Vulnerability testing for Cyber Essentials Plus Certification
Organisations seeking certification to Cyber Essentials Plus require a series of internal and external vulnerability tests.
The internal tests can be described as an authenticated internal scan and a test of the security and anti-malware configuration of each device type/build.
The internal scan checks patch levels and system configurations, while the security and anti-malware test ensures that the organisation’s systems are resistant to malicious email attachments and web-downloadable binaries. As the tests are internal, they will be performed on-site by a qualified tester.
The external scan also checks patch levels and system configurations, but of the public-facing infrastructure. As the tests are external, they are performed off-site and reviewed by a qualified tester.
The following internal tests are required for Cyber Essentials Plus:
- Inbound email binaries and payloads.
- Inbound emails containing URLs linking to binaries and browser exploitation payloads.
- Authenticated vulnerability and patch verification scan.
The following external tests are required for Cyber Essentials Plus:
- Unauthenticated vulnerability and patch verification scan.
After completing the tests, we will issue a report stating the outcomes and explaining what actions, if any, should be taken to eliminate any risks or vulnerabilities. Our reports aim to give customers meaningful information about risks to their organisation and activities.
If the internal vulnerability tests result in a fail, we will provide a list of corrective actions to take before the tests are repeated; a certificate cannot be awarded until the repeat tests pass. Any repeat testing will be billed separately.
Secure your organisation with Cyber Essentials
With IT Governance, you can complete the entire certification process quickly and easily using our online portal for as little as £500.