If you’re considering gaining formal certification to Cyber Essentials Plus (CE+)…good for you! Complying with the security requirements of CE+ and then having this independently verified will ensure that you align with a solid foundation of cyber security best practice…and significantly reduce the likelihood of being the victim of a breach to your infrastructure and/or data.
Appoint an IASME Cyber Essentials certification body
The Cyber Essentials scheme is owned and overseen by HMG’s National Cyber Security Centre (NCSC). IASME is the accreditation body that manages and administers the scheme on a day-to-day basis. Sitting under IASME are several Certification Bodies (CBs) who assess and issue CE+ certificates to organisations seeking accreditation. The CB is the entity that you will work closely with, both to prepare for and then gain CE+ certification with…so firstly, you will need to appoint a CB.
How to choose a certification body?
All approved Cyber Essentials Plus CBs have to meet with a strict set of minimum requirements to ensure that they (and their assessors) are suitably qualified. You can find a full list of CE+ CBs on the IASME website and use the interactive map to shortlist CBs in your geographical area. Although it is acceptable for the CB to conduct the assessment remotely, we would highly recommend that this be conducted on-site.
We suggest that you contact each of your shortlisted CBs, ask to speak with one of their Cyber Essentials Plus Assessors to get a feel for their approach. Ask them how the certification process works and how they would work with you through the engagement. Explain to them any issues or concerns you may have and ask their advice on how these could be addressed.
How can I prepare?
You’ll need to get certified to Cyber Essentials first. Before formally registering with a Certification Body (and paying!) we would suggest that you download and review the questionnaire. Look at each question to ensure that: You can comply with the requirement.
You can provide evidence of your compliance. The assessor will need to see evidence to qualify each of your questionnaire responses as part of the CE+ assessment.
Once you have achieved the regular Cyber Essentials you have three months to complete your CE Plus application. The Certifying Body will need to conduct the following assessments:
- External vulnerability scan (all external-facing IPs)
- Internal vulnerability scan (a sample of devices)
- Questionnaire audit
- Malware check (AV, Email)
- Mobile device check
The above assessments can be conducted remotely. However, for those organisations that are not cyber security mature, we would recommend conducting the assessment on-site. This way you will benefit from face-to-face time with a highly experienced information security assessor who can provide you with free-flowing cyber security advice and guidance. He/she may also be able to nip any ‘fails’ in the bud whilst with you.
Your CB will explain exactly what they will need to see and how they will need to connect in order to conduct the CE+ assessment so that you can prepare correctly.
In our experience, the following are the main causes of a ‘fail’ being issued:
- Lack of documented security policies
- Lack of patching
- Unsupported OS (usually in mobile devices)
- Unsupported software (detected by the vulnerability scans)
Don’t worry if you are issued with an assessment fail, you’ll have 30 days to correct this. The CB will reassess the area(s) that failed and issue a pass if the issue has been remediated.
When you have met with the requirements of the CE+ scheme and achieved certification, you’ll be operating in a more secure way…and have the badge to prove it.
We hope this post has encouraged you to make the decision to proceed with certifying to the CE scheme. If you are looking for a certifying body that is passionate about what they do and how they engage with clients, look no further. We have helped many UK organisations achieve good cyber security hygiene using the Cyber Essentials scheme and would be happy to help you do the same.
Learn more about Risk Crew’s Cyber Essential solutions on our website or give us a call on 020 3653 1234 and we’ll connect you with one of our experienced CE Assessors.