We were asked this question a few times now:

What's the process for Cyber Essentials Plus?

What's involved and what are the usual challenges in achieving the Cyber Essentials Plus certification?

If you have the same question please read on.

If you are reading this you probably already know what the Cyber Essentials scheme is. If not please read our blog Everything you need to know about Cyber Essentials Scheme. There are two levels of certification in the scheme and today we are focusing on the advanced level which is Cyber Essentials Plus. The process is as follows

• Customer engages the Certification Body (TechForce).
• TechForce issues the paperwork (authorization forms, cyber essentials questionnaire, etc...).
• The customer returns the completed paperwork.
• TechForce assessor will assess the completed questionnaire within 24 hours.
• If it's a pass the assessor will go ahead and schedule the systems audit/assessment for Cyber Essentials Plus (CE Plus).
• If it's a fail then the customer has 2 days to fix issues and resubmit.
• The systems audit involves internal & external vulnerability scans, email tests, web browser tests and malware tests. You can read more about the audit in our blog What exactly is involved in the Cyber Essentials Plus audit?
• If the audit is pass then the customer will receive the CE plus certification.
• If the audit is a fail then the customer has 30 days to fix the issues and resubmit the application. You might need to pay for another assessment.
• If it fails again then the process needs to be started again from the beginning. It's probably a good idea to consider our Guided Cyber Essentials Plus package to save time and money. As part of the package, we will perform a mock assessment and highlight any gaps that need to be fixed prior to the final assessment.
  
  

That is the usual process. You can find more info on our Cyber Essentials and FAQ blog post. However, the challenges we see are listed below.

• The biggest challenge we come across often is 3rd part patching. Companies usually have something in place for Windows patching but often struggle with the 3rd party patching. The likes of Java, Adobe, Chrome, VLC, and other applications they use in business.
• In small businesses, sometimes we use the issue of local admin rights. The users have been using an account with the local admin permissions for their everyday usage. This is a big no. You will need to use admin accounts for administrative purposes only.
• Out of support Operating systems would be another challenge we come across often. If you think you have them on your network you either need to purchase extended support from the vendor or isolate these systems from directly accessing the internet. You can read more about patch management on our blog post Cyber Essentials Scheme Patching Requirements.
  
  

DOWNLOAD CYBER ESSENTIALS QUESTIONNAIRE FOR FREE