What exactly is involved in Cyber Essentials Plus audit?
We often hear from clients: “we are not sure if we are ready for Cyber Essentials Plus (CE Plus)”. In most cases it turns out that the client doesn’t know what exactly is involved in a Cyber Essentials Plus audit. So what is Cyber Essentials Plus, and what does the audit involve?
CE Plus is the advanced variant of the Cyber Essentials certification. In this certification process an assessor from the IASME Cyber Certification Body conducts an on-site (now remote due to the pandemic) audit of your systems. What does the audit involve?
First things first: Cyber Essentials Plus requires the company to pass the basic Cyber Essentials first. You then apply for the Plus and the audit takes place. The audit verifies the details given on the self-assessment questionnaire. Here is the Cyber Essentials Plus audit process:
- Internal Vulnerability assessment
- External vulnerability assessment
- User Access Controls test
- Browser download test
- Email test
Internal Vulnerability Assessment
At this stage we perform a vulnerability assessment on a sample of devices rather than the entire estate. For example, if you have 100 devices we will check 15 of them. We expect to find no critical vulnerabilities on the network in order for you to pass the certification; if there is even one critical vulnerability you will not pass, unless it is shown to be a false positive. Critical vulnerabilities generally have patches available, and you need to apply those patches within 14 days of their release date. Vulnerabilities are categorised by their CVSS score into Critical, High, Medium and Low.
We will also look for any unsupported software in your environment. You will only pass the certification if there is no unsupported software. For example, if you have the Windows 7 operating system on your network you will only pass if a Microsoft extended support agreement is in place.
It is also worth noting that you need to keep the number of ‘High’ category vulnerabilities as low as possible.
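To show how the internal assessment rules above turn scan output into a pass/fail readiness view, here is a small triage script. It is an added example, not the assessor's tooling or the IASME test specification: it assumes the standard CVSS v3 qualitative bands (Critical 9.0+, High 7.0+, Medium 4.0+), and the hostnames, finding titles and dates in the sample are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
PATCH_WINDOW_DAYS = 14  # the post's 14-day patching window

def cvss_category(score: float) -> str:
    # Standard CVSS v3 qualitative bands (assumption; the post gives no thresholds)
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"
@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    patch_released: Optional[date] = None  # None when no vendor patch exists
    false_positive: bool = False           # set only once proven with evidence
    unsupported: bool = False              # e.g. Windows 7 with no extended support agreement

def assess(findings, scan_date):
    """Apply the post's pass/fail rules; returns (passed, reasons, high_count)."""
    reasons, high_count = [], 0
    for f in findings:
        if f.false_positive:
            continue
        if f.unsupported:
            reasons.append(f"{f.host}: unsupported software ({f.title})")
            continue  # no patch exists; extended support is the only remedy
        category = cvss_category(f.cvss)
        if category == "Critical":
            note = f"{f.host}: critical vulnerability ({f.title})"
            if f.patch_released and (scan_date - f.patch_released).days > PATCH_WINDOW_DAYS:
                note += f", patch released {(scan_date - f.patch_released).days} days ago"
            reasons.append(note)
        elif category == "High":
            high_count += 1
    return (not reasons, reasons, high_count)

# Constructed sample scan (hostnames, titles and dates are made up for illustration)
SCAN_DATE = date(2021, 4, 1)
SAMPLE = [
    Finding("ws-01", "Browser RCE", 9.8, patch_released=date(2021, 3, 1)),
    Finding("ws-02", "Legacy TLS enabled", 7.5),
    Finding("ws-03", "Windows 7 end of life", 10.0, unsupported=True),
    Finding("ws-03", "Scanner misread banner", 9.1, false_positive=True),
]
```

Running `assess(SAMPLE, SCAN_DATE)` fails the sample on the overdue critical and the unsupported Windows 7 host, ignores the proven false positive, and reports one High finding to drive down before the audit.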
External Vulnerability Assessment
Essentially this step involves scanning your public IP addresses for vulnerabilities, usually unusual ports that have been left open. That’s pretty much it.
User access controls test
At this stage we check that user access controls are configured correctly: we try to execute a test file and see whether the PC prompts for admin credentials.
Browser download test
Your browser should block malicious downloads, and that is exactly what we test at this stage. We download various sample malware files and observe how the browser behaves. Ideally it should block them all.
Email test
Essentially we are testing your email scanners at this stage. We send a batch of emails with malicious attachments and note how many get through your email security measures. Ideally, none.
That’s it. That is exactly what is involved in a Cyber Essentials Plus audit. If you are not sure which controls will be audited, please check out our ‘Cyber Essentials Checklist’ blog post. Also, if you would like a pre-audit and gap analysis on your network, get in touch with us. We can organise the pre-audit and produce a gap analysis report. If there are no issues, you can then submit your application for the certification.
Hope that helps. If you need any further assistance or if you are looking to get your certification done then please get in touch. We are on 01224 516181. Cheers