Please note: This sample shows only a section of the complete Gap Assessment tool.
Gap Assessment Tool

VERSION: [1]
DATED: [Enter date here]
APPROVAL: [Enter name of approver here]

CONTROLS

Each control statement has four columns: COMPLIANT? | ACTION NEEDED FOR COMPLIANCE | ACTION OWNER | POSSIBLE EVIDENCE. In this sample only the COMPLIANT? and POSSIBLE EVIDENCE columns contain entries; the ACTION NEEDED FOR COMPLIANCE and ACTION OWNER columns are blank.
Control 1: Firewalls

1. A firewall is in place to protect the internal network from the internet.
   Compliant? Yes. Possible evidence: Network Diagram; Network Security Policy.
2. The administrator password of the firewall(s) has been changed from the default.
   Compliant? [not completed]. Possible evidence: Password Policy.
3. The firewall rules (defining traffic that is allowed or denied a route through the firewall) have been documented and approved.
   Compliant? Yes. Possible evidence: Firewall Configuration Standard.
4. Vulnerable network services are blocked unless explicitly required.
   Compliant? Yes. Possible evidence: Firewall Configuration Standard.
5. Changes to firewall rules are controlled and documented.
   Compliant? [not completed]. Possible evidence: Firewall Rule Change Log; Firewall Rule Change Process.
6. Firewall rules are reviewed on a regular basis to ensure they remain appropriate.
   Compliant? Yes. Possible evidence: Firewall Review Form.
7. Only devices that need access to the internet are allowed to connect to it.
   Compliant? [not completed]. Possible evidence: Configuration Standard.
8. The admin interface of the firewall is only accessible from within the internal network.
   Compliant? Yes. Possible evidence: Information Security Policy.

Total: 8
Control 2: Secure Configuration

1. All user accounts have been verified as active and required on all computers in the internal network, and inactive ones have been removed.
   Compliant? [not completed].
2. All default passwords have been changed.
   Compliant? Yes.
3. There is a policy for passwords which is approved, communicated and followed.
   Compliant? Yes.
4. Where sensitive data is accessed, multi-factor authentication is used (e.g. a one-time code sent to a phone).
   Compliant? [not completed].
5. Auto-run is disabled for USB ports on computers.
   Compliant? Yes. Possible evidence: Information Security Policy.
6. Only software that is required is installed on the organisation's computers.
   Compliant? [not completed].
7. Installation of software on computers by users is restricted (either prevented or restricted to a vendor store, if appropriate).
   Compliant? [not completed].
8. Client firewalls are active and appropriately configured on all computers.
   Compliant? [not completed].
9. A secure standard configuration is used for all new computers.
   Compliant? Yes. Possible evidence: Configuration Standard.
10. Remote access to the organisation's network is controlled via the use of Virtual Private Networks (VPNs).
    Compliant? [not completed].
11. A list is maintained of all cloud services used.
    Compliant? Yes. Possible evidence: Cloud Services Register.

Total: 11
Cyber Essentials Gap Assessment dashboard

To refresh the chart data, click “Refresh All” on the Data ribbon.