Cyber Essentials Plus Checklist
The Cyber Essentials scheme was designed to help organisations implement a basic level of cyber security to protect against around 80% of common cyber attacks.
There are two levels of certification: Cyber Essentials and Cyber Essentials Plus.
Both have the same requirements, but Cyber Essentials Plus certification involves a technical assessment, which provides an extra level of assurance about the effectiveness of the controls your organisation has implemented.
What is Cyber Essentials?
The Cyber Essentials scheme is backed by the UK government and the NCSC (National Cyber Security Centre), and administered by the IASME Consortium, which licenses certification bodies to carry out Cyber Essentials assessments and issue certifications.
The scheme sets out five cyber security controls, covering:
- Firewalls and routers;
- Software updates;
- Malware protection;
- Access control; and
- Secure configuration.
Implementing and maintaining these controls help organisations protect themselves from common cyber attacks, including phishing attacks, and ransomware and other malware attacks.
Why get Cyber Essentials Plus certification?
Like Cyber Essentials certification, Cyber Essentials Plus certification demonstrates that your organisation has implemented the five basic controls, which:
- Prevents around 80% of cyber attacks;
- Improves supply-chain security;
- Enables you to win new business;
- Permits you to work with the UK government and MOD; and
- Reassures stakeholders that you are committed to securing your and your customers’ data.
The extra level of assurance gained by a technical audit of your in-scope systems demonstrates that the cyber security measures you have implemented are working effectively.
Cyber Essentials Plus requirements
Cyber Essentials Plus has the same requirements as Cyber Essentials.
Unlike Cyber Essentials, which organisations can certify to by completing an SAQ (self-assessment questionnaire), Cyber Essentials Plus certification involves an additional technical audit of in-scope systems: an on-site or remote assessment, internal vulnerability scans and an external vulnerability scan, all conducted by the certification body.
- The internal scan will check your patches and system configurations.
- The security and anti-malware tests ensure that your organisation’s systems are resistant to malicious email attachments and web-downloadable binaries.
- The external scan will check patches and system configurations for your public-facing infrastructure.
These tests include:
- Inbound email binaries and payloads.
- Malicious and non-malicious browser file download tests.
- Authenticated and unauthenticated vulnerability and patch verification scans.
- Account separation to confirm standard users do not have administrative privileges.
- Multi-factor authentication checks.
Cyber Essentials Plus preparation process
Download and read Cyber Essentials Requirements for IT infrastructure. This will help you define your scope. You are asked to confirm that you have read this as part of your application.
Identify what is in and what is out of scope. Whatever you decide the scope of your certification to be, it must be clearly defined.
Complete your SAQ. Verify that your IT infrastructure is suitably secure and meets the standards set by the scheme.
Submit your SAQ for official assessment. An IT Governance Cyber Essentials assessor will review your submitted SAQ and pass or fail it accordingly. If you are successful, you will be issued with your Cyber Essentials certificate. You will then have three months to complete your Cyber Essentials Plus submission.
Undergo on-site or remote assessment and external scans. All elements of the on-site/remote assessment and internal/external scans must be completed within three months of achieving Cyber Essentials certification.
If we identify any nonconformities, you will receive feedback to help you close these gaps. Reassessment must be conducted within one month of the initial assessment to confirm any vulnerabilities are resolved.
Cyber Essentials Plus checklist
Firewalls create a barrier between your network and other, external networks. For all firewalls, you should:
- Change any default administrative password to an alternative – using best practices – or disable remote administrative access entirely;
- Prevent access to the administrative interface from the Internet unless there is a clear and documented business need, and protect the interface with one of the following controls:
- A second authentication factor, such as a one-time token; or
- An IP whitelist that limits access to a small range of trusted addresses.
- Block unauthenticated inbound connections by default;
- Ensure inbound firewall rules are approved and documented by an authorised individual; the organisational need for each rule must be included in the documentation;
- Remove or disable permissive firewall rules as soon as they are not needed; and
- Use a host-based firewall on devices that are used on untrusted networks, such as public Wi-Fi hotspots.
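The firewall items above can be turned into a repeatable review of an exported rule set before the assessor's scan. The following Python script is an added example, not part of this checklist or of IT Governance's assessment tooling: it assumes a rule list in the constructed `Rule` shape (real firewalls export differently), treats the ports in `ADMIN_PORTS` as the ones that expose an administrative interface, and flags inbound allow rules that lack a documented need or approver, expose an admin port to any source without a second factor, have passed their expiry date, or sit in a rule set with no final default deny.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Ports assumed to expose the firewall's administrative interface. This is an
# assumption for the example, not a figure from the scheme; adjust it to the
# appliance in scope.
ADMIN_PORTS = {22, 443, 3389, 8443}

# Constructed "today" used when reviewing the sample rule set below.
AUDIT_DATE = date(2024, 3, 1)


@dataclass
class Rule:
    name: str
    direction: str             # "inbound" or "outbound"
    action: str                # "allow" or "deny"
    source: str                # CIDR the rule matches on
    dest_port: Optional[int]   # None means "any port"
    justification: str = ""    # documented organisational need for the rule
    approved_by: str = ""      # authorised individual who approved it
    expires: Optional[date] = None
    mfa_required: bool = False  # a second factor protects the exposed service


def review_rules(rules: List[Rule], today: date) -> List[Tuple[str, str]]:
    """Return (rule name, issue) pairs for inbound rules that miss the checklist."""
    findings: List[Tuple[str, str]] = []
    has_default_deny = False
    for r in rules:
        if r.direction != "inbound":
            continue
        net = ipaddress.ip_network(r.source, strict=False)
        any_source = net.prefixlen == 0          # 0.0.0.0/0 or ::/0, i.e. the Internet
        any_port = r.dest_port is None
        if r.action == "deny" and any_source and any_port:
            has_default_deny = True              # unauthenticated inbound blocked by default
            continue
        if r.action != "allow":
            continue
        if not r.justification or not r.approved_by:
            findings.append((r.name, "inbound allow rule lacks a documented need or approver"))
        if (any_port or r.dest_port in ADMIN_PORTS) and any_source and not r.mfa_required:
            findings.append((r.name, "admin interface reachable from the Internet "
                                     "without a second factor or IP allowlist"))
        if r.expires is not None and r.expires < today:
            findings.append((r.name, "rule is past its expiry date; remove or disable it"))
    if not has_default_deny:
        findings.append(("policy", "no default deny for unauthenticated inbound connections"))
    return findings


# Constructed sample rule set (documentation-range addresses, invented names).
SAMPLE_RULES = [
    Rule("vpn-in", "inbound", "allow", "0.0.0.0/0", 1194,
         "Remote-access VPN for staff", "Head of IT"),
    Rule("mgmt-ssh-any", "inbound", "allow", "0.0.0.0/0", 22),
    Rule("mgmt-ssh-office", "inbound", "allow", "203.0.113.0/28", 22,
         "Admin access from the office range", "Head of IT"),
    Rule("contractor-rdp", "inbound", "allow", "198.51.100.7/32", 3389,
         "Vendor support engagement", "Head of IT", expires=date(2024, 1, 31)),
    Rule("default-deny", "inbound", "deny", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name, issue in review_rules(SAMPLE_RULES, AUDIT_DATE):
        print(f"{name}: {issue}")
```

Run against the sample, the script reports the undocumented SSH rule twice (no approver, and exposed to any address without a second factor) and the expired contractor rule once; the office-range SSH rule passes because its source is a small allowlist rather than the whole Internet.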
Applying patches and keeping software up to date will ensure newly discovered security vulnerabilities are closed. You should routinely ensure that software is:
- Licensed and supported;
- Removed from devices when no longer supported; and
- Patched within 14 days of an update being released in cases where the patch fixes a vulnerability with a severity the vendor describes as ‘critical’ or ‘high risk’.
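The 14-day patch window and the "remove unsupported software" item are the parts of this section an assessor's authenticated scan tests directly, so it pays to check them yourself first. The following Python script is an added example, not the scheme's or IT Governance's own tooling: it assumes a constructed software inventory and a constructed list of vendor advisories (product names, versions and dates are invented), compares installed versions against the fixed-in version of each critical or high advisory, and reports how many days each missing fix is past the 14-day deadline, together with any software past its end-of-support date.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)          # scheme requirement for critical/high fixes
IN_SCOPE_SEVERITIES = {"critical", "high"}  # vendor severities the 14-day rule applies to
AUDIT_DATE = date(2024, 3, 1)              # constructed "today" for the sample


def parse_version(v: str) -> tuple:
    """Turn a dotted version such as '120.0.1' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


# Constructed vendor advisories (invented products, versions and dates).
ADVISORIES: List[Dict] = [
    {"product": "examplebrowser", "fixed_in": "120.0.1", "severity": "Critical", "released": date(2024, 2, 1)},
    {"product": "examplebrowser", "fixed_in": "119.0.5", "severity": "Low", "released": date(2024, 1, 10)},
    {"product": "officesuite", "fixed_in": "16.2.0", "severity": "High", "released": date(2024, 2, 20)},
    {"product": "pdfreader", "fixed_in": "3.1.0", "severity": "High", "released": date(2023, 12, 1)},
    {"product": "vpnclient", "fixed_in": "5.0.2", "severity": "High", "released": date(2024, 2, 25)},
]

# Constructed inventory for one in-scope device: installed version and the
# vendor's end-of-support date (None when the product is still supported).
INVENTORY: Dict[str, Dict] = {
    "examplebrowser": {"version": "119.0.5", "end_of_support": None},
    "officesuite": {"version": "16.2.0", "end_of_support": None},
    "pdfreader": {"version": "2.9.0", "end_of_support": None},
    "vpnclient": {"version": "5.0.1", "end_of_support": None},
    "legacyapp": {"version": "1.0", "end_of_support": date(2023, 6, 30)},
}


def check_software(inventory: Dict[str, Dict], advisories: List[Dict], today: date) -> List[Dict]:
    """List unsupported software and missing critical/high patches with days overdue."""
    findings: List[Dict] = []
    # Software that is no longer supported must be removed from the device.
    for product, info in inventory.items():
        eos: Optional[date] = info["end_of_support"]
        if eos is not None and eos < today:
            findings.append({"product": product, "issue": "unsupported",
                             "days_overdue": (today - eos).days})
    # Critical/high fixes must be applied within 14 days of release.
    for adv in advisories:
        if adv["severity"].lower() not in IN_SCOPE_SEVERITIES:
            continue
        info = inventory.get(adv["product"])
        if info is None or parse_version(info["version"]) >= parse_version(adv["fixed_in"]):
            continue                        # not installed, or already patched
        deadline = adv["released"] + PATCH_WINDOW
        findings.append({"product": adv["product"], "issue": "missing_patch",
                         "severity": adv["severity"], "fixed_in": adv["fixed_in"],
                         "deadline": deadline,
                         "days_overdue": max(0, (today - deadline).days)})
    return findings


if __name__ == "__main__":
    for f in check_software(INVENTORY, ADVISORIES, AUDIT_DATE):
        print(f)
```

On the sample data the unsupported legacy application and the browser and PDF reader patches are already overdue, while the VPN client fix is still inside its window (zero days overdue) and is listed so it can be scheduled; the "Low" advisory is ignored because the 14-day rule applies only to critical and high severities.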
Malware protection reduces the risk of malicious software compromising your systems. You should:
- Keep anti-malware software up to date, with signature files updated at least daily;
- Configure anti-malware software to scan files automatically upon access. This includes when files are downloaded and opened, and when they are accessed from a network folder;
- Ensure anti-malware software scans web pages automatically when they are accessed through a web browser; and
- Ensure anti-malware software prevents connections to malicious websites.
Access controls ensure that administrative and other privileges are assigned only to authorised individuals. You should routinely:
- Authenticate users before granting access to applications or devices, using unique credentials;
- Remove or disable user accounts when no longer required;
- Implement two-factor authentication, where available;
- Use administrative accounts to perform administrative activities only; and
- Remove or disable special access privileges when no longer required.
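The access control items above, together with the account separation and multi-factor authentication checks the assessor performs (listed under the Cyber Essentials Plus requirements), reduce to a handful of tests over an account export. The following Python script is an added example and not part of this checklist or of any assessor's toolkit: it assumes a constructed list of accounts in the `Account` shape, treats membership of the groups in `ADMIN_GROUPS` as administrative privilege, and uses a 90-day dormancy threshold that is an assumption for the example rather than a scheme figure. It flags standard accounts holding administrative privileges, administrative accounts used for day-to-day work, leavers' accounts that are still enabled, dormant accounts, and accounts that could use two-factor authentication but have not enabled it.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple

AUDIT_DATE = date(2024, 3, 1)             # constructed "today" for the sample
DORMANT_AFTER = timedelta(days=90)        # assumption for the example, not a scheme figure
ADMIN_GROUPS = {"Domain Admins", "Administrators", "sudo"}   # assumed privileged groups


@dataclass
class Account:
    name: str
    purpose: str                 # "standard" (day-to-day work) or "admin"
    groups: List[str]
    enabled: bool
    last_logon: date
    mfa_available: bool          # the service offers a second factor
    mfa_enrolled: bool           # the account actually uses it
    owner_left: bool = False     # HR records show the person has left
    used_for_email_or_web: bool = False   # admin account seen doing non-admin tasks


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account name, issue) pairs for accounts that miss the checklist."""
    findings: List[Tuple[str, str]] = []
    for a in accounts:
        privileged = bool(set(a.groups) & ADMIN_GROUPS)
        if a.purpose == "standard" and privileged:
            findings.append((a.name, "standard user account holds administrative privileges"))
        if a.purpose == "admin" and a.used_for_email_or_web:
            findings.append((a.name, "administrative account used for non-administrative activity"))
        if a.owner_left and a.enabled:
            findings.append((a.name, "account of a leaver is still enabled"))
        if a.enabled and today - a.last_logon > DORMANT_AFTER:
            findings.append((a.name, "account dormant beyond the threshold; confirm it is still required"))
        if a.enabled and a.mfa_available and not a.mfa_enrolled:
            findings.append((a.name, "two-factor authentication available but not enabled"))
    return findings


# Constructed sample export (invented names; one issue per problematic account).
SAMPLE_ACCOUNTS = [
    Account("alice", "standard", ["staff"], True, date(2024, 2, 28), True, True),
    Account("alice-adm", "admin", ["Domain Admins"], True, date(2024, 2, 27), True, True),
    Account("bob", "standard", ["staff", "Domain Admins"], True, date(2024, 2, 29), True, True),
    Account("carol", "standard", ["staff"], True, date(2024, 1, 15), True, True, owner_left=True),
    Account("svc-backup", "standard", ["staff"], True, date(2023, 10, 1), False, False),
    Account("dave-adm", "admin", ["Administrators"], True, date(2024, 2, 20), True, False),
    Account("erin-adm", "admin", ["Domain Admins"], True, date(2024, 2, 29), True, True,
            used_for_email_or_web=True),
]

if __name__ == "__main__":
    for name, issue in review_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{name}: {issue}")
```

The paired accounts `alice` and `alice-adm` show the separation the assessor looks for: the standard account does the daily work and holds no privileged group membership, while the administrative account is used only for administrative tasks and is protected by a second factor.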
Secure configuration refers to security measures that are implemented when building and installing computers and network devices. You should routinely:
- Remove or disable unnecessary user accounts;
- Change default or guessable account passwords to something non-obvious;
- Remove or disable unnecessary software;
- Disable any auto-run feature that allows file execution without user authorisation; and
- Authenticate users before enabling Internet-based access to commercially or personally sensitive data, or data critical to the running of the organisation.
Get started with Cyber Essentials Plus
With IT Governance, you can complete the entire Cyber Essentials Plus certification process quickly through our online portal.