What is Cyber Essentials PLUS?

Cyber Essentials PLUS is a UK government-backed certification designed to help protect organisations from common cyber attacks. The assessment provides you with a clear picture of your organisation’s level of cyber security and assures current and prospective stakeholders that you have adequate measures in place. You may also require a Cyber Essentials PLUS certification to bid on government contracts.

To become Cyber Essentials PLUS certified, you will need to complete an online assessment followed by a technical audit conducted by an IASME Certified Body. This will need to be completed within three months of obtaining your Cyber Essentials Basic certificate.

How to prepare for Cyber Essentials PLUS

We’ve helped many organisations pass their Cyber Essentials PLUS certification. Liam Romanis, a Principal Security Consultant at Rootshell Security, shares his advice on how best to prepare for your assessment:

  • Unsupported Software: Ensure that all software is currently supported. This may require purchasing extended support for some software.
  • Vulnerabilities which score 7.0 or more on the Common Vulnerability Scoring System (CVSS) 3.x scale: These would be ‘high’ or ‘critical’ risk vulnerabilities. Ensure that all operating systems and software are fully patched, including third party software and libraries.
  • Accessible Services that do not require authentication: Ensure that no services are present (externally facing) which do not require authentication before access is granted.
  • Can the authentication methods be bypassed with low skills? Ensure that implemented authentication methods are robust and that strong complex passwords are configured. Check that no default passwords are present and consider implementing Multi-Factor Authentication (MFA) where possible. Read more on MFA service accounts.
  • Does the service lock accounts after a certain number of invalid logins? Ensure all lock thresholds are set to 10 or less.
  • Anti-Malware: Ensure that Anti-Malware is installed on all End User Devices (EUDs) tested, that it is up to date and appropriately configured. Ensure Anti-Virus (AV) definitions are up to date.
  • Email attachments: Ensure that when a potentially dangerous file type is sent as an attachment it is either blocked at the gateway or a warning message is displayed, indicating that the file type could be dangerous. This must occur even if the file is inside a compressed file or the extension has been modified. If an attachment is infected then it must be blocked at the gateway or by the chosen Anti-Malware before it can be opened.
  • Browser downloads: Ensure that dangerous file types are blocked at the gateway or that the user receives a warning message about the file type. If the file is infected then it must be blocked at the gateway or before the user can open it.
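The first five points of the checklist above can be triaged from data most organisations already hold: a vulnerability scan export, a software inventory and the account lockout policy. The script below is an added example written for this page, not a Rootshell or IASME tool; the finding and inventory records are constructed sample data, and the field names (`cvss3`, `end_of_support`, `lockout_threshold`) are assumptions about how such an export might be shaped. It encodes the CVSS 3.x severity bands, flags anything at 7.0 or above, lists software past its vendor end-of-support date, and checks that the lockout threshold is set to 10 or less (treating 0, which on many platforms means "never lock", as a failure).

```python
"""Pre-assessment triage for the Cyber Essentials PLUS checklist.

Added example for this page (not an official IASME/NCSC tool). All sample
records below are constructed; the CVSS 3.x bands and the lockout limit of
10 are taken from the checklist and the CVSS 3.x specification.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

CVSS_FAIL_THRESHOLD = 7.0    # CVSS 3.x High (7.0-8.9) and Critical (9.0-10.0) fail CE+
MAX_LOCKOUT_THRESHOLD = 10   # accounts must lock after 10 or fewer invalid logins


@dataclass(frozen=True)
class Finding:
    """One row of a vulnerability scan export (assumed shape)."""
    host: str
    title: str
    cvss3: float             # CVSS 3.x base score, 0.0-10.0
    external: bool = False   # True if the host is internet-facing


@dataclass(frozen=True)
class Software:
    """One row of a software inventory (assumed shape)."""
    host: str
    name: str
    version: str
    end_of_support: Optional[date]   # None means the vendor still supports it


def cvss3_severity(score: float) -> str:
    """Map a CVSS 3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS 3.x score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def failing_findings(findings: List[Finding]) -> List[Finding]:
    """Findings at or above the CE+ threshold, worst first."""
    failing = [f for f in findings if f.cvss3 >= CVSS_FAIL_THRESHOLD]
    return sorted(failing, key=lambda f: f.cvss3, reverse=True)


def unsupported_software(inventory: List[Software], today: date) -> List[Software]:
    """Software whose vendor support ended on or before `today`."""
    return [s for s in inventory if s.end_of_support is not None and s.end_of_support <= today]


def lockout_policy_ok(lockout_threshold: int) -> bool:
    """True when accounts lock after 1..10 invalid logins; 0 means lockout is disabled."""
    return 1 <= lockout_threshold <= MAX_LOCKOUT_THRESHOLD


def triage(findings: List[Finding], inventory: List[Software],
           lockout_threshold: int, today: date) -> Dict[str, object]:
    """Summarise the checklist items that would fail the technical audit."""
    return {
        "high_or_critical": failing_findings(findings),
        "unsupported": unsupported_software(inventory, today),
        "lockout_ok": lockout_policy_ok(lockout_threshold),
    }


# Constructed sample data: hostnames, titles, dates and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("mail-01", "Weak TLS cipher suites offered", 5.3, external=True),
    Finding("web-01", "Remote code execution in web framework", 9.8, external=True),
    Finding("ws-07", "Local privilege escalation in desktop agent", 7.8),
]
SAMPLE_INVENTORY = [
    Software("ws-07", "LegacyOS", "2009", date(2020, 1, 14)),
    Software("web-01", "WebServer", "2.4", None),
]

if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS, SAMPLE_INVENTORY, lockout_threshold=10, today=date(2024, 1, 1))
    for f in result["high_or_critical"]:
        print(f"FAIL  {f.host:8} {cvss3_severity(f.cvss3):8} {f.cvss3:4.1f}  {f.title}")
    for s in result["unsupported"]:
        print(f"FAIL  {s.host:8} unsupported: {s.name} {s.version} (support ended {s.end_of_support})")
    print("lockout policy:", "ok" if result["lockout_ok"] else "FAIL")
```

Run it as-is to see the constructed sample triaged; in practice you would load `Finding` and `Software` rows from your scanner's CSV/JSON export and read the lockout threshold from your directory or endpoint policy. Note that the script only narrows the list of likely failures; the assessor still verifies each item on the sampled devices.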

Become Cyber Essentials PLUS certified with Rootshell Security

As an IASME licensed Cyber Essentials PLUS Auditor, Rootshell Security can carry out your technical audit and provide the support you need. We can also help you plan how to maintain your cyber security beyond your Cyber Essentials PLUS certification. Get in touch to discuss how we can help.