Cyber Essentials Plus: What Does The Audit Involve?

 

Introduction

Cyber Essentials Plus (Level Two) is a technical audit of IT systems. It’s based on the same technical requirements of Cyber Essentials (Level One) and is a way to verify the controls are in place and operating effectively. It can provide more assurance to organisations regarding the risks associated with internet-based threats. The audit for Cyber Essentials Plus covers a representative set of user devices, internet gateways, servers with services accessible to the internet, and cloud services.

 

Cyber Essentials (Level One) and Cyber Essentials Plus (Level Two)

Details of the differences between the two levels of Cyber Essentials can be found in a previous blog located here. In summary

• Cyber Essentials is a verified self-assessment of technical controls aimed at protecting organisations from common internet-based threats
• Cyber Essentials Plus takes it a step further and validates these controls as being in place and operational through independent testing by a qualified expert. This involves detailed testing and vulnerability assessments.

 

Testing for Cyber Essentials Plus

Five key tests are carried out for Cyber Essentials Plus:

1. Remote vulnerability assessment – whether an internet based attacker could hack into systems using typical low-skill methods
2. Vulnerability Fixes – identifying missing patches and security weaknesses that could be exploited by an attacker
3. Malicious software protection – checking devices benefit from a basic level of protection when emailing and web browsing
4. Multi-factor authentication – whether cloud service are configured for MFA / 2FA
5. Account Separation – checking that a standard user account doesn’t have administrator privileges assigned

 

Types of devices being tested for Cyber Essentials Plus

Testing focuses on the following devices:

1. External internet based IP addresses / hosts – including infrastructure and as service
2. A representative sample of end user devices
3. Servers
4. Cloud services

 

Prerequisites to Cyber Essentials Plus testing

• Cyber Essentials certification – issued within the last 3 months
• Written permission from the organisation requesting the testing
• Scope verification – that Cyber Essentials Plus matches Cyber Essentials (Level One)
• Agreement on the scope boundary
• Confirmation that any subsets have been effectively segregated
• Samples to be tested
• When the testing will take place
• Access to the organisation site location – if required
• Appropriate people (from the organisation and certification body) to support the testing
• Email client(s) and web browser(s) to facilitate the testing
• Sending/receiving of emails – an organisation (account) applying for certification

 

Who does the testing, and are there specific tools required

• People: Cyber Essentials Plus Assessors have completed the IASME Cyber Essentials Plus Assessor Workshop, passed the course examination and are licensed by a Certification Body
• Organisation: Cyber Essentials Plus Certification Body, authorised to assess and certify against the Cyber Essentials Plus standard, based on training and licencing through IASME (the delivery partner appointed by the National Cyber Security Centre)
• Tools: Vulnerability assessments must be carried out using an approved tool – PCI Approved Scanning Vendors (ASV) – which include software from Tenable (Nessus), Rapid7, and Qualys

 

What to expect during the testing

1. Remote vulnerability assessment – external IP addresses are scanned through the ASV tool to identify weaknesses
2. Patching – a vulnerability scanning agent is deployed on devices to identify weaknesses and whether fixes are available
3. Malicious software protection – devices are checked for running appropriate software (where possible), testing is also carried out to check that browsers and email are configured to block/prevent malicious software
4. Multi-factor authentication – checks are carried out on the setup of cloud services, to ensure accounts are set up with multi-factor authentication
5. Account Separation – devices are checked to ensure standard accounts (used for web browsing and email) don’t have special/administrative privileges

Key note:

• A Cyber Essentials Plus Test Specification is available for more details – created by the National Cyber Security Centre (NCSC), which is part of the GCHQ 

 

How We Help

At RB Consultancy Ltd we support organisations looking to implement controls and/or certify to Cyber Essentials and Cyber Essentials Plus requirements:

• NCSC Assured Cyber Advisor – we help organisations understand and implement technical controls
• IASME Cyber Essentials Plus Assessor – we assess organisations against the requirements
• IASME Cyber Essentials Plus Certification Body – we issue organisations with certifications

 

Conclusion – What the audit involves for Cyber Essentials Plus

Cyber Essentials Plus provides more reassurance that the technical controls designed to prevent common / internet-based attacks are in place and operational – there are five main tests carried out for the Cyber Essentials Plus audit. Testing is on external devices, a sample of end-user devices, servers, and cloud. Before testing can begin, prerequisites must be completed. Testing is carried out by certified assessors who work for certification bodies. Specific software is required for some testing (vulnerability assessments). Email accounts/web browsers used by organisations form part of the testing too. More details on the testing can be found in a Cyber Essentials Plus Test Specification document, which has been created by the National Cyber Security Centre (NCSC). RB Consultancy Ltd help organisations with Cyber Essentials and Cyber Essentials Plus certification. If you would like assistance, contact us for support.

 

 

Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional cyber advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials, IASME Cyber Assurance, and has many years experience in IT and cyber security. Remo has a history of supporting organisations from all over the world – including a Fortune 500 in USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only.