Cyber Essentials Scheme Patching Requirements

The UK government introduced the Cyber Essentials accreditation/certification in 2014 to protect the businesses being a victim of cyberattacks. Nearly 85% of the most common cyber attacks could be prevented by implementing the fundamental security controls described in the Cyber Essentials framework. The certification has two different levels. The Cyber Essentials and Cyber Essentials Plus. The cyber essentials level 1 is a self-assessment certification whereas Cyber Essentials plus is the more advanced and comprehensive. At the advanced level, an onsite assessment/audit including a vulnerability scan will be performed by the Cyber Essentials Certification body. Check out our blog onwhat exactly is involved in Cyber Essentials Plus audit?' to find out more about the audit. Under IASME, the new (and only) accreditation body and its Cyber Essentials process the applicant’s business has to achieve the Cyber Essentials level 1 before applying for Cyber Essentials Plus.

There are 5 different areas Cyber Essentials focuses on. They are

  • Firewalls
  • Secure configuration
  • User access controls
  • Patch Management
  • Malware management

Check out the article 'what is the process for Cyber Essentials Plus certification?' to understand more about the process. Having performed dozens of these certifications we know what the challenges are and how you can resolve them to avoid any surprises. Here is the checklist & requirements to help you achieve the Cyber Essentials Plus certification in the order of biggest challenge first.

Patch Management - The biggest challenge of all

How do you manage 3rd party software updates?

Likes of Java, Chrome, Adobe, vlc, AutoCAD, etc… More often we come across clients who think SCCM would be enough for the patch management but that's not the case. You will need to keep 3rd party applications up to date. Ideally, a centrally managed console. In most cases, these providers cover Microsoft updates too. Your Antivirus vendor may have a plugin to do this. Check with them. Especially in the current pandemic, a cloud-based central patch management console would do wonders.

Are all systems up-to-date?

    The critical updates have to be applied within 14 days of their release. When we perform the audit we do not expect any critical vulnerabilities on your network. If there are some, then it's not good news.

    Do you have unsupported operating systems on the network?

      Likes of Windows 7, Windows Server 2008 or older. If you do, it's a fail straight away unless you have an extended support agreement in place from Microsoft. If you are an IT manager or security manager or IT admin this can be a great opportunity to build a strong business case to upgrade your systems. Remember, outdated systems are a security vulnerability and security is a continuous investment just like fitness

      Is all the software used in the business properly licensed?

        All software in use needs to be properly licensed to be used in the business.

        Do you have mobile devices that are up to date?

          Yes. You heard that right. Company mobiles are under the scope and you are expected to keep them up to date operating system. If you have older devices that cannot update to the new OS then we have a problem. For example, if you have iPhone 5 in your environment then time for phone shopping.


          Secure configuration

          Did you change the default login details on network devices?

            Likes of firewalls, routers, printers, etc… You cannot leave the default credentials on your routers and firewalls. They would have to be updated to your own and kept secret.

            Have you uninstalled the unnecessary software?

              The truth is if you have the software you don't need you will need to maintain it. It's easier to remove the applications when you no longer need them. They can be a vulnerability.

              Have you disabled unnecessary user accounts on the company’s systems?

                You may have created local user accounts for a purpose or you may still have the user accounts that left the company active. Is that the case? Just like the unnecessary software you will need to remove them.

                Do you have a strong password policy and is it enforced?

                  The good old one. The password policy. What does your policy say? Minimum 8 characters? Ideally, you need to have a policy that is enforced and requiring users to have a strong password. If you don't encourage the users to change the password regularly then you can enable 2-factor authentication to compensate.

                  Get certified today

                  Step 1: Organisation Size

                  Step 2: Pick Cyber Essentials Package

                  • Cyber Essentials Basic - CEB001

                    £300 + VAT


                    2 Days for Remediation

                    1 Day Turnaround

                    £25k Cyber Insurance*

                    The package explained

                    *Insurance details are on IASME website

                  • Guided Cyber Essentials - CEB002

                    £500 + VAT

                    Everything in CEB001 plus


                    Online/Phone Support

                    *Insurance details are on IASME website

                  • Cyber Essentials Plus - CEP001

                    £1500 + VAT

                    Everything in CEB002 Plus

                    30 Day Remediation

                    Systems Audit (remote)

                    *Insurance details are on IASME website

                  • Guided CE Plus - CEP002

                    £2500 + VAT

                    Everything in CEP001 plus

                    Pre- systems Audit

                    Gap Analysis report


                    MOST POPULAR

                    *Insurance details are on IASME website


                  Did you close the opened ports when they are no longer necessary?

                  As part of the audit, we will run an external vulnerability assessment on your Public IPs. We will not be expecting to find any unusual ports left open on the firewall. It's a good practice to regularly check for the opened ports. Try an NMAP scan yourself to see what's left open.

                  Is the opening/closing ports process and authorization documented?

                  If you are going to open ports on the firewall then what's the process for change? If it's a small business I would assume IT Manager authorizes the change, execution opens then the documentation. In an enterprise, it might more be enhanced. As long as you have a documented process that's good.

                  Is admin access restricted to certain IP addresses only?

                  From time to time IT personnel need to access the firewall from outside the network. We usually enable this remote management feature but might not necessarily have restricted access to certain IP addresses. It is a good idea not to open for the world and restrict the remote access to certain source addresses.

                  Do you have a firewall enabled on end-user devices?

                  The soft firewall on the end-user device. This can be the windows firewall or the firewall provided by your Antivirus vendor.


                  Malware protection

                  Do you have anti-virus software installed on all the machines?

                  Antivirus software is to be installed on all systems, regular scanning to be enabled.

                  Is the Anti-virus software regularly updated?

                  Most antivirus software updates themselves every few minutes with the latest knowledge base and signatures. Is that the case with yours? If not, double-check.

                  Does the antivirus software scan automatically and regularly?

                  When you plug in a new device and open a file from it your antivirus should automatically kick off the scan of that device. Also, you must have regular scans enabled on your AV.

                  User access controls

                  Do you have a policy & process for joiners and leavers’ user accounts?

                  It just makes things easier with new joiners and leavers.

                  Do you have a policy for setting user permissions?

                  Who approves the permissions and who executes and how do you monitor the usage?

                  Do you have separate accounts for admin tasks? Is the process documented?

                  This is a critical one. We come across local admin accounts a lot. People using their local admin account for regular tasks. Happens more often in smaller businesses. You are not supposed to use an account with admin privileges for regular browsing. Use the admin account for only admin-related tasks.

                  Do you review the admin accounts regularly?

                  As explained in the above step what do you to monitor the usage of the local admin account? You will need to review them regularly and take the necessary action.

                  If you answered YES to most of the questions above then you are likely to get through the Cyber Essentials Plus certification on the first attempt as you will meet the certification requirements. It’s always a good idea to get a full vulnerability assessment done on the network to understand the overall gaps in the software patching. I hope this article has helped you. Please refer to ‘Everything you need to know about Cyber Essentials’ to know more about the Cyber Essentials certification and the process involved. Also, the National Cyber Security Centre has useful guidance laid out too. For more information on the Accreditation body and the certification bodies please check out ‘IASME’ website.

                  Related Articles


                  Back to start
                  aberdeen skyline graphic