| Control | Sub-controls | | | |
|---|---|---|---|---|
| 1 Firewalls | 6 | | | |
| 1.1 Change default administrative passwords | | | | |
| 1.2 Prevent access to the administrative interface from the internet | | 35 | 37 | |
| 1.3 Block unauthenticated inbound connections by default | | 2 | 3 | |
| 1.4 Ensure inbound firewall rules are approved and documented | | | | |
| 1.5 Remove or disable unnecessary firewall rules | | | | |
| 1.6 Use a software (host-based) firewall on devices that are used on untrusted networks | | | | |
| 2 Secure configuration | 2 | | | |
| 2.1 Computers and network devices | 6 | | | |
| 2.1.1 Remove or disable unnecessary user accounts | | | | |
| 2.1.2 Change any default or guessable account passwords | | 2 | 3 | |
| 2.1.3 Remove or disable unnecessary software | | | | |
| 2.1.4 Disable any auto-run feature that allows files to execute without user authorization | | | | |
| 2.1.5 Ensure users are authenticated before they are given access to organizational data or services | | 3 | 3 | |
| 2.1.6 Ensure appropriate device-locking controls are in place for users who are physically present | | | | |
| 2.2 Device unlocking credentials | 3 | | | |
| 2.2.1 Require a credential such as a biometric, password or PIN before a user can gain access to the services | | | | |
| 2.2.2 Protect the chosen authentication method against brute-force attacks, using at least one of the following | 2 | | | |
| 2.2.2.1 Throttling: allow no more than 10 guesses in 5 minutes | | | | |
| 2.2.2.2 Lockout: lock the device after more than 10 unsuccessful attempts | | | | |
| 2.2.3 Use technical controls to manage the quality of credentials | | | | |
| 3 Security update management | 4 | | | |
| 3.1 All software on in-scope devices must be licensed and supported | | 5 | 5 | |
| 3.2 Remove software from in-scope devices when it becomes unsupported | | | | |
| 3.3 Enable automatic updates for all software on in-scope devices where possible | | 1 | 1 | |
| 3.4 Apply updates to all software on in-scope devices within 14 days of the update being released | | | | |
| 4 User access control | 6 | | | |
| 4.1 Have a process in place to create and approve user accounts | | | | |
| 4.2 Authenticate users with unique credentials before granting access to applications or devices | 4 | | | |
| 4.2.1 Protect passwords against brute-force password guessing | | | | |
| 4.2.2 Use technical controls to manage the quality of passwords | | 2 | 3 | |
| 4.2.3 Support users in choosing unique passwords for their work accounts | | 1 | 1 | |
| 4.2.4 The password element of multi-factor authentication | | 2 | 3 | |
| 4.3 Remove or disable user accounts when they are no longer required | | | | |
| 4.4 Implement MFA where available | | | | |
| 4.5 Use separate accounts for administrative activities only | | | | |
| 4.6 Remove or disable special access privileges when no longer required | | | | |
| 5 Malware protection | 2 | | | |
| 5.1 Anti-malware software | 4 | | | |
| 5.1.1 Anti-malware software must be configured to update in line with vendor recommendations | | | | |
| 5.1.2 Anti-malware software must be configured to prevent malware from running | | | | |
| 5.1.3 Anti-malware software must be configured to prevent the execution of malicious code | | | | |
| 5.1.4 Anti-malware software must be configured to prevent connections to malicious websites over the internet | | | | |
| 5.2 Application allow listing | 2 | | | |
| 5.2.1 Actively approve applications before deploying them to devices | | | | |
| 5.2.2 Maintain a current list of approved applications | | | | |
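Controls 2.2.2, 2.2.3, 4.2.1 and 4.2.2 call for technical controls against brute-force guessing and on credential quality but do not say how to build them. The following is an added example (not part of this checklist or of any vendor product) of both: a guard that enforces either the throttling option (no more than 10 guesses in 5 minutes) or the lockout option (lock after more than 10 unsuccessful attempts), plus a password-quality check. The class and function names, the `FakeClock` used to step time, the `verify` callback, the minimum length of 8 and the deny list are all assumptions made for illustration.

```python
"""Added example: brute-force guard (2.2.2 / 4.2.1) and credential-quality
check (2.2.3 / 4.2.2). Names, thresholds and sample data are assumptions."""
import time
from collections import deque
from enum import Enum


class Policy(Enum):
    THROTTLE = "throttle"  # 2.2.2.1: no more than 10 guesses in 5 minutes
    LOCKOUT = "lockout"    # 2.2.2.2: lock after more than 10 unsuccessful attempts


MAX_GUESSES = 10       # shared limit from the checklist
WINDOW_SECONDS = 300   # the 5-minute throttling window


class FakeClock:
    """Constructed stand-in for time.monotonic so a demo can jump forward in time."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class BruteForceGuard:
    """Tracks failed guesses per account and enforces the configured policy."""

    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self._clock = clock      # injectable for testing
        self._failures = {}      # account -> deque of failure timestamps
        self._locked = set()     # accounts locked under the LOCKOUT policy

    def _recent_failures(self, account):
        q = self._failures.setdefault(account, deque())
        cutoff = self._clock() - WINDOW_SECONDS
        while q and q[0] < cutoff:       # forget failures older than the window
            q.popleft()
        return q

    def attempt(self, account, password, verify):
        """One login attempt. Returns 'locked', 'throttled', 'failed' or 'ok'."""
        if account in self._locked:
            return "locked"              # refused before the password is even checked
        if self.policy is Policy.THROTTLE and \
                len(self._recent_failures(account)) >= MAX_GUESSES:
            return "throttled"           # 11th guess inside 5 minutes is refused
        if verify(account, password):
            self._failures.pop(account, None)   # a success clears the counter
            return "ok"
        q = self._failures.setdefault(account, deque())
        q.append(self._clock())
        if self.policy is Policy.LOCKOUT and len(q) > MAX_GUESSES:
            self._locked.add(account)    # stays locked until unlock() is called
            return "locked"
        return "failed"

    def unlock(self, account):
        """Administrative unlock; also resets the failure history."""
        self._locked.discard(account)
        self._failures.pop(account, None)


# 2.2.3 / 4.2.2: technical controls on credential quality. The minimum length
# and the deny list below are assumed policy parameters, not checklist values.
MIN_LENGTH = 8
DENY_LIST = {"password", "password1", "qwerty", "letmein", "123456", "welcome"}


def password_acceptable(password, username=""):
    """Reject passwords that are too short, deny-listed or derived from the username."""
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        return False
    if lowered in DENY_LIST:
        return False
    if username and username.lower() in lowered:
        return False
    return True


if __name__ == "__main__":
    clock = FakeClock()
    guard = BruteForceGuard(Policy.THROTTLE, clock=clock)

    def verify(user, pw):                # stand-in for a real credential check
        return pw == "correct horse battery"

    for _ in range(MAX_GUESSES):
        guard.attempt("alice", "wrong", verify)
    print(guard.attempt("alice", "correct horse battery", verify))  # throttled
    clock.now += WINDOW_SECONDS + 1
    print(guard.attempt("alice", "correct horse battery", verify))  # ok
    print(password_acceptable("Password1"))                         # False
```

Note that the throttle counts failed guesses only and refuses the 11th attempt even when the password is right, which is what stops an online guessing attack from being rewarded for persistence; the lockout variant is deliberately not time-based and requires an explicit `unlock()`, so a monitoring or help-desk step is needed before it is deployed.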