Are you thinking about Cyber Essentials for your business? Wondering what it involves? Maybe you just want to have a look at the requirements and see how many your business already meets?
First of all, for any newbies here, let's break down what Cyber Essentials actually is.
Feel free to skip this part if you're ready for the nitty-gritty.
Cyber Essentials is a government-operated cyber security scheme that offers businesses a framework to help significantly reduce their risk against common internet-based attacks. Developed by the National Cyber Security Centre, Cyber Essentials incorporates 5 fundamental technical controls that, if implemented, can reduce your risk by up to 80%.
Nowadays, the NCSC has a single delivery partner for the scheme - The Information Assurance for Small and Medium Enterprises Consortium (IASME). IASME works with a number of Certification Bodies across the UK like Cyber Tec Security, all of whom have the ability to certify businesses to the standard.
Your Cyber Essentials journey starts out by achieving the Basic certification and is fully complete when you've secured the Plus certificate.
What's the difference?
Well, at the Basic level, you're just filling out a questionnaire relating to the security processes, policies and controls you have within your business, but nothing is actually verified. You can still fail if your answers are not in line with what the standard requires, but even if they are, no one actually tests your devices and systems to confirm.
The Plus assessment, however, requires an official auditor to actually scan your infrastructure in order to determine whether or not you are complying with the standard.
Essentially, this is why we always recommend achieving Cyber Essentials Plus, because it's properly verified and therefore a true testament to how secure your organisation really is.
It's also worth noting here that you do need to complete Plus within 90 days of completing your Basic in order for the certification to be valid. At Cyber Tec, we help you prepare for Plus while you're doing your Basic so there's no danger of surpassing this deadline.
Still with me?
Let's dive into the technical requirements...
As of January 2022, there have been some updates that can make the assessment more challenging so it's more important than ever that you have a good understanding of what is expected from you in order to comply with the standard.
Now, we won't go through every question (there are a fair few!), rather this will focus on the questions that are most important or that many find particularly difficult. You'll be able to download the full question set provided by IASME at the bottom of this page -> skip there now if you'd like!
The first few sections are there to gather information about your company and determine the scope of the assessment. Be prepared to provide information about devices, servers and networks that will be included in the scope of the assessment. You'll also need to list any cloud services used by your organisation.
Cyber Essentials grants free insurance to companies with a turnover of less than £20 million, so details relating to this will need to be collected at the start of the questionnaire, but this does not affect your assessment result.
This question was introduced in the 2022 standard and seeks to establish what method you have of enforcing firewall controls on devices outside of the network you control, for example, devices may be connected to Azure AD and receive policy settings through this.
You have to show you are aware of this process. Explain how the password was configured and where it can be managed. The preceding question will also ask you to confirm that you change all default passwords on new routers and firewalls.
Other requirements relating to firewalls include:
You have to make sure that all applications and services that aren't used are not active. Some companies may utilise solutions like Endpoint Manager and AppGuard to limit users from installing and changing software so only known and legitimate software is being used.
If yes, you'll need to state again which password method you use (listed above) to keep these processes secure.
Your password policy should offer guidance on creating strong unique passwords and how to store them, and be easily accessible to employees.
Where a device requires the physical presence of a user to gain access, the user has to unlock the device using biometrics, a password or a PIN.
This is a crucial section of the Cyber Essentials assessment, and one where a lot of companies can fail, so take note!
Be prepared to list your Internet browsers, email and office applications so it can be verified whether or not they are in support. You'll also be asked about your malware protection - note that all Mac devices will need 3rd party anti-virus protection.
Under the current standard (2022), this now includes any and all security updates with a CVSS score of over 7.0. This will actually be tested for the Plus assessment and can catch a lot of people out. It's strongly recommended that any browsers not in use are removed as often these won't update unless actually opened and used.
Ideally, this should be a 'yes', but you or your MSP may be using something else for patch management.
Any and all software no longer supported by the developer (i.e. end-of-life) must be removed because it will no longer receive security updates. If you do have any, from 2023 you'll have to prove that it has been placed on its own sub-set, prevented from both inbound and outbound internet access.
Often companies will have shared admin accounts, particularly if they outsource IT support, but this is not compliant with Cyber Essentials. IT providers should have unique accounts per engineer, not a shared account on your system.
You'll need to answer questions relating to your management of administrative accounts, including:
This question asks you to outline your methods of ensuring strong, healthy passwords. This might include:
With the 2022 updates, many of the questions in this section of the assessment now include cloud services. Wherever your cloud services support Multi-Factor Authentication, it must be enabled. Password quality control will also refer to any cloud accounts.
For most, the first two will apply here. Sandboxing is rare. Don't forget Macs must have fully working 3rd party anti-virus.
Anti-virus will usually update by default, but this will be checked in the Plus assessment, so make sure this is the case!
Other requirements relating to malware protection:
While this Cyber Essentials checklist has not been exhaustive, it should give you a good idea of what's covered and where it's important not to go wrong. The scheme is going to continue to update in line with our evolving security landscape so it is always advisable to take advantage of guided options when going through the assessment. IASME auditors are highly knowledgeable about the standard's requirements and can save you a lot of extra hassle by offering their direct counsel throughout the assessment process.
At Cyber Tec Security, we also provide a Pre-Assessment scanning process with the Cyber Essentials Plus certification, so you can get all your systems checked and verified to the standard before officially completing the final assessment. With some of the new technical changes, especially relating to patch management, it can be very easy to fail Cyber Essentials Plus without proper preparation.
Find out more about achieving Cyber Essentials Plus with an Assured Pass here.
To review the full question set for Cyber Essentials, as produced by IASME, you may download this below. If you have any questions, feel free to contact us and one of our friendly assessors will be happy to help.