Cyber Essentials Plus is an audited version of the basic Cyber Essentials self-assessment. Before the audit takes place, the applicant and the assessor agree which parts of the network are in scope and which are out of scope for the assessment. The technical audit then verifies that the Cyber Essentials controls are in place, that all business locations meet the minimum criteria for each control section, and that the organisation has adequate defences against the threats the scheme covers.
Auditing for Cyber Essentials Plus is done by carrying out several tests against the customer's (the applicant's) environment.
Remote Vulnerability Assessment
The purpose is to test whether an Internet-based opportunist attacker could break into the applicant's systems using typical low-skill methods. We look for ports left open on the Internet-facing firewall and assess the security of the services exposed on those ports.
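As an added illustration of the first step of such an assessment (this is example code written for this page, not the assessor's tooling or anything from the original text), the script below runs a TCP connect scan against a host, grabs whatever banner each open service sends, and flags services an opportunist attacker would target. The list of risky ports, the banner patterns and the local stand-in service are assumptions constructed so the example runs offline against 127.0.0.1.

```python
import re
import socket
import threading
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ports an Internet-based opportunist would try first. Illustrative list
# (assumption), not the scheme's definition of what is in scope.
RISKY_PORTS = {
    21: "ftp (cleartext credentials)",
    23: "telnet (cleartext credentials)",
    445: "smb (should never be Internet-facing)",
    3389: "rdp (brute-force target; put behind VPN/MFA)",
    5900: "vnc (usually weak or no authentication)",
}

# Banner patterns that identify a service regardless of the port it sits on.
BANNER_HINTS = [
    (re.compile(r"^220 .*ftp", re.I), "ftp (cleartext credentials)"),
    (re.compile(r"^SSH-\d"), "ssh (acceptable if patched and key-only)"),
    (re.compile(r"^HTTP/|^<html", re.I), "http (check for admin interfaces)"),
]


@dataclass
class Finding:
    port: int
    banner: str          # first bytes the service sent, '' if it stayed silent
    risk: Optional[str]  # why an assessor would flag it, or None


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Connect to host:port and return what the service says first.
    Returns None if the port is closed/filtered, '' if open but silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
    except OSError:
        return None
    return data.decode("ascii", errors="replace").strip()


def classify(port: int, banner: str) -> Optional[str]:
    """Name the risk for an open port: well-known port number first, then banner."""
    if port in RISKY_PORTS:
        return RISKY_PORTS[port]
    for pattern, risk in BANNER_HINTS:
        if pattern.search(banner):
            return risk
    return None


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> List[Finding]:
    """TCP connect scan: one Finding per open port."""
    findings = []
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is None:
            continue
        findings.append(Finding(port, banner, classify(port, banner)))
    return findings


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for an exposed service, listening on 127.0.0.1 so the
    example runs offline. Returns the ephemeral port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # For a real assessment replace 127.0.0.1 with the applicant's public
    # address and the port list with the full range the firewall may expose.
    ftp_port = start_fake_service(b"220 corp-gw FTP server ready\r\n")
    for f in scan("127.0.0.1", [ftp_port, ftp_port + 1]):
        print(f"open {f.port:5d}  banner={f.banner!r}  risk={f.risk}")
```

A connect scan of this kind is exactly what an opportunist with no special tooling can do, which is why anything it turns up that answers with a cleartext-authentication banner is a finding regardless of how "internal" the service was meant to be.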
Check patching via an authenticated vulnerability scan
This identifies missing patches and security updates that leave vulnerabilities within the scope of the scheme, which could be easily exploited. Both operating system updates and third-party software updates are checked, using credentials supplied by the applicant so the scanner can see what is actually installed rather than only what is exposed.
Check EUD defences against malware delivered through a website
This tests whether EUDs are protected from malware delivered through a website. As in the email test, a selection of safe test files relevant to your particular operating system is downloaded from the Internet, and the test checks that the download is blocked or the file is detected.
Check effectiveness of EUD defences against malware delivered by email
A test to determine whether EUDs are protected against malware delivered via email attachments. To do this, a selection of safe files that should be detected as malware is sent to the applicant's email system.
Check malware protection on End User Devices
This checks that all of the EUDs in scope benefit from at least a basic level of malware protection.
Testing Criteria
Each test has its own pass criteria. However, if the Cyber Essentials controls have been implemented successfully, there should be no trouble passing the audit tests for Cyber Essentials Plus.
To be Cyber Essentials Plus certified, as well as fulfilling the above criteria the business will be verified by external assessors, whose tests confirm that the technical controls are in place.
You can check whether an organisation whose services you are considering is certified by following the link and searching for it: https://iasme.co.uk/cyber-essentials/ncsc-certificate-search/