Cyber Essentials Plus
Cyber Essentials is a UK Government-backed scheme designed to help organisations guard against the most common cyber threats. Cyber Essentials Plus demonstrates an even higher level of commitment to cyber security and data protection.
The National Cyber Security Centre (part of GCHQ) launched the Cyber Essentials scheme to enable organisations to gain one of two badges: Cyber Essentials (CE) and Cyber Essentials Plus (CE+)
Becoming CE+ Certified
Cyber Essentials is a self-assessment certification that requires a questionnaire to be completed and submitted to the IASME Consortium, who were appointed by the NCSC as their selected Accreditation Partner in April 2020.
Organisations holding certifications are publicly listed on IASME’s certificate-search database making it easy to identify if you are CE/CE+ certified or not:
https://iasme.co.uk/cyber-essentials/ncsc-certificate-search/
Being CE Certified means that you will ensure your security defences stand up to cyber-attacks as you will learn how to address, protect and prevent common threats.
The Basic Cyber Essentials certification verifies that an organisation meets the requirements outlined under five specific technical control themes:
- Firewalls
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
The Cyber Essentials Plus certification additionally requires you to carry out an independent External Vulnerability Assessment of your infrastructure to provide more assurance that you are complying with the Cyber Essentials Scheme above the basic self-assessment level.
You need to complete your Cyber Essentials PLUS audit within 3 months of your last Cyber Essentials basic certification – however both can also be completed at the same time.
What happens during the vulnerability assessment?
Our External Vulnerability Assessment directly tests the controls in place on your network perimeter and highlights any obvious vulnerabilities via:
- A full TCP port scan for all IP addresses within specified ranges
- Scanning for known common UDP services for all IP addresses within specified ranges
- Basic web application scanning for common vulnerabilities performed from an unauthenticated user perspective
- Testing of inbound email binaries and payloads using a remote test account and desktop/laptop to send multiple emails containing one of the test files detailed by the certificating body
- A test from a website page with URLs linking to a set of test binaries
- Authenticated vulnerability scan of hosts using an approved industry- standard workstation build review tool to perform an administrator-level scan including local checks for each host within a sample set. This stage also includes a patch check for operating system updates and common applications, and a check of any antivirus solutions in use
What do I get on completion?
When the assessment has been all successfully completed, we will deliver the following:
- A report listing all identified risks scored using the CVSSv2 standard covering all five Cyber Essentials technical control themes
- Recommendations to further comply with the government standard
- Your Cyber Essentials Plus Certificate and badge
Gaining your Cyber Essentials Plus certificate evidences your commitment to cyber security. Get in touch with us about becoming CE+ certified today.