Cyber Essentials Plus

With cyber-attacks on the increase and high-profile security breaches making regular headlines, it is no longer just good enough for businesses to claim they can resist potential cyber threats. They must be able to prove it, particularly if they hope to secure government or public sector work.

Since 2014, Cyber Essentials Plus has been a mandatory requirement when applying for government contracts and it looks as though we are transitioning to a point where businesses must hold a badge to be considered for most public sector contracts.

When making decisions about what suppliers to choose, clients are also adopting stricter vetting procedures and actively seeking evidence that an organisation has robust security standards.

Organisations should now be striving to achieve the Cyber Essentials Plus standard. It not only ensures an organisation is properly protected, but it also alleviates any customers’ fears when it comes to the security of their personal information and confidential data.

An essential sign of approval

There are currently two different certifications available to businesses – the standard Cyber Essentials and the Cyber Essentials Plus.

Cyber Essentials represents the most basic level of cyber security. It requires organisations to complete a questionnaire regarding their current security controls, which is sent to a recognised body for review.

The organisations will typically undergo an external vulnerability assessment from a certifying body, which directly tests that individual controls on the internet facing network perimeter, have been implemented correctly.

Cyber Essentials Plus, however, requires an organisation to undergo a much more thorough assessment, which is based on internal security assessments of end-user devices.

Using a range of specialist tools and techniques, the Cyber Essentials Plus assessment directly tests that individual controls have been implemented correctly and recreates various attack scenarios to determine whether a system can withstand potential threats.

The Cyber Essentials Plus certification requires five technical controls:

Boundary firewalls – prevent unauthorised access to or from private networks, but require good set up to achieve maximum effectiveness;

Secure configuration – ensuring systems are configured securely to suit the requirements of an organisation;

Access control – only allowing those with authority to have access to systems;

Malware protection – ensuring the latest supported version of applications is used and all the necessary patches have been applied.

Patch management – ensuring the latest supported version of applications is used and all the necessary patches have been applied.

Once a company passes these tests, they can be awarded the badge, which the organisation can use in all its marketing to demonstrate it values cyber security and can cope with cyber attacks.

Simple steps to compliance

To achieve Cyber Essentials Plus, first visit and select one of the official accreditation bodies listed, remembering you must first complete the basic Cyber Essentials certification process.

When an independent assessor has reviewed your answers and performed the basic tests on your security controls, you will be awarded the Cyber Essentials certificate. To achieve the upgrade to Plus, you will need to introduce the appropriate security controls to your system.

Think benefits not badges

The perceived security and business advantages of becoming Cyber Essentials Plus compliant is undeniable, but achieving certification should only be the start of your company’s continued efforts to achieving optimum protection.

Adopting wider security frameworks and being proactive in your efforts to lighten security should be an ongoing responsibility for you and your team.

More sophisticated assessments are available to companies who are looking to push their security further than the Cyber Essentials scheme, including Penetration Testing and Simulated Targeted Attack and Response, which assesses specialist business functions with a market or country influence.

If you think your organisation could benefit from these additional levels of assessments, then please get in touch and we’ll help you achieve total security for your business and clients.

Ready for the ultimate step in security? Then you’ll need ISO27001: 2013, which we can also help advise you about, as we achieved this standard a few years ago.

Like what you read?