What Exactly is Involved in Cyber Essentials Plus Audit?
We often hear from clients, “we are not sure if we are ready for the Cyber Essentials Plus (CE plus)”. In most cases, it turns out that the client doesn’t know exactly what is involved in a Cyber Essentials Plus audit. What is Cyber Essentials Plus? What is involved in the audit?
CE plus is the advanced variation of the Cyber Essentials certification. In this certification process, an assessor from the IASME Cyber Certification Body will conduct an on-site (now remote due to the pandemic) audit of the systems. What does the audit involve?
First things first. Cyber Essentials Plus requires the company to pass Cyber Essentials first, and then apply for the Plus so that the audit can take place. The audit involves verifying the details given in the self-assessment questionnaire. Here is the Cyber Essentials Plus audit process:
- Internal vulnerability assessment
- External vulnerability assessment
- User Access Controls test
- Browser download test
- Email test
Internal Vulnerability Assessment
At this stage we perform a vulnerability assessment on selected devices, ideally a portion of all your devices. For example, if you have 100 devices we will check 15 devices. We expect to find no critical vulnerabilities on the network in order for you to pass the certification. If there is even 1 critical vulnerability then you will not be able to pass the certification unless it’s a false positive. Critical vulnerabilities have patches available for them, and you will need to apply the patches within 14 days of their release date. Vulnerabilities are categorised by their CVSS score. The categories are Critical, High, Medium and Low.
We will also be looking for any unsupported software in your environment. You will only pass the certification if there is no unsupported software. For example, if you have the Windows 7 operating system on your network, you will only pass if there is a Microsoft extended support agreement in place.
It is worth noting that you will need to keep the ‘High’ category vulnerabilities as low as possible.
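A pre-audit check modelled on the pass criteria described above, as an added example that is not the assessor's tooling or part of the original post. The record fields, host names and finding ids are constructed for illustration; the severity bands are the CVSS v3.x qualitative ratings.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # the post's deadline for applying a released patch

def cvss_band(score):
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return name
    return "None"

def pre_audit(findings, software, today):
    """Return (passed, blockers, high_count) using the criteria in the text."""
    blockers, high_count = [], 0
    for f in findings:
        if f["false_positive"]:
            continue  # confirmed false positives do not count against you
        severity = cvss_band(f["cvss"])
        if severity == "Critical":  # any confirmed critical blocks the pass
            days = (today - f["patch_released"]).days
            late = "overdue" if days > PATCH_WINDOW_DAYS else "inside window"
            blockers.append((f["host"], f["id"], f"patch out {days} days, {late}"))
        elif severity == "High":
            high_count += 1  # not an automatic fail, but keep this number low
    for s in software:
        if not s["vendor_supported"] and not s["extended_support"]:
            blockers.append((s["host"], s["name"], "unsupported software"))
    return (not blockers, blockers, high_count)

# Constructed sample data: hosts, finding ids and dates are invented.
FINDINGS = [
    {"host": "pc-01", "id": "FINDING-A", "cvss": 9.8, "patch_released": date(2023, 1, 10), "false_positive": False},
    {"host": "pc-02", "id": "FINDING-B", "cvss": 9.1, "patch_released": date(2023, 2, 1), "false_positive": True},
    {"host": "pc-02", "id": "FINDING-C", "cvss": 7.5, "patch_released": date(2023, 2, 20), "false_positive": False},
    {"host": "pc-03", "id": "FINDING-D", "cvss": 5.3, "patch_released": date(2023, 2, 20), "false_positive": False},
]
SOFTWARE = [
    {"host": "pc-03", "name": "Windows 7", "vendor_supported": False, "extended_support": False},
    {"host": "pc-04", "name": "Windows 7", "vendor_supported": False, "extended_support": True},
]

if __name__ == "__main__":
    passed, blockers, high_count = pre_audit(FINDINGS, SOFTWARE, date(2023, 3, 7))
    print("PASS" if passed else "FAIL", f"({high_count} High findings outstanding)")
    for host, item, reason in blockers:
        print(f"  {host}: {item}: {reason}")
```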
External Vulnerability Assessment
Essentially this step involves scanning your public IP addresses for any vulnerabilities, usually unusual ports that have been left open. That’s pretty much it.
User access controls test
At this stage, we are checking to see if the user access controls are configured correctly. We will try to execute a test file and see whether the PC prompts for admin credentials.
Browser download test
Your browser should block any malicious downloads. That’s exactly what we are trying to test at this stage. We download various sample malware files and observe how the browser behaves. Ideally, it should block them all.
Email test
Essentially we are testing your email scanners in this stage. We will send a bunch of emails with malicious attachments and note how many of them get through your email security measures. Ideally, none.
That’s it. That’s exactly what is involved in a Cyber Essentials Plus audit. If you are not sure what controls will be audited, please check out our ‘Cyber Essentials Checklist’ blog post. Also, if you would like to do a pre-audit and gap analysis on your network, get in touch with us. We can organise the pre-audit and produce a gap analysis report. If there are no issues then you can submit your application for the certification.
Hope that helps. If you need any further assistance or if you are looking to get your certification done then please get in touch. We are on 01224 516181. Cheers