What is Cyber Essentials Plus Scope?

The Cyber Essentials Plus scope is determined by the information provided in the foundational Cyber Essentials questionnaire. Ideally, it should encompass the entire organization, but if necessary, it can be tailored to a single network or exclude specific networks. All hardware and software within this scope must comply with the scheme's requirements if they can create user-initiated outbound connections to devices over the internet, accept inbound network connections from untrusted hosts on the internet, or regulate data flow between any of the devices and the internet.

For expert advice on how to scope your Cyber Essentials/Cyber Essentials Plus assessment, please contact us for a free consultation.

What's entailed in Cyber Essentials Plus Certification?

Within three months of completing the baseline Cyber Essentials certification, your organization must undergo a hands-on technical assessment to achieve Cyber Essentials Plus certification. This evaluation encompasses various checks, all of which must meet compliance standards for the certificate to be issued. Here's a breakdown of the steps involved in obtaining Cyber Essentials Plus:

1. Completion of the Cyber Essentials questionnaire grants the basic certification to the applicant organization.

2. The questionnaire determines the number of devices and servers to be sampled for the Cyber Essentials Plus assessment (servers only require a vulnerability scan, not comprehensive tests).

3. Your assessor obtains your internet-facing IP addresses and provides installation instructions for any required software on sampled workstations, preparing the infrastructure for assessment.

4. The assessor conducts the evaluation (details of the checks are outlined in the following sections). Your organization either passes the evaluation or receives feedback on areas requiring attention for compliance.

5. After considering the feedback, the applying organization proceeds to step 4 once more, addressing any identified areas for improvement.

External Network Vulnerability Scan

An external network vulnerability scan is conducted to identify security weaknesses at your external network border. This scan covers all publicly visible IP addresses and detects issues such as misconfigurations, outdated software, and authentication vulnerabilities. Addressing vulnerabilities posing high or critical risks (with a base CVSSv3 score of 7.0 or higher) is necessary to obtain certification. Additionally, an evaluation of internet-facing services is performed to ensure the implementation of fundamental security measures.

Authorized Patch Scan for Devices and Servers

For the sampled servers and devices that have a desktop GUI, a credentialed patch audit is carried out. This audit aims to detect unpatched or outdated software that could be exploited by attackers. To pass the assessment, any patch-related vulnerability categorized as high or critical risk (with a base CVSSv3 score of 7.0 or higher) for which a patch has been available for more than 14 days must be addressed. Additionally, action must be taken for any software identified as end-of-life. According to the guidelines, a vulnerability for which no patch has been released, or whose patch was released within 14 days of the scan, is considered acceptable.

Testing Malware Protections

The workstation's antivirus software engine undergoes scrutiny to confirm recent signature updates within 24 hours and program updates within 30 days. To ensure mobile device configurations effectively prevent malware downloads and installations, the assessor conducts various checks, including verifying compliance with Android special installation permissions and device certificates.

Testing Email Client Defenses Against Malware and Executables

The assessment of email client defenses checks that viruses and harmful executables are appropriately blocked. Various files, including executable attachments (.exe, .bat, .msi, .py, and .sh) and the EICAR test malware file, are sent to the user's mailbox. Malware files must be screened out before they reach the user's email client, while the other executable types must at least trigger a warning or give the user the chance to review the action before execution.

Testing Web Browser Defenses Against Malware and Executables

Each workstation's installed web browser will undergo assessment to ensure protection against viruses and harmful executables. For each web browser, the assessor will attempt to download and execute various test malware files. Ideally, these files should be blocked from downloading, but compliance is also achieved if they are downloaded but stopped during execution. Similarly to email client checks, the assessor will also attempt to download and execute other file types. The goal is to prompt the user to review their action before execution.

Testing Cloud Services for Enforcement of Multi-Factor Authentication

The assessor will review the cloud services accessible to each device owner, such as Google Workspace or Microsoft Office 365, to confirm the implementation of multi-factor authentication (MFA). This evaluation often includes prompting users to log into the cloud services to verify the visibility of an MFA prompt. To pass this assessment, all cloud services offering an MFA option must enforce MFA for all organization users.

Testing Account Separation

The assessor will verify that standard user accounts on sampled workstations lack administrator privileges, as elevated access should be reserved for emergency situations only. Additionally, device administrators must maintain a separate regular user account for routine tasks such as checking emails and browsing the internet.

Why Become Cyber Essentials Plus Certified?

Stakeholder Requirements: Both public and private sector organizations' supply chains are witnessing a surge in demand for Cyber Essentials Plus certification. Acquiring this certification demonstrates your commitment to robust cybersecurity practices.

Cost-effectiveness: Cyber Essentials Plus affirms that your company has fundamental measures in place to protect against various common cyber threats. It can serve as a cost-effective progression after achieving basic Cyber Essentials certification.

Clear Security Recommendations: You'll receive guidance on enhancing your company's overall security posture.

Certificate and Logo: Upon obtaining Cyber Essentials Plus certification, your company can showcase its commitment to security by displaying the Cyber Essentials Plus logo on your website and social media platforms.

Preparing for Cyber Essentials Plus

All organizations, regardless of size or sector, can benefit from Cyber Essentials Plus. With some initial preparation, you can optimize your performance on the assessment and aim for a flawless score. Here are some key steps to prepare for your Cyber Essentials Plus assessment:

Update Your Devices/Servers and Their Software

Ensure all software on your servers and devices is updated to the latest patch, and upgrade or remove any software nearing its end of life. Confirm that all software in your organization is current and devoid of unsupported programs in the days leading up to the evaluation. Timely application of high-risk and critical security fixes within 14 days of release is vital. This reduces the chances of unpatched software being detected during vulnerability scanning.
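The pass/fail rule described in the patch audit section and restated here (CVSSv3 base score of 7.0 or higher, patch available for more than 14 days, or end-of-life software) can be applied to scan output ahead of the assessment. The following is an added example, not code from the page or from any scanner; the `Finding` fields and the sample findings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds as stated on the page: high/critical is a CVSSv3 base score of
# 7.0 or higher, and such fixes must be applied within 14 days of release.
HIGH_RISK_CVSS = 7.0
PATCH_GRACE_DAYS = 14


@dataclass
class Finding:
    """One credentialed-scan finding (constructed fields, not a real scanner schema)."""
    host: str
    software: str
    cvss_v3: float
    patch_released: Optional[date]  # None means no vendor patch exists yet
    end_of_life: bool = False


def assess(finding: Finding, scan_date: date) -> tuple:
    """Return ("FAIL" | "PASS", reason) for one finding under the CE+ patch rules."""
    if finding.end_of_life:
        return "FAIL", "end-of-life software must be upgraded or removed"
    if finding.cvss_v3 < HIGH_RISK_CVSS:
        return "PASS", "below the high/critical threshold"
    if finding.patch_released is None:
        return "PASS", "no patch has been released yet"
    age = (scan_date - finding.patch_released).days
    if age > PATCH_GRACE_DAYS:
        return "FAIL", f"patch available for {age} days (more than {PATCH_GRACE_DAYS})"
    return "PASS", f"patch released {age} days ago, still within the grace period"


def failing_findings(findings, scan_date):
    """List (host, software, reason) for every finding that would block certification."""
    results = [(f, assess(f, scan_date)) for f in findings]
    return [(f.host, f.software, reason) for f, (verdict, reason) in results if verdict == "FAIL"]


# Constructed sample scan: four findings across three hosts.
SCAN_DATE = date(2024, 3, 1)
SAMPLE = [
    Finding("ws-01", "Browser", 8.8, date(2024, 2, 1)),            # 29 days old -> FAIL
    Finding("ws-02", "PDF reader", 9.1, date(2024, 2, 20)),        # 10 days old -> PASS
    Finding("ws-03", "Office suite", 5.3, date(2023, 12, 1)),      # medium severity -> PASS
    Finding("srv-01", "Legacy OS", 7.5, None, end_of_life=True),   # end-of-life -> FAIL
]
```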

Checking Anti-Virus Software Configuration

Ensure that your servers and devices are equipped with the latest versions of anti-virus software, and that signatures are updated every 24 hours. Enable automatic updates where possible. Also, confirm that your antivirus program scans files upon access, preferably immediately upon download.

Check Your Internet-Facing Services

Confirm that internet-facing services are deactivated when not in use. Ensure that default passwords are changed and that there are measures in place to mitigate brute-force attacks for any internet-facing services requiring authentication to access user or organizational data. This includes implementing multi-factor authentication and/or establishing an account lockout policy. In instances where throttling or account lockout mechanisms are in place, verify that users are restricted to a maximum of 10 attempts within a 5-minute timeframe.
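One way to verify the lockout threshold above before the assessor does is to replay an authentication log and flag every attempt a service still processed after the user had already made 10 attempts within the previous 5 minutes. This is an added example, not code from the page or the provider; the log line format (ISO timestamp, user, outcome of FAIL, SUCCESS or LOCKED) and the sample entries are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Page threshold: at most 10 authentication attempts within a 5-minute window.
MAX_ATTEMPTS = 10
WINDOW = timedelta(minutes=5)


def find_lockout_violations(log_lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Replay an auth log (constructed format: '<iso-timestamp> <user> <outcome>')
    and return (user, timestamp) for each attempt the service processed as FAIL or
    SUCCESS although the user already had max_attempts attempts inside the window.
    A compliant service would have reported LOCKED for those attempts instead."""
    recent = defaultdict(deque)  # user -> timestamps of attempts still inside the window
    violations = []
    for line in log_lines:
        ts, user, outcome = line.split()
        when = datetime.fromisoformat(ts)
        window_attempts = recent[user]
        while window_attempts and when - window_attempts[0] > window:
            window_attempts.popleft()  # sliding window: forget attempts older than 5 minutes
        if outcome != "LOCKED" and len(window_attempts) >= max_attempts:
            violations.append((user, ts))
        window_attempts.append(when)
    return violations


def _lines(user, start, count, step_seconds, outcome):
    """Build constructed log lines for one user at a fixed interval."""
    return [f"{(start + timedelta(seconds=step_seconds * i)).isoformat()} {user} {outcome}"
            for i in range(count)]


T0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_LOG = sorted(
    _lines("bob", T0, 12, 10, "FAIL")                                # 12 failures in 2 minutes, never locked
    + _lines("alice", T0, 10, 10, "FAIL")                            # 10 failures ...
    + _lines("alice", T0 + timedelta(seconds=100), 1, 0, "LOCKED")   # ... then the 11th is refused
    + _lines("carol", T0, 10, 120, "FAIL")                           # one failure every 2 minutes
)
```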

Confirm that Multi-Factor Authentication (MFA) is mandated for all users of cloud services

Ensure that every cloud service your organization uses that offers MFA has it enforced for all users, since the assessor will have device owners log in to confirm that an MFA prompt appears.

Verify that account separation is upheld for user accounts

Ensure that owners of workstations with administrative user accounts also possess a standard user account for routine tasks. Administrative accounts should only be utilized for critical privileged operations, such as software installation. Additionally, ensure that individuals do not share accounts.

Certification & Support

Remote

Expert advice and support throughout the process

Internal credentialed scans

External vulnerability scans

Report

Certification incl. logo

Free re-testing

Cyber Essentials Cost:

From £999 +VAT per month (dependent on organization size and employee count)

Cyber Essentials Services

Cyber Essentials helps you to guard your organisation against cyber attack.