Cyber Essentials Plus Audit
Here at CyberSmart, we understand that organisations would like a bit more information on how the Cyber Essentials Plus process works. So, to demystify the process, we’ve put together this guide.
The Cyber Essentials Plus audit aims to secure your business from known vulnerabilities, safeguarding your customers’ data. This not only helps ensure your business is working safely, but also builds trust with your customers and can help you win new business.
The first step in completing the Cyber Essentials Plus audit is to let our team know that you are ready to be sent the information for this assessment.
How To Schedule a Cyber Essentials Plus Audit
Once you have confirmed, you’re ready to begin your Cyber Essentials Plus journey. We’ll send you the Qualys agent to deploy to your devices. This agent will scan your machines for known vulnerabilities and compare them against the National Vulnerability Database. Any vulnerabilities found with a CVSSv3 score of 7 and higher (Critical/High) will need to be resolved.
The Assessment Process
On the day of the assessment, the following will take place:
- Internal vulnerability credentialed patch audit scan of all sample devices in scope using Qualys. (unless you have your own PCI DSS approved scanner)
- External vulnerability scan of externally facing IPs/services
- Observing how devices process emails with test attachments – access to user device required via screen sharing. The email address of the user of the in-scope device will be required not a generic generated one for the assessment
- Observing how devices handle downloads of file attachments from our test websites – access to user devices is required via screen sharing.
- Checking the installation and configuration of anti-virus software.
- iOS / mobile checks (If in scope)
- Perform Multi-Factor Authentication (MFA) test on all listed Cloud Services provided in Cyber Essentials self-assessment to ensure MFA is enabled on Admin and User accounts
- Confirm Account separation between Admin and User accounts
Consent Form and Certificate
During the assessment, our assessors will carry out the Cyber Essentials Plus audit which includes a scan of your external IP addresses. Please note, that the scan can only be completed if you have signed our consent form. This will be emailed to you during the process.
It’s vital the consent form is returned to us before the day of the audit in order to ensure that it can be completed without delay.
Once the audit has been successfully completed, our assessors will upload the results to IASME and issue your certificate.
Additional Resources
Your organisation is completely in charge of how quickly or slowly you want to take this process and our CX team is on hand to help at every stage.
For more information on the Qualys agent please see our guide to deploying the Qualys agent.
If you have any questions on the Cyber Essentials Plus process please reach out to your account manager, or directly to our CX team through our Live Chat feature.