We often hear from the clients “we are not sure if we are ready for the Cyber Essentials Plus (CE plus)”. In most cases, we come to know that the client doesn’t know what exactly is involved in Cyber Essentials Plus audit. What is Cyber Essentials Plus? What is involved in the audit?

CE plus is the advanced variation of the Cyber Essentials certification. In this certification process an assessor from the IASME Cyber Certification Body will conduct an on-site (now remote due to the pandemic) audit of the systems. What does the audit involve?

First things first. Cyber Essentials Plus requires the company to pass Cyber Essentials first. Then apply for the Plus and the audit takes place. The audit involves verifying the details on the self-assessment questionnaire. Here is the Cyber Essentials Plus audit process

• Internal Vulnerability assessment
• External vulnerability assessment
• User Access Controls test
• Browser download test
• Email test

DOWNLOAD CYBER ESSENTIALS QUESTIONNAIRE FOR FREE

Internal Vulnerability Assessment

At this stage we perform a vulnerability assessment on selected devices. Ideally a portion of the entire device. For example, if you have 100 devices we will check 15 devices. We will be expecting no critical vulnerabilities on the network in order for you to pass the certification. If there is even 1 critical vulnerability then you will not be able to pass the certification unless it’s a false positive. Critical vulnerabilities have the patches available to them and you will need to apply the patches within the 14 days of their release date. Vulnerabilities are categorised as per their CVSS score. The categories are Critical, High, Medium and Low.

We will also be looking for any unsupported software in your environment. You will only pass the certification if there is no unsupported software. For example, if you have Windows 7 operating system on your network you will only pass if there is a Microsoft extended support agreement in place.

It is worth noting that you will need to keep the ‘High’ category vulnerabilities as low as possible.

External Vulnerability Assessment

Essentially this step involves scanning your public IP addresses for any vulnerabilities. Usually the unusual ports left opened. That’s pretty much it.

GET CERTIFIED TODAY

User access controls test

At this stage, we are checking to see if the user access controls are configured correctly. We will try to execute a test file and see if the PC is prompting for admin credentials.

Browser download test

Your browser should block any malicious downloads. That’s exactly what we are trying to test at this stage. Download various sample malware files and observe how the browser is behaving. Ideally, it should block them all.

Email test

Essentially we are testing your email scanners in this stage. We will send a bunch of emails with malicious attachments and notice how many of them are getting through your email security measures. Ideally, none.

That’s it. That’s exactly what is involved in Cyber Essentials Plus audit. If you are not sure what controls will be audited please check out our ‘Cyber Essentials Checklist’ blog post. Also, If you would like to do a pre-audit and gap analysis on your network get in touch with us. We can organise the pre-audit and produce a gap analysis report. If there are no issues then you can submit your application for the certification.

Hope that helps. If you need any further assistance or if you are looking to get your certification done then please get in touch. We are on 01224 516181. Cheers