A place to find the answers to all your questions.
If you cant find the answer here please email us at [email protected]
Any organisation can apply for either certification.
On many government (UK) contracts a prerequisite of either Cyber Essentials or Cyber Essentials Plus is required before a tender is granted.
If applying for Cyber Essentials Plus your organisation must have already passed Cyber Essentials via IASME prior to a Cyber Essentials Plus audit.
Cyber Essentials is a verified self-assessment questionnaire completed by your organisation that clearly demonstrates your organisations compliance to the Cyber Essentials scheme.
Cyber Essentials Plus is an audit of your network, and is a validation that the information provided in the Cyber Essentials questionnaire is correct and accurate.
The scope section of the document helps us identify some additional information regarding the network that is to be certified. Whatever is involved in the scope, is the area of devices that are certified under the Cyber Essentials scheme. When filling out the scope section of the document consider the following:
- What area of the organisation is to be covered by Cyber Essentials?
- The whole company?
- A specific location, for example if you have offices in the US and UK, is it only one site?
- A specific office or department, for example, finance?
- What devices are covered in the scope?
- Additional Network devices such as routers, switches, servers etc.
- Machines on the network such as laptops, desktops, mobiles.
- Devices in scope must include their version numbers such as Windows 10 1909.
- Are there any third-party IT management systems or providers used by the company?
- Does the company use any cloud systems as part of their operation such as Dropbox, Gmail etc.
When performing a Cyber Essentials Plus audit, the amount of machines that we test is dependant on the size of the organisation. We must a sample of each type of device on the network to ensure Cyber Essentials compliance. The goal is to test a number of
devices that make up 90% of the organisation.
A type of device is a grouping of systems running the same operating system. i.e. all devices running Windows 10 Pro running Version 1903 will be classed as one type, and all devices running Windows 10 Pro Version 2004 would be classed as another type.
Of each type, a certain amount will be required to be tested.
For example:If an organisation has 50 Microsoft Windows 10 1903 desktops, 30 Macbook Pro Catalina Laptops, and 10 Windows Server 2016, we would test 4 desktops, 4 macbooks, and 3 servers.
The 4 key elements of a Cyber Essentials Plus test can be described briefly below:
External Vulnerability Scan
- We scan your external IP addresses (internet facing) and perform a vulnerability assessment.
- Goal – to ensure no High or Critical vulnerabilities present on end devices where a patch is available and has been for more than 14 days.
Internal Vulnerability Assessment (patch audit)
- We scan a “sample” of devices on your network, including desktops/laptops, some types of servers, mobile phones.
- Goal – to confirm patching/configuration is Cyber Essentials complaint across the devices.
Browser/Email Malware protection test
- We test your all browsers/email clients on the chosen sample set against a standardised set of mock malicious files
- Goal – to confirm all devices from the sample protect the end user suffeciantly against malicious files.
- We confirm on all devices from the sample range are equipped with correctly configured and up to date Anti-malware software.
End User Device Compliance Audit
Your questionnaire will be marked against the strict criteria set out by IASME Consortium via the online portal by one of our (ID Cyber Solutions) assessors.
Every organisation is different and requires different levels of support. Organisations with in-house IT that are confident of their network infrastructure and security may not need the same level of assistance in certifying for Cyber Essentials as a smaller organisation for example.
Without Extra, if your organisation has not passed for Cyber Essentials on their first submission, you will be provided either 2 days (Cyber Essentials) or 30 days (Plus) to remediate any issues identified before your resubmission.
With Extra, we will conduct a pre-audit prior to final submission. This will in effect be a dry run of the auditing process so that you can be confident of passing your certification first time. Other benefits include extended phone support if you require a little more help in answering questions.
Please visit this page for further information. Please be aware that the scheme has changed considerably as of April 1st 2020
No, the scheme has fundamentally changed and new documentation will be provided to you for you to complete.
The NCSC (National Cyber Security Centre) has condensed what was 5 accreditation bodies prior to April 1st down to one Cyber Essentials Partner (IASME Consortium) to improve on keeping testing standard consistent across the country.
Our organisation is still using Windows 7 or Windows Server 2008 R2 – is this Cyber Essentials compliant?
Normally no, this would be regarded as an instant fail as the software is unsupported (both went End of Life 14/01/2020).
In circumstances where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that is unsupported, this will be considered permissable as technically the software is supported.
If your device is used to connect to the business network or access any business information, the device is included in the scope for Cyber Essentials.
For example, if you use your mobile to view your work emails the device then becomes in scope of the Cyber Essentials.
In this scenario it is important the device has the following:
- A secure lock / pin on the phone
- Malware protection.
- Phones can’t be jailbroken / rooted
- Updates to the phone must be done within the 14 days
We use a cloud service to access all our business data, do we need to worry about our PC’s if they are considered thin clients?
A thin client is considered a device that doesn’t store data currently and connects to a remote service to gather that data.
Since you are using a cloud service, we do require to know some of the information regarding how you use the service to complete your daily operations. It would be useful to detail in the questions how you access the program, do you need credentials? Are the security implementations active on the cloud service?
However, we also require information regarding the user’s thin client. Although the company data may be accessed through your online account to the cloud service there is still risk associated with an unprotected thin client. If the thin client can still access the internet, it is considered within the scope for Cyber Essentials and answers should include an explanation relating to the thin client.
For example, if you use a desktop to access Chrome to access your cloud account containing your client information your desktop should still follow the five cyber essentials controls. It should be configured in the same way as a computer that contains important business information. After all, it is the access point to your business information!
We offer remote testing using our remote access tools. We can access the areas of the device that are required for the Plus test from a mirrored screen on our devices. If you have any concerns, please feel free to monitor our movements which can be viewed on your screen and you can chat with us using the applications chat feature!
Once testing is complete, our assessors will talk you through how to remove the application from the test device.