Cyber Essentials Plus

Designed to help organisations of any size demonstrate their commitment to cyber security - while keeping the approach simple and costs low.

What is Cyber Essentials Plus?

Cyber Essentials Plus is a higher level certification than the Cyber Essentials Verified Self-Assessed and includes an audited assessment of the organisations IT systems. All organisations wishing to complete the Cyber Essentials Plus will need a valid Cyber Essentials Verified Self-Assessed which was certified date within 3 months before to complete the Cyber Essentials Plus assessment.

The Cyber Essentials Plus audited assessment of your system based on the scope of the Cyber Essentials . The aim of the assessment is to confirm that all controls that have been declared in Cyber Essentials Verified Self-Assessed are implemented on the organisations network. By undertaking and completing Cyber Essentials Plus, you can declare publicly, that your organisation has been proven to meet baseline security standards set out by Cyber Essentials.

An assessor will pick a sample of computers at your organisation and perform an audit to ensure that the devices are compliant with the Cyber Essentials scheme.

An internal vulnerability scan will beconducted on the sample computers and servers to confirm patching and basic configuration meet the minimum requirements.

An external vulnerability scan will interegate all ports of your internet facing IP addresses to ensure that no clear and obvious misconfigurations or vulnerabilities can be discovered.

All sample computers will carried out on your email and internet browsers to confirm they are to prevent execution of fake malicious files and virus'.

All mobile devices within the sample will be chacked to confirm they are running the latest compliant software build and they are not in developer mode enabling them to download unsigned applications.

The 5 technical control themes of Cyber Essentials

Firewalls

You should protect your Internet connection with a firewall. Many organisations will have a dedicated boundary firewall which protects their whole network.
User Access Control

Standard accounts should be used for general work. By ensuring that your staff don’t browse the web or check emails from an account with administrative privileges you cut down on the chance that an admin account will be compromised.
Malware protection

Malware is short for ‘malicious software’ also know as Anti-Virus must be installed on all endpoints that support this software
Secure Configuration

Your accounts should always be password-protected. For ‘important’ accounts, such as banking and IT administration, you should use two-factor authentication, also known as 2FA.
Patch management

No matter which phones, tablets, laptops or computers your organisation is using, it’s important that the manufacturer still supports the device with regular security updates and that you install those updates as soon as they are released.

Why should you get Cyber Essentials?

Protect against approximately 80% of cyber attacks
Reassure customers that you are working to secure your IT against cyber attack
Demonstrates to your customers and supply chain that you have considered you security posture
You have a clear picture of your organisation's cyber security posture
Some Government contracts require Cyber Essentials certification