The ability for admins to add Enhanced Security and Compliance features is a feature in Public Preview. The compliance security profile and support for compliance standards are generally available (GA).
UK Cyber Essentials Plus compliance controls (UKCE+) provide enhancements that help you with Cyber Essentials compliance for your workspace. UKCE+ is a certification created by the UK government to simplify and standardize IT security practices for commercial organizations that interact with UK government data.
UKCE+ requires enabling the compliance security profile, which adds monitoring agents, enforces instance types for inter-node encryption, provides a hardened compute image, and adds other features. For technical details, see Compliance security profile. It is your responsibility to confirm that each workspace has the compliance security profile enabled and that UKCE+ is added as a compliance program.
To configure your workspace to support processing of data regulated by the UKCE+ standard, the workspace must have the compliance security profile enabled. You can enable the compliance security profile and add the UKCE+ compliance standard across all workspaces or only on some workspaces.
A 2022 study by the Ponemon Institute found that the cost of a data breach is inversely proportional to cloud maturity level. In other words, a better security posture reduces the average cost of recovery. The Cyber Essentials checklist helps you implement basic security controls and best practices to reduce the chances of a security breach.
Cyber essentials is a checklist of security best practices and critical controls that help organizations of all sizes strengthen their posture against a wide range of cyber threats and vulnerabilities.
This checklist acts as a guide for small businesses, security professionals, and even local government bodies to understand, implement, and maintain good security practices. It is consistent with security frameworks like NIST and similar standards.
The only difference between Cyber Essentials and Cyber Essentials Plus is that the latter has to be accredited by an independent third-party body. Your IT systems and controls will undergo an external audit.
If you are going for cyber essentials plus, a Cyber Essentials Verified Self-Assessed certification not older than three months is mandatory. This certification helps you demonstrate a strong security posture and confirm that your organization has met the security baselines.
If your business infrastructure operates on the cloud, securing the networks that connect the systems and devices is critical. One way to reduce the exposure to cyber-attacks is by minimizing unauthorized access.
You can ensure this by implementing firewalls to limit inbound and outbound traffic flow. These limitations, known as firewall rules, allow or block traffic based on its source, destination, and communication protocol.
Poorly configured networks and devices are a source of exploitable vulnerabilities and a disaster waiting to happen. Vendor-provided devices and software are not always configured to provide the strongest level of protection. Malicious actors can easily exploit weaknesses like unnecessary user accounts, publicly known default passwords, lack of MFA, and unneeded pre-installed applications.
This is why you should configure computers, networks, servers, remote devices, mobile devices, IaaS, PaaS, SaaS, thin clients, and other system infrastructures to minimize security vulnerabilities, unauthorized access, and cyber risks.
Some accounts, such as administrative accounts, have access to sensitive data or critical information. Common functions associated with admin accounts are making system changes, configuring security settings, creating new user accounts, and granting or restricting special access privileges.
Malware includes a wide range of threats like viruses, worms, ransomware, and more. Essentially, this is malicious code designed to enter your system disguised as a normal application and inflict damage once inside.
If you have ISO 27001, you need not comply with the cyber essentials requirements checklist as ISO 27001 is pretty rigorous. However, cyber essentials is quite basic and does not help you implement an ISMS. So if you need a strong security posture and wish to unlock sales deals, ISO is a solid choice.
The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to assess cyber attacks against businesses. They discovered that implementing basic technical controls could stop or significantly mitigate 70% of cyber attacks. This set of technical controls is what makes up the Cyber Essentials scheme.
The scheme is designed to reduce the effectiveness of web-based cyber attacks against a business. In April 2023, the NCSC and its partner, IASME, updated the technical requirements for Cyber Essentials. These updates will help ensure the scheme continues to help UK organisations protect themselves against cyber threats.
Cyber Essentials Plus is an enhanced version of Cyber Essentials. It includes all the requirements of Cyber Essentials, plus an extra verification step by an external Certification Body. This includes a full audit of the network, a comprehensive vulnerability assessment, and internal and external penetration testing.
These additional steps verify that the Cyber Essentials controls are in place and ensure that all business locations meet the minimum criteria for each control section and have adequate defences against the threats in scope.
This identifies missing patches and security updates that leave vulnerabilities within the scope of the scheme which could easily be exploited. Both operating system updates and software updates are tested.
This tests whether end user devices (EUDs) are protected against malware delivered via email attachments. To facilitate this, a selection of safe test files that should be detected as malware are sent to the applicant's email system.
This tests whether EUDs have protection from malware delivered through a website. Similar to the test above, the assessor attempts to download a selection of test files relevant to your particular operating system from the internet.
Each test has its own criteria for passing; however, if the Cyber Essentials controls have been implemented successfully, there should be no trouble passing the audit tests for Cyber Essentials Plus.
Cyber Essentials certification has also become a fundamental requirement for government contracts. This is to ensure that suppliers have basic cyber defences in place, protecting the integrity and confidentiality of government data.
There are a number of reasons why becoming a Cyber Essentials certified business is a necessary next step. Obtaining a Cyber Essentials certification ultimately reduces the risk of over 70% of cyberattacks and provides credence that your business is taking cyber security and data protection seriously. Additionally, it:
Cyber Essentials and Cyber Essentials Plus certification help SMEs mitigate cyber security risks by providing a robust framework for implementing essential security measures. By achieving this certification, SMEs demonstrate their commitment to protecting sensitive data, which reduces the likelihood of cyber attacks and enhances trust with clients and partners.
The initial level of Cyber Essentials certification is delivered through SecurePortal as a self-assessment questionnaire that covers the five technical controls and then an external vulnerability scan of your external facing network.
You are assessed against the answers to your questionnaire and the results of the external Penetration Test. Stage 1 certification awards the Cyber Essentials accreditation and the associated use of the logo.
The more advanced level of Cyber Essentials certification relies upon the same protections as Stage 1 but the certification is carried out on your business premises and also includes an internal vulnerability scan of a common workstation build.
Your antivirus protections, both via the web and email, are manually tested whilst onsite to ensure that your tools of choice provide the level of cybersecurity required to achieve Cyber Essentials Plus.
You are assessed against the answers to your questionnaire and the results of the external vulnerability scan. Stage 2 certification awards the Cyber Essentials Plus accreditation and the associated use of the logo.
When you have undertaken your assessment and met all of the requirements of Cyber Essentials or Cyber Essentials Plus, you will receive the following:
- An official PDF of your Cyber Essentials Certificate.
- A compliance report detailing all findings from the assessment along with any recommendations where appropriate.
- High-resolution Cyber Essentials logos along with branding guidelines on how to use the logos on your website and marketing materials.
- A listing for your organisation on the Government website that shows your level of certification.
In the overall process, your team will spend around 2 hours completing the questionnaire and organising the audit. If you can fix the issues identified quicker, then we can get you certified quicker.
Cyber Essentials (Stage 1) consists of a Self-Assessment Questionnaire and an external vulnerability assessment of your Internet-facing infrastructure. Cyber Essentials Plus (Stage 2) extends Stage 1 by performing an onsite assessment of security controls, including an internal authenticated scan of your workstations and mobile devices.
Cyber Essentials is a scheme led by the UK Government to help organisations protect themselves against common cyber security threats. There are two levels of certification, both of which demonstrate an ability to implement technical controls relating to information security.