM-DD.png
  Example: AcmeCorp_TrainingCompletion_2025-07-01.png

5. What “Good” Looks Like
- Screenshot shows multiple users with clear status indicators (Completed/In-progress).
- Includes dates for completions.
- Overall coverage easily visible (e.g., percentage trained).
- Taken from a credible platform (StrongKeep dashboard, LMS, HR tool).
Why it matters: auditors want to see proof that awareness training is ongoing and tracked, not just a checkbox exercise.

6. Tips
- Redact personal details (email addresses, staff IDs) before uploading.
- Keep records from multiple cycles (e.g., last year and this year); it proves consistency.
- Pair this evidence with your Cybersecurity Awareness Training Guide artefact for maximum impact.

Last updated on Sep 25, 2025

Web Server Internet Hygiene Portal Results Guide

1. Purpose of this Guide
This artefact proves your company’s web servers are configured securely. Cyber Essentials requires this because misconfigured servers (e.g., expired TLS certificates, missing security headers) are prime targets for attackers. The IHP scan provides independent verification that your servers meet security best practices.

2. What You Will Submit
You will need:
- A screenshot or PDF report of your Web Server IHP Results, showing:
  - Overall web server security score.
  - HTTPS/TLS configuration.
  - Certificate validity status.
  - HTTP security headers (e.g., HSTS, X-Frame-Options).

3. How to Collect / Obtain / Generate This Evidence
For StrongKeep Customers:
1. Log into StrongKeep Dashboard → Web and Mail Server.
2. Select Web Server Results.
3. Run the external scan (or select the latest scan).
4. Download the results as PDF or take a screenshot of the dashboard view.

If using IHP directly (Singapore CSA Internet Hygiene Portal):
1. Visit the IHP portal (https://ihp.csa.gov.sg).
2. Enter your web server domain.
3. Run the scan.
4. Save a screenshot of the results page or download the report.

4. Evidence Format
- Accepted file types: PNG, JPG, PDF.
- Suggested naming format: YourCompanyName_WebServerIHP_YYYY-MM-DD.pdf
  Example: AcmeCorp_WebServerIHP_2025-07-01.pdf

5. What “Good” Looks Like
- Evidence clearly shows:
  - Valid HTTPS/TLS certificates (not expired).
  - Strong TLS protocols only (TLS 1.2/1.3).
  - HTTP security headers present.
- A passing or good security score in the IHP results.
Why it matters: auditors want assurance your servers aren’t leaking weaknesses to the internet.

6. Tips
- Always run scans close to the audit date (so the results are fresh).
- If the IHP flags weak protocols (TLS 1.0 or 1.1), disable them on the server and rerun the scan.
- Save historical results too; they help show continuous compliance.
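The three things the IHP web server scan reports on (certificate validity, offered TLS versions, HTTP security headers) are cheap to check yourself before you burn a scan close to the audit date. The script below is an added example, not the IHP scanner and not code from the original page: `assess()` grades a set of response headers, a list of TLS versions and a certificate expiry date, and the two network helpers `probe()` and `offered_versions()` collect those inputs from a live host using only the Python standard library. The sample response, the fixed clock and the HSTS minimum of one year are constructed assumptions.

```python
import http.client
import socket
import ssl
import time

# Constructed sample inputs, in the shapes the live helpers below return.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html",
}
SAMPLE_TLS_OFFERED = ["TLSv1", "TLSv1.2", "TLSv1.3"]
SAMPLE_CERT_NOT_AFTER = "Dec 31 23:59:59 2025 GMT"   # ssl.getpeercert()["notAfter"] format
NOW = ssl.cert_time_to_seconds("Jul 01 00:00:00 2025 GMT")  # fixed clock for the sample run

WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
HSTS_MIN_AGE = 31536000   # one year; an assumption matching common scanner expectations
CERT_WARN_DAYS = 30


def _header(headers, name):
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def hsts_max_age(value):
    """max-age from a Strict-Transport-Security value; None if absent or malformed."""
    for part in (value or "").split(";"):
        k, _, v = part.strip().partition("=")
        if k.lower() == "max-age" and v.isdigit():
            return int(v)
    return None


def days_until_expiry(not_after, now):
    """Whole days until the certificate expires; negative once it has expired."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def assess(headers, tls_offered, cert_not_after, now=None):
    """Findings grouped like the IHP report (certificate, protocols, headers); [] means all passed."""
    now = time.time() if now is None else now
    findings = []
    days = days_until_expiry(cert_not_after, now)
    if days < 0:
        findings.append("certificate expired")
    elif days < CERT_WARN_DAYS:
        findings.append(f"certificate expires in {days} days")
    weak = sorted(set(tls_offered) & WEAK_TLS)
    if weak:
        findings.append("weak protocols offered: " + ", ".join(weak))
    if not set(tls_offered) & {"TLSv1.2", "TLSv1.3"}:
        findings.append("no TLS 1.2/1.3 support")
    age = hsts_max_age(_header(headers, "Strict-Transport-Security"))
    if age is None:
        findings.append("HSTS header missing")
    elif age < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {age} below {HSTS_MIN_AGE}")
    csp = _header(headers, "Content-Security-Policy") or ""
    if not _header(headers, "X-Frame-Options") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if (_header(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


def probe(host, port=443, timeout=5):
    """Live fetch (needs network): response headers and certificate expiry of a real server."""
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=timeout)
    conn.connect()
    not_after = conn.sock.getpeercert()["notAfter"]
    conn.request("HEAD", "/")
    headers = dict(conn.getresponse().getheaders())
    conn.close()
    return headers, not_after


def offered_versions(host, port=443, timeout=5):
    """Live check (needs network): TLS versions the server completes a handshake with.
    A failed handshake counts as 'not offered', so an OpenSSL build that itself refuses
    TLS 1.0/1.1 can under-report weak protocols; compare with the IHP result."""
    offered = []
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # only the handshake matters here
        ctx.minimum_version = ctx.maximum_version = v
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    offered.append(tls.version())
        except (OSError, ValueError):
            pass
    return offered


if __name__ == "__main__":
    for finding in assess(SAMPLE_HEADERS, SAMPLE_TLS_OFFERED, SAMPLE_CERT_NOT_AFTER, now=NOW):
        print("FINDING:", finding)
```

Against a real host, call `headers, not_after = probe("www.example.com")` and `assess(headers, offered_versions("www.example.com"), not_after)`. On the constructed sample the output is two findings: TLS 1.0 is still offered, and there is neither an X-Frame-Options header nor a CSP frame-ancestors directive. Fix those on the server, confirm the list is empty, then run the IHP scan for the evidence file.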

Last updated on Sep 25, 2025

Mobile Firewall Guide

1. Purpose of This Guide
Mobile devices connect everywhere: office Wi-Fi, home networks, public hotspots, airports, coffee shops, the void. A firewall on the device adds a crucial defensive layer by blocking suspicious inbound traffic and controlling outbound connections. This artefact shows auditors that your organisation:
- Has enabled a firewall or equivalent network protection on mobile devices
- Uses platform security features or app-based firewalls
- (Optional) Uses DNS firewalls or mobile device security tools
This confirms that mobile devices aren’t roaming the internet unarmoured.

2. What You Will Submit
You may upload one or more screenshots showing:

A. Built-in Mobile Firewall / Network Protection
Depending on platform:
- Android: “Firewall / Network Protection / Secure Wi-Fi / Block Connections”
- Samsung Knox: Network protection features
- Apple iOS: no traditional firewall, but acceptable evidence includes Private Relay, Lockdown Mode, or third-party firewall/security tools

B. Mobile Security App / Endpoint Protection
Including screenshots from solutions like:
- Microsoft Defender for Endpoint (MDE)
- Palo Alto Cortex XDR mobile
- Bitdefender Mobile
- Lookout Mobile Security
- ESET Mobile Security
Must show:
- Network protection enabled
- Firewall-style filtering active
- Blocked threats or connections (if visible)

C. DNS Firewall Used on Mobile Devices
StrongKeep customers can use DNS filtering as the mobile firewall. Upload screenshots showing:
- Device enrolled in DNS filtering
- DNS profile assigned
- Protection status ON
(StrongKeep may auto-generate this evidence.)

3. How to Collect / Obtain / Generate This Evidence
Here is the practical step-by-step by device type.

A. Apple iOS / iPadOS Devices
iOS does not include a traditional firewall, so the acceptable evidence includes:

Option 1: Mobile Security App Showing Network Protection
Examples:
- StrongKeep customers can deploy Palo Alto Cortex XDR mobile
Screenshot the app’s protection dashboard.

Option 2: DNS Firewall Installed
StrongKeep customers can show that their mobile devices are protected using the DNS Firewall:
- Go to: Settings → General → VPN & Device Management
- Show the configuration labelled with your DNS firewall profile
- Generate the list of protected devices to show that the mobile device is listed
StrongKeep may generate this evidence on your behalf.

Option 3: Apple Private Relay (Supplementary Only)
Private Relay is not a firewall, but if your business uses MDM to enforce it, you may screenshot: Settings → Apple ID → iCloud → Private Relay: ON
(This is supporting evidence, not standalone.)

B. Android Devices (Pixel, Samsung, Xiaomi, Oppo, etc.)
Android exposes more network-protection controls than iOS.

Option 1: Built-in Firewall / Network Protection
Depending on device brand:
- Pixel: Settings → Network & internet → Private DNS, set to the hostname of your DNS filtering provider (this is DNS filtering, not a packet firewall, so treat it like option C above)
- Samsung: Settings → Biometrics & Security → Secure Wi-Fi
- Some manufacturers include: “Firewall ON”, “Block incoming connections”
Screenshot the configuration page showing it enabled.

Option 2: Mobile Security / EDR App
Examples:
- StrongKeep customers can deploy Palo Alto Cortex XDR mobile
- Other solutions, like Defender, Bitdefender, ESET
Screenshot:
- Firewall / Web Protection / Network Filtering ON
- Any screen showing enforcement of network policies

Option 3: DNS Firewall App
StrongKeep customers can show that their mobile devices are protected using the DNS Firewall:
- Open the app → show Protection: Enabled
- Generate the list of protected devices to show that the mobile device is listed
StrongKeep may generate this evidence on your behalf.

C. MDM (Mobile Device Management) Enforcement (Recommended for SMBs)
If you manage devices using Microsoft Intune, Google Endpoint Management, MobileIron, or Jamf, you may upload an MDM screenshot showing:
- Compliance policy requiring firewall or network protection
- Device compliance report (green tick)
- Assigned configuration profile forcing secure DNS or network filtering

4. Evidence Format
Accepted File Types:
- PNG
- JPG
- PDF
Suggested Naming Convention: YourCompanyName_MobileFirewall_YYYY-MM-DD
Example: AcmeClinic_MobileFirewall_2025-03-20.png

5. What “Good” Looks Like
A strong submission includes:
- Clear indicator that the device has active network protection (“Firewall: ON”, “Web Protection: Enabled”, “Secure Wi-Fi: ON”, “DNS Protection Active”)
- Brand or app name visible (e.g., Microsoft Defender, Control-D, Samsung Secure Wi-Fi)
- Screenshot is readable; avoid cropped images that hide settings labels
- Representative device: you only need one example unless your organisation uses multiple device types
Why it matters: auditors need to see that mobile devices aren’t walking into the internet unprotected.

6. Tips
- Redact personal details (phone number, Apple ID, Google account).
- If employees use their personal phones (BYOD), ensure screenshots do not reveal sensitive personal apps.
- If your business does not use mobile devices for work, you may mark this artefact as Not Applicable.

Last updated on Dec 09, 2025

IoT Firewall Guide

1. Purpose of This Guide
IoT devices (CCTV cameras, smart TVs, printers, door sensors, audio systems, etc.) connect directly to the internet, and many of them have weak default security. A firewall on the device (or on its network) helps prevent unwanted inbound connections and blocks risky outbound traffic. This artefact demonstrates that your organisation has enabled and configured firewall protection for IoT devices where possible:
- Firewalls enabled on IoT devices (if supported)
- Firewall rules or protections visible
- Optional: evidence that network-level firewalling is applied if the device itself does not support built-in firewall features
Your screenshot proves your IoT devices are not sitting on the internet like open doors inviting trouble.

2. What You Will Submit
You may submit any one or more of the following:

A. Built-in IoT Device Firewall Evidence
A screenshot showing firewall or security features enabled on the IoT device, such as:
- “Firewall: ON”
- “Security Mode: Enabled”
- “Block WAN access”
- “Port blocking enabled”
- “Remote access disabled”
Many modern devices display these settings in their admin panel.

B. DNS Firewall
StrongKeep customers can point the DNS of the IoT device to StrongKeep's DNS Firewall once they add it as a protected device. You can read more about how to do that here.

C. Router or Gateway Firewall Enforcing Controls on IoT Devices
If the IoT device does not have its own firewall (common), you may provide:
- A screenshot showing IoT devices are isolated from the internet or restricted (using your Wi-Fi router's settings)
These screenshots are fully acceptable as evidence.

3. How to Collect / Obtain / Generate This Evidence
Pick the method that matches your actual environment.

A. Common IoT Devices With Built-In Security Screens
CCTV Cameras (Hikvision, Dahua, TP-Link, Reolink). Look for:
- Security → Firewall
- Network → Advanced → Firewall
- Remote Access: Disabled
- DMZ/UPnP: Off (bonus evidence)
Screenshot the page showing the firewall toggle and rules (if visible).

Smart Printers (HP, Canon, Epson). Look for:
- Network → Firewall Settings
- Web Access Control
- IP Filtering
- Block incoming connections
Take a screenshot showing the firewall enabled.

NAS Devices (Synology, QNAP). Go to:
- Synology: Control Panel → Security → Firewall
- QNAP: the QuFirewall app
Take a screenshot showing “Firewall: Enabled”.

B. Router-Level Firewall for IoT Network (Common SMB Setup)
If IoT devices are on a separate network and the router firewall protects them, provide screenshots such as:

Home/SMB Routers (Asus, Linksys, TP-Link, D-Link):
- Firewall → ON
- Block WAN Access → Enabled
- Guest/IoT Network Isolation → Enabled
- Port Forwarding → Disabled for IoT devices
Useful screenshot pages: “Firewall Settings”, “IoT Network Settings”, “Access Control / MAC Filtering”.

UniFi: go to Settings → Firewall & Security or Networks → IoT Network. Screenshot:
- Firewall rules applied
- LAN → WAN restrictions
- Device isolation enabled

Fortinet: go to Policy & Objects → Firewall Policy. Screenshot the policy limiting:
- IoT Zone → Corporate Zone
- IoT Zone → Internet (restricted)

Cisco Meraki: go to Security & SD-WAN → Firewall. Screenshot:
- L3 Rules
- L7 Rules
- IoT VLAN protections

C. If IoT Devices Cannot Support Firewalls
Some devices (simple sensors, smart lights, older printers) offer no firewall settings. In that case, provide network-level firewall evidence protecting them:
- IoT VLAN with deny rules
- Router firewall preventing inbound connections
- Policy that IoT cannot reach corporate devices
This is fully compliant with CSA guidance.

4. Evidence Format
Accepted File Types:
- PNG
- JPG
- PDF
Suggested Naming Convention: YourCompanyName_IoT_Firewall_YYYY-MM-DD
Example: AcmeClinic_IoT_Firewall_2025-03-20.png

5. What “Good” Looks Like
A strong submission includes:
- Screenshots clearly showing “Firewall: ON”, OR evidence that the IoT network is protected by router/gateway firewalls.
- Readable network or device names, so auditors understand which devices are being protected.
- Recent configurations (don’t show a screenshot from a dusty old interface that nobody uses).
- Demonstrated restrictions, e.g., blocking inbound access, limiting outbound traffic, disabling remote access.
Why it matters: auditors must see that IoT devices aren’t freely exposed to the internet.

6. Tips
- Redact IP addresses if needed; the auditor only needs evidence of firewalling, not your full network map.
- If you have no business-critical IoT devices, this artefact may be marked Not Applicable.
- If IoT devices belong to the landlord (e.g., CCTV), note that they are not part of your operational environment.

Last updated on Dec 09, 2025

Staff List Guide

1. Purpose of This Guide
Your staff list is the cornerstone of your cybersecurity responsibilities. It shows who in your organisation has IT access, which in turn tells auditors:
- Whose devices must be protected
- Who needs cybersecurity training
- Who must follow company policies
- Who might hold sensitive accounts (admin, finance, HR, etc.)
In short: if cybersecurity is a team sport, this list shows who’s actually on the team.

2. What You Will Submit
You may submit one of the following:
- A staff list generated directly from the StrongKeep platform (recommended: it’s clean, complete, and mapped to your devices/training automatically).
- A screenshot or export from your identity or HR system, such as:
  - Microsoft 365 / Entra ID
  - Google Workspace Admin
  - HRMS (Talenox, JustLogin, BambooHR, etc.)
  - Payroll or workforce management systems
- A simple spreadsheet. If your HR system is basic, a CSV or Excel file showing staff details is also acceptable.
Your evidence must list all staff with IT access, including active full-timers, part-timers, contractors, interns, and anyone with a company email or access to company systems. A sample layout is shown in the screenshot provided.

3. How to Collect / Obtain / Generate This Evidence
Below are the most common methods:

Option A — Generate Staff List from StrongKeep (Recommended)
StrongKeep automatically builds your staff list when you integrate:
- Microsoft 365
- Google Workspace
- CSV import
To obtain your evidence:
1. Log in to StrongKeep as an IT Manager.
2. Go to Staff → Staff List.
3. Review that the list is accurate and up to date.
4. Use the Export / Download option (if enabled), or take a screenshot showing:
   - Staff names
   - Emails
   - Job titles
   - Departments
   - Source (Microsoft, Google, Manual)
5. Save the screenshot for upload.
This produces a clean, auditor-friendly record straight from the platform, the easiest route to victory.

Option B — Export From Microsoft 365 (Entra ID / Azure AD)
1. Go to Microsoft 365 Admin Center
2. Open Users → Active Users
3. Filter out service accounts if needed
4. Click Export Users
5. Save the CSV or take a screenshot of the full list
Ensure the export includes:
- Name
- Email
- Job title
- Department

Option C — Export From Google Workspace Admin
1. Go to admin.google.com
2. Click Directory → Users
3. Export the list via Download users
4. Or screenshot the visible user list

Option D — Export from HR Management Systems
Most HR systems support a staff directory export. Download in CSV/Excel or screenshot the listing page. Examples of fields you may include:
- Name
- Role / Job title
- Department
- Employment type
- Work email

4. Evidence Format
Accepted File Types:
- PNG
- JPG
- PDF
- CSV
- XLSX
Suggested Naming Convention: YourCompanyName_StaffList_YYYY-MM-DD
Example: AcmeClinic_StaffList_2025-01-10.xlsx

5. What “Good” Looks Like
A strong Staff List submission includes:
- All employees with IT access (don’t forget interns, part-timers, contractors)
- Clear identifying information:
  - Name
  - Email address
  - Role / Job title
  - Department
- Active staff only. If someone left the company, remove or clearly mark them.
- Consistent formatting: no duplicates, no blank rows, no mystery entries like “Temp123”.
- Evidence of the source. Screenshots should show that the list was taken from a real system (M365, Google, HRMS, StrongKeep).
Why this matters: auditors need to confirm your organisation knows exactly who needs device protection, security training, and policy enforcement.

6. Tips
- Review accuracy every quarter. Staff changes = cybersecurity changes; keeping the list fresh helps compliance and operations.
- Redact sensitive fields. Phone numbers, NRIC/FIN, or addresses can be hidden; only job-related info is required.
- Use StrongKeep to save time. Our platform ties staff → devices → training → policy acknowledgements automatically, reducing manual evidence work.

Last updated on Dec 09, 2025

Mobile Secure Configuration Screenshot Guide

1. Purpose of This Guide

Mobile devices (phones, tablets) often access company email, files, apps, and sensitive data. If they’re lost, stolen, or compromised, attackers shouldn’t be able to stroll right in.

This artefact demonstrates that your organisation configures mobile devices securely, specifically showing that:
- Devices are not jailbroken or rooted
- Passcodes / biometric locks are enabled
- Automatic screen lock activates after 2 minutes of inactivity
- Apps are installed only from official app stores (no sideloading)

This helps auditors confirm your mobile fleet isn’t the soft underbelly of your defences.

2. What You Will Submit

Upload one or more screenshots showing:
- Device Settings → Passcode / Screen Lock is enabled
- Auto-lock or screen timeout = 2 minutes (or less)
- Device status page confirming it is not rooted/jailbroken
- App Store / Google Play as the only allowed source for apps (e.g., “Unknown Sources: Off”)

Each screenshot should be from a representative corporate device (company-owned or BYOD enrolled in your policy).

3. How to Collect / Obtain / Generate This Evidence

Below are the simplest ways to capture the required screenshots on iOS and Android.

A. Apple iOS / iPadOS Devices

1. Passcode Enabled
   Go to: Settings → Face ID & Passcode
   Screenshot the top of the screen showing “Turn Passcode Off” (this proves a passcode is currently enabled).

2. Auto-Lock = 2 Minutes
   Go to: Settings → Display & Brightness → Auto-Lock
   Screenshot showing “2 Minutes” or any shorter value (1 min).

3. Device Not Jailbroken
   iPhones do not display a “jailbroken” status, so auditors will accept:
   - A screenshot of Settings → General → About showing the normal OS version and no jailbreak indicators.
   - Optional: Screenshot of Settings → General → VPN & Device Management showing standard profiles (if any).

4. Official App Store Use
   iOS does not permit sideloading unless jailbroken. A screenshot of Settings → Screen Time → Content & Privacy Restrictions → iTunes & App Store Purchases proving apps are only installed from the App Store is sufficient.

B. Android Devices (Samsung, Google Pixel, Oppo, Xiaomi, etc.)

1. Screen Lock / Passcode Enabled
   Go to: Settings → Security → Screen Lock
   Screenshot showing “PIN enabled”, “Pattern enabled”, or “Fingerprint + PIN”.

2. Auto-Lock = 2 Minutes
   Go to: Settings → Display → Screen timeout
   Screenshot showing 2 minutes.

3. Device Not Rooted
   Go to: Settings → About Phone → Status / Device Status
   Screenshot showing:
   - “Official” or “Certified”
   - OR the Google Play Protect certification page: Settings → Google → Device certification
   Many devices show “Device status: Official” → this is accepted evidence.

4. No Sideloading of Apps
   Go to: Settings → Security → Install unknown apps
   Ensure the toggle for sideloading is OFF for all apps. Screenshot the page showing:
   - “Allowed from this source: Off”, or
   - A global policy preventing unknown sources.

C. If You Use MDM (Mobile Device Management)
(Microsoft Intune, Google Endpoint Management, MobileIron, Jamf, etc.)

You may provide:
- Screenshot of the device compliance report
- Screenshot of the MDM policy showing screen lock + timeout rules
- Screenshot showing the device is compliant

This method is highly recommended for organisations with >5 mobile users.

4. Evidence Format

Accepted File Types:
- PNG
- JPG
- PDF

Suggested Naming Convention: YourCompanyName_MobileSecureConfig_YYYY-MM-DD
Example: AcmeClinic_MobileSecureConfig_2025-03-15.png

5. What “Good” Looks Like

A strong submission contains:
- At least 2-3 screenshots covering:
  - Passcode enabled
  - Auto-lock timer
  - Not rooted/jailbroken
  - Official app installation only
- Clear time and device context. The screenshot should show the settings menu and labels.
- Representative device. You do not need screenshots for every staff device — just one example device used in the organisation.
- Optional (but excellent): Evidence from your MDM showing compliance.

This proves that mobile devices in your environment cannot be easily exploited or misused.

6. Tips
- Redact personal details if needed (phone number, Apple ID, Google account).
- If your business does not use mobile devices for work, you may mark this clause as Not Applicable.
- If BYOD is allowed, ensure staff configure their devices securely before connecting to company systems.

Last updated on Dec 09, 2025

IoT Secure Configuration Screenshot Guide

1. Purpose of This Guide

IoT devices (CCTV cameras, door sensors, smart TVs, Wi-Fi printers, IP speakers, etc.) often come with convenience features that can accidentally become security weaknesses. This artefact demonstrates that your organisation has configured business-critical IoT devices securely and kept them separate from networks that handle work data.

This requires evidence showing that you have taken practical steps to protect your IoT fleet, such as:
- Placing IoT devices on a separate network or VLAN
- Disabling risky features like auto-discovery and Universal Plug and Play (UPnP)
- Using IoT products with Singapore’s Cybersecurity Labelling Scheme (CLS) where available

Your evidence proves that your IoT environment isn’t left open like an unlocked castle gate.

2. What You Will Submit

You may upload one or more screenshots showing any of the following:
- IoT devices connected to a separate Wi-Fi network or VLAN, e.g., “IoT-Network”, “Guest IoT”, “CCTV Network”
- Router or firewall configuration showing:
  - Network segmentation
  - Device isolation
  - IoT VLAN setup
  - Blocking IoT devices from accessing corporate networks
- Device settings pages showing that:
  - UPnP is disabled
  - Auto-discovery is disabled (e.g., mDNS, DLNA, auto-pairing)
  - Default passwords have been changed (optional but good to show)
- Evidence of cybersecurity-labelled IoT devices, e.g.
  - Photo of the CLS label on the device box
  - Product page showing CLS Level 1/2/3

Auditors do not expect you to submit all of these — just whatever applies in your environment.

3. How to Collect / Obtain / Generate This Evidence

Choose the method that matches your setup. Below are the most common scenarios.

A. Network Segregation Evidence (Recommended)

Home/SMB routers (Asus, TP-Link, Linksys, D-Link)
1. Log in to your router admin page (often 192.168.1.1).
2. Open Wireless Settings or Network.
3. Show the IoT Wi-Fi network (e.g., “IoT”, “CCTV”) separate from your work network.
4. Screenshot:
   - SSID name
   - VLAN ID (if applicable)
   - Guest network isolation switch (if used)

Business Firewalls (Fortinet, SonicWall, UniFi, Meraki)
1. Open Network → VLANs or Networks.
2. Show the IoT VLAN configuration.
3. Show the firewall rule preventing IoT → Corporate network access.
4. Take a screenshot of the configuration page.

B. IoT Device Configuration Screenshots

Choose any IoT device in use (e.g. CCTV, NAS device, Smart TV, Door Access Controller). Screenshots should show:
1. UPnP Disabled
   Typical locations:
   - Settings → Network → Advanced → UPnP
   - Admin → Security → UPnP
2. Auto-Discovery Disabled
   E.g.:
   - “Discovery Mode: Off”
   - “Auto-pairing: Disabled”
   - “DLNA: Off”
   - “Bonjour/mDNS: Off”
3. Device on IoT Network
   Show Wi-Fi settings indicating it is connected to the IoT SSID.

C. Cybersecurity Labelling Scheme (CLS) Evidence

If your IoT device is CLS-labelled:
1. Take a photo of the packaging showing the CLS rating (Level 1–4).
2. Or screenshot the official product listing with the CLS badge.

This is optional but strengthens your compliance.

4. Evidence Format

Accepted File Types:
- PNG
- JPG
- PDF

Suggested Naming Convention: YourCompanyName_IoT_SecureConfiguration_YYYY-MM-DD
Example: AcmeClinic_IoT_SecureConfig_2025-03-15.png

5. What “Good” Looks Like

A strong submission includes:
- Clear indication that IoT devices are isolated (“IoT VLAN”, “Guest IoT Network”, firewall rule screenshot)
- Security features disabled, especially:
  - UPnP
  - Auto-discovery
  - Peer-to-peer discovery features
- Some form of IoT hardening (firmware up to date, admin password not default)
- Readable screenshots. Device name, setting names, and ON/OFF toggles should be visible.
- Optional but excellent: proof that the devices carry a Cybersecurity Labelling Scheme badge.

This shows the auditor that your IoT devices can’t freely wander into your corporate network or turn themselves into tiny digital spies.

6. Tips
- Redact IP addresses if they expose your internal structure.
- If your company has NO business-supporting IoT devices, mark this artefact “Not Applicable” — the clause allows it.
- If IoT devices exist but are unmanaged (e.g., landlord CCTV), show documentation stating they are not part of your corporate environment.

Last updated on Dec 09, 2025

Logging Screenshot Guide

1. Purpose of This Guide

This evidence shows that your organisation has logging turned on for the key parts of your IT environment — systems, applications, security tools, and outbound proxies.

Why does this matter? Because logs are the breadcrumb trail that helps you detect suspicious activity, investigate incidents, and prove what actually happened.

Cyber Essentials 2025 clause A.6.4.H asks for this evidence to confirm that:
- Logging is enabled,
- Logs are being generated, and
- You understand how to access them when needed.

You don’t need a full SIEM or a spaceship dashboard. You just need to show that logs exist and are working.

2. What You Will Submit

You may upload multiple screenshots, depending on the systems you use. Evidence must show active logs for:
- Operating systems
  - Windows Event Viewer
  - macOS Console
  - Linux syslog/journalctl
- Applications
  - Web apps, admin apps, internal systems
  - Cloud apps with audit logs (Microsoft 365, Google Workspace, HRMS, etc.)
- Security tools
  - Endpoint Detection & Response (EDR) logs
  - Anti-virus logs
  - Firewall logs
  - DNS filtering logs
- Outbound proxies (if you use one)
  - Secure web gateways
  - DNS firewalls
  - Web filtering tools

Each screenshot should clearly show timestamped entries proving that logs are active and recent.

3. How to Collect / Obtain / Generate This Evidence

Below are concrete examples for the most common tools small businesses use. You may need to upload as many types of logs as you have access to, to show full compliance.

A. Operating System Logs

Windows
1. Open Event Viewer
2. Go to: Windows Logs → Security / System / Application
3. Take a screenshot showing:
   - Recent timestamps
   - Log source
   - Event IDs

macOS
1. Open Console
2. Select System Reports or Log Reports
3. Screenshot the log entries with date/time visible

Linux
1. Run: journalctl -xe or tail -n 100 /var/log/syslog
2. Screenshot the terminal showing entries with timestamps

B. Application Logs

Pick any business-critical application your organisation uses:

Microsoft 365
1. Go to Compliance Portal → Audit
2. Search for recent events
3. Take a screenshot of the audit results

Google Workspace
1. Go to Reports → Audit → Admin / Drive / Login
2. Screenshot the log entries

Business-Critical Applications / HRMS / Payroll Tools
1. Open the Audit Logs / History panel (if available)
2. Screenshot recent events

C. Security Tool Logs

Endpoint Detection & Response (EDR)
For StrongKeep customers, we will generate logs for the EDR on your behalf.
(e.g., Cortex XDR, CrowdStrike, Defender for Endpoint)
Screenshots should show:
- Alerts
- Events
- Detection logs
- Device activity

D. Outbound Proxy or DNS Filtering Logs

If you use outbound filtering:

DNS Firewall (e.g., Control-D)
Screenshot the logs showing:
- Blocked malicious domains
- DNS queries
- Timestamps

Secure Web Gateway / Proxy
Show any of the following:
- Web access logs
- Blocked request logs
- Policy enforcement logs

If your organisation does not use a proxy, this category may simply be omitted — the clause allows for non-applicability in smaller environments.

4. Evidence Format

Accepted File Types:
- PNG
- JPG
- PDF

Suggested Naming Convention: YourCompanyName_LoggingScreenshots_YYYY-MM-DD_S1 (add S2, S3, etc. for multiple systems)
Example: AcmeClinic_LoggingScreenshots_2025-03-04_SecurityTools.png

5. What “Good” Looks Like

A strong submission includes:
- Multiple log sources: OS logs + application logs + security tools (at minimum)
- Clear timestamps, showing events within the past 30 days
- Readable entries: event type, description, user/device, source
- Evidence of active logging, not an empty or disabled log screen
- Screenshots with context: tool name, tab name, or URL visible if applicable

Why this matters: auditors want to verify logging is real, recent, and covers enough systems to help detect unauthorised activity.

6. Tips
- Don’t overthink it. Logs don’t need to be fancy — they just need to exist.
- Redact sensitive IP addresses or usernames if needed.
- If you have no proxy logs, that’s fine — this clause is not mandatory for all setups.
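A screenshot of `tail -n 100 /var/log/syslog` only proves logging is active if the newest entry from each log source falls inside the 30-day window the auditor expects. The script below is an added example for this guide (not StrongKeep code and not part of any logging tool) that reads syslog-format lines, groups them by source program, and reports which sources have gone quiet. It assumes the traditional syslog timestamp format (month, day, time, no year) and takes the collection date as a parameter because those timestamps carry no year; the sample lines are constructed for a fictional host, with the cron entry deliberately too old.

```python
"""Check that sampled log lines prove active, recent logging: parse syslog-style
timestamps, group entries by source program, and flag any source whose newest
entry is older than 30 days relative to a reference date."""
from datetime import datetime, timedelta
import re

# Constructed sample lines in traditional syslog format (fictional host, not
# real logs). The cron entry is deliberately old.
SAMPLE_LOG = """\
Mar  1 08:15:02 clinic-srv sshd[1021]: Accepted publickey for alice from 10.0.1.20 port 51022
Mar  3 09:42:17 clinic-srv sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/apt update
Jan 10 23:59:59 clinic-srv cron[881]: (root) CMD (run-parts /etc/cron.daily)
Mar  4 10:05:44 clinic-srv dnsfilter: blocked query for malicious.example from 10.0.1.33
this line is not a log entry and is skipped
"""

# Month, day, time, host, source program with optional [pid], then the message.
SYSLOG_LINE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<source>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def assess_logging(log_text, reference_date, max_age_days=30):
    """Return {source: {"entries": n, "latest": "YYYY-MM-DD HH:MM:SS", "recent": bool}}.

    reference_date is an ISO date string (the day the evidence is collected).
    Syslog timestamps carry no year, so the reference year is assumed.
    """
    reference = datetime.fromisoformat(reference_date)
    cutoff = reference - timedelta(days=max_age_days)
    report = {}
    for line in log_text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue  # not a syslog-format line
        ts = datetime.strptime(
            f"{reference.year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        entry = report.setdefault(m["source"], {"entries": 0, "latest_dt": None})
        entry["entries"] += 1
        if entry["latest_dt"] is None or ts > entry["latest_dt"]:
            entry["latest_dt"] = ts
    for entry in report.values():
        latest = entry.pop("latest_dt")
        entry["latest"] = latest.strftime("%Y-%m-%d %H:%M:%S")
        entry["recent"] = latest >= cutoff
    return report


def stale_sources(log_text, reference_date, max_age_days=30):
    """Sources with no entry inside the window: fix these before taking the screenshot."""
    report = assess_logging(log_text, reference_date, max_age_days)
    return sorted(src for src, info in report.items() if not info["recent"])


if __name__ == "__main__":
    for source, info in assess_logging(SAMPLE_LOG, "2025-03-10").items():
        flag = "ok" if info["recent"] else "STALE"
        print(f"{source:10} entries={info['entries']} latest={info['latest']} {flag}")
```

Feed it the output of `tail -n 100 /var/log/syslog` (or `journalctl -o short`, which uses the same timestamp layout) and today's date; a non-empty `stale_sources` result means the screenshot would show a source that is not actively logging, which is exactly what an auditor would question. Lines around a year boundary are the one edge case: a December entry read in January is dated with the wrong year, so collect evidence from a single calendar year or widen the window.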

Last updated on Dec 09, 2025

Incident Response Communication Guide

1. Purpose of This Guide

When a cyber incident strikes, your staff shouldn’t be running around like startled chickens. Everyone with IT access must know what to do, who to call, and how to report an incident.

This artefact shows auditors that:
- Your organisation has communicated the Incident Response Plan (IRP) to all relevant employees,
- Staff know where to find the plan, and
- You have proof that the communication actually happened.

This is less about fancy technology and more about good housekeeping: “We told everyone what to do, and here’s the evidence.”

2. What You Will Submit

You may submit any one of the following (or multiple, if available):
- Screenshot of an email sent by the IT manager to all staff with IT access, containing:
  - The Incident Response Plan
  - A link to the shared location where the plan lives
  - A short summary of what staff should do in case of an incident
- Screenshot of a shared folder (Google Drive, SharePoint, file server, etc.)
  - Showing the IRP document
  - Showing that all staff have access
- Photo of a physical poster or notice
  - Displayed in a common workspace or operations area
  - Showing key steps and IR contact information
- Screenshot from your intranet page or StrongKeep Staff Portal
  - Showing IRP instructions published to staff
  - Or showing that the IRP acknowledgement is part of onboarding

Any method works as long as it clearly demonstrates staff awareness.

3. How to Collect / Obtain / Generate This Evidence

Below are the most common (and auditor-friendly) ways:

Option A — Email Announcement (Most Common)
1. IT Manager drafts an email to all employees with IT access.
2. Attach or link the Incident Response Plan.
3. Include key instructions (e.g., who to call, how to report incidents).
4. Send the email.
5. Take a screenshot of:
   - The sent email
   - The recipient list (or “all staff” group name)
   - The message body

This is the cleanest evidence because it shows deliberate communication.

Option B — Shared Folder Screenshot
If your IRP lives in a cloud folder:

Google Drive
- Open the folder
- Show the file name (e.g., Incident Response Plan.pdf)
- Click “Share” → screenshot the permissions (“Anyone in the organisation can view”)

SharePoint / OneDrive
- Open the document library
- Show file visibility
- Screenshot the “Manage Access” panel

This proves staff can access the plan.

Option C — Physical Poster Evidence
1. Place IR response instructions in a visible staff area.
2. Take a clear photo showing:
   - The poster content
   - The surrounding environment (to prove it’s a real location)

This is common in clinics, retail shops, warehouses, and environments where staff don’t regularly check email.

Option D — Intranet / Staff Page Announcement
If the plan was published to internal staff-accessible platforms like an intranet:
- Open the announcement/post
- Ensure the title + IRP link are visible
- Screenshot the page

4. Evidence Format

Accepted File Types:
- PNG
- JPG
- PDF

Suggested Naming Format: YourCompanyName_IncidentResponseCommunication_YYYY-MM-DD
Example: AcmeClinic_IRP_StaffCommunication_2025-02-01.png

5. What “Good” Looks Like

A strong piece of evidence should:
- Show that ALL relevant staff were reached (email group name, distribution list, or folder permissions)
- Clearly display the Incident Response Plan or link to it. The auditor must see the IRP is accessible.
- Include context, e.g., timestamp, sender name, platform used.
- Show explicit communication: “Please review our Incident Response Plan and follow these steps if you detect a cyber incident…”
- Be readable and unambiguous. Avoid screenshots of cropped emails with missing headers.

Why this matters: Auditors don’t just want a plan. They want proof your staff actually know about it — because during an incident, silence is the enemy.

6. Tips
- You may redact sensitive staff emails. Keep the group name visible (e.g., All Staff, Clinic Team, Retail Floor Staff).
- Make this a recurring communication. Sharing the IRP annually (or after any updates) strengthens your compliance posture.

Last updated on Dec 09, 2025

Data Flow Diagram Guide

1. Purpose of This Guide

A personal data flow diagram shows how personal data moves through your organisation — from the moment it is collected from a customer, staff member, or other individual, all the way through processing, storage, and sharing.

For Cyber Essentials and similar standards, this diagram proves that your organisation:
- Understands where personal data lives,
- Knows who processes it,
- Can identify risks, access points, and safeguards, and
- Has a clear, documented view of its data lifecycle.

Think of it as your “map of the kingdom” — showing auditors that your data isn’t wandering around the castle unsupervised.

2. What You Will Submit

Please upload one clear diagram (image or PDF) showing:
- Entities that provide personal data (e.g., Customers, Staff, Website Users)
- Systems and services that receive or process this data. Examples: CRM, HR system, payment processor, ticketing platform, inventory system, email inbox, etc.
- Arrows showing how personal data flows between these systems. Each arrow should represent a specific flow, such as:
  - “Customer submits form”
  - “CRM stores contact details”
  - “Data sent to email service provider”
- Any third-party processors or cloud tools (e.g., Stripe, Google Workspace, HubSpot, Microsoft 365)
- Clear labels explaining what data is being passed. Examples: “Name + Email”, “Payment details”, “Order information”

This should look similar in style to the sample diagram below, which shows business data flows, not personal data.

3. How to Collect / Obtain / Generate This Evidence

Follow these steps to build your Personal Data Flow Diagram. You can sketch it in any tool you prefer — PowerPoint, Draw.io, Lucidchart, Miro, Canva, or even a PDF editor.

Step 1 — Identify where you collect personal data
List all touchpoints where your organisation collects data:
- Website forms
- Customer registration
- Staff onboarding
- Appointment/booking system
- Payment checkout
- Support/helpdesk

Step 2 — Identify systems that store or process this data
Common examples include:
- CRM (HubSpot, Salesforce, Zoho)
- HR systems (Talenox, BambooHR, JustLogin)
- Email platforms (Google Workspace, Microsoft 365)
- Payment processors (Stripe, PayNow, PayPal)
- Project or ticketing systems (Jira, Zendesk)
- Cloud storage (SharePoint, Google Drive)

Step 3 — Map the flows
Draw arrows to show how personal data moves:
- From customer → website → CRM
- From CRM → email system
- From payment page → payment processor
- From staff → HR system → payroll provider

For each arrow, label:
- The type of personal data involved
- The purpose (e.g., process order, respond to enquiry)

Step 4 — Include external processors
If data leaves your organisation, auditors must see it. Examples:
- Payroll vendor
- Cloud hosting provider
- Payment gateway
- Marketing email provider

Step 5 — Export as an image or PDF
Most tools allow: File → Export → PNG/JPG/PDF. Keep the final diagram clean and readable.

4. Evidence Format

Accepted File Types:
- PNG
- JPG
- PDF

Suggested Naming Convention: YourCompanyName_DataFlowDiagram_YYYY-MM-DD
Example: AcmeClinic_DataFlowDiagram_2025-01-12.pdf

5. What “Good” Looks Like

A high-quality Personal Data Flow Diagram should have:
- Clear entities. Labelled people or groups providing data (e.g., Customers, Staff).
- All major systems included. Internal systems + external vendors.
- Clear arrows showing direction of data flow. Each arrow must have a purpose and data type label.
- No ambiguous or missing steps. If personal data touches it, it must appear in the diagram.
- Readable layout. Avoid clutter — the sample provided is a good reference for simplicity.
- End-to-end visibility. Shows: collection → processing → storage → sharing/disposal.

Sample:

Why this matters: auditors want to see that you know where personal data travels, so that you can protect it deliberately — not by accident.

6. Tips
- Keep it simple. You’re drawing a map, not a masterpiece. The goal is clarity, not art.
- Redact sensitive data. Never include real personal data in the diagram — only categories like “Name”, “Email”, “NRIC (if collected)”.
- Review it annually. Systems change, processes evolve — keep the diagram fresh.
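Steps 1 to 5 above can be driven from a single table of flows instead of a hand-drawn picture, which makes the annual review easier: edit the table, regenerate the diagram. The script below is an added example for this guide, not StrongKeep code and not the sample diagram the page refers to. It writes Graphviz DOT text (rendered with the separate `dot` tool from the Graphviz package, assumed to be installed), and the flows inside it are a constructed example for a fictional clinic: the system names are the tools named in Step 2, the data labels are categories only, and the external processors from Step 4 are drawn dashed and red so an auditor can see at a glance where personal data leaves the organisation.

```python
"""Produce a personal data flow diagram as Graphviz DOT text from a small flow
table, so the picture is generated from the same list of flows you review."""

# Constructed example for a fictional clinic (not real data). Each tuple is
# (source, destination, personal data categories, purpose of the flow).
FLOWS = [
    ("Customer", "Website booking form", "Name + Email + Phone", "book appointment"),
    ("Website booking form", "CRM (HubSpot)", "Name + Email + Phone", "store contact"),
    ("CRM (HubSpot)", "Email provider (Google Workspace)", "Name + Email", "send confirmation"),
    ("Customer", "Payment page", "Payment details", "pay for consultation"),
    ("Payment page", "Payment gateway (Stripe)", "Payment details", "process payment"),
    ("Staff", "HR system (Talenox)", "Name + NRIC + Bank details", "onboarding"),
    ("HR system (Talenox)", "Payroll vendor", "Name + Bank details", "pay salary"),
]
# People who provide data, drawn as ellipses.
PROVIDERS = {"Customer", "Staff"}
# External processors, drawn dashed and red so data leaving the organisation stands out.
EXTERNAL = {"Email provider (Google Workspace)", "Payment gateway (Stripe)", "Payroll vendor"}


def _node_id(name):
    """DOT identifiers may not contain spaces or punctuation; map them to underscores."""
    return "n" + "".join(ch if ch.isalnum() else "_" for ch in name)


def data_flow_dot(flows=FLOWS, providers=PROVIDERS, external=EXTERNAL):
    """Return DOT source. Render with: dot -Tpng diagram.dot -o diagram.png"""
    names = []  # first-seen order, so the diagram is stable between runs
    for src, dst, _, _ in flows:
        for name in (src, dst):
            if name not in names:
                names.append(name)
    lines = ["digraph personal_data_flow {", "  rankdir=LR;", "  node [shape=box];"]
    for name in names:
        if name in providers:
            style = "shape=ellipse"
        elif name in external:
            style = "style=dashed, color=red"
        else:
            style = "style=filled, fillcolor=lightgrey"
        lines.append(f'  {_node_id(name)} [label="{name}", {style}];')
    for src, dst, data, purpose in flows:
        # Each arrow carries the data type and the purpose, as the checklist requires.
        lines.append(f'  {_node_id(src)} -> {_node_id(dst)} [label="{data}\\n({purpose})"];')
    lines.append("}")
    return "\n".join(lines)


def external_recipients(flows=FLOWS, external=EXTERNAL):
    """(destination, data) pairs where personal data leaves the organisation."""
    return sorted({(dst, data) for _, dst, data, _ in flows if dst in external})


if __name__ == "__main__":
    with open("diagram.dot", "w", encoding="utf-8") as fh:
        fh.write(data_flow_dot())
    for dst, data in external_recipients():
        print(f"leaves the organisation: {data} -> {dst}")
```

`external_recipients` doubles as the Step 4 checklist: every pair it prints must be visible on the diagram, and if a vendor you know receives data is missing from the output, the flow table is incomplete. Replace the FLOWS entries with your own touchpoints and systems; keep the data column to categories, never real values, as the tips above require.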

Last updated on Dec 09, 2025

Vendor Compliance Guide

1. Purpose of This Guide

This guide helps you collect evidence showing that your vendors and contractors are required to meet cybersecurity expectations, not just your internal team.

This matters because:
- Vendors are a common supply-chain attack path
- Weak vendor security can undo your own controls
- You’re expected to set minimum cyber requirements, not just “trust them”

This evidence proves you’ve told your vendors: “If you work with us, cybersecurity is part of the deal.”

2. What You Will Submit

You will submit evidence that vendors are required to follow cybersecurity rules, such as:
- Contract clauses or agreements that include cybersecurity requirements
- Vendor security declarations or questionnaires
- Procurement or onboarding documents stating minimum cyber controls
- Screenshots or PDFs showing:
  - Vendor cyber requirements
  - Incident notification obligations
  - Security standards vendors must follow (e.g. Cyber Essentials, ISO 27001)

This is governance evidence, not a technical system screenshot.

3. How to Collect / Obtain / Generate This Evidence

Option A: Contract or Agreement (Most Common)
1. Open a vendor or contractor agreement
2. Locate sections covering:
   - Cybersecurity obligations
   - Data protection requirements
   - Incident or breach notification
3. Export or screenshot the relevant pages only
4. Redact pricing or commercial terms if needed

💡 Even a single paragraph stating vendors must follow cybersecurity requirements is enough.

Option B: Vendor Cybersecurity Requirements Document
1. Create a simple document or PDF titled “Vendor Cybersecurity Requirements”
2. Include statements such as:
   - Vendors must protect systems used to deliver services
   - Vendors must report cybersecurity incidents affecting your data
   - Vendors must maintain reasonable security controls
3. Save as PDF and upload

This works especially well if contracts are short or informal.

Option C: Vendor Security Review or Questionnaire (Best Practice)
1. Use a simple checklist or questionnaire
2. Capture answers such as:
   - Do you follow recognised security standards?
   - Do you have an incident response process?
   - Will you notify us of a breach?
3. Save the completed document or screenshot the responses

This supports A.6.4.E nicely, but is not mandatory.

4. Evidence Format

Accepted file types
- PDF
- PNG / JPG

Suggested naming format: YourCompanyName_VendorCompliance_Date
Example: AcmePteLtd_VendorCompliance_2025-07-01.pdf

5. What “Good” Looks Like

Your evidence is strong if it shows:
- Visible element: Explicit cybersecurity requirements for vendors
  Why it matters: Proves expectations are clearly communicated
- Visible element: Incident reporting or notification obligation
  Why it matters: Demonstrates preparedness for supply-chain incidents
- Visible element: Applies to vendors or contractors (not just staff)
  Why it matters: Directly satisfies CSA third-party clauses
- Visible element: Recent or currently used documentation
  Why it matters: Shows this is active, not forgotten paperwork

Simple, clear, and readable beats long and fancy.

6. Tips from Sir Stonk 🛡️
- You don’t need enterprise-grade audits. A clear contractual requirement already meets the intent for most SMEs.
- Focus on vendors that matter. IT providers, SaaS tools, developers, MSPs — not your office coffee supplier.

Supply-chain security doesn’t mean distrusting everyone. It means setting the rules before the drawbridge comes down.

Last updated on Dec 18, 2025

EOS Stop Gap Guide

1. Purpose of This Guide

This guide helps you show that you’re not blindly running systems that are no longer supported without mitigation measures.

“EOS” means End of Support — the vendor has stopped providing:
- Security patches
- Bug fixes
- Official support

SMEs can’t always replace systems immediately, but the standard does require you to:
- Understand the risk
- Get management approval
- Put temporary (stop-gap) protections in place
- Actively monitor the risk until replacement

This artefact proves you’ve done exactly that — no head-in-the-sand behaviour.

2. What You Will Submit

You will submit documentation showing how you are temporarily managing EOS risk, such as:
- A risk assessment for the EOS system
- Remarks about stop-gap measures describing compensating controls for that system in the risk assessment
- Evidence of management approval to continue using the EOS system, if relevant
- A timeline or plan for replacement or decommissioning

This is decision + risk evidence, not a technical configuration screenshot.

3. How to Collect / Obtain / Generate This Evidence

Step 1: Identify the EOS Asset
From your Asset Inventory, identify:
- Asset name (hardware or software)
- EOS date
- Business purpose
- Why it cannot yet be replaced

Step 2: Document the Risk
Create a short document (1–2 pages is enough) covering:
- What risks exist because the system is EOS (e.g. unpatched vulnerabilities, unsupported OS)
- What data or systems could be impacted
- Overall risk rating (Low / Medium / High)

This can be part of:
- A Risk Register entry, or
- A standalone “EOS Risk Assessment” document

Example (remark in the Risk Register Form): “Legacy accounting server — vendor support ended Mar 2024. Replacement scheduled Q4 2025.”

Step 3: Define Stop-Gap (Mitigating) Measures
Document temporary controls you’ve put in place, such as:
- Network isolation or segmentation
- Restricted access (only specific users)
- Firewall rules or IP allow-listing
- Increased monitoring or logging
- Additional backups
- Manual patching or compensating controls

These don’t need to be perfect — they need to be reasonable and intentional.

Step 4: Obtain Management Approval
Include evidence that:
- Senior management is aware of the risk
- Continued use is explicitly approved

This can be:
- An approval email
- A signed approval section in the document
- A meeting note or decision log

Step 5: Define a Replacement Plan
Clearly state:
- Planned replacement or decommissioning date
- Review or monitoring frequency until replacement

Auditors want to see this is temporary, not permanent neglect.

4. Evidence Format

Accepted file types
- PDF
- DOCX
- PNG / JPG (for signed approvals or emails)

Suggested naming format: YourCompanyName_EOS_StopGap_Date
Example: AcmePteLtd_EOS_StopGap_2025-07-01.pdf

5. What “Good” Looks Like

Your evidence is solid if it shows:
- Visible element: Identification of EOS asset
  Why it matters: Proves awareness of unsupported systems
- Visible element: Risk assessment or risk description
  Why it matters: Shows the risk is understood, not ignored
- Visible element: Clear stop-gap controls
  Why it matters: Demonstrates active risk mitigation
- Visible element: Management approval
  Why it matters: Confirms accountability and informed decision-making
- Visible element: Replacement or exit plan
  Why it matters: Confirms EOS use is temporary

6. Tips from Sir Stonk 🛡️
- Don’t panic about EOS. Panic is worse than planning. Auditors care about how you manage the risk, not perfection.
- Keep it short and honest. One clear page beats ten vague ones.

Running EOS systems without controls is risky. Running them with eyes open, approval granted, and armour added? That’s exactly what Cyber Essentials expects.

Last updated on Jan 05, 2026

Asset Inventory List ICT Vendor Guide

1. Purpose of This Guide

This guide helps you show that you maintain a clear, up-to-date inventory of hardware and software assets used by ICT vendors to deliver services to your organisation.

In simple terms: if a vendor runs systems, software, or cloud resources on your behalf, you know what they are, where they live, and when they expire.

This matters because:
- You can’t protect what you don’t know exists
- Vendor-managed assets are still part of your risk
- Asset visibility underpins patching, access control, and incident response

This artefact proves you’re tracking vendor assets — not guessing.

2. What You Will Submit

You will submit an asset inventory list covering ICT vendor–managed assets, such as:
- A spreadsheet or table listing:
  - Vendor-hosted systems
  - Third-party software and tools
  - Cloud instances (OS, software, services)
- Records that also track:
  - Licence or certificate expiry
  - End-of-support (EOS) dates
  - Renewal timelines

This is documentation evidence, not a screenshot of a live system.

3. How to Collect / Obtain / Generate This Evidence

Step 1: Identify In-Scope ICT Vendors
List vendors that:
- Host systems or applications for you
- Manage cloud infrastructure
- Provide managed IT, development, or platform services

Examples:
- Cloud service providers (AWS, Azure, GCP)
- Managed service providers (MSPs)
- Software vendors hosting SaaS platforms

Step 2: List Vendor-Managed Assets
For each vendor, record assets such as:
- Virtual machines or servers
- Operating systems
- Databases
- Third-party software or tools
- Cloud services or subscriptions

Include what is hosted, not just who hosts it.

Step 3: Capture Key Asset Details
Where available, include fields like:
- Asset name or description
- Vendor name
- Asset type (hardware / software / cloud service)
- Hosting location (on-prem, cloud, region)
- Business purpose
- End-of-support (EOS) date
- Licence or certificate expiry date
- Vendor contact or support reference

Don’t worry if some fields are blank — completeness improves over time.

Step 4: Review and Save
- Review the list for accuracy
- Save the document as a spreadsheet or PDF
- Make sure it reflects current usage, not historic contracts

4. Evidence Format

Accepted file types
- XLSX
- CSV
- PDF

Suggested naming format: YourCompanyName_AssetInventory_ICTVendors_Date
Example: AcmePteLtd_AssetInventory_ICTVendors_2025-07-01.xlsx

5. What “Good” Looks Like

Your evidence is solid if it shows:
- Visible element: Clear list of ICT vendor–managed assets
  Why it matters: Demonstrates visibility over third-party infrastructure
- Visible element: Inclusion of cloud-hosted OS and software
  Why it matters: Confirms cloud assets aren’t treated as “someone else’s problem”
- Visible element: Expiry or EOS tracking
  Why it matters: Enables proactive risk and lifecycle management
- Visible element: Reviewable, structured format
  Why it matters: Makes audits and updates straightforward

6. Tips from Sir Stonk 🛡️
- Start simple. A clean spreadsheet beats a mythical perfect CMDB.
- Review at least annually — or whenever you change vendors or platforms.

If vendors are part of your stack, their assets belong on your map.
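The EOS and expiry columns from Step 3 only pay off if someone actually compares them against the calendar, which is the "proactive lifecycle management" the checklist above asks for and the trigger for the EOS Stop Gap Guide earlier on this page. The script below is an added example for this guide, not StrongKeep code: it takes an inventory in the Step 3 layout and sorts each asset into expired, expiring within a warning window, fine, or undated. The inventory inside it is constructed with fictional vendors, names and dates, and includes a row with no dates at all, because blank fields are allowed but should still be surfaced for follow-up.

```python
"""Flag ICT-vendor assets whose end-of-support (EOS) or licence/certificate
expiry has passed or falls inside a warning window, from a small inventory table."""
from datetime import date, timedelta

# Constructed sample inventory (fictional vendors, names and dates). Blank date
# fields are allowed, since completeness improves over time, but are surfaced.
INVENTORY = [
    {"asset": "Web app VM (Ubuntu 20.04)", "vendor": "CloudHost Pte Ltd",
     "type": "cloud service", "eos": "2025-05-31", "expiry": ""},
    {"asset": "Clinic booking SaaS", "vendor": "BookIt SaaS",
     "type": "software", "eos": "", "expiry": "2025-08-15"},
    {"asset": "TLS certificate for clinic.example", "vendor": "CertCo",
     "type": "cloud service", "eos": "", "expiry": "2025-07-20"},
    {"asset": "Managed firewall", "vendor": "NetOps MSP",
     "type": "hardware", "eos": "2028-01-01", "expiry": "2026-03-01"},
    {"asset": "Legacy reporting tool", "vendor": "Unknown",
     "type": "software", "eos": "", "expiry": ""},
]


def _parse(iso_date):
    """Empty string means 'not recorded'; anything else must be YYYY-MM-DD."""
    return date.fromisoformat(iso_date) if iso_date else None


def lifecycle_report(inventory, today, warn_days=60):
    """Bucket each asset by its nearest EOS/expiry date relative to `today` (ISO string).

    Returns {"expired": [...], "expiring": [...], "ok": [...], "unknown": [...]}
    holding asset names; "unknown" means no date is recorded at all.
    """
    ref = date.fromisoformat(today)
    horizon = ref + timedelta(days=warn_days)
    report = {"expired": [], "expiring": [], "ok": [], "unknown": []}
    for item in inventory:
        dates = [d for d in (_parse(item["eos"]), _parse(item["expiry"])) if d]
        if not dates:
            report["unknown"].append(item["asset"])
            continue
        soonest = min(dates)  # the earlier of EOS and expiry drives the action
        if soonest < ref:
            report["expired"].append(item["asset"])
        elif soonest <= horizon:
            report["expiring"].append(item["asset"])
        else:
            report["ok"].append(item["asset"])
    return report


if __name__ == "__main__":
    for bucket, assets in lifecycle_report(INVENTORY, date.today().isoformat()).items():
        for asset in assets:
            print(f"{bucket:9} {asset}")
```

Anything in `expired` is a candidate for the EOS Stop Gap Guide (risk noted, management approval, compensating controls, replacement date); anything in `expiring` goes on the renewal list before the next review; anything in `unknown` is a field to chase with the vendor. Reading the inventory from the XLSX or CSV you submit, rather than the inline list, is a matter of loading those rows into the same dictionary shape.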

Last updated on Dec 18, 2025

Data At Rest / In Motion Encryption Guide

1. Purpose of This Guide

This guide helps you show that business-critical and sensitive data is protected by encryption, both:
- At rest (when stored), and
- In motion (when transmitted)

Encryption ensures that even if data is accessed without authorisation, it remains unreadable and unusable. This artefact proves you’re protecting data properly — not just relying on passwords or good luck.

2. What You Will Submit

You will submit evidence showing encryption is enabled, such as:
- Screenshots showing:
  - Full disk encryption enabled on devices
  - Database or storage encryption settings
  - TLS / HTTPS enabled for applications or services
- Configuration pages from:
  - Cloud storage services
  - Databases
  - Email or file transfer systems

Multiple screenshots are perfectly acceptable.

3. How to Collect / Obtain / Generate This Evidence

Part A: Encryption at Rest
Collect one or more of the following:

Endpoints (Windows / macOS)
- Screenshot showing:
  - BitLocker (Windows) enabled, or
  - FileVault (macOS) enabled

Servers / Databases
- Screenshots showing:
  - Disk or volume encryption enabled
  - Database encryption at rest turned on

Cloud Storage
- Screenshots showing:
  - Server-side encryption enabled
  - Managed keys (or customer-managed keys, if used)

Part B: Encryption in Motion
Collect screenshots showing secure data transmission, such as:

Web Applications
- Browser address bar showing https://
- Certificate details (padlock icon)

Email / File Transfer
- TLS enabled in mail server settings
- Secure transfer protocols (e.g. SFTP, HTTPS)

APIs or Services
- Configuration pages showing TLS enabled for endpoints

4. Evidence Format

Accepted file types
- PNG
- JPG
- PDF

Suggested naming format: YourCompanyName_DataEncryption_AtRest_InMotion_Date
Example: AcmePteLtd_DataEncryption_2025-07-01.pdf

5. What “Good” Looks Like

Your evidence is strong if it shows:
- Visible element: Encryption enabled at rest
  Why it matters: Protects stored data from unauthorised access
- Visible element: Secure protocols in use for data in motion
  Why it matters: Prevents interception or tampering during transfer
- Visible element: Recognised encryption technologies
  Why it matters: Demonstrates industry-accepted protection methods
- Visible element: Applies to business-critical or sensitive data
  Why it matters: Shows protection where it matters most

6. Tips from Sir Stonk 🛡️
- Screenshots beat statements. Show the toggle switched on.
- Redact keys, certificates, or secrets — auditors don’t need those.

Locks on doors are good. Locks and encryption? That’s how you keep the treasure safe.

Last updated on Dec 18, 2025

Network Diagram Segmentation Guide

1. Purpose of This Guide

This guide helps you show that your network is intentionally designed and segmented, not one big flat battlefield.

Network segmentation means:
- Critical systems are separated from user devices
- Public-facing services are isolated from internal systems
- A breach in one area doesn’t automatically spread everywhere else

This artefact proves you’ve thought about network boundaries and put basic defences in place.

2. What You Will Submit

You will submit a network diagram that clearly shows segmentation, such as:
- A diagram illustrating:
  - Internet connection
  - Firewalls or gateways
  - Segmented networks (e.g. user network, server network, DMZ)
- Visual separation between:
  - Public-facing services (e.g. web apps)
  - Internal business systems
  - Databases or critical services

This is a visual architecture document, not a configuration screenshot.

3. How to Collect / Obtain / Generate This Evidence

Step 1: Identify Key Network Zones

At a minimum, show:
- Internet
- Firewall or security gateway
- Internal user network
- Critical systems (servers, databases)
- Any cloud or hosted environments

If applicable, also include:
- Management or admin networks
- IoT or guest networks

Step 2: Draw the Segmentation

Use any tool you’re comfortable with:
- PowerPoint / Google Slides
- Draw.io / Lucidchart
- Visio / Miro

Clearly label:
- Each network segment
- Traffic flow direction (arrows help)
- Where firewalls or controls sit between segments

Clarity matters more than artistic flair.

Step 3: Review for Simplicity

Before saving:
- Remove unnecessary technical detail
- Ensure segmentation is obvious at a glance
- Make sure labels are readable

One clean page is ideal.

4. Evidence Format

Accepted file types
- PDF
- PNG
- JPG

Suggested naming format
YourCompanyName_NetworkDiagram_Segmentation_Date

Example
AcmePteLtd_NetworkDiagram_Segmentation_2025-07-01.pdf

5. What “Good” Looks Like

Your evidence is solid if it shows:
- Visible element: Clear separation between network zones
  Why it matters: Limits lateral movement during attacks
- Visible element: Firewalls or gateways between segments
  Why it matters: Demonstrates enforced traffic control
- Visible element: Public-facing services isolated from internal systems
  Why it matters: Reduces exposure of sensitive assets
- Visible element: Cloud and on-prem systems clearly labelled
  Why it matters: Shows full environment awareness

6. Tips from Sir Stonk 🛡️
- Flat networks are easy to draw — and easy to break.
- Don’t over-engineer. Even basic segmentation earns real points here.

A good map doesn’t show every tree. It shows where the walls are.
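
Before the diagram goes to an auditor, it helps to sanity-check that the arrows you drew actually satisfy the three properties in section 1. The script below is an added example written for this guide (not a StrongKeep tool): it models the diagram as zones, allowed flows between them, and the boundaries where a firewall or gateway sits, then reports plain-English violations. The zone names, flows and the rule that the database is reachable only from the server network are constructed assumptions to illustrate the check; substitute your own.

```python
from collections import defaultdict, deque

# Constructed zone model for illustration; zone names follow Step 1 of the guide.
# Each flow is (source zone, destination zone, service) and is one arrow on the diagram.
FLOWS = [
    ("Internet", "DMZ", "https"),
    ("DMZ", "Server network", "app-api"),
    ("Server network", "Database", "postgres"),
    ("User network", "Server network", "https"),
    ("Management", "Server network", "ssh"),
]
# Same diagram with a legacy rule that lets user devices talk to the database directly.
FLOWS_WITH_GAP = FLOWS + [("User network", "Database", "postgres")]

# Zone pairs with a firewall or gateway between them (constructed; unordered pairs).
CONTROLLED_BOUNDARIES = {
    frozenset({"Internet", "DMZ"}),
    frozenset({"DMZ", "Server network"}),
    frozenset({"Server network", "Database"}),
    frozenset({"User network", "Server network"}),
    frozenset({"Management", "Server network"}),
}


def _adjacency(flows):
    adj = defaultdict(set)
    for src, dst, _ in flows:
        adj[src].add(dst)
    return adj


def reachable_from(start, flows):
    """Zones reachable from `start` by chaining allowed flows (breadth-first search)."""
    adj = _adjacency(flows)
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adj[zone]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def shortest_hops(start, target, flows):
    """Fewest segment boundaries between `start` and `target`; None if unreachable."""
    adj = _adjacency(flows)
    dist = {start: 0}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            return dist[zone]
        for nxt in adj[zone]:
            if nxt not in dist:
                dist[nxt] = dist[zone] + 1
                queue.append(nxt)
    return None


def check_segmentation(flows, boundaries, crown_jewel="Database", app_tier="Server network"):
    """Return a list of violations of the section 1 properties; empty means the model passes."""
    violations = []
    for src, dst, svc in flows:
        # Public-facing services isolated: the internet only ever lands in the DMZ.
        if src == "Internet" and dst != "DMZ":
            violations.append(f"Internet reaches {dst} directly over {svc}; only the DMZ should be exposed")
        # Critical systems separated from user devices: only the app tier talks to the database.
        if dst == crown_jewel and src != app_tier:
            violations.append(f"{src} reaches {crown_jewel} directly over {svc}; only {app_tier} should")
        # Every arrow between segments must cross a drawn control.
        if frozenset({src, dst}) not in boundaries:
            violations.append(f"No firewall or gateway recorded between {src} and {dst} ({svc})")
    # A breach must not spread in one step: at least three controlled hops from the internet to the crown jewel.
    hops = shortest_hops("Internet", crown_jewel, flows)
    if hops is not None and hops < 3:
        violations.append(f"Internet is only {hops} hop(s) from {crown_jewel}")
    return violations


if __name__ == "__main__":
    for label, flows in (("clean diagram", FLOWS), ("diagram with legacy rule", FLOWS_WITH_GAP)):
        print(f"{label}: {check_segmentation(flows, CONTROLLED_BOUNDARIES) or ['OK']}")
```

Every violation the script prints is either an arrow to redraw or a firewall to add to the picture, so the reviewed diagram and the check agree.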

Last updated on Dec 18, 2025

Security Testing Guide

1. Purpose of This Guide

This guide helps you show that your software and systems have been tested for security weaknesses — before going live and on a regular basis.

Security testing (like vulnerability assessments or penetration testing) is how you prove:
- You actively look for weaknesses
- You don’t wait for attackers to find them first
- High-risk issues are identified and addressed

This artefact demonstrates that security testing is intentional, documented, and repeatable — not a one-off panic exercise.

2. What You Will Submit

You will submit evidence that security testing has been performed, such as:
- A Vulnerability Assessment (VA) report
- A Penetration Testing (PT) report
- A combined VA/PT report
- Executive summaries or extracts from testing reports

The report does not need to expose sensitive exploit details to be valid.

3. How to Collect / Obtain / Generate This Evidence

Option A: External Security Testing Provider (Most Common)
1. Engage a third-party security firm to conduct:
   - Vulnerability Assessment (VA), and/or
   - Penetration Testing (PT)
2. Ensure the report includes:
   - Scope of testing (application, environment, URLs, IPs)
   - Date of testing
   - Summary of findings and risk ratings
3. Export the final report (PDF preferred)

You may redact exploit steps or sensitive IP details.

Option B: Internal or Platform-Based Security Testing

If testing is done internally or via a platform:
1. Run the security scan or test
2. Export:
   - Test summary
   - Risk ratings (e.g. Low / Medium / High)
   - Evidence that testing completed successfully
3. Save as PDF or screenshot key summary pages

This is acceptable as long as testing is documented and recent.

Option C: Pre-Commissioning Testing Evidence

If your system was tested before going live:
1. Use the most recent pre-production or go-live security testing report
2. Ensure the report clearly shows:
   - Testing occurred before production use
   - Issues were identified and assessed

This is especially useful for newer systems.

4. Evidence Format

Accepted file types
- PDF
- DOCX

Suggested naming format
YourCompanyName_SecurityTesting_Date

Example
AcmePteLtd_SecurityTesting_2025-07-01.pdf

5. What “Good” Looks Like

Your evidence is strong if it shows:
- Visible element: Clear testing scope and date
  Why it matters: Confirms relevance and recency
- Visible element: Identified vulnerabilities with risk ratings
  Why it matters: Shows structured security assessment
- Visible element: Coverage of production or pre-production systems
  Why it matters: Confirms real-world relevance
- Visible element: Summary or conclusion section
  Why it matters: Helps auditors quickly understand outcomes

You do not need to show every exploit detail to pass.

6. Tips from Sir Stonk 🛡️
- Redact responsibly. Keep risk ratings and findings, remove step-by-step exploit instructions.
- Repeat testing after major changes — new features deserve fresh scrutiny.

Security testing isn’t about proving perfection. It’s about proving you’re brave enough to look for cracks — and fix them.

Last updated on Dec 18, 2025

WAF Screenshot Guide

1. Purpose of This Guide

This guide helps you show that your internet-facing web applications are protected by a Web Application Firewall (WAF).

A WAF acts like a shield in front of your website or application. It:
- Filters malicious traffic
- Blocks common attacks (e.g. SQL injection, cross-site scripting)
- Reduces the risk of your app being the easiest target on the internet

This evidence proves you’re not leaving your web apps exposed to known attack patterns.

2. What You Will Submit

You will submit a screenshot showing that a Web Application Firewall is enabled and active, such as:
- A WAF dashboard from your cloud provider or security platform
- Configuration pages showing:
  - WAF enabled
  - Associated website, domain, or application
- Rule or policy overview screens

The screenshot should clearly show that the WAF is on, not just available.

3. How to Collect / Obtain / Generate This Evidence

Option A: Cloud Provider WAF (Most Common)

AWS
1. Go to AWS Console
2. Navigate to WAF & Shield
3. Select your Web ACL
4. Open the overview page showing:
   - Web ACL name
   - Associated resource (ALB, CloudFront, API Gateway)
   - Status as Enabled
5. Take a screenshot

Azure
1. Go to Azure Portal
2. Navigate to Application Gateway or Front Door
3. Open Web Application Firewall
4. Screenshot the page showing:
   - WAF enabled
   - Mode (Detection / Prevention)
   - Associated frontend

Cloudflare
1. Log in to Cloudflare Dashboard
2. Select your domain
3. Go to Security → WAF
4. Screenshot:
   - WAF enabled status
   - Active rules or protections

Option B: Third-Party or Managed WAF

If you use a managed security provider:
1. Open the provider’s WAF dashboard
2. Ensure the page shows:
   - Protected domain or application
   - WAF status (active / enabled)
3. Capture a clear screenshot

4. Evidence Format

Accepted file types
- PNG
- JPG
- PDF

Suggested naming format
YourCompanyName_WAF_Screenshot_Date

Example
AcmePteLtd_WAF_Screenshot_2025-07-01.png

5. What “Good” Looks Like

Your evidence is strong if it shows:
- Visible element: WAF enabled status
  Why it matters: Confirms protection is active, not just configured
- Visible element: Protected domain, app, or endpoint
  Why it matters: Links the WAF to real internet-facing assets
- Visible element: Rules, policies, or protection mode
  Why it matters: Demonstrates meaningful filtering, not a blank setup
- Visible element: Platform or provider name
  Why it matters: Shows this is a recognised, managed security control

6. Tips from Sir Stonk 🛡️
- Prevention mode beats detection mode, if your setup allows it — but detection is still better than nothing.
- Redact internal IPs or account IDs if they appear in the screenshot.

A WAF won’t make you invincible — but it does stop a whole class of lazy attacks before they even knock.

Last updated on Dec 18, 2025

Vulnerability Management Process Guide

1. Purpose of This Guide

This guide helps you show that your organisation systematically identifies, prioritises, and fixes security weaknesses, using recognised industry standards. Bugs are normal; ignoring them is not.

This matters because you are expected to:
- Enforce secure configurations (not defaults)
- Use industry benchmarks (e.g. CIS, OWASP)
- Regularly test systems for vulnerabilities
- Remediate high-risk findings, not just document them

This artefact proves your vulnerability management is:
- Intentional
- Risk-based
- Aligned with recognised security standards, not ad-hoc or reactive

2. What You Will Submit

You will submit a documented Vulnerability Management Process, which explains how your organisation:
- Identifies vulnerabilities across systems and applications
- Uses industry standards to assess risk
- Prioritises and remediates high-risk vulnerabilities
- Verifies fixes after remediation

This is process and governance evidence, not raw scan output.

3. How to Collect / Obtain / Generate This Evidence

StrongKeep customers can adapt the provided template. Non-StrongKeep customers can follow the steps below:

Step 1: Define the Standards You Follow

Your document should clearly state that vulnerability management is aligned to recognised benchmarks, for example:
- CIS Benchmarks for:
  - Desktops
  - Servers
  - Network devices
- OWASP Top 10 for:
  - Web applications
  - APIs
- Risk scoring based on:
  - CVSS scores
  - Vendor-provided severity ratings
  - Business impact

You do not need to implement every benchmark in full — you need to show alignment and intent.

Step 2: Explain How Vulnerabilities Are Identified

Describe how vulnerabilities are discovered, such as:
- Automated vulnerability scanning
- Security baseline analysis
- Internet-facing scans (e.g. mail server / web server scans)
- Penetration testing (periodic or before commissioning)
- Vendor security advisories

This demonstrates that vulnerabilities are actively looked for, not passively discovered.

Step 3: Describe Risk Assessment and Prioritisation

Your process must explain how vulnerabilities are classified, including:
- Risk ratings (e.g. Low / Medium / High)
- Factors considered:
  - Severity (e.g. CVSS score)
  - Exposure (internet-facing vs internal)
  - Impact on availability, confidentiality, integrity

Key requirement: High-risk vulnerabilities are explicitly prioritised for remediation.

Step 4: Define Remediation Expectations

Your document should clearly state that:
- High-risk vulnerabilities must be remediated
- Remediation methods may include:
  - Patching
  - Configuration hardening
  - Feature removal
  - Compensating controls
- Fixes are applied:
  - Before production use (where applicable)
  - After major changes
  - On a periodic basis

This is a core requirement — auditors look for this explicitly.

Step 5: Verification and Follow-Up

Explain how fixes are confirmed, such as:
- Re-scanning after remediation
- Validation checks
- Tracking status (open / mitigated / resolved)

Optional but strong:
- Reference to a risk register
- Reference to security testing reports

4. Evidence Format

Accepted file types
- PDF
- DOCX

Suggested naming format
YourCompanyName_VulnerabilityManagement_Process_Date

Example
AcmePteLtd_VulnerabilityManagement_Process_2025-07-01.pdf

5. What “Good” Looks Like

Your evidence is strong if it shows:
- Visible element: Reference to CIS benchmarks and/or OWASP Top 10
  Why it matters: Demonstrates industry-aligned secure configuration
- Visible element: Defined process for identifying vulnerabilities
  Why it matters: Shows proactive security posture
- Visible element: Clear prioritisation of high-risk issues
  Why it matters: Meets mandatory remediation expectations
- Visible element: Verification after fixes
  Why it matters: Confirms vulnerabilities are actually resolved

6. Tips from Sir Stonk 🛡️
- You don’t need perfect CIS compliance — you need reasonable, documented alignment.
- Say the words “High-risk vulnerabilities are remediated.” Auditors look for that exact intent.

Secure configuration isn’t about being flawless. It’s about knowing where the cracks are — and fixing the dangerous ones first.
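
Steps 3 to 5 describe a classification, a remediation queue and a verification loop; the script below is an added example written for this guide (not a StrongKeep template) that shows that process as working code. It rates constructed, fictional findings from their CVSS base score, exposure and business impact, queues the High-rated ones for remediation, and only marks a finding resolved when a re-scan comes back clean. The CVSS bands follow the CVSS v3 qualitative scale; the way exposure and impact are added on top is an assumed scheme for illustration, so document whatever weighting you actually use.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    title: str
    cvss: float            # CVSS base score, 0.0-10.0, from the scanner or vendor advisory
    internet_facing: bool  # exposure: reachable from the internet?
    asset_impact: str      # business impact on C/I/A if compromised: "low", "medium" or "high"
    status: str = "open"   # Step 5 tracking states: open | mitigated | resolved


def sample_findings():
    """Constructed findings for illustration; not real scan output."""
    return [
        Finding("VULN-001", "Outdated TLS configuration on mail gateway", 7.5, True, "medium"),
        Finding("VULN-002", "Default admin credentials on print server", 9.8, False, "low"),
        Finding("VULN-003", "Verbose error pages on intranet app", 5.3, False, "low"),
        Finding("VULN-004", "Server version disclosed in public site headers", 3.1, True, "low"),
        Finding("VULN-005", "Missing OS patch on internal file server", 6.5, False, "high"),
    ]


def severity_band(cvss):
    """CVSS v3 qualitative bands: Critical 9.0+, High 7.0+, Medium 4.0+, otherwise Low/None."""
    if cvss >= 9.0:
        return 3
    if cvss >= 7.0:
        return 2
    if cvss >= 4.0:
        return 1
    return 0


def rate_risk(f):
    """Step 3: combine severity, exposure and business impact into Low / Medium / High.
    Adding one point for internet exposure and one for high-impact assets is an assumed scheme."""
    score = severity_band(f.cvss)
    score += 1 if f.internet_facing else 0
    score += 1 if f.asset_impact == "high" else 0
    if score >= 3:
        return "High"
    if score >= 1:
        return "Medium"
    return "Low"


def remediation_queue(findings):
    """Step 4: open High-risk findings are explicitly prioritised, worst CVSS first."""
    queue = [f for f in findings if f.status == "open" and rate_risk(f) == "High"]
    return sorted(queue, key=lambda f: f.cvss, reverse=True)


def mitigate(f, control):
    """Record a compensating control; the finding leaves the queue but is not yet resolved."""
    f.status = "mitigated"
    f.title = f"{f.title} (compensating control: {control})"
    return f.status


def verify_fix(f, rescan_clean):
    """Step 5: a fix counts only when the re-scan no longer reports the finding."""
    f.status = "resolved" if rescan_clean else "open"
    return f.status


def status_summary(findings):
    """Counts per tracking state, the figure a risk register or audit extract would show."""
    summary = {}
    for f in findings:
        summary[f.status] = summary.get(f.status, 0) + 1
    return summary


if __name__ == "__main__":
    findings = sample_findings()
    for f in findings:
        print(f"{f.id}  CVSS {f.cvss:<4} {'internet' if f.internet_facing else 'internal':<8} "
              f"impact={f.asset_impact:<6} -> {rate_risk(f)}")
    print("remediate first:", [f.id for f in remediation_queue(findings)])
```

The queue is the sentence auditors look for ("High-risk vulnerabilities are remediated") made checkable: anything still in it after your remediation window is an open high-risk item, and `verify_fix` stops a finding from being closed on a promise rather than a re-scan.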

Last updated on Jan 05, 2026