A guide to Cyber Essentials Plus
Secure your business with Cyber Essentials Plus: A Comprehensive Guide.
What is The Cyber Essentials Scheme?
Cyber Essentials is a UK government-backed Cyber Security certification scheme. It is designed to help organisations of all sizes and sectors to protect themselves against common cyber-threats. The scheme was first launched in 2014 as part of the UK government’s National Cyber Security Strategy.
The IASME Consortium became the National Cyber Security Centre’s sole partner for the Cyber Essentials scheme in April 2020. They are responsible for delivering the scheme.
IASME collaborates with more than 300 expert certification bodies in the UK. Equilibrium Security is one of these certifying organisations. We help to provide assessments and certify companies to the CE standard.
Equilibrium Security are one of the few Cyber Essentials Certification bodies within the Midlands. We have been working alongside IASME conducting Cyber Essentials and Cyber Essentials Plus assessments since 2016.
Ready to achieve your security goals? We’re at your service.
Whether you are a CISO, an IT Director or a business owner, Equilibrium has the expertise to help you shape and deliver your security strategy.
To chat to our team please call 0121 663 0055, email enquiries@equilibrium-security.co.uk, or start a live chat.
Cyber Essentials 5 Key Security Controls
To get Cyber Essentials Plus certification, you must first meet the requirements of regular Cyber Essentials certification. This includes implementing five security controls:
Firewalls and routers
A firewall must be in place to protect your internet connected devices.
Software updates
Regularly update your applications & critical systems to identify & remediate vulnerabilities.
Malware protection
Protect your organisation from virus’s, malware, and other cyber-risks.
Access controls
Reduce the likelihood of unauthorised access, by controlling who can access sensitive data.
Secure configuration
Prevent hackers gaining unauthorised access to your systems.
What is Cyber Essentials Plus?
Cyber Essentials Plus is part of the certification programme endorsed by the UK government. It is the next stage on from the Cyber Essentials self-assessment questionnaire. CE+ provides best practices for how organisations should protect personal information against common cyber threats.
An independent Cyber Security assessor will carry out a technical assessment. This involves checking your systems and controls meet the requirements of the Cyber Essentials Plus scheme.
Cyber Essentials vs Cyber Essentials Plus:
The Cyber Essentials Plus certification provides a higher level of assurance than the standard Cyber Essentials certification.
It shows you have taken significant steps to protect your systems and data. This demonstrates to customers and suppliers that you are committed to maintaining a strong Cyber Security posture.
The Cyber Essentials Plus requirements
Once you achieve the standard Cyber Essentials certification, you can apply for Cyber Essentials Plus.
- Technical assessment: To gain Cyber Essentials Plus certification, a technical assessment must be completed. This assessment verifies that the implemented controls are effective against common cyber-threats.
- Security tests: The technical assessment typically involves vulnerability scanning and testing of your IT systems, including, websites, web applications and network devices. The assessment identifies vulnerabilities or weaknesses that could be exploited by attackers.
- Remediate and provide evidence: You will then be required to remediate any identified vulnerabilities or weaknesses, and provide evidence that the issues have been addressed.
- Meet the CE+ criteria: The independent assessor will verify that the vulnerabilities have been fixed, and confirm that the requirements of Cyber Essentials Plus have been met.
- Listed on the CE website: Once certified, you will be listed on the Cyber Essentials website and be authorised to display the Cyber Essentials Plus badge. This demonstrates that you have met the high level of Cyber Security required for the Cyber Essentials Plus certification.
- Renewal due in 1 year: The Cyber Essentials Plus certificate lasts for 12 months.
Customer Feedback
What does a Cyber Essentials Plus Assessment involve?
- An assessor will perform an audit on a sample of computers to ensure they are configured according to the scheme.
- The auditor will conduct a vulnerability scan on these machines to confirm that patching and basic configuration are at an acceptable level.
- An external port scan of your internet-facing IP addresses will be conducted to identify any misconfigurations or vulnerabilities.
- A test will be conducted on your default email/internet browser to confirm its configuration and ability to prevent the execution of fake malicious files.
- Screenshots will be taken as evidence that the system is compliant with Cyber Essentials.
Cyber Essentials Plus checklist
- Multi-factor authentication checks.
- Inbound email binaries and payload test.
- Account separation to confirm standard users do not have administrative privileges.
- Malicious and non-malicious browser file download tests.
- Authenticated and unauthenticated vulnerability and patch verification scans.
- A representative selection of user devices, all internet gateways, and all servers with services that can be accessed by unauthenticated internet users.
Curious About Cyber Essentials In Action?
Learn how a software development company nailed the security basics with Cyber Essentials, making their continuous security journey easier and more manageable.
Why get Cyber Essentials plus?
A Cyber Essentials Plus certification is a valuable investment. It helps protect against cyber-threats, demonstrate commitment to Cyber Security and improve reputation and credibility. It is beneficial for any brand.
There are several reasons why you should consider obtaining Cyber Essentials Plus certification:
- Cyber Essentials Plus can help reduce the risk of common attacks. These include phishing attacks, malware infections, and hacking attempts.
- Implementing security controls as recommended by Cyber Essentials Plus can reduce the risk of security breaches, improve information security and minimise the impact if an attack does occur.
- Cyber Essentials Plus can open up new business opportunities and government contracts. Organisations often require this certification from their suppliers and partners.
- Obtaining a Cyber Essentials Plus certification shows customers, partners, and other stakeholders that you have implemented basic level security controls and take Cyber Security seriously.
- The certification can enhance your reputation and credibility. It provides an independent validation of your Cyber Security posture.
How do I pass Cyber Essentials plus?
To pass a Cyber Essentials Plus certification, you must fully comply with the CE+ standard criteria.
If your IT infrastructure is well-maintained, achieving Cyber Essentials certification should be a simple process. However, if your infrastructure is not up to par, you will need to either:
- Update the necessary areas within the scope before the assessment.
- Consider having the certification body perform a pre-assessment to pinpoint and improve any weak areas, and increase your chances of passing the certification.
If the assessor discovers vulnerabilities or weaknesses during the assessment, you must provide proof that they have been dealt with before meeting the requirements to pass Cyber Essentials Plus.
It is important to:
- Prepare for the technical assessment and ensure all necessary security controls have been implemented and tested beforehand.
- Provide clear documentation and evidence of the security controls and their implementation.
It is recommended that you hire a Cyber Security service provider with experience. They can guide you through the certification process and provide support in implementing and testing security controls.
Do I need Cyber Essentials before Cyber Essentials Plus?
Yes, to obtain Cyber Essentials Plus certification, you must first achieve standard Cyber Essentials.
A Cyber Essentials certification is a self assessment questionnaire which requires implementing basic security controls to protect against common threats. You must complete a questionnaire consisting of eight sections and a total of 70 questions, which are based around the 5 security controls:
- Boundary firewalls and internet gateways
- Secure configuration
- User access controls
- Malware protection
- Patch management
Once the standard Cyber Essentials certification has been achieved, you can move onto Cyber Essentials Plus.
How long does it take to get a Cyber Essentials Plus certification?
Obtaining a Cyber Essentials Plus certification may take different lengths of time.
This depends on factors like:
- The size and complexity of your IT systems.
- The current state of security controls.
- The availability of internal resources to provide access, information and implement/ test the required security controls.
- How thoroughly you implement the technical pre-requisites which prepare your systems for the remote assessment.
Typically, the process for obtaining Cyber Essentials Plus certification involves the following steps:
- Self-assessment- (Allow ample time for amendments and team input when completing the self-assessment questionnaire, as certain answers may require more details or feedback).
- Security tests and vulnerability assessment
- Remediation
The time it takes to complete these steps can vary. Typically an assessment will only take a day or two. But, preparation, remediations, and retesting could extend the process to several weeks.
Start the certification process early. This will give you enough time to fix any problems that arise and finish the process before any critical deadlines.
The Cyber Essentials Process
Before we can provide a quote or proceed with the assessment we need to understand your environment so that we can fully define the technical scope of what the test will cover.
You can then move onto populating the online questionnaire. Before this is submitted, our consultants will review your answers to check they meet the scheme’s criteria. If changes are required, we provide detailed guidance on areas which need improvement. Once successful, you will be issued with a Cyber Essentials certificate for 12 months.
Our experts will remotely conduct external and internal vulnerability tests, as well as a series of other security checks to test the information obtained in your Cyber Essentials questionnaire.
If vulnerabilities are discovered, or other areas of non-compliance, we will provide detailed remediation guidance which needs to be applied within 30 days of the Cyber Essentials Plus assessment.
Once you have followed all remediation steps, we will conduct a retest to check you comply with the CE+ criteria, you will then be awarded your CE+ certificate for 12 months.
How much does Cyber Essentials Plus cost?
The cost of Cyber Essentials Plus certification can vary depending on several factors. Such as the size and complexity of your infrastructure, the level of support required, and the chosen certification body.
Cyber Essentials Plus certification is not a one-time cost. You will need to renew your certification on an annual basis to maintain compliance and demonstrate ongoing commitment to Cyber Security best practices.
Whilst the cost of a Cyber Essentials Plus certification may appear large, it is a much smaller investment than the possible cost of a cyber-attack.
Looking for a top Cyber Essentials certification body near you? It’s recommended to reach out to an accredited certification body like Equilibrium Security to get a quote based on your specific requirements.
To chat to our team about Cyber Essentials Plus pricing please call 0121 663 0055, email enquiries@equilibrium-security.co.uk or start a live chat.
- Yearly cost to renew.
- Pricing can vary based on level of support required and the size of company.
- Consider pre-assessment and remediation costs.
- Quality comes at a price - the most trustworthy and capable certification body may not be the cheapest.
- The pricing will be tailored to meet your specific requirements.
Frequently Asked Questions
Equilibrium is a Certification Body for The IASME Consortium, the Cyber Essentials Partner to the National Cyber Security Centre (NCSC). We have been certifying businesses since 2016, which means we are well versed with the schemes criteria.
As a certification body we can help you achieve:
- Cyber Essentials
- Cyber Essentials Plus
- IASME Cyber Assurance
- GDPR Readiness Assessments
If you would like to find out more about our Cyber Essentials pricing please arrange an expert call or call us on 0121 663 0055.
The simple answer is no. Before you can move onto the Cyber Essentials Plus, you must first pass the Cyber Essentials basic certification, as the Plus audit assesses the information provided in your Cyber Essentials questionnaire. Once CE basic is achieved, you must pass your CE+ within 90 days.
Find out more about whether you can achieve Cyber Essentials Plus without Cyber Essentials Basic.
Cyber Essentials basic is a self-assessed and independently verified questionnaire. The assessment has 70 questions which qualify that your current approach to securing your business is in-line with the CE framework. Cyber Essentials Plus provides a higher level of assurance, it involves us auditing your systems utilising many vulnerability tools to test the effectiveness of the security measures in place.
Find out more about the difference between Cyber Essentials Scheme and CE Plus.
Cyber Liability Insurance is provided as part of the Cyber Essentials certification package on an ‘opt-in’ basis. The cyber insurance is available for businesses with an annual turnover of under 20 million, conditions apply.
Find out more about how to sign up for Cyber Essentials Liability Insurance.
Yes, Cyber Essentials and Cyber Essentials Plus certificates are due for renewal after 12 months. If you choose not to renew, your business will be removed from the NCSC’s ‘certified organisations’ list, you will also lose your cyber insurance and ability to work with public sector companies.