What to Expect from a Cyber Essentials Plus Audit

If you’re looking to validate your cybersecurity and data protection processes, a Cyber Essentials Plus certification could be right for you.

You might decide to go for Cyber Essentials Plus accreditation because:

  • You want an independent assessment of your cybersecurity measures in addition to completing your self-assessment
  • You want to show clients that data protection is a top priority
  • You work in an industry with higher-than-standard cybersecurity requirements

What’s the Difference Between Cyber Essentials and Cyber Essentials Plus?

Before you can apply for Cyber Essentials Plus, you’ll need a Cyber Essentials certification. To achieve this, you’ll build IT infrastructure and staff knowledge to meet standards across five categories:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

Then, you’ll take a self-assessment to get accredited. If you pass the self-assessment, you’ll be eligible to apply for Cyber Essentials Plus.

Cyber Essentials Plus involves an independent audit of your devices, systems, and processes for extra validation – this is the key difference between Cyber Essentials and Cyber Essentials Plus.

Unsure which certification is best for you? Check out our guide to cybersecurity certifications in the UK.

What are the Benefits of a Cyber Essentials Plus Audit?

Some businesses find Cyber Essentials Plus more suitable because an independent assessment is more credible than a self-assessment. An objective, professional opinion confirms that you’re as compliant as you think you are, and it offers more peace of mind than Cyber Essentials alone.

The verification of compliance also makes the certification more trustworthy for prospective and existing clients, as there’s external proof that you take cybersecurity and data management seriously.

What to Expect from the Auditor

An auditor will assess a sample of your devices, on-site or remotely, to check that they’re configured correctly. They’ll:

  • Confirm which devices are in scope
  • Scan devices to identify vulnerabilities using Nessus Professional scanning software
  • Observe how devices process emails with test attachments
  • Observe how devices handle downloads of file attachments from test websites
  • Check the installation and configuration of anti-virus software
  • Test Multi-Factor Authentication on applicable cloud services
  • Test how well your default browsers block malicious activity
  • Confirm account separation between admin and user accounts
  • Capture screenshots for evidence

How to Prepare for the Audit

Here are some practical ways to prepare for your audit.

Check your software

  • Update software on all devices, including servers
  • Download and install the 7-day trial of Nessus Professional if you don’t already have it, so the auditor can complete a Credentialed Patch Scan. If you already have an alternative PCI-approved scanning tool, speak to your auditor
  • If you use the 7-day trial, create an account and download the plugins to complete the installation
  • Remove software you don’t use regularly from every device, e.g., old browsers like Firefox

If you run Windows:

  • Enable file and print sharing. You can find this option under Advanced sharing settings

If you run Windows 10:

  • Set the start-up type of the Windows service “RemoteRegistry” to “Manual”. Open the Services console by typing “services” in the Start menu search bar

Create a new registry value:

  • Type “regedit” in the Start menu search bar
  • Hive and key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Right-click the System key and select New –> DWORD (32-bit) Value (REG_DWORD)
  • Value name: LocalAccountTokenFilterPolicy
  • Value data: 1 (decimal)
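The Windows 10 preparation steps above (RemoteRegistry start-up type, the LocalAccountTokenFilterPolicy value, and file and print sharing) can be applied, verified and reverted from an elevated PowerShell session. This script is an added example and not part of the original article; the function names are my own, and it assumes that the “advanced sharing settings” toggle corresponds to the “File and Printer Sharing” firewall rule group and that RemoteRegistry was Disabled before the audit.

```powershell
# Added example: apply, verify and revert the Windows 10 credentialed-scan prerequisites.
# Run as an administrator. Function names are hypothetical, not an official tool.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Enable-CredentialedScanPrereqs {
    # RemoteRegistry must not be Disabled for the credentialed patch scan to read patch state.
    Set-Service -Name 'RemoteRegistry' -StartupType Manual

    # LocalAccountTokenFilterPolicy = 1 lets a local administrator account authenticate
    # remotely with a full token. This relaxes UAC remote restrictions, so treat it as a
    # temporary audit setting and revert it once the scan is complete.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

    # Assumed equivalent of enabling file and print sharing in Advanced sharing settings.
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
}

function Test-CredentialedScanPrereqs {
    # Report each prerequisite so you can confirm the state before the auditor arrives.
    $svc   = Get-Service -Name 'RemoteRegistry'
    $svcOk = $svc.StartType -ne 'Disabled'
    $value = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $regOk = ($value -eq 1)
    $fwOk  = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
               Where-Object Enabled -eq 'True').Count -gt 0
    [PSCustomObject]@{
        RemoteRegistry    = $svcOk
        TokenFilterPolicy = $regOk
        FileSharing       = $fwOk
        Ready             = ($svcOk -and $regOk -and $fwOk)
    }
}

function Disable-CredentialedScanPrereqs {
    # Restore the pre-audit posture (assumes RemoteRegistry was Disabled beforehand).
    Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    Set-Service -Name 'RemoteRegistry' -StartupType Disabled
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
}

Enable-CredentialedScanPrereqs
Test-CredentialedScanPrereqs
```

Run Disable-CredentialedScanPrereqs after the auditor has finished so the relaxed settings do not outlive the audit.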

If you run macOS:

  • Enable file sharing and remote login. You’ll find these options in System Preferences –> Sharing
  • Update AV engines and signature files. If you use an enterprise management dashboard to do this, even better
  • Activate and update AV plugins for every browser

The auditor will ask you for:

  • Administrator-level domain access. Create a new admin account for the audit or ensure an admin is there to help
  • A list of all in-scope devices and operating systems. If you use Windows 10, complete the registry edit described above so the auditor can complete a scan
  • User email addresses for the email/web tests
  • A signed consent form

Need More Support?

If you’re not ready for a Cyber Essentials Plus audit, or need some advice on which accreditation is right for you, there’s plenty of help available. Don’t rush into it. It’s important to choose based on your industry, goals, size, and the benefits you’ll gain from getting certified. It’s always good to prove your cybersecurity credentials, but that doesn’t always mean going for the most advanced accreditation.

And, you can always find out more about which certification is right for you by downloading our guide to cybersecurity certifications in the UK.
