A step-by-step guide to achieving CE+

Cyber Essentials Plus is a UK government-backed certification scheme designed to help organisations protect themselves against common online threats. 

It builds upon the basic Cyber Essentials certification by requiring a more thorough, hands-on technical verification of cybersecurity measures. Here's what an organisation needs to do to achieve Cyber Essentials Plus certification.

Understand the requirements

Cyber Essentials Plus covers five critical technical controls:

Firewalls: Ensuring boundary firewalls and internet gateways are appropriately configured to secure the network.

Secure Configuration: Configuring devices and software to reduce vulnerabilities and minimise the potential for exploitation.

User Access Control: Implementing robust access controls to manage who has access to data and services.

Malware Protection: Utilising appropriate anti-malware solutions to prevent malicious software infections.

Patch Management: Ensuring that all software and firmware are updated with the latest security patches.

Initial self-assessment (Cyber Essentials)

Before pursuing Cyber Essentials Plus, an organisation must achieve the basic Cyber Essentials certification. This involves completing a self-assessment questionnaire to demonstrate that the five essential controls are in place. An external certification body will assess the organisation based on the self-assessment and evidence provided.

Preparation for Cyber Essentials Plus assessment

Once Cyber Essentials certification is achieved, the organisation must prepare for the more rigorous Cyber Essentials Plus assessment. This preparation includes:

Review and Update Policies: Ensuring all IT and security policies are current and comprehensive.

Internal Audit: Conducting an internal audit to identify and remediate potential security weaknesses.

Employee Awareness and Training: Ensuring all staff are aware of cybersecurity best practices and the importance of compliance.

Engage a certification body

An accredited certification body must be engaged to conduct the Cyber Essentials Plus assessment. This body will perform a technical audit, including:

On-Site Technical Assessment: An assessor will visit the organisation's premises to test the IT systems and controls. This hands-on testing will verify that the Cyber Essentials controls are functioning effectively.

External Vulnerability Scan: The organisation's internet-facing systems will be scanned to assess their exposure.

Internal Vulnerability Assessment: The certification body may perform an internal vulnerability assessment, including testing for internal system and configuration weaknesses.

Malware Protection Testing: Testing will ensure that anti-malware solutions are correctly configured and effective.

Remediation (if necessary)

If any vulnerabilities or non-compliant areas are identified during the assessment, the organisation must address these issues. The certification body may require a follow-up assessment to effectively implement remediation actions.

Achieving certification

Once the organisation meets all the requirements, the certification body will award the Cyber Essentials Plus certification. This certification demonstrates that the organisation has implemented and maintained higher cybersecurity controls, verified through rigorous testing.

Maintaining certification

Cyber Essentials Plus certification is valid for one year. Organisations must undergo an annual re-assessment to maintain the certification. This ensures that the cybersecurity controls remain effective and that the organisation keeps up with evolving cyber threats.

Additional considerations

Documentation and Evidence: Thoroughly document all security controls, configurations, and policies. This documentation is crucial for the certification process.

Continuous Improvement: Cybersecurity is a continually evolving field. Organisations should regularly review and update security measures to adapt to new threats and vulnerabilities.

Benefits of Cyber Essentials Plus

Achieving Cyber Essentials Plus certification offers significant advantages for organisations. It demonstrates a strong commitment to advanced cybersecurity practices, showcasing the organisation's dedication to protecting its digital infrastructure against common threats.

This certification indicates that robust security measures are in place, providing more protection for sensitive information. Additionally, Cyber Essentials Plus certification enhances customer assurance and stakeholder confidence. 

By obtaining this certification, organisations can effectively communicate that they prioritise data security and are proactive in safeguarding their systems. This commitment to cybersecurity protects customers' personal information and strengthens the organisation's reputation as a trusted and reliable entity.

Moreover, the certification is crucial for organisations engaging with the public sector. Many UK government contracts require suppliers to have Cyber Essentials Plus certification, making it a key criterion for participation in these opportunities. 

Thus, achieving this certification meets compliance requirements and opens new avenues for business growth and collaboration within government supply chains.

Summary of Guide to Cyber Essentials Plus

Achieving Cyber Essentials Plus certification is valuable in enhancing your organisation's cyber security posture. It helps protect your business from common cyber threats and builds trust with customers and partners. 

Following the steps outlined above, you can navigate the certification process and demonstrate your commitment to safeguarding sensitive data. 

Cyber security is an ongoing journey, and maintaining a proactive approach is key to staying secure in an ever-changing digital landscape.

If all this seems a little daunting and an admin nightmare, don't worry. Help is at hand. We can help you achieve or renew CE+ certification. Contact Dale Shubrook via hello@oryxalign.com.

References