Cyber Essentials Plus involves an audit of your systems by a trained assessor. The assessor's role is to confirm that all of the controls declared in your Cyber Essentials self-assessment are actually implemented on the organisation's network. Once Cyber Essentials Plus has been completed, it is your choice whether to declare publicly to your supply chain and customers that your organisation has been independently verified as meeting the Cyber Essentials baseline, which lets you work with clients, business partners and staff with confidence.
The key elements of a Cyber Essentials Plus audit can be summarised as follows:
The whole process begins by assessing where your organisation currently stands against the five technical security controls. But what are the five technical controls? We have written more extensively about the standards you need to meet to achieve Cyber Essentials PLUS certification, but below is a brief overview:
A vulnerability scan does exactly what it says on the tin – it scans your information systems to find vulnerabilities. It looks for weaknesses in your cyber security that an attacker could exploit to launch an attack on your systems.
Vulnerability scans are typically automated, using software to highlight areas of concern.
They seek out known flaws – missing software patches or weaknesses that have already been identified in the industry – and suggest remediation.
However, vulnerability scans can only find flaws that are already known and catalogued in the cyber security world; they will not find novel weaknesses, so they shouldn’t be thought of as foolproof.
It’s possible to purchase this software and carry out the scan yourself. Of course, the benefit of Cyber Essentials PLUS – apart from having someone else do the heavy lifting – is that you put all this in the hands of experts who know exactly what they are looking for and what to do with what they find.
At this stage, the job is to detail the gap between where your system currently is – as identified by the initial assessment and the vulnerability scan in steps 1 and 2 – and where it needs to be. Having identified the weaknesses, you now need to work out what must be done to close the gap and secure your system.
The vulnerability scan may suggest remediation measures, but don’t forget that you may also be falling short on the five technical controls in other ways – limiting user access or adding password protection, for example – that will not show up in the vulnerability scan results. The gap analysis should indicate all of the gaps, both physical and virtual.
Based on the findings of the gap analysis, it’s time to create a Statement of Works (SOW).
This will detail exactly what action is to be taken to close the gaps discovered in step 3. A SOW should include not only the required remediation, but also the resources needed to carry out the work.
This may include everything from time set aside for staff meetings to run through cyber security best practice, to the creation of a whitelist, to software and device upgrades and everything in between. It’s in your interest to have as comprehensive a plan as possible to ensure there are no surprises once the work begins.
Having created your SOW, it’s time to carry it out.
Though Cyber Essentials PLUS might seem like an ‘IT thing’, it impacts the whole organisation and requires buy-in across the board to make it work. Cyber Essentials PLUS isn’t just about software and data. It’s about understanding best practice and achieving it in action.
Your Cyber Essentials PLUS partner should be able to help you with every aspect of certification, including any necessary training. Be prepared to give this step the necessary time. Failure to carry out the works in full will undo the hard work you’ve put in up to now.
This step tests how successful your remediation work has been by performing another vulnerability scan. The initial assessment from step 1 is also repeated to ensure that you now meet all aspects of the five technical controls, including limiting user access, securing with passwords, and so on.
Provided the re-assessment is successful, congratulations are in order! You have achieved Cyber Essentials PLUS certification. Well done.
Cyber Essentials certification requires security patches to be applied within two weeks of becoming available. This principle extends to the certification itself, which must be completed within 14 days.
The government recommends that Cyber Essentials certification is renewed annually. But there’s no doubt that the first certificate is the most complicated and once best practice is implemented it is much easier to prove compliance going forward.
In conclusion, Cyber Essentials Plus is there to help your network keep personal information safe from cybercriminals. As long as you follow all the required steps set out above, you should be safe and secure on your network of choice. Cyber Essentials Plus is an extension of Cyber Essentials and covers everything in that scheme.