What to Expect from a Cyber Essentials Plus Audit

Cyber Essentials Plus Audit

Here at CyberSmart, we understand that organisations would like a bit more information on how the Cyber Essentials Plus process works. So, to demystify the process, we’ve put together this guide. 

The Cyber Essentials Plus audit aims to secure your business from known vulnerabilities, safeguarding your customers’ data. This not only helps ensure your business is working safely, but also builds trust with your customers and can help you win new business.

The first step in completing the Cyber Essentials Plus audit is to let our team know that you are ready to be sent the information for this assessment.

How To Schedule a Cyber Essentials Plus Audit  

Once you have confirmed that you are ready, we'll send you the Qualys agent to deploy to your devices. The agent scans each machine for known vulnerabilities and checks them against the National Vulnerability Database. Any vulnerability found with a CVSSv3 score of 7 or higher (High/Critical) will need to be resolved.
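The example below is added here and is not CyberSmart's or Qualys' own code: it triages a constructed scan export against the CVSSv3 7.0 bar described above, separating findings that block certification from those that are below the threshold or have no score yet. The CSV column layout and the CVE ids are placeholders, not the real Qualys export format.

```python
# Added example: triage a constructed scan export against the Cyber Essentials
# Plus bar of CVSSv3 >= 7.0 (High/Critical) before audit day.
import csv
import io

CE_PLUS_THRESHOLD = 7.0  # CVSSv3 base score at and above which a finding must be fixed

# Constructed sample export. Column names and CVE ids are placeholders, not the
# real Qualys export format or real vulnerabilities.
SAMPLE_EXPORT = """\
host,cve,cvss_v3,title
laptop-01,CVE-0000-0001,9.8,Placeholder remote code execution
laptop-01,CVE-0000-0002,5.3,Placeholder information disclosure
laptop-02,CVE-0000-0003,7.0,Placeholder privilege escalation
laptop-02,CVE-0000-0004,,Placeholder finding with no NVD score yet
phone-01,CVE-0000-0005,6.9,Placeholder denial of service
"""

def cvss_v3_band(score: float) -> str:
    """Qualitative severity bands from the CVSS v3.x specification."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"

def parse_export(text: str) -> list:
    """Parse the CSV export; an empty score column becomes None."""
    rows = csv.DictReader(io.StringIO(text))
    findings = []
    for r in rows:
        raw = r["cvss_v3"].strip()
        r["cvss_v3"] = float(raw) if raw else None
        findings.append(r)
    return findings

def triage(findings) -> dict:
    """Split findings into CE+ blockers, unscored items needing a manual
    check, and sub-threshold items (still worth patching, not blocking)."""
    result = {"blocking": [], "unscored": [], "below": []}
    for f in findings:
        if f["cvss_v3"] is None:
            result["unscored"].append(f)  # never assume unscored means safe
        elif f["cvss_v3"] >= CE_PLUS_THRESHOLD:
            result["blocking"].append((f["host"], f["cve"], cvss_v3_band(f["cvss_v3"])))
        else:
            result["below"].append(f)
    return result
```

Running `triage(parse_export(SAMPLE_EXPORT))` reports the two placeholder findings at 9.8 and 7.0 as blockers and keeps the unscored one visible for manual review rather than silently passing it.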


The Assessment Process

On the day of the assessment, the following will take place:

  • Internal credentialed vulnerability and patch audit scan of all sampled in-scope devices using Qualys (unless you have your own PCI DSS-approved scanner)
  • External vulnerability scan of externally facing IPs and services
  • Observing how devices process emails with test attachments. This requires access to the user's device via screen sharing, and the email address of the user of the in-scope device (not a generic address generated for the assessment)
  • Observing how devices handle downloads of file attachments from our test websites. This also requires access to user devices via screen sharing
  • Checking the installation and configuration of anti-virus software
  • iOS / mobile checks (if in scope)
  • A Multi-Factor Authentication (MFA) test on every cloud service listed in your Cyber Essentials self-assessment, to confirm that MFA is enabled on both admin and user accounts
  • Confirmation that admin and user accounts are separated

During the assessment, our assessors will carry out the Cyber Essentials Plus audit, which includes a scan of your external IP addresses. Please note that the scan can only be completed if you have signed our consent form, which will be emailed to you during the process.

It's vital that the consent form is returned to us before the day of the audit so that the scan can be completed without delay.

Once the audit has been successfully completed, our assessors will upload the results to IASME and issue your certificate.

Additional Resources

Your organisation is completely in charge of how quickly or slowly you want to take this process, and our CX team is on hand to help at every stage.

For more information on the Qualys agent please see our guide to deploying the Qualys agent.


If you have any questions about the Cyber Essentials Plus process, please reach out to your account manager, or directly to our CX team through our Live Chat feature.


The Cyber Essentials questionnaire: are you prepared?

In 2015, a research team at Lancaster University concluded that 99% of cyber risks could be avoided through following a set of surprisingly simple security measures. These measures, or controls, make up the basis of the government’s standard for security certification, Cyber Essentials, which is what we help businesses achieve here at CyberSmart.

There's a lot you can do on your own to prepare for the Cyber Essentials assessment, or simply to improve your general cyber hygiene in line with its guidelines. We'll walk you through some of the processes you will need to have in place when you complete the Cyber Essentials self-assessment, before it is reviewed by an assessor.

Keep in mind that the Cyber Essentials questionnaire asks you to evaluate every device in your company (laptops, personal computers used for work, phones, the works) and whether it complies with the controls. If a device is used for work, it should be included.

Choose the most secure settings for your devices and software

☐ Know what ‘configuration’ means

☐ Find the settings of your device and try to turn off a function that you don’t need

☐ Find the settings of a piece of software you regularly use and try to turn off a function that you don’t need

☐ Read the NCSC guidance on passwords

☐ Make sure you’re still happy with your passwords

☐ Read up about two-factor authentication

Control who has access to your data and services

☐ Read up on accounts and permissions

☐ Understand the concept of ‘least privilege’

☐ Know who has administrative privileges to your data and on which machines

☐ Know what counts as an administrative task

☐ Set up a minimal user account on one of your devices

Protect yourself from viruses and other malware

☐ Know what malware is and how it can get onto your devices

☐ Identify three ways to protect against malware

☐ Read up about anti-virus applications

☐ Install an antivirus application on one of your devices and test for viruses

☐ Research secure places to buy apps, such as Google Play and Apple App Store

☐ Understand what a ‘sandbox’ is

Keep your devices and software up to date

☐ Know what ‘patching’ is

☐ Verify that the operating systems on all of your devices are set to ‘Automatic Update’

☐ Try to set a piece of software that you regularly use to ‘Automatic update’

☐ List all the software you have which is no longer supported

If you can follow this guidance now, you can pass certification quickly and with flying colours. If you struggle with any of these steps, CyberSmart has guided hundreds of SMEs of all sizes and experience levels through the same process, so feel free to get in touch. We offer a quick and simple step-by-step process so you can get Cyber Essentials certified today.