How to pass Cyber Essentials PLUS first time

As anyone who’s ever run a race will know, it’s all about the preparation. As the saying goes, ‘if you fail to plan – you plan to fail’. The Government’s Cyber Essentials (CE) scheme is no different, especially at the Cyber Essentials PLUS (CE+) level where more work is involved.

Ascentor is an accredited certification body for CE, licensed by the IASME Consortium. In every case where clients have followed our advice at CE+ level, they’ve passed first time. So, we thought we’d share some of our preparation tips and give an insight into our process.

This article is written for anyone who is considering CE+ for their organisation. You might be the CISO, the Head of IT, Security or Risk. In a smaller organisation, you might be the person tasked with cyber or information security.

Why go for Cyber Essentials PLUS?

The CE scheme helps you to identify and guard against the most common cyber threats and demonstrate your commitment to cyber security. It’s also mandatory for businesses supplying products and services to Government.

There are two levels of certification, CE and CE+. Obtaining CE is a prerequisite for obtaining the higher-level CE+. Please download our Guide to Cyber Essentials for full details of each.

CE is an independently verified self-assessment. Organisations assess themselves against five basic security controls and a qualified assessor verifies the information provided. These controls cover firewalls, secure configuration, access controls, malware and patch management.

CE+ is a higher level of assurance. A qualified and independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking and phishing attacks. It involves a technical audit of the systems that are in scope for CE, checking that the CE controls have been applied as stated in the self-assessment.

Obtaining CE+ is good for your organisation but it’s also very reassuring for your customers and demonstrates a higher level of commitment to security that’s likely to increase their confidence.

The scope of Cyber Essentials PLUS assessment

There are a number of tests in CE+ over and above the basic CE assessment. It’s a step up in complexity and effort where failure in any one area will result in an overall fail.

To achieve CE+, a certification body conducts a range of external and internal technical tests at your site to validate your approach to the additional elements. If the tests are successful, the certification body awards the CE+ certificate. IASME stipulate that CE+ should be completed within 3 months of obtaining CE.

The additional tests for CE+ are:

  • Authenticated vulnerability scanning of representative user endpoints, including internet-facing servers
  • Vulnerability scanning of external internet-facing infrastructure
  • Password guessing of exposed authentication services
  • Email attachment tests
  • Browser download checks
  • Review of mobile devices

Tests for CE+ include a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. It is recommended that other devices such as additional servers and network hardware are also scanned to provide a complete assessment of the infrastructure.

Cloud services are considered out of scope where they are provided as Software as a Service (SaaS), such as Office 365. Where cloud services are used as Infrastructure as a Service (IaaS) and the customer is responsible for patching and for other tasks such as installing software, they are considered in scope. Platform as a Service (PaaS) can be a grey area and is considered on a case-by-case basis.

Ascentor’s CE+ preparation process

We offer a consultative approach to CE+ and recommend that no client starts the process on their own or without our thorough pre-assessment appraisal.

We run a scoping session with you to discuss the process and provide guidance. This includes providing details of the vulnerability scanning software and settings, so the necessary preparation can be carried out before the assessment. We strongly recommend that clients complete pre-scans before the audit.

If the pre-scan raises any questions, we can provide high-level guidance by telephone or email as part of the audit.

During our CE+ service, we conduct the following activities:

  • We arrange a call to discuss the scope and process. The scope includes:
    • Head office including all internet facing devices
    • Scans of each computer build type
    • 20% of remote offices will be scanned from head office (or sites visited if remote scanning is not possible).
  • We run a vulnerability scan on your internal network using credentials. We use Nessus for vulnerability scanning, which is commercial software; customers scanning themselves can download a free trial, or Ascentor can run the test scans as a pre-audit service.
  • Check your antivirus (AV) software detects the EICAR files – developed by the European Institute for Computer Antivirus Research to test the response of computer AV.
  • Check User Account Control (UAC) is running (by running a file as administrator and making sure it prompts for admin details).
  • After the onsite tests we carry out an external vulnerability scan and an email test.
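The EICAR and UAC checks in the list above can be rehearsed on each build type before the assessor arrives. The PowerShell below is an added example written for this article, not Ascentor's assessment tooling. It assumes a Windows endpoint, that the AV product reacts to the EICAR test file within a few seconds, and that the UAC policy values live at their standard registry location; the function names are our own.

```powershell
# Added example (not Ascentor's tooling): pre-audit self-checks for two of the
# on-site CE+ tests, EICAR detection and the UAC elevation prompt.
# Works in Windows PowerShell 5.1 or PowerShell 7 on a Windows endpoint; no
# elevation is needed, as the UAC policy values in HKLM are readable by all users.

function Test-EicarDetection {
    <# Writes the standard EICAR test string to a temporary file and reports
       whether the installed anti-malware product blocks the write or removes
       the file within $WaitSeconds. #>
    param([int]$WaitSeconds = 10)

    # Assembled from two halves so that this script file itself is not flagged
    # by on-access scanning before it has a chance to run.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}' + '$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $path  = Join-Path $env:TEMP 'ce-plus-eicar-check.com'

    try {
        # ASCII without a BOM: the test file must begin with the 68-byte string.
        [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
    } catch {
        # Real-time protection refusing the write is itself a detection.
        return [pscustomobject]@{
            Check  = 'EICAR'
            Pass   = $true
            Detail = "write blocked: $($_.Exception.Message)"
        }
    }

    Start-Sleep -Seconds $WaitSeconds
    $removed = -not (Test-Path -LiteralPath $path)
    if (-not $removed) {
        # AV did not react; remove the test file so it is not left behind.
        Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    }
    $detail = if ($removed) { 'test file quarantined or deleted' } else { "test file still present after ${WaitSeconds}s" }
    [pscustomobject]@{ Check = 'EICAR'; Pass = $removed; Detail = $detail }
}

function Test-UacConfiguration {
    <# Reads the UAC policy values and checks that UAC is enabled and that
       administrators are prompted rather than elevated silently. #>
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    $enableLua   = [int]$p.EnableLUA                  # 1 = UAC enabled
    $adminPrompt = [int]$p.ConsentPromptBehaviorAdmin # 0 = elevate without prompting (fail)
    $userPrompt  = [int]$p.ConsentPromptBehaviorUser  # 0 = auto-deny, 1/3 = prompt for credentials
    $secureDesk  = [int]$p.PromptOnSecureDesktop      # 1 = prompt shown on the secure desktop

    $pass = ($enableLua -eq 1) -and ($adminPrompt -ne 0)
    [pscustomobject]@{
        Check  = 'UAC'
        Pass   = $pass
        Detail = "EnableLUA=$enableLua ConsentPromptBehaviorAdmin=$adminPrompt " +
                 "ConsentPromptBehaviorUser=$userPrompt PromptOnSecureDesktop=$secureDesk"
    }
}

# Run both checks and show the results as a table.
@(Test-EicarDetection; Test-UacConfiguration) | Format-Table -AutoSize
```

A failed EICAR check on a build image usually means real-time protection is off or the temp folder is excluded from scanning; a failed UAC check means either UAC is disabled or administrators are set to elevate without a prompt, which is exactly what the assessor's "run as administrator" test is looking for.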

Additional CE+ tips

In addition to our preparation process, we recommend the following best practice tips:

  • Keep your software up to date and don’t use unsupported software.
  • Use suitable firewalls.
  • Ensure any exposed services are configured with strong and hard to guess passwords. We’ve seen passwords set to ‘password’ – please don’t!
  • Make sure your patch management processes are as robust as they can be. Although meant to fix security vulnerabilities and other bugs, patching can sometimes introduce new problems or, in worst-case scenarios, server failure. All missing patches for critical or security updates more than 14 days old will result in CE+ failure. Read more on our patching tips here.
  • Your devices should also run with the latest version of the operating system, and all applications should be up to date.
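The 14-day rule is the one concrete threshold in the list above, so it is worth measuring on each device before the audit rather than discovering it from the scan report. The PowerShell below is an added example written for this article, not Ascentor's tooling. It assumes a Windows endpoint with the Windows Update Agent available, and it uses each update's published date as the start of the 14-day clock, which approximates how a vulnerability scanner judges patch age; the function name is our own.

```powershell
# Added example (not Ascentor's tooling): list Security/Critical updates that
# Windows Update knows about, has not installed, and published more than
# $MaxAgeDays ago. Uses the Windows Update Agent COM API, so the result
# reflects whichever update source (Microsoft Update or WSUS) the endpoint uses.

function Get-OverdueSecurityUpdates {
    param([int]$MaxAgeDays = 14)

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Not yet installed and not hidden by an administrator.
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $cutoff   = (Get-Date).AddDays(-$MaxAgeDays)

    foreach ($u in $result.Updates) {
        $categories = @($u.Categories | ForEach-Object { $_.Name })
        $isSecurity = ($categories -contains 'Security Updates') -or ($categories -contains 'Critical Updates')
        if (-not $isSecurity) { continue }

        # LastDeploymentChangeTime is when the update was (last) published;
        # it is used here as the start of the 14-day clock. This is an
        # approximation: the assessor's scanner works from its own plugin data.
        $released = [datetime]$u.LastDeploymentChangeTime
        if ($released -ge $cutoff) { continue }

        $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }
        $ageDays  = [int](((Get-Date) - $released).TotalDays)

        [pscustomobject]@{
            KB          = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title       = $u.Title
            Severity    = $severity
            Released    = $released.ToString('yyyy-MM-dd')
            DaysOverdue = $ageDays - $MaxAgeDays
        }
    }
}

$overdue = @(Get-OverdueSecurityUpdates -MaxAgeDays 14)
if ($overdue.Count -eq 0) {
    Write-Host 'No security or critical updates older than 14 days are outstanding.'
} else {
    $overdue | Sort-Object Released | Format-Table -AutoSize
}
```

Any row in the output is a likely CE+ fail on that device; an empty result from every build type does not guarantee a pass, because the scanner also checks third-party applications that Windows Update does not manage, but it removes the most common cause of a 14-day failure.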

Conclusion

With any process requiring higher standards and more assessment, it follows that the potential for failure can increase with the greater level of scrutiny. However, CE+ doesn’t have to feel like a marathon, especially when you’ve done the preparation beforehand.

If your organisation is looking to protect itself at this higher level, and make a statement to potential customers, we believe it is worth the extra work and investment, particularly as our experience enables us to help you identify your own areas of weakness and make the necessary adjustments.