*The Cyber Essentials scheme will be updated on the 24th April 2023. We’ve written a new guide to Cyber Essentials Plus certification to reflect these changes*.
Cyber Essentials Plus certification is the highest accreditation offered by the government-backed Cyber Essentials Scheme which aims to help organisations implement the fundamental baseline cyber security controls.
While the basic Cyber Essentials is a self-assessed evaluation of an organisation’s basic controls (a questionnaire), Cyber Essentials Plus involves a hands-on evaluation of these controls by a qualified cyber security professional.
In January 2022, a significant update was issued to the scheme, resulting in both the basic Cyber Essentials and Cyber Essentials Plus undergoing a major overhaul. In this guide we’ll explore what Cyber Essentials Plus certification now involves, why you should get certified, and what you can do to prepare your organisation to pass first time around.
Key Cyber Essentials Plus Changes for 2022
Changes to Sampling Requirements: New requirements around device sampling may increase the number of devices that need to be assessed to achieve Cyber Essentials Plus certification. A sample needs to be taken for each type of operating system in scope, even if these devices make up a proportionally small number of the total device list.
Changes to Remediation Requirements: Previously, high and critical-risk vulnerabilities identified that relate to unpatched software during the authenticated device scans had to meet certain CVSS parameters to be classified as a failure. Under the updated guidance, all high and critical-risk vulnerabilities relating to unpatched software must be remediated regardless of the CVSS parameters. This may increase the amount of remediation required to obtain Cyber Essentials Plus certification.
Two Additional Device Checks: There are two additional checks for each workstation sampled during the Cyber Essentials Plus assessment. Assessors will now be checking for account separation (i.e. ensuring that device owners with administrator accounts have a standard user account) and for two-factor authentication on cloud services (e.g. for MS Office365 – to ensure that users can’t log into the service without completing an additional step for authentication).
What Does Cyber Essentials Plus Certification Involve?
The certification process starts with understanding the number of devices in scope, and what operating system type they are running. This information is used to calculate the number of devices that need to be sampled for the assessment. Other specifics will also be determined at this stage including the assessment dates and the public IP addresses in scope. When the assessment begins, the assessor will run through a number of tests:
External Network Vulnerability Scan
An external network vulnerability scan is undertaken on all internet-facing IP addresses that are in scope. This scan will highlight potential areas of weakness on your external network perimeter that could be exploited by malicious third parties, providing you with the opportunity to remediate these weaknesses to mitigate their exploitation in future. An evaluation will also be conducted on the internet-facing services identified to check that basic security controls have been implemented.
Authenticated Vulnerability Scan
An authenticated vulnerability scan will run on all devices sampled during the assessment and this will highlight security misconfigurations and vulnerabilities relating to unpatched software that could be exploited by malicious third parties. Any high or critical-risk vulnerabilities that relate to software patches released more 14 days prior to testing must be remediated.
Testing System Malware Protections
The assessor will inspect the primary malware protections on each sampled device. For workstations, this will often be the anti-virus software installed. The assessor will be looking for evidence that the anti-virus itself (the engine) has been updated in the last 30 days and that the malware signatures present have been updated within the last 24 hours.
Testing Email Client Defences Against Executables/Malware
The assessor will send to the email client of each sampled device a number of emails, each with a different file attached. The assessor will be looking to ensure that the malware files are blocked from being accessed and that the other executables cannot be executed without a prompt or the opportunity to evaluate the action being taken.
Testing Web Browser Defences Against Executables/Malware
For each browser installed on the sampled devices, the assessor will access a Cyber Essentials portal hosting a number of files (including test malware files). The assessor will be looking for evidence that the malware files are blocked on download or on access and that the non-malware executables present a prompt or an opportunity to click away before they can be accessed/executed.
Testing for Two-Factor Authentication (Cloud Services)
The assessor will be observing that each sampled device user can only access cloud services (such as MS Office365) after completing a two-factor authentication step. The user of the device may be asked to log into the cloud service to verify that two-factor authentication is being enforced.
Testing for Account Separation (Standard/Administrator Users)
The assessor will verify that the day-to-day user account for each sampled device does not have administrator privileges, since administrator accounts should only be used when necessary. Device owners who have access to an administrator account must also have a standard user account which they use for day-to-day activities such as accessing emails and browsing the web.
Why Become Cyber Essentials Plus Certified?
Customer Requirements: Cyber Essential Plus has become increasingly mandated in the supply chains of both public and private sector organisations and it demonstrates your commitment to good cyber security practices.
Cost Effective: Cyber Essentials Plus can be a cost-effective next step after achieving your basic Cyber Essentials certification and can verify you have the fundamental controls in place to protect your organisation against a range of common threats.
Clear Security Recommendations: You will receive recommendations and areas for improvement to help your organisation improve its overall security posture.
Certificate and Logo: Passing your Cyber Essentials Plus certification means that you will also earn the right to use the Cyber Essentials Plus logo which can be displayed on your website and social media to demonstrate that you take security seriously.
Preparing your Organisation to Pass Cyber Essentials Plus
Cyber Essentials Plus is designed to be accessible to organisation of all sizes and across all industries, and with a little preparation, you can be ready to get the most out of the certification and pass first time. Here are some of the key actions you can take to prepare for your Cyber Essentials Plus assessment:
Update your Devices and their Applications
Ensure that the operating system and software is up to date on all devices in scope for the assessment. Take some time a few days before your assessment is due to double check that all software has been fully patched to their latest versions and that there is no unsupported software. Updating regularly is important to ensure that critical security patches are applied to vulnerable software within 14 days of release (this will also help to ensure a pass for the vulnerability scans).
Double Check your Anti-Virus
Ensure that your anti-virus software is up to date and that the signatures are configured to update at least every 24 hours so that the latest malware identifiers are present. You should also check that your anti-virus software is scanning files on access and ideally (although not a requirement) scanning files on download from the internet as well.
Double Check Your Externally Accessible Services
Ensure that you have disabled any internet-facing services that are no longer required and that any internet-facing services that host confidential/private data require authentication, have the default password changed, and either have two-factor authentication in place or brute-force attack mitigations. These mitigations can include throttling the number of authentication attempts allowed over a given time period or ensuring that a lockout is enforced for user accounts after no more than 10 attempts.
Enforce Two-Factor Authentication (2FA) for Cloud Service Accounts
Ensure that two-factor authentication is enforced for cloud service administrator accounts and standard user accounts (if you have stated that standard users have 2FA enabled in the Cyber Essentials questionnaire). The use of two-factor authentication for standard users will only become mandatory under the updated scheme from January 2023.
Enforce Separation for Standard and Administrator User Accounts
Ensure that all users that have access to an administrator account are not using this account as their main user account. Users with access to an administrator account should have a standard user account which is used for non-administrative activities, only using the administrative privileges when necessary. Please also ensure that accounts are not shared between multiple users.
Predatech is a CREST-accredited organisation and IASME Cyber Essentials Plus Certification body. If you are interested in achieving or renewing your Cyber Essentials Plus certification, please contact us today for a free consultation.