Cyber Essentials and Audit
The Cyber Essentials Plus certification additionally requires you to carry out an independent External Vulnerability Assessment of your infrastructure to provide more assurance that you are complying with the Cyber Essentials Scheme above the basic self-assessment level.
You need to complete your Cyber Essentials Plus audit within 3 months of your last Cyber Essentials basic certification; however, both can also be completed at the same time.
What happens during the vulnerability assessment?
Our External Vulnerability Assessment directly tests the controls in place on your network perimeter and highlights any obvious vulnerabilities via:
- A full TCP port scan for all IP addresses within specified ranges
- Scanning for known common UDP services for all IP addresses within specified ranges
- Basic web application scanning for common vulnerabilities performed from an unauthenticated user perspective
- Testing of inbound email binaries and payloads using a remote test account and desktop/laptop to send multiple emails containing one of the test files detailed by the certificating body
- A test from a website page with URLs linking to a set of test binaries
- Authenticated vulnerability scan of hosts using an approved industry-standard workstation build review tool to perform an administrator-level scan including local checks for each host within a sample set. This stage also includes a patch check for operating system updates and common applications, and a check of any antivirus solutions in use
What do I get on completion?
When the assessment has been successfully completed, we will deliver the following:
- A report listing all identified risks scored using the CVSSv2 standard, covering all five Cyber Essentials technical control themes
- Recommendations to further comply with the government standard
- Your Cyber Essentials Plus Certificate and badge
Gaining your Cyber Essentials Plus certificate evidences your commitment to cyber security.