Published by: Cyber Essentials Scheme

What You Need to Know About the Cyber Essentials Plus Certification Process

All organisations with Cyber Essentials SHOULD be able to achieve Cyber Essentials Plus. Many organisations are unaware of this and so opt for the basic Cyber Essentials certification. Unfortunately, this means that they miss out on a lot of the benefits that Cyber Essentials Plus offers.

What is the Cyber Essentials Scheme:

The Cyber Essentials scheme is a UK government-backed initiative designed to help organisations of all sizes protect themselves against a wide range of cyber security threats. The scheme provides a clear and thorough framework to enhance your cyber security posture, significantly reducing the risk of falling victim to the most common types of cyber attack. Achieving Cyber Essentials certification not only helps safeguard sensitive data but also demonstrates a commitment to cyber security best practice, which can be a valuable asset in building trust with customers and partners.

There are a number of drivers for this. With increased industry and compliance regulations coming into force across many sectors, Cyber Essentials has become the benchmark to align to for the fundamentals of cyber security. Many organisations require certification as a business enabler, either to meet customer demands or to become eligible to quote for contracts and submit tenders. Certification is also fast becoming a prerequisite for many insurers when underwriting cyber insurance.

The differences between Cyber Essentials and Cyber Essentials Plus:

Cyber Essentials is a self-assessment questionnaire that, if desired, can be completed without the help of external cyber security experts like Data Connect. The answers are then marked by a Certification Body. Many organisations still opt to work with a third party for help throughout the process and to get the full value out of it.

Cyber Essentials Plus is the next step, where the organisation’s self-assessment questionnaire is taken and verified with a technical audit. It is intended to give stakeholders within an organisation, including its customers, some assurance around cyber risk and control implementation. That assurance comes from the fact that an independent assessor has seen evidence of, and reviewed, the specified technical security controls.

So why would you opt for Cyber Essentials Plus?

  • Peace of Mind: The comprehensive nature of Cyber Essentials Plus provides peace of mind and assurance. As an organisation, you know the cyber security measures have been correctly implemented across the whole scope, are independently verified and are robust enough to protect against common cyber attacks.
  • Increased Trust and Credibility: Cyber Essentials can often be seen as ‘marking your own homework’. Achieving Cyber Essentials Plus certification demonstrates a commitment to cyber security, enhancing trust and credibility with clients, partners and other stakeholders who value robust security practices.
  • Increased Competitive Advantage: Achieving Cyber Essentials Plus can give you a competitive edge by demonstrating your commitment to security and to protecting your valuable data.
  • Compliance with Specific Requirements: Depending on the tender or partnership, some organisations require partners to meet Cyber Essentials Plus rather than Cyber Essentials, opening you up to more opportunities.

Learn more about the impact of Cyber Essentials since its launch.

Important Factors to Remember:

  • Not all Certification Bodies are approved both to assess the Cyber Essentials questionnaire and to undertake the Cyber Essentials Plus audit. It’s important to take this into account in the decision-making process.
  • You will need to achieve Cyber Essentials first. There is then a 3 month window for organisations to achieve Cyber Essentials Plus.
  • A sample set of devices must be tested on the audit day. This includes the main user of each sampled device joining for the testing, so make sure the relevant staff can be available.
  • If you fail on your audit day, you will have 30 days to remediate the issue. However, this must still fall within the 3 month period after passing Cyber Essentials. If there are numerous failures, it may be deemed that the organisation is not able to meet the requirements at that time, and the assessment will be completed and marked as failed.

Testing Procedures completed by a Certification Body

Included in the sample set of devices are servers, end user devices (such as laptops, desktops and mobile devices) and cloud infrastructure (e.g. SaaS-based applications and cloud-hosted infrastructure). Assessors have a minimum number of devices they must test, based on the total quantities of devices specified within the scope on the Cyber Essentials self-assessment questionnaire.

The following tests are two examples of the technical checks that are completed by a Cyber Essentials Plus assessor. Whilst it is mostly used by Certification Bodies, the Cyber Essentials Plus Illustrative Test Specification can also be insightful if you’re going through the certification process.

Example one: An internal vulnerability assessment of the sample devices must be carried out with an approved scanning tool such as Nessus or Qualys. If an organisation has its own internal scanning tool and it is also on the approved list of tools for Cyber Essentials, the assessor may use it to run the tests. Otherwise, the assessor will need to run their own tools to perform the scans.

The specific areas we see organisations struggle with are updates for Microsoft Office applications, Java, browsers and Zoom. Java and Zoom are examples of software that typically can’t be patched automatically. Depending on the number of devices you have, this can be a tedious and long task. Vulnerability management is the number one area where we see organisations struggle when it comes to Cyber Essentials. We designed the vSOC Recon service to give you full visibility of your vulnerabilities and step-by-step remediation.

For the majority of web browsers, vulnerabilities are found on a weekly basis, resulting in frequent updates being released. Whilst they can usually be updated automatically, the update typically does not take effect until the next time the device owner uses the browser.

The scope for this testing includes mobiles, servers, laptops, desktops and thin clients (including IaaS).
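Before the assessor arrives it is worth triaging your own scan output against the patching window the scheme expects. The script below is an added example written for this post, not part of the original article and not a Data Connect tool: it parses the `.nessus` v2 export layout (`ReportHost` / `ReportItem` elements with a `patch_publication_date` child), keeps only high and critical findings, and lists those whose vendor fix has been available for longer than the 14-day window that Cyber Essentials sets for high and critical updates. The scan data, host names and plugin IDs are constructed for the example; the scan date is an assumed constant.

```python
"""Pre-audit triage of a Nessus export against the Cyber Essentials patch window.

Added example (not the article's or any vendor's code). Assumes the .nessus v2
XML layout and that the export was produced on SCAN_DATE.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date, datetime

# Cyber Essentials expects high/critical security updates applied within 14 days of release.
PATCH_WINDOW_DAYS = 14
# Nessus severity scale: 0 info, 1 low, 2 medium, 3 high, 4 critical.
MIN_SEVERITY = 3
# Assumed date the sample scan was run (used to age each finding).
SCAN_DATE = date(2024, 2, 10)

# Constructed sample export, not real scanner output: two hosts, four findings.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="ce-plus-sample">
    <ReportHost name="LAPTOP-01">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="4"
                  pluginID="100001" pluginName="Java Runtime Out of Date (constructed)">
        <patch_publication_date>2024/01/16</patch_publication_date>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
                  pluginID="100002" pluginName="Zoom Client Out of Date (constructed)">
        <patch_publication_date>2024/02/05</patch_publication_date>
      </ReportItem>
    </ReportHost>
    <ReportHost name="SRV-01">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="2"
                  pluginID="100004" pluginName="Medium Issue (constructed)">
        <patch_publication_date>2023/11/01</patch_publication_date>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="100005" pluginName="High Issue, No Vendor Date (constructed)"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


@dataclass
class Finding:
    host: str
    plugin_id: str
    name: str
    severity: int
    patch_released: date | None
    days_outstanding: int | None


def parse_nessus(xml_text: str, scan_date: date = SCAN_DATE) -> list[Finding]:
    """Flatten every ReportItem into a Finding, ageing it against the scan date."""
    root = ET.fromstring(xml_text)
    findings: list[Finding] = []
    for host in root.iter("ReportHost"):
        hostname = host.get("name", "unknown-host")
        for item in host.iter("ReportItem"):
            released: date | None = None
            days: int | None = None
            ppd = item.findtext("patch_publication_date")
            if ppd:
                # Nessus writes this field as YYYY/MM/DD.
                released = datetime.strptime(ppd.strip(), "%Y/%m/%d").date()
                days = (scan_date - released).days
            findings.append(Finding(
                host=hostname,
                plugin_id=item.get("pluginID", ""),
                name=item.get("pluginName", ""),
                severity=int(item.get("severity", "0")),
                patch_released=released,
                days_outstanding=days,
            ))
    return findings


def audit_failures(findings: list[Finding], window_days: int = PATCH_WINDOW_DAYS,
                   min_severity: int = MIN_SEVERITY) -> list[Finding]:
    """High/critical findings whose fix has been out longer than the window.

    A high/critical finding with no patch date is kept as well: the assessor
    will still see it, so it needs either a fix or a documented reason.
    """
    return [
        f for f in findings
        if f.severity >= min_severity
        and (f.days_outstanding is None or f.days_outstanding > window_days)
    ]


if __name__ == "__main__":
    for f in audit_failures(parse_nessus(SAMPLE_NESSUS)):
        age = "no vendor date" if f.days_outstanding is None else f"{f.days_outstanding} days"
        print(f"{f.host}: [{f.plugin_id}] {f.name} (severity {f.severity}, patch available {age})")
```

On the constructed data the Zoom finding is high severity but only five days old, so it is inside the window and not listed; the Java finding (25 days) and the undated high on SRV-01 are what you would expect the assessor to raise. Point the parser at a real export with `parse_nessus(open("scan.nessus").read(), date.today())`.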

Example two: The next test is to confirm that Multi-factor Authentication (MFA) is enabled for the cloud services that are defined in your Cyber Essentials questionnaire.

A test will be carried out for both administrative access and standard user access to confirm MFA is in place. The easiest way for us to do this is through an incognito browser window, which will not use any stored authentication cookies, so a fresh login is performed. Once an MFA prompt is seen, the test is passed.

This must be done on each and every cloud application listed. It can often take some logistical planning to ensure you have someone available with access to all listed cloud services; this remains the responsibility of the applicant. You may use native MFA built into an application, or you may use single sign-on through another identity management solution to provide MFA, such as Okta or, more commonly, Microsoft Entra ID.

SCOPE: Cloud SaaS
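The assessor’s incognito login is the authoritative test, but you can find out in advance which accounts would fail it. The script below is an added example for this post, not the article’s own or Microsoft’s code: it reads the JSON shape returned by the Microsoft Graph authentication methods `userRegistrationDetails` report (fields `userPrincipalName`, `isAdmin`, `isMfaRegistered`, `isMfaCapable`, `methodsRegistered`) and lists every user who could not satisfy an MFA prompt, admin accounts first, since administrative and standard access are tested separately. It assumes you have already exported that report to JSON; the users and tenant data are constructed. Note that being MFA-capable is a precondition, not proof of enforcement: the sign-in policy (for example a Conditional Access rule) still has to require the prompt.

```python
"""Pre-audit MFA readiness check from an Entra ID registration report export.

Added example (not the article's or Microsoft's code). Assumes the JSON
export follows the Graph userRegistrationDetails schema.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample export (only the fields this check uses); not real tenant data.
SAMPLE_REPORT = json.dumps({"value": [
    {"userPrincipalName": "alice@example.com", "isAdmin": True,
     "isMfaRegistered": True, "isMfaCapable": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
    {"userPrincipalName": "bob@example.com", "isAdmin": False,
     "isMfaRegistered": False, "isMfaCapable": False, "methodsRegistered": []},
    {"userPrincipalName": "carol@example.com", "isAdmin": True,
     "isMfaRegistered": False, "isMfaCapable": False, "methodsRegistered": ["email"]},
    {"userPrincipalName": "dave@example.com", "isAdmin": False,
     "isMfaRegistered": True, "isMfaCapable": False, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "erin@example.com", "isAdmin": False,
     "isMfaRegistered": True, "isMfaCapable": True, "methodsRegistered": ["mobilePhone"]},
]})


@dataclass
class Gap:
    upn: str
    is_admin: bool
    reason: str


def load_users(report_json: str) -> list[dict]:
    """Return the 'value' array of a Graph collection response."""
    return json.loads(report_json).get("value", [])


def explain(user: dict) -> str:
    """Say why a user cannot answer an MFA challenge, using the report's own flags."""
    methods = user.get("methodsRegistered", [])
    if not methods:
        return "no authentication methods registered"
    if not user.get("isMfaRegistered", False):
        # e.g. only email or security questions, which serve password reset, not MFA
        return "only non-MFA methods registered: " + ", ".join(methods)
    return ("MFA method registered but not usable under the tenant's "
            "authentication methods policy: " + ", ".join(methods))


def mfa_gaps(users: list[dict]) -> list[Gap]:
    """Users who would fail a fresh login test, admins first, then by UPN."""
    gaps = [
        Gap(u["userPrincipalName"], bool(u.get("isAdmin", False)), explain(u))
        for u in users
        if not u.get("isMfaCapable", False)
    ]
    return sorted(gaps, key=lambda g: (not g.is_admin, g.upn))


def summary(users: list[dict]) -> dict:
    """Headline counts for the readiness conversation before audit day."""
    return {
        "users": len(users),
        "mfa_capable": sum(1 for u in users if u.get("isMfaCapable", False)),
        "admins_without_mfa": sum(
            1 for u in users if u.get("isAdmin", False) and not u.get("isMfaCapable", False)
        ),
    }


if __name__ == "__main__":
    users = load_users(SAMPLE_REPORT)
    print(summary(users))
    for g in mfa_gaps(users):
        tag = "ADMIN" if g.is_admin else "user"
        print(f"{tag:5} {g.upn}: {g.reason}")
```

Run against a real export by replacing `SAMPLE_REPORT` with the file contents. Anyone listed as an admin gap is the priority, because that is exactly the administrative-access login the assessor will attempt first.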

Without experience of going through the certification process, it is understandable why organisations feel apprehensive about Cyber Essentials Plus. We hope this blog helps you understand more about the process, demystifies the requirements, and builds confidence in your ability to achieve the certification. As a Certification Body for both levels of the standard, a Cyber Essentials Cyber Advisor and an NCSC-certified Assured Service Advisor, our mission is to educate about the benefits of the standard and help bolster cyber security defences.

To find out more about the process, we put together a 30 minute webinar called “Cyber Essentials Plus: Your Extensive Guide to Readiness and Success”, which goes into more depth about the process and the technical audit testing.

*UPCOMING CHANGES TO THE CYBER ESSENTIALS SCHEME*

Coming into effect in April 2025 is a new question set that will replace the current Montpellier version. One of our Cyber Essentials assessors has created a 10 minute video talking you through all the changes you can expect. You can watch this video and download the new self-assessment questionnaire here.
