Vulnerability testing for Cyber Essentials Certification
As a CREST-accredited certification body, we offer an added level of independent assurance by conducting an external vulnerability scan on your Internet-facing networks and applications. This scan will help you to verify that there are no obvious vulnerabilities present.
This level of testing assesses your vulnerability to broad, untargeted and unsophisticated attacks.
The following external tests are required for CREST-accredited Cyber Essentials certification:
- Scan of external TCP ports and top UDP services.
- Vulnerability scan.
- Basic web application scan.
In 2020, the NCSC (National Cyber Security Centre) will implement some changes to the Cyber Essentials scheme to prepare it for the future. The current five Cyber Essentials accreditation bodies will be replaced by one. From 1 April 2020, The IASME Consortium will operate as the sole accreditation body for the scheme.
In support of this change, IT Governance will become an IASME-accredited certification body from April next year. We will continue providing the high level of cost-effective ongoing service our clients expect from us and will ensure the transition to the new arrangements is seamless. In the meantime, and in line with current arrangements supported by the NCSC, our clients will continue to be certified under CREST, and all existing and new certifications will continue to be valid and in line with current requirements.
Vulnerability testing for Cyber Essentials Plus Certification
Organisations seeking certification to Cyber Essentials Plus require an additional series of internal vulnerability tests.
These tests can be described as an authenticated internal scan and a test of the security and anti-malware configuration of each device type/build.
The internal scan checks patch levels and system configurations, while the security and anti-malware test ensures that the organisation’s systems are resistant to malicious email attachments and web-downloadable binaries. Because the tests are internal, the tests will be performed on-site by a qualified tester.
The following internal tests are required for Cyber Essentials Plus:
- Inbound email binaries and payloads.
- Inbound emails containing URLs linking to binaries and browser exploitation payloads.
- Authenticated vulnerability and patch verification scan.
After completing the tests, we will issue a report stating the outcomes and explaining what actions, if any, should be taken to eliminate any risks or vulnerabilities. Our reports aim to give customers meaningful information about risks to their organisation and activities.
If the external or internal vulnerability tests are failed, we will provide a list of actions necessary to repeat the tests before a certificate can be awarded.
Secure your organisation with Cyber Essentials
With IT Governance, you can complete the entire certification process quickly and easily using our online portal for as little as £300.
Find out more