What to Expect from a Cyber Essentials Plus Audit

If you’re looking to validate your cybersecurity and data protection processes, a Cyber Essentials Plus certification could be right for you.

You might decide to go for Cyber Essentials Plus certification because:

  • You want an independent assessment of your cybersecurity measures in addition to completing your self-assessment 
  • You want to show clients that data protection is a top priority
  • You work in an industry with higher-than-standard cybersecurity requirements

What’s the Difference Between Cyber Essentials and Cyber Essentials Plus?

To qualify for Cyber Essentials Plus you first need a Cyber Essentials certification. To get one, you configure your IT estate and train your staff to meet the scheme's requirements across five control areas:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

Then you complete the self-assessment questionnaire, which is verified by a certification body. If you pass, you're eligible to apply for Cyber Essentials Plus; the Plus audit has to take place within three months of your Cyber Essentials certificate being issued.

Cyber Essentials Plus involves an independent audit of your devices, systems, and processes for extra validation – this is the key difference between Cyber Essentials and Cyber Essentials Plus.

Unsure which certification is best for you? Check out our guide to cybersecurity certifications in the UK.

What are the Benefits of a Cyber Essentials Plus Audit?

Some businesses find Cyber Essentials Plus more suitable because an independent assessment is more credible than a self-assessment. An objective, professional opinion confirms whether you're actually as compliant as you think you are, which gives more peace of mind than Cyber Essentials alone.

The verification of compliance also makes the certification more trustworthy for prospective and existing clients as there’s some external proof that you take cybersecurity and data management seriously. 

What to Expect from the Auditor

An auditor will audit a sample of your devices on-site or virtually to check they’re configured correctly. They’ll:

  • Confirm that the sampled devices match the scope you declared in your self-assessment
  • Scan devices to identify vulnerabilities using Nessus Professional scanning software
  • Observe how devices process emails with test attachments
  • Observe how devices handle downloads of file attachments from test websites
  • Check the installation and configuration of anti-virus software
  • Test Multi-Factor Authentication on applicable cloud services
  • Test how well your default browsers block malicious activity
  • Confirm account separation between admin and user accounts
  • Capture screenshots for evidence

How to prepare for the audit

Here are some practical ways to prepare for your audit.

Check your software

  • Update software on all devices, including servers
  • Download and install the 7-day trial of Nessus Professional if you don't already have it, so the auditor can run a Credentialed Patch Audit scan against your devices. If you already have an alternative PCI-approved scanning tool, speak to your auditor first
  • If you use the 7-day trial, create a Tenable account and let the plugin download and compilation finish before audit day; on a fresh install this can take a while
  • Remove software you no longer use from every device, e.g., a second browser such as Firefox that nobody actually opens. Unused software still shows up in the scan and still has to be patched

If you run Windows:

  • Enable file and print sharing. You can find this option in advanced sharing settings. The credentialed scan authenticates over SMB (TCP 445), so this needs to be on for the network profile (Domain or Private) the auditor will connect through; turn it back off once the audit is done

If you run Windows 10:

  • Set the Windows service "RemoteRegistry" start-up type to "Manual". Access this by typing "services" in the home screen search bar and opening Services. With the service on Manual, Nessus can start it for the duration of the patch audit and it stays stopped the rest of the time

Create a new registry value so that local administrator credentials work remotely for the scan:

  • Type "regedit" in the home screen search bar
  • Hive and key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • On System, right click and select New –> DWORD (32-bit) Value / REG_DWORD
  • Value name: LocalAccountTokenFilterPolicy
  • Value data: 1 (decimal)

This value switches off UAC's remote token filtering, so any local administrator account can be used for full remote administration over SMB and WMI. That is what the credentialed scan needs, but it is also what an attacker with a stolen local admin password or password hash would rely on, so delete the value (or set it back to 0) as soon as the audit is over. Token filtering only applies to local accounts, so if the auditor scans with a domain account you can leave the value at 0.
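The three Windows steps above, scripted so they can be applied to every in-scope device and, just as importantly, reverted afterwards. This is an added example, not code from the original page or from CyberSmart; it assumes an elevated PowerShell session on an English-language Windows 10/11 install (the firewall rule group name is localised), and the function names are this example's own.

```powershell
# Added example: apply and revert the Windows preparation steps for a
# Cyber Essentials Plus credentialed scan. Run as Administrator.
# Assumes English Windows: the firewall group is 'File and Printer Sharing'.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Enable-CePlusScanPrereqs {
    # 1. File and Printer Sharing: lets the scanner authenticate over SMB (TCP 445).
    #    Only the Domain/Private profile rules are enabled, mirroring the
    #    "advanced sharing settings" toggle; the Public profile stays closed.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Where-Object { "$($_.Profile)" -notmatch 'Public' } |
        Enable-NetFirewallRule

    # 2. RemoteRegistry on Manual: Nessus can start it for the patch audit and
    #    it stays stopped the rest of the time.
    Set-Service -Name RemoteRegistry -StartupType Manual

    # 3. LocalAccountTokenFilterPolicy = 1 disables UAC remote token filtering so a
    #    local administrator account gets a full admin token over the network.
    #    This is what makes the credentialed scan work, and also what makes a
    #    stolen local admin password or hash usable remotely, so it is only
    #    meant to stay in place for the audit window.
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-CePlusScanPrereqs {
    # One object per device summarising the settings; pipe to Export-Csv to keep
    # as evidence, or run before the auditor connects to catch a missed device.
    $smbRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Where-Object { $_.Enabled -eq 'True' }
    $policy = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        SmbInboundRulesEnabled  = @($smbRules).Count
        ServerServiceStatus     = (Get-Service -Name LanmanServer).Status   # SMB server itself
        RemoteRegistryStartType = (Get-Service -Name RemoteRegistry).StartType
        TokenFilterPolicy       = if ($policy) { $policy.$ValueName } else { 'not set (default 0, filtering on)' }
    }
}

function Disable-CePlusScanPrereqs {
    # Revert after the audit. Removing the value restores filtering (absent = 0).
    # If the value is pushed by Group Policy it will reappear; fix the GPO instead.
    Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    # Disabled is the Windows 10/11 client default for RemoteRegistry.
    Set-Service -Name RemoteRegistry -StartupType Disabled
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Disable-NetFirewallRule
}

Enable-CePlusScanPrereqs
Test-CePlusScanPrereqs | Format-List
# After the audit: Disable-CePlusScanPrereqs
```

Run Test-CePlusScanPrereqs on each device again after calling Disable-CePlusScanPrereqs and file the output alongside the auditor's screenshots; a device still reporting TokenFilterPolicy 1 a week later is a finding of your own making.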

If you run macOS:

  • Enable file sharing and remote login. Remote login is SSH, which is what the credentialed scan connects through. You'll find both options in System Preferences –> Sharing

On every platform:

  • Update AV engines and signature files. If you use an enterprise management dashboard to do this, even better
  • Activate and update AV plugins for every browser

The auditor will ask you for:

  • Administrator-level domain access. Create a dedicated admin account for the audit with a strong, unique password, or make sure an admin is on hand to help; disable or delete the audit account as soon as the audit is finished
  • A list of all in-scope devices and operating systems. If you use Windows 10, make the RemoteRegistry and LocalAccountTokenFilterPolicy changes described above so the auditor can complete the credentialed scan
  • User email addresses for the email/web tests
  • A signed consent form

Need More Support?

If you’re not ready for a Cyber Essentials Plus audit or need some advice on which accreditation is right for you, there’s plenty of help available. Don’t rush into it. It’s important to pick based on your industry, goals, size, and the benefits you’ll experience from getting certified. It’s always good to prove your cybersecurity credentials, but that doesn’t always mean going for the most advanced accreditation.

And, you can always find out more about which certification is right for you by downloading our guide to cybersecurity certifications in the UK.


The Cyber Essentials questionnaire: are you prepared?

In 2015, a research team at Lancaster University concluded that 99% of cyber risks could be avoided through following a set of surprisingly simple security measures. These measures, or controls, make up the basis of the government’s standard for security certification, Cyber Essentials, which is what we help businesses achieve here at CyberSmart.

However, there's a lot you can do on your own to prepare for the Cyber Essentials assessment, or simply to improve your general cyber hygiene along the lines of its guidance. Below we walk through the processes you'll need to have in place when you complete the Cyber Essentials self-assessment, before it is reviewed by an assessor.

Keep in mind that the Cyber Essentials questionnaire asks you to evaluate every device in your company (laptops, personal computers used for work, phones, the works) and whether it complies with the rules. If a device is used for work, it is in scope.

Choose the most secure settings for your devices and software

☐ Know what ‘configuration’ means

☐ Find the settings of your device and try to turn off a function that you don’t need

☐ Find the settings of a piece of software you regularly use and try to turn off a function that you don’t need

☐ Read the NCSC guidance on passwords

☐ Make sure you’re still happy with your passwords

☐ Read up about two-factor authentication

Control who has access to your data and services

☐ Read up on accounts and permissions

☐ Understand the concept of ‘least privilege’

☐ Know who has administrative privileges to your data and on which machines

☐ Know what counts as an administrative task

☐ Set up a minimal user account on one of your devices

Protect yourself from viruses and other malware

☐ Know what malware is and how it can get onto your devices

☐ Identify three ways to protect against malware

☐ Read up about anti-virus applications

☐ Install an antivirus application on one of your devices and test for viruses

☐ Research secure places to buy apps, such as Google Play and Apple App Store

☐ Understand what a ‘sandbox’ is

Keep your devices and software up to date

☐ Know what ‘patching’ is

☐ Verify that the operating systems on all of your devices are set to ‘Automatic Update’

☐ Try to set a piece of software that you regularly use to ‘Automatic update’

☐ List all the software you have which is no longer supported
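Several of the checklist items above are questions of fact about a device: who holds administrative privileges, whether anti-virus is installed and current, whether the operating system updates automatically, and what software is installed so you can spot anything no longer supported. The following script gathers those facts from one Windows 10/11 device. It is an added example, not code from the original page or from CyberSmart; it is read-only, assumes an elevated PowerShell session, and the function names and output shape are this example's own choices (the registry keys, cmdlets and WMI classes are standard Windows ones).

```powershell
# Added example: collect self-assessment evidence from a Windows 10/11 device.
# Read-only. Run as Administrator so all hives and Defender status are readable.

function Get-UpdateConfiguration {
    # Windows Update policy lives under the AU key when set by Group Policy.
    # An absent key means Windows defaults, which are automatic on Windows 10/11.
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $disabled  = ($au.NoAutoUpdate -eq 1)
    $lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        AutomaticUpdates = -not $disabled
        AUOptions        = if ($au.AUOptions) { $au.AUOptions } else { 'default' }   # 4 = download and schedule install
        WuauservStart    = (Get-Service -Name wuauserv).StartType
        LastHotFix       = $lastPatch.HotFixID
        LastHotFixDate   = $lastPatch.InstalledOn
        DaysSincePatch   = if ($lastPatch) { [int]((Get-Date) - $lastPatch.InstalledOn).TotalDays } else { $null }
    }
}

function Get-LocalAdministrators {
    # Everyone who can perform administrative tasks on this device; compare the
    # list with the people who genuinely need to (least privilege).
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-AntiMalwareStatus {
    # Defender reports directly; third-party products register with Security
    # Center and are visible through the SecurityCenter2 WMI namespace.
    $defender   = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DefenderRealTime     = $defender.RealTimeProtectionEnabled
        DefenderSignatureAge = $defender.AntivirusSignatureAge     # in days
        RegisteredProducts   = ($registered | ForEach-Object displayName) -join '; '
    }
}

function Get-InstalledSoftware {
    # Both the 64-bit and 32-bit uninstall hives. Every entry here is something
    # the questionnaire expects you to know is still supported and patched.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
"$($os.Caption) build $($os.BuildNumber) on $env:COMPUTERNAME"
Get-UpdateConfiguration  | Format-List
Get-LocalAdministrators  | Format-Table -AutoSize
Get-AntiMalwareStatus    | Format-List
Get-InstalledSoftware    | Export-Csv -Path ".\$env:COMPUTERNAME-software.csv" -NoTypeInformation
```

The software list is exported rather than printed because it is the part you will want to work through offline: anything whose vendor no longer ships security updates belongs on your "no longer supported" list, and anything nobody uses should simply be removed before the assessment.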

If you can follow this guidance now, you can pass certification quickly and with flying colours. If you struggle with any of these items, CyberSmart has guided hundreds of SMEs of all sizes and experience levels through the same process, so feel free to get in touch. We offer a quick and simple step-by-step process so you can get Cyber Essentials certified today.