Cyber Essentials Plus certification requirements 2023

Although Cyber Essentials certification has been around for a while it's becoming more prominent among the businesses recently. We have been getting increased amount of enquiries about the certification of late. There is lots of information available on the NCSC website, IASME website and internet in general and yet many organisations are not clear on what exactly is needed in order to achieve the certification. We made a checklist a few years ago which was very popular and we now updated the checklist for 2023. Please note there will be changes coming to Cyber Essentials scheme in April 2023 and we will be updating this blog accordingly.

So what's needed to pass the certification? Here is the checklist. You can also download the PDF version here. There are essentially 5 different security controls in the framework and if you tick all the boxes below you are pretty much ready to achieve the certification. Here they are

DOWNLOAD THE CYBER ESSENTIALS PLUS REQUIREMENTS 2023 PDF COPY

1. FIREWALLS

Default passwords are changed
Unnecessary ports are closed
Port opening process documented
IP allow list for Remote access or MFA enabled
Unauthenticated inbound traffic blocked
Removed unnecessary firewall rules
Protecting devices offsite/home-based workers
Document business case for any new services

2. SECURE CONFIGURATION

Changed the default login credentials
Removed the unnecessary software
Disabled the unused user accounts
Enforced strong password policy
Disabled the auto-run feature
Set-up device locking
Have protection against brute-force attack

GET CERTIFIED TODAY WITH FIXED COST

Step 1: Organisation Size

Select Company Size:

Step 2: Pick Cyber Essentials Package

Cyber Essentials Basic - CEB001
£300 + VAT
Self-Assessment
2 Days for Remediation
1 Day Turnaround
£25k Cyber Insurance*
The package explained
Buy Now
*Insurance details are on IASME website
Guided Cyber Essentials - CEB002
£500 + VAT
Everything in CEB001 plus
Pre-assessment
Online/Phone Support

Buy Now
*Insurance details are on IASME website
Cyber Essentials Plus - CEP001
£1500 + VAT
Everything in CEB002 Plus
30 Day Remediation
Systems Audit (remote)
Enquire Today
*Insurance details are on IASME website
Guided CE Plus - CEP002
£2500 + VAT
Everything in CEP001 plus
Pre- systems Audit
Gap Analysis report
-
MOST POPULAR
Enquire Today
*Insurance details are on IASME website

3. SECURITY UPDATE MANAGEMENT

Automatic updates enabled where possible
All operating systems are up to date
No outdated or unsupported software exist
Software properly licensed for business
Mobile device software is up to date
Internet browser and malware protection must be kept up to date

4. USER ACCESS CONTROLS

Have a policy for joiners and leavers
Have a policy for setting user permissions
Separate accounts for admin tasks
Review admin accounts regularly
Apply MFA to all cloud services that support MFA
Encourage users to use strong/unique passwords
Brute force protection for user accounts
Train your users to use strong passwords
All Cloud services MUST have MFA

5. MALWARE PROTECTION

An antivirus is installed on all hosts
Antivirus software is regularly updated
Prevent malware from running
Prevent connections to malicious web pages
Application allow listing is being used

Hope this information helps. Check out our other blogs on Cyber Essentials Plus process, lead times and FAQs. Do get in touch if you are looking to achieve the certification.