Cyber Essentials Compliance

This example project demonstrates how TraceabilityLite can be used to manage Cyber Essentials compliance activities through clear traceability between requirements, policy documents, and practical configuration guidance.

It includes a set of infrastructure requirements derived from the official Cyber Essentials Requirements for IT Infrastructure v3.2, together with supporting Word and Excel documents used to define, implement, and maintain secure operational controls.

To create a project based on this template: select Projects => Create New Project => tick Based on Template, select "Cyber Essentials Compliance", select a location and project name, then click Create.

Cyber Essentials Compliance example project traceability diagram

The content of each linked policy can then be viewed against each requirement, as shown below.

Cyber Essentials Compliance example showing linked policy content against individual requirements

Requirements

This section contains the core compliance requirements mapped from the official Cyber Essentials infrastructure criteria, providing the baseline control objectives that the remaining project documents support.

Cloud Services Configuration Guide

This guide defines the Microsoft Intune and Azure configuration settings required to support Cyber Essentials compliance, including endpoint management and cloud security controls that can be audited and maintained over time.

Cyber Essentials Requirements for IT Infrastructure v3.2

This source document captures the formal infrastructure requirements used to derive the project requirement set and acts as the authoritative reference for interpretation and compliance intent.

Cyber Security Regular Review Policy

This policy sets out recurring Microsoft 365 and wider security review activities to help ensure vulnerabilities, misconfigurations, and emerging risks are identified and addressed promptly.

Leavers and Joiners Policy

This policy defines the configuration and access-control changes required when staff join or leave, helping ensure identities, permissions, and devices are managed securely throughout the employment lifecycle.

New and Old Device Policy

This policy describes the control steps for onboarding new devices and handling older devices, helping ensure device posture remains compliant and that legacy risks are reduced as equipment ages.

Supported and Unsupported SW

This spreadsheet is used to track supported and unsupported software, with unsupported software expected to be isolated on a separate VLAN with no internet access to minimise exposure and reduce organisational risk.

Firewall Configuration Guide

This document is not included in the example project, but it should be added and tailored to the selected edge firewall vendor (for example, Cisco Firepower) so network boundary controls align with the wider Cyber Essentials control set.