Explore our free Cyber Essentials Plus checklist


Cyber Essentials Plus is the higher of the two certification levels of Cyber Essentials, the NCSC-backed scheme designed to help organisations guard against the most common cyber threats and demonstrate their commitment to cyber security. Find out more about this certification below.

Cyber Essentials Plus checklist

British Assessment Bureau can help clients achieve certification to Cyber Essentials (CE) and Cyber Essentials Plus (CE+). Both are delivered under the IASME Consortium, the sole Cyber Essentials partner of the National Cyber Security Centre (NCSC), the UK government body that owns the scheme.

What is Cyber Essentials?

Cyber Essentials is a government-backed scheme designed to help organisations identify and guard against the most common cyber threats and demonstrate their commitment to cyber security. Cyber Essentials certification is mandatory for suppliers on certain contracts with some government departments, such as the Ministry of Defence and HMRC.

There are two levels of certification, Cyber Essentials, and Cyber Essentials Plus.

  • Cyber Essentials (CE) – CE is an independently verified self-assessment. Organisations complete a self-assessment questionnaire against five basic technical controls, and a qualified assessor reviews the answers. The controls cover firewalls, secure configuration, user access control, malware protection, and security update (patch) management.
  • Cyber Essentials Plus (CE+) – CE+ is a higher level of assurance. A qualified, independent assessor tests that the same five controls work in practice on the in-scope systems: vulnerability scans of internet-facing and internal systems, and tests that malware sent as an email attachment or downloaded through a web browser is blocked. In effect it is a technical audit confirming that the controls have been applied as described in the CE self-assessment.

Organisations need to obtain CE certification before gaining CE+ certification.

Why you should get Cyber Essentials certification

Achieving Cyber Essentials certification helps protect your organisation against the most common, commodity cyber attacks, keeping important data safer and reassuring customers of your organisation’s resilience to cyber threats.

Benefits include:

  • Customer reassurance – build trust and confidence in your IT systems and your ability to protect sensitive customer data.
  • Protect your business – make it much harder for opportunistic attackers to steal intellectual property or compromise information systems.
  • Tender requirements – many businesses and organisations require suppliers to hold valid Cyber Essentials certification.
  • IT awareness – build an understanding of your existing IT robustness to meet compliance and governance requirements.

Read our guide to Cyber Essentials and working with the MoD.

Cyber Essentials Plus requirements

Cyber Essentials Plus adds several technical tests over and above the basic Cyber Essentials assessment. The tests are more complex and need more preparation. A failure in any one test area results in an overall fail.

To achieve Cyber Essentials Plus, a certification body conducts a range of external and internal technical tests to validate the additional elements. If every test passes, the certification body awards the CE+ certificate. IASME requires the CE+ assessment to be completed within three months of obtaining CE.

Additional Cyber Essentials Plus elements include:

  • Authenticated (credentialed) vulnerability scanning of a representative sample of user devices and of in-scope servers, including internet-facing ones.
  • Unauthenticated vulnerability scanning of external, internet-facing infrastructure.
  • Password guessing against exposed authentication services.
  • Email attachment tests – malware test files sent to a user mailbox must be blocked or quarantined before the user can open them.
  • Web browser download checks – the same test files downloaded through each in-scope browser must be blocked on the device.
  • Review of mobile devices such as smartphones and tablets.

Tests for CE+ include a representative set of user devices, all internet gateways, and all servers with services accessible to unauthenticated internet users. It is recommended that other devices such as additional servers and network hardware are also scanned to provide a complete assessment of the infrastructure.

Cloud services are in scope. Under the current NCSC requirements (from the January 2022 “Evendine” revision onwards) all cloud services the organisation uses, whether Software as a Service (SaaS) such as Microsoft 365 (formerly Office 365), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), fall within the assessment boundary. Responsibility is shared with the provider: for SaaS the organisation is responsible for the controls it can configure, such as user accounts and multi-factor authentication; for IaaS it is also responsible for patching and securely configuring the operating systems and software it installs; PaaS sits in between and the split should be agreed with the certification body. Earlier versions of the scheme treated SaaS as out of scope; that is no longer the case.

Cyber Essentials Plus – preparation process

Cyber Essentials itself is verified from your self-assessment, but for Cyber Essentials Plus your organisation should arrange a pre-assessment appraisal through a certification body such as British Assessment Bureau. The appraisal sets out the overall process and the vulnerability scanning software and settings that will be used, so that you can prepare for the assessment properly.

Pre-scans should be run before the pre-audit so that issues can be flagged and discussed with the certification body before the formal assessment.

Typical CE+ certification pre-assessment preparation includes:

  • Assessment scoping:
    • Head office, including all internet-facing devices
    • Scans of each computer build type
    • Remote office scanning from head office – usually 20% of remote offices, with a site visit required where remote scanning is not possible.
  • External (internet-facing) network vulnerability scanning
  • Anti-virus response to the EICAR test file – a harmless, standardised file published by the European Institute for Computer Antivirus Research that anti-virus products are designed to detect. It is used to confirm that malware protection blocks the file when it arrives as an email attachment and as a browser download.
  • User Account Control (UAC) and account separation – confirming that day-to-day user accounts are not administrators, and that administrative actions prompt for separate administrator credentials.

Following the onsite tests, British Assessment Bureau also conducts an external vulnerability scan and the email attachment test.
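The email attachment and browser download tests above both come down to the same question: does the endpoint's malware protection stop the EICAR test file, in whatever wrapper it arrives? The following Python script is an added example for rehearsing that before the assessor visits; it is not part of this page or of British Assessment Bureau's tooling. It writes the public EICAR file to a directory on the endpoint under test, in three delivery forms assumed here (bare file, zipped, and zipped twice), then watches whether the anti-virus refuses the write or removes, quarantines or alters each file within a short window. Run it on the device itself, as the user who would receive the email or download.

```python
"""Pre-assessment rehearsal of the CE+ malware protection tests.

Added example, not part of the original page or of British Assessment
Bureau's own tooling. The delivery forms (bare, zip, nested zip) are an
assumption about what an assessor sends; the EICAR string itself is
the public test string and is harmless by design.
"""
import io
import os
import tempfile
import time
import zipfile

# The EICAR string is split in two so that scanners matching it verbatim
# do not quarantine this script; the file written to disk is the real thing.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
EICAR = "".join(_EICAR_PARTS).encode("ascii")


def zip_bytes(inner_name, data):
    """Return a zip archive (as bytes) holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


def build_test_files():
    """Map of file name -> bytes for each delivery form (constructed here)."""
    single = zip_bytes("eicar.com", EICAR)
    return {
        "eicar.com": EICAR,
        "eicar.zip": single,
        "eicar-nested.zip": zip_bytes("eicar.zip", single),
    }


def unwrap(data):
    """Peel zip layers until the innermost member is reached. Used to check
    that the constructed archives really do contain the test file."""
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    return data


def _intact(path, expected):
    """True if the file still exists and still holds the test payload."""
    try:
        with open(path, "rb") as fh:
            return fh.read() == expected
    except OSError:
        return False


def run_self_check(directory=None, wait_seconds=10.0, poll_seconds=0.5):
    """Write the test files and watch for the anti-virus reaction.

    Returns {file name: True if blocked (write refused, or file removed or
    altered within wait_seconds), False if the payload survived untouched}.
    Surviving files are deleted before returning so nothing is left behind.
    """
    directory = directory or tempfile.mkdtemp(prefix="ceplus-av-")
    files = build_test_files()
    pending, results = {}, {}
    for name, data in files.items():
        path = os.path.join(directory, name)
        try:
            with open(path, "wb") as fh:
                fh.write(data)
        except OSError:
            results[name] = True      # on-access scanner refused the write
            continue
        pending[name] = path

    deadline = time.monotonic() + wait_seconds
    while True:
        for name, path in list(pending.items()):
            if not _intact(path, files[name]):
                results[name] = True  # removed, quarantined or neutralised
                del pending[name]
        if not pending or time.monotonic() >= deadline:
            break
        time.sleep(poll_seconds)

    for name, path in pending.items():
        results[name] = False         # survived: a malware protection gap
        try:
            os.remove(path)
        except OSError:
            pass
    return results


if __name__ == "__main__":
    for name, blocked in run_self_check().items():
        print(f"{name:18} {'BLOCKED' if blocked else 'NOT BLOCKED'}")
```

Writing to disk exercises only on-access scanning, which is the weakest of the paths the assessor uses. To rehearse the real delivery routes, send the same three files to a test mailbox from an external address and serve them from a web server you control, then confirm that the mail filter, the browser and the endpoint each stop them. Any "NOT BLOCKED" result, on any path, is a CE+ fail waiting to happen.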

Cyber Essentials Plus checklist

As well as conducting preparation planning ahead of undergoing a Cyber Essentials Plus assessment, it’s important to monitor and keep IT systems updated and security controls in place and effective.

Our Cyber Essentials Plus checklist includes:

  • Keep software up to date and remove or replace unsupported software; the operating system and applications on every in-scope device must still be supported by the vendor.
  • Use suitable firewalls (boundary and host-based) that are maintained and updated, with rules reviewed regularly and no unnecessary services exposed to the internet.
  • Ensure exposed services use strong, unique passwords. The scheme favours length over forced complexity: at least 12 characters, or at least 8 characters with automatic blocking of common passwords, or at least 8 characters where multi-factor authentication is also in place. Combine this with brute-force protection (throttling or lockout) and enable multi-factor authentication wherever the service supports it, including all cloud services.
  • Change default passwords on every device and service, and change any password promptly when it is known or suspected to be compromised. Routine forced password expiry is not required by the scheme, and NCSC advises against it.
  • Ensure patch management processes are robust. Updates that fix critical or high-severity vulnerabilities (or have a CVSS v3 base score of 7.0 or above, or come with no severity details from the vendor) must be applied within 14 days of release; an in-scope device found with such an update missing for more than 14 days is a CE+ fail. Test updates on a representative device before wide rollout, since they occasionally introduce compatibility problems, but keep that testing inside the 14-day window.
  • Ensure device firmware, operating systems and applications are up to date, and retire devices that cannot run a supported operating system.
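The 14-day rule is the checklist item that most often causes a CE+ fail, because it is easy to lose track of which pending updates actually start the clock. The following Python script is an added example, not part of this page, that triages a list of pending updates against the rule as stated in the NCSC requirements: the window applies when the vendor rates the fixed vulnerabilities critical or high, when their CVSS v3 base score is 7.0 or above, or when the vendor publishes no severity details at all. It goes slightly beyond the checklist wording by encoding those three triggers. The update list is constructed sample data; in practice you would build it from your patch management tool's export.

```python
"""Triage pending updates against the Cyber Essentials 14-day rule.

Added example, not part of the original page. SAMPLE_UPDATES and
ASSESSMENT_DATE are constructed so the script runs offline; replace them
with real data from your patch management tooling.
"""
from datetime import date, timedelta

DEADLINE_DAYS = 14      # days from release within which the update must be applied
CVSS_THRESHOLD = 7.0    # CVSS v3 base score at or above which the rule applies


def in_scope_of_14_day_rule(update):
    """True if the 14-day clock applies to this update.

    Triggers: vendor severity critical/high, CVSS v3 >= 7.0, or no severity
    information published at all (the requirement treats silence as in scope).
    """
    severity = (update.get("vendor_severity") or "").strip().lower()
    cvss = update.get("cvss_v3")
    if severity in ("critical", "high"):
        return True
    if cvss is not None and cvss >= CVSS_THRESHOLD:
        return True
    return not severity and cvss is None


def triage(updates, today):
    """Split in-scope updates into (overdue, due_soon).

    Each entry is (name, days): days past the deadline for overdue items,
    days remaining for the rest. Both lists are sorted most urgent first.
    """
    overdue, due_soon = [], []
    for u in updates:
        if not in_scope_of_14_day_rule(u):
            continue
        deadline = u["released"] + timedelta(days=DEADLINE_DAYS)
        days_left = (deadline - today).days
        if days_left < 0:
            overdue.append((u["name"], -days_left))
        else:
            due_soon.append((u["name"], days_left))
    overdue.sort(key=lambda item: -item[1])
    due_soon.sort(key=lambda item: item[1])
    return overdue, due_soon


# Constructed sample data (names and dates are illustrative, not real releases).
ASSESSMENT_DATE = date(2024, 3, 1)
SAMPLE_UPDATES = [
    {"name": "OS cumulative update", "released": date(2024, 2, 1),
     "vendor_severity": "Critical", "cvss_v3": 9.8},
    {"name": "Browser update", "released": date(2024, 2, 20),
     "vendor_severity": "High", "cvss_v3": 8.1},
    {"name": "Printer driver (no severity published)", "released": date(2024, 1, 10),
     "vendor_severity": None, "cvss_v3": None},
    {"name": "Office feature update", "released": date(2024, 1, 5),
     "vendor_severity": "Moderate", "cvss_v3": 5.3},
    {"name": "VPN client", "released": date(2024, 2, 25),
     "vendor_severity": "Moderate", "cvss_v3": 7.5},
]


def sample_triage():
    """Run the triage over the constructed sample as of ASSESSMENT_DATE."""
    return triage(SAMPLE_UPDATES, ASSESSMENT_DATE)


if __name__ == "__main__":
    overdue, due_soon = sample_triage()
    for name, days in overdue:
        print(f"OVERDUE  {days:3d} days past deadline  {name}")
    for name, days in due_soon:
        print(f"DUE      {days:3d} days left            {name}")
```

Note the two cases that catch people out: the "Office feature update" drops out because the vendor rates it moderate and its score is below 7.0, while the "Printer driver" with no published severity stays in scope and is the most overdue item in the sample. Both behaviours follow the requirement's wording rather than a vendor's default patch-tool filter.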

Effective Cyber Essentials Plus preparation can save time and money, providing insights into your IT infrastructure and identifying gaps and issues before undertaking a certification assessment. CE+ requires higher standards and more detailed assessment, with a greater level of scrutiny that raises the bar in terms of successful certification.

If your organisation is looking to protect itself at this higher level and make a statement to potential customers, we believe it is worth the extra work and investment, particularly as, in our experience, the process of achieving Cyber Essentials certification helps you identify areas of weakness and make the necessary adjustments.

Cyber Essentials Plus support

If you’re looking to achieve Cyber Essentials certification or would like to have a chat about any aspect of your own cyber security strategy, please get in touch with the expert team at British Assessment Bureau or request a quote today.

Written by Amtivo Admin
