Cyber Essentials Plus Checklist
The UK government introduced the Cyber Essentials accreditation/certification in 2014 to protect the businesses being a victim of cyber attacks. Nearly 85% of the most common cyber attacks could be prevented by implementing the fundamental security controls described in Cyber Essentials framework. The certification has two different levels. The Cyber Essentials and Cyber Essentials Plus. The cyber essentials level 1 is a self-assessment certification where as Cyber Essentials plus is the more advanced and comprehensive. At the advanced level, an onsite assessment/audit including a vulnerability scan will be performed by the Cyber Essentials Certification body. Check out our blog on 'what exactly is involved in Cyber Essentials Plus audit?' to find out more about the audit. Under IASME, the new (and only) accreditation body and it’s Cyber Essentials process the applicant’s business has to achieve the Cyber Essentials level 1 before applying for Cyber Essentials Plus.
There are 5 different areas Cyber Essentials focuses on. They are
- Secure configuration
- User access controls
- Patch Management
- Malware management
Check out the article 'what is the process for Cyber Essentials Plus certification?' to understand more about the process. Having performed dozens of these certifications we know what the challenges are and how you can resolve them to avoid any surprises. Here is the Cyber Essentials Plus checklist to help you achieve the certification in the order of biggest challenge first.
Patch Management - The biggest challenge of all
How do you manage 3rd party software updates?
Likes of Java, Chrome, Adobe, vlc, AutoCAD, etc… More often we come across clients think SCCM would be enough for the patch management but that's not the case. You will need to keep 3rd party applications up to date. Ideally, a centrally managed console. In most cases these providers cover Microsoft updates too. Your Antivirus vendor may have a plugin to do this. Check with them. Especially in the current pandemic a cloud-based central patch management console would do wonders.
Are all systems up-to-date?
The critical updates have to be applied within 14 days of their release. When we perform the audit we do not expect any critical vulnerabilities on your network. If there are some, then it's not a good news.
Do you have unsupported operating Systems on the network?
Likes of Windows 7, Windows server 2008 or older. If you do, it's a fail straight away unless you have an extended support agreement in place from Microsoft. If you are an IT manager or security manager or IT admin this can be a great opportunity to build a strong business case to upgrade your systems. Remember, outdated systems are a security vulnerability and security is continuous investment just like fitness
Is all the software used in the business properly licenced?
All software in use need to be properly licenced to be used in the business.
Do you have mobile devices that are up to date?
Yes. You heard that right. Company mobiles are under the scope and you are expected to keep them up to date operating system. If you have older devices that cannot update to new OS then we have a problem. For example if you have iPhone 5 in your environment then time for phone shopping.
Did you change the default login details on network devices?
Likes of firewalls, routers, printers, etc… You cannot leave the default credentials on your routers and firewalls. They would have to be updated to your own and kept secret.
Have you uninstalled the unnecessary software?
The truth is if you have the software you don't need you will need to maintain it. It's easier to remove the applications when you no longer need them. They can be a vulnerability.
Have you disabled unnecessary user accounts on the company’s systems?
You may have created local user accounts for a purpose or you may still have the user accounts that left the company active. Is that the case? Just like the unnecessary software you will need to remove them.
Do you have a strong password policy and is it enforced?
The good old one. The password policy. What does your policy say? Minimum 8 characters? Ideally you need to have a policy that is enforced and requiring users to have a strong password. If you don't encourage the users to change the password regularly then you can enable 2-factor authentication to compensate.
Step 1: Organisation Size
Step 2: Pick Cyber Essentials Package
Cyber Essentials Basic - CEB001
£300 + VAT
2 Days for Remediation
1 Day Turnaround
Guided Cyber Essentials - CEB002
£500 + VAT
Everything in CEB001 plus
Cyber Essentials Plus - CEP001
£1500 + VAT
Everything in CEB002 Plus
30 Day Remediation
Systems Audit (remote)
Guided CE Plus - CEP002
£2500 + VAT
Everything in CEP001 plus
Pre- systems Audit
Gap Analysis report
Did you close the opened ports when they are no longer necessary?
As part of the audit we will running an external vulnerability assessment on your Public IPs. We will not be expecting to find any unusual ports left opened on the firewall. It's a good practice to regularly check for the opened ports. Try an NMAP scan yourself to see what's left open.
Is opening/closing ports process and authorisation documented?
If you are going to open ports on the firewall then what's the process for change? If it's a small business I would assume IT Manager authorises the change, execution opens then the documentation. In an enterprise it might more enhanced. As long as you have a documented process that's good.
Is admin access restricted to certain IP addresses only?
From time to time IT personnel need to access the firewall from outside the network. We usually enable this remote management feature but might not necessarily have restricted the access to certain IP addresses. It is a good idea not to open for the world and restrict the remote access to certain source addresses.
Do you have a firewall enabled on end user devices?
Soft firewall on the end user device. This can be the windows firewall or the firewall provided with your Antivirus vendor.
Do you have an anti-virus software installed on all the machines?
Antivirus software is to be installed on all systems, regular scanning to be enabled.
Is the Anti-virus software regularly updated?
Most antivirus software update themselves every few minutes with the latest knowledge base and signatures. Is that the case with yours? If not, double check.
Does the antivirus software scans automatically and regularly?
When you plugin a new device and open a file from it your antivirus should automatically kick off the scan of that device. Also, you must have regular scans enabled on your AV.
User access controls
Do you have a policy & process for joiners and leavers’ user accounts?
It just makes things easier with new joiners and leavers.
Do you have a policy for setting user permissions?
Who approves the permissions and who executes and how do you monitor the usage?
Do you have separate accounts for admin tasks? Is the process documented?
This is a critical one. We come across local admin accounts a lot. People using their local admin account for regular tasks. Happens more often in smaller businesses. You are not supposed to use an account with admin privileges for regular browsing. Use the admin account for only admin related tasks.
Do you review the admin accounts regularly?
As explained in the above step what do you to monitor the usage of the local admin account? You will need to review them regularly and take necessary action.
If you answered YES to most of the questions in the Cyber Essentials Plus Checklist then you are likely to get through the Cyber Essentials Plus certification on the first attempt as you will meet the certification requirements. It’s always a good idea to get a full vulnerability assessment done on the network to understand the overall gaps in the software patching. I hope this article has helped you. Please refer to ‘Everything you need to know about Cyber Essentials’ to know more about the Cyber Essentials certification and the process involved. Also, the National Cyber Security Centre has useful guidance laid out too. For more information on the Accreditation body and the certification bodies please check out ‘IASME’ website.
If you are unsure whether you are ready for the cyber essentials plus certification we have a package for you. It’s called ‘Cyber Essentials Plus Extra’ where we will perform a per-assessment, gap analysis and advise you of the gaps so that you can resolve them before submitting the application. It saves time, stress and money. Get in touch.
TechForce Cyber Talks Cyber Security to the Portlethen Academy Students
TechForce's Arbrar visits Portlethen Academy to educate the students on Cyber Security wellness and provide hints and tips for ensuring they are cyber safe.More
5 Reasons to get Cyber Essentials and Plus for your Business
There have been a few changes made to the framework in the year 2022 and 2023. The changes in 2022 were major and 2023 were not so much.More
What Exactly Happens During the Cyber Essentials Plus Technical Audit?
This is one of the most frequently asked questions, what exactly happens during the Cyber Essentials Plus audit or sometimes we get asked ‘what is the exact process for Cyber Essentials Plus...More
Cyber Essentials for Remote Businesses
Cyber essentials refer to the fundamental technical controls and practices that businesses need to have in place to protect their digital systems and data from cyber threats.More
FOR LATEST UPDATES SUBSCRIBE HERE: