Cyber Essentials Plus Requirements Explained

From your IT infrastructure to accounting, from sales and marketing strategies right down to the supply chain and manufacturing, every core business process comes with its own cybersecurity risks.

This is why cybersecurity has become such a hot topic over the last decade and why so many organisations invest heavily in their security systems.

But despite these efforts, four in ten businesses (39%) and over a quarter of charities (26%) still fell victim to a cybersecurity breach or attack last year – and sadly, these figures only seem to be rising.

For this reason, the Government decided to step in, creating a Government-backed and industry-supported scheme to help businesses protect themselves from the growing threat of cybercriminals.

This initiative, Cyber Essentials (CE), together with its later extension Cyber Essentials Plus (CE+), was developed by the National Cyber Security Centre (NCSC).

By gaining the Cyber Essentials Plus certification, businesses can showcase their credentials and prove to customers, vendors and other third parties that they are a trustworthy and secure company.

But how do you go about becoming CE certified? Well, there are certain requirements that you must meet, and we’re going to explain these below.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Before we get into the specifics, let’s first address the differences between Cyber Essentials and Cyber Essentials Plus. CE is the basic package, and this includes access to the online self-assessment option, CE branding for your business and a certificate valid for 12 months upon successful application.

However, Cyber Essentials Plus is much more than the basic Cyber Essentials assessment. It means going through a hands-on technical verification and multiple complex tests in order to be certified. This means the requirements to achieve your certificate are higher, but your business will ultimately be more secure.

Requirements for Cyber Essentials applicants

In order to become CE+ certified, you must first be CE certified, and you must obtain your certificate via the self-assessment process.

With this in mind, let’s now look at the requirements for the first part of becoming CE+ certified, and that’s the basic Cyber Essentials scheme.

In order to get certified, you must ensure that your organisation meets all the requirements. This might, on occasion, mean providing evidence to your chosen certification body if asked.

Requirements for Cyber Essentials applicants fall under five technical control themes:

1. Firewalls

The aim of this part of the assessment is to ensure that only safe and necessary network services can be reached from the internet. Using firewalls, you can restrict access to these services and therefore reduce the risk of attacks.

As such, CE guidelines require that every device set out in the scope must be protected by a correctly configured firewall.

2. Secure configuration

Secure configuration is vital because it reduces the number of vulnerabilities on each device and exposes only the services that the device needs in order to fulfil its role, once again reducing the risk of an attack.

For this category, the business is required to be active in its management of computers, network devices, user accounts, software, password-protection, etc.

3. User access control

In order to reduce the risk of a breach, user accounts must be assigned only to authorised individuals, and each account must provide access only to the applications, computers and networks that the individual is authorised to use.

This means your business is required to be in control of all user accounts and the access privileges that are granted to each account. In particular, this includes those who have access to the organisation’s data and services, as well as accounts that third parties use for access.

4. Malware protection

In order to prevent harmful code from causing damage or giving access to sensitive data, protection must be in place to restrict the execution of malware or untrusted software.

To achieve this, your business is required to get effective and up-to-date malware protection on all devices within the scope.

5. Security update management

Bugs and flaws within your software can be exploited as security vulnerabilities; therefore, patches and fixes need to be identified and applied promptly.

To do this, your business is required to ensure all its software is kept as up-to-date as possible and that any bugs or issues are patched right away.

Additional requirements for Cyber Essentials Plus

Once your business has met all of the previous requirements adequately and is granted CE certification, the process can begin for becoming Cyber Essentials Plus certified. This assessment is more demanding: failure in any one area of the assessment will result in a fail overall.

One of the main requirements of CE+ is that you undertake the assessment within three months of achieving your CE status.

In order to achieve Cyber Essentials Plus, a range of external and internal technical tests will need to be carried out. Because of this, your chosen certification body will require access to a sample of devices and systems at your organisation.

As we mentioned, you cannot fail in any one area, which means your systems are required to pass tests such as:

  • Inbound email binaries and payloads test
  • Browser malicious and non-malicious file download test
  • Authenticated vulnerability and patch verification scan
  • Account separation to confirm standard users do not have administrative privileges
  • Multi-factor authentication check

Often these tests are conducted remotely, and they may vary depending on the scope agreed between you and your chosen certification body.

If the remote audit of your organisation flags any issues or if anything needs to be remedied, the business is required to make these changes within 30 days of the CE+ assessment or the application will be marked as a fail.

Are you ready to become Cyber Essentials Plus certified?

Taking on the Cyber Essentials self-assessment is a good first step towards protecting your business. However, if you want to take your cybersecurity efforts to the next level, it might be worth springing for Cyber Essentials Plus.

With the self-assessment complete, you’ve won half the battle, but by becoming CE+ certified, you can prove to every customer, client or third party that works with your business that you’re doing all you can to protect their sensitive information (and your own, of course).

This can lead to a better reputation and increased trust in your brand. Not to mention it could spare you from the costs of an expensive data breach – it’s a win-win.