Cyber Essentials Plus Checklist

Cyber Essentials Plus

The Cyber Essentials scheme helps organisations protect against around 80% of common cyber attacks.

There are two levels of certification: Cyber Essentials and Cyber Essentials Plus.

Both have the same requirements, but Cyber Essentials Plus certification involves a technical audit, which provides an extra level of assurance about the effectiveness of your organisation’s controls.

What is Cyber Essentials?

Cyber Essentials is supported by the UK government and NCSC (National Cyber Security Centre), and administered by IASME Consortium, which licenses certification bodies to conduct assessments and provide certifications.

The scheme sets out five cyber security controls, covering:

  1. Firewalls
  2. Secure configuration
  3. Access control
  4. Malware protection
  5. Security update management

Implementing and maintaining these controls helps organisations protect themselves from cyber attacks, including phishing, ransomware and other malware.

Cyber Essentials

Cyber Essentials, the lower level of certification, relies on organisations completing an SAQ (self-assessment questionnaire). It is designed for organisations that want a base-level security certification to demonstrate they have implemented essential cyber security controls.

Get started

Cyber Essentials

Cyber Essentials Plus is designed for organisations that need a more in-depth audit of their security measures, have employees who work remotely, or allow third parties access to their premises or IT.

Get started

Why get Cyber Essentials Plus certification?

Like Cyber Essentials certification, Cyber Essentials Plus certification demonstrates that your organisation has implemented the five basic controls, which:

  • Prevent around 80% of cyber attacks;
  • Improve supply chain security;
  • Enable you to win new business;
  • Permit you to work with the UK government; and
  • Reassure stakeholders that you are committed to securing your and your customers’ data.

However, Cyber Essentials Plus goes a step further than Cyber Essentials by requiring a technical audit of your in-scope systems. This provides an extra level of assurance that your cyber security measures are effective.

By achieving Cyber Essentials Plus certification, you will also meet the security requirements necessary to bid for MOD contracts.

Cyber Essentials Plus requirements

Cyber Essentials Plus has the same requirements as Cyber Essentials.

Cyber Essentials Plus certification involves an additional technical audit of in-scope systems, which includes a series of on-site internal vulnerability scans, tests of your in-scope systems and an off-site external vulnerability scan conducted by the certification body.

  • The internal scans check your patches and system configurations.
  • The tests check your Internet gateways, servers with public-facing services and a sample of user devices.
  • The external scan checks patches and system configurations for your public-facing infrastructure.

Learn more about vulnerability testing for Cyber Essentials Plus certification

Cyber Essentials Plus preparation process

  1. Download and read Cyber Essentials Requirements for IT infrastructure. This will help you define your scope and understand what requirements you must meet. You will be asked to confirm that you have read this as part of your application.

  2. Clearly define what parts of your infrastructure are in and out of scope.

  3. Complete your SAQ. Verify that your IT infrastructure is suitably secure and meets the scheme’s requirements.

  4. Submit your SAQ for official assessment. An IT Governance Cyber Essentials assessor will review your submitted SAQ and pass or fail it accordingly. If you are successful, you will be issued with your Cyber Essentials certificate. You will then have three months to complete your Cyber Essentials Plus submission.

  5. Undergo the technical audit. All scans and tests must be completed within three months of achieving Cyber Essentials certification.

  6. If we identify any nonconformities, you will receive feedback to help you resolve them. Reassessment must be conducted within one month of the initial assessment to confirm you have resolved all nonconformities.

Learn more about achieving Cyber Essentials Plus certification with IT Governance

Cyber Essentials Plus checklist

Firewalls create a barrier between your network and other, external networks. For all firewalls (or equivalent network devices), you must:

  • Change any default administrative password to a strong alternative or disable remote administrative access entirely;
  • Prevent access to the administrative interface from the Internet, unless there is a clear and documented business need, in which case you must protect the interface with one of the following controls:
    • An additional authentication factor, such as an OTP (one-time password).
    • An IP whitelist that limits access to a small range of trusted addresses.
  • Block unauthenticated inbound connections by default;
  • Ensure inbound firewall rules are approved and documented, along with the business need for each rule, by an authorised individual;
  • Remove or disable permissive firewall rules as soon as they are no longer needed; and
  • Use a host-based firewall on devices that are used on public or other untrusted networks.

Learn more about firewalls and gateways

Secure configuration refers to selecting the most secure settings or configurations when installing computers and network devices to minimise inherent vulnerabilities and provide the minimum amount of access necessary to fulfil their role. You must routinely:

  • Remove and disable unnecessary user accounts;
  • Change default or guessable account passwords to a strong alternative;
  • Remove or disable unnecessary software;
  • Disable any auto-run feature that allows file execution without user authorisation; and
  • Authenticate users before allowing access to organisational data or services.

In addition, physically present users must use appropriate device locking controls.

Learn more about secure configuration

Good user access control ensures that only authorised individuals have a user account, which gives them the minimum amount of access necessary to perform their duties. You must:

  • Have a user account creation and approval process;
  • Authenticate users, using unique credentials, before granting them access to applications or devices;
  • Remove or disable user accounts when no longer required;
  • Use or implement MFA (multifactor authentication) where available, and always authenticate to Cloud services using MFA;
  • Use administrative accounts to perform administrative activities only; and
  • Remove or disable special access privileges when no longer required.

Learn more about access control

Malware protection ensures that harmful or untrusted software cannot execute on your systems, potentially compromising them or the data they hold. For all in-scope devices, you must use at least one of anti-malware software, whitelisting or sandboxing.

If you use anti-malware software, you must:

  • Keep it up to date, with signature files updated at least daily;
  • Configure it to scan files automatically upon access, whether accessed from a network folder or downloaded and opened;
  • Have it scan web pages automatically when accessed through a web browser; and
  • Have it prevent connections to malicious websites, unless you have a clear, documented business need to access them, and understand and accept the associated risk.

If you whitelist, ensuring that only actively approved applications can execute on devices, you must:

  • Maintain an up-to-date list of approved applications; and
  • Prevent users from installing applications that are unsigned or have an invalid signature.

With sandboxing, you ensure all code of unknown origin is first run in a sandbox to prevent it from accessing other resources on your network unless a user explicitly allows otherwise. If you use sandboxing, the other resources to protect include:

  • Other sandboxed applications;
  • Data stores;
  • Sensitive peripherals (such as cameras and microphones); and
  • Local network access.

Learn more about malware protection

Keeping devices and software up to date – for example, by installing patches – will ensure they are not vulnerable to any known security issues, including newly discovered ones. All software on in-scope devices must be:

  • Licensed and supported;
  • Removed from devices when no longer supported;
  • Enabled for automatic updates where possible; and
  • Patched within 14 days of an update being released in cases where it:
    • Fixes a vulnerability the vendor describes as ‘critical’ or ‘high risk’;
    • Fixes a vulnerability with a CVSS (Common Vulnerability Scoring System) v3 score of at least 7; and
    • Fixes a vulnerability of unknown risk.

Learn more about security update management

PROTECT YOUR
BUSINESS
THIS WINTER