
What is Cyber Essentials Plus?

Katie Taylor



Cyber Essentials Plus

Cyber Essentials Plus is an audited version of the Cyber Essentials assessment, a government-backed framework that demonstrates your business's commitment to getting cyber security right. Before the audit takes place, businesses need to understand which parts of their network are in and out of scope for Cyber Security. The technical audit then verifies that the Cyber Essentials controls are in place and ensures that all business locations meet the minimum criteria for each control section and have adequate defences against the threats in scope.

Cyber Essentials Plus goes one step further and verifies that the five key controls for Cyber Essentials are in place and working. The Cyber Essentials Plus audit is carried out by undertaking several tests on a customer’s site.

The first test audits the first key control, Boundary Firewalls:

Remote vulnerability assessment.

The purpose of this test is to assess whether an Internet-based opportunist attacker can hack into the applicant’s system with typical low-skill methods. The auditor will mainly look for open ports on the firewall and assess the security of the services using those ports.

The second test covers the requirement for Patch Management (Key control #5):

Check patching via an authenticated vulnerability scan.

This test identifies any missing patches and security updates that leave vulnerabilities and threats within the scope of the scheme which could potentially be easily exploited. Both operating system updates and software updates are tested.

The last three tests focus on Malware Protection (Key control #4) for End User devices (EUDs):

Check malware protection on End User Devices.

This checks that all the EUDs in scope benefit from at least a basic level of malware protection.

Check the effectiveness of EUD defences against malware delivered by email.

This test determines whether EUDs are protected against malware that is delivered via email attachments. To facilitate this, a selection of safe files that should be detected as malware is sent to the applicant’s email system.

Check EUD defences against malware delivered through a website.

This tests whether EUDs have protection from malware delivered through a website. Similar to the test above, an attempt is made to download from the internet a selection of files relevant to your particular operating system.

Testing Criteria

Each test has its own criteria for passing. However, if the Cyber Essentials controls have been implemented successfully, there should be no trouble passing the audit tests for Cyber Essentials Plus.

If you want to get started on your Cyber Essentials Plus journey, or just find out more, speak to one of our security experts today.

