Our Guide to Becoming Cyber Essentials Plus Certified
The Cyber Essentials scheme is a simple way for any organisation to ensure that it has essential security controls in place to provide protection against a cyber security attack. Cyber Essentials Plus is the highest level to which this certification can be taken. Given that security threats are always changing, Cyber Essentials Plus is regularly updated and the newest version came out in April this year. This is what you need to know about becoming Cyber Essentials Plus certified.
Key Actions You can Take to Pass the Cyber Essentials Plus Assessment
- Ensure that all software on devices and servers is up to date. You should be applying high- and critical-risk security patches within 14 days of release anyway, but it’s especially vital to do this across the board when it comes to Cyber Essentials Plus.
- Review antivirus software configuration. Antivirus software needs to be up to date on all devices and servers, and the signatures should be updated within a 24-hour window. If there’s an option to turn on automatic updates, it’s a good idea to make sure that this is done.
- Disable any internet-facing services that are no longer required. It’s also a good idea to ensure that, where any internet-facing services require authentication to access organisation/user data, there is some type of brute-force attack mitigation in place.
- Make sure all cloud users have to complete multi-factor authentication. This will be required in order to remain compliant and is essential protection.
- Enforce account separation. This means that anyone who has an administration account also has a separate user account for day-to-day work, so that the administration account is only ever used for admin tasks.
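As an added illustration (not part of the original guide), the following read-only PowerShell self-check reports against the two numeric thresholds above: missing Critical/Important Windows updates that have been available for more than 14 days, and Microsoft Defender signatures older than 24 hours. It assumes a Windows host using Windows Update and Microsoft Defender, and treats Microsoft’s "Important" rating as the scheme’s "high risk".

```powershell
# Added self-check, not code from the original post. Run in an elevated PowerShell
# session on each sampled workstation/server; it changes nothing, it only reports.

$PatchWindowDays    = 14   # high/critical patches must be applied within 14 days of release
$SignatureWindowHrs = 24   # AV signatures must be no more than 24 hours old
$now = Get-Date

# --- 1. Missing security updates that have been available longer than the patch window ---
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$missing  = $searcher.Search("IsInstalled=0 and IsHidden=0").Updates

$overdue = foreach ($u in $missing) {
    # MsrcSeverity is Microsoft's rating (Critical/Important/...); it is blank for
    # non-security updates. LastDeploymentChangeTime approximates the release date.
    if ($u.MsrcSeverity -in @('Critical', 'Important') -and
        $u.LastDeploymentChangeTime -lt $now.AddDays(-$PatchWindowDays)) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity
            Released = $u.LastDeploymentChangeTime
            DaysOpen = [int]($now - $u.LastDeploymentChangeTime).TotalDays
        }
    }
}

if ($overdue) {
    Write-Warning "FAIL: $($overdue.Count) high/critical update(s) missing for more than $PatchWindowDays days"
    $overdue | Sort-Object DaysOpen -Descending | Format-Table -AutoSize
} else {
    Write-Output "PASS: no high/critical updates outstanding beyond $PatchWindowDays days"
}

# --- 2. Defender signature age and real-time protection ---
$mp     = Get-MpComputerStatus
$sigAge = $now - $mp.AntivirusSignatureLastUpdated

if (-not $mp.RealTimeProtectionEnabled) {
    Write-Warning "FAIL: Defender real-time protection is disabled"
}
if ($sigAge.TotalHours -gt $SignatureWindowHrs) {
    Write-Warning ("FAIL: signatures last updated {0} ({1:N1} h ago)" -f $mp.AntivirusSignatureLastUpdated, $sigAge.TotalHours)
} else {
    Write-Output ("PASS: signatures updated {0:N1} h ago (version {1})" -f $sigAge.TotalHours, $mp.AntivirusSignatureVersion)
}
```

The script only covers the host it runs on; repeat it across the same sample of workstations and servers an assessor would pick, and treat any FAIL line as something to fix before the assessment.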
What is an Assessor Likely to be Looking For?
Part of the process of getting Cyber Essentials Plus certified is passing the scrutiny of an external assessor. That assessor is likely to be looking at:
- Carrying out an external network vulnerability scan on the public IP address your organisation uses to highlight vulnerabilities in internet-facing services. All high risk vulnerabilities must be remediated in order to get certified.
- Carrying out device/server vulnerability scans. An assessor will sample workstations and servers that have a desktop GUI and look for any patch-related vulnerabilities that an attacker could exploit. These will then need to be remediated to get certified.
- Testing general malware protections. This will include testing antivirus, as well as looking at devices to ensure they have been configured for optimum security.
- Testing email client protections against malware. This will include sending infected emails to see whether or not they are being filtered before they reach a user’s mailbox.
Become Cyber Essentials Plus Certified
If you’re considering becoming Cyber Essentials Plus certified, there are many benefits to doing so, including fulfilling customer requirements and getting clear guidance on how to make your business more secure. You’ll also get a certificate and can use the Cyber Essentials Plus logo, reinforcing your credibility with potential customers. Here at S.A.D.S, we can help you achieve this. Get in touch today and let’s progress together.