Cyber Essentials (CE) is a government-backed scheme, developed and managed by the National Cyber Security Centre (NCSC), which helps organisations protect themselves against common cyber threats, such as compromised IT systems, viruses, malware and spyware, as well as the financial and reputational damage associated with these attacks. With the scheme’s focus on fundamental security controls that organisations of any size should be able to implement, CE is a practical, accessible and effective starting point for businesses looking to improve their cyber security posture.
If your organisation is looking to certify, there are two levels of certification to consider:
- Cyber Essentials
- Cyber Essentials Plus
The Cyber Essentials certification assessment consists of a self-assessment questionnaire (SAQ). Your answers will need to demonstrate that you have applied the 5 technical controls throughout your organisation.
The Cyber Essentials Plus (CE+) certification adds a technical assessment of your IT systems on top of the CE SAQ, which confirms that these technical controls are in place throughout the in-scope systems.
Each of the five technical controls plays an important part in improving the cyber security posture of your organisation. The five technical controls that the Cyber Essentials scheme focuses on are:
- Firewalls: firewalls should be in place to ensure only secure and necessary services can be accessed by individuals on the internet.
- Secure Configuration: computers and network devices should be securely configured to reduce vulnerabilities (e.g., changing weak default configurations and passwords) and their attack surface (e.g., removing unnecessary applications, services and user accounts).
- Security Update Management: it is critical that security updates are promptly installed to ensure that devices along with software installed on these devices are not vulnerable to publicly-known security issues.
- User Access Control: user accounts should be managed in line with the principle of least privilege, i.e. user accounts are assigned only to authorised individuals, and access is provided only to the applications, services and networks that are needed to perform their tasks.
- Malware Protection: malware protection needs to be in place to restrict execution of malicious software on your systems to prevent damage or unauthorised access to data.
By implementing these security measures, your organisation will be protecting itself from the most common cyber attacks, as these attacks target organisations that don’t have these controls in place (e.g., attackers target organisations that have default or easy-to-guess credentials on services exposed to the internet, or that have unpatched software running on their systems).
URM has been involved in the assessment of hundreds of organisations’ CE applications and, in this blog, we share 3 top tips for your organisation when preparing for CE certification.
1. Read the latest version of the official Cyber Essentials documents from the NCSC website.
This may sound somewhat uninspiring, but it’s also a requirement for certification and an area where we often find organisations fall short. You’ll need to confirm that you’ve read the ‘Cyber Essentials Requirements for Infrastructure’ (v3.1, released in April 2023, is the most up-to-date version at the time of writing this blog) when answering the SAQ. While there is a temptation to skim through it and answer ‘yes’ to this question, we suggest you think twice. If you’re looking to obtain the CE certification without any issues, it is important to read the ‘Requirements for Infrastructure’ very carefully, particularly if you are attempting to certify without seeking any external advice.
The latest documentation from the NCSC can be found here: https://www.ncsc.gov.uk/cyberessentials/resources
Reading the ‘Requirements for Infrastructure’ once may not even be enough to fully understand its contents, and you may find yourself referring to it multiple times throughout your certification journey. It is, in our opinion, probably the single most important document you will refer to in your CE certification process.
The document clearly defines the scope of the certification, outlines the concept of a subset and how to certify only a subset of your organisation. It also defines the types of assets that should and should not be included in the scope (including ‘bring your own device’ or ‘BYOD’ devices, devices used for home working, wireless devices, cloud services, accounts used by third-parties, managed infrastructure, devices used by third parties, web applications, etc.). Whenever you are unsure about how to answer a CE question, referring back to this document will, in most cases, resolve any uncertainty. Are BYODs in scope? Should you include your wireless access point? Is a minimum password length of 8 characters in line with CE requirements? Does this requirement apply to your infrastructure as a service (IaaS) and mobile devices too? You will find the document answers all of these questions and more.
For each technical control, the ‘Requirements for Infrastructure’ document indicates which assets it applies to (e.g., the firewalls control applies to boundary firewalls, desktop computers, laptops, routers, servers, IaaS, platform as a service or ‘PaaS’, and software as a service or ‘SaaS’). It also outlines any specific technical requirements (e.g., which brute force protection mechanisms are acceptable: multi-factor authentication or ‘MFA’, login throttling, or locking accounts after no more than 10 failed attempts).
The CE requirements do change from time to time, so it is important to know what is required at the time of certification to avoid any surprises.
For CE+, the reference document is called “Cyber Essentials PLUS Illustrative Test Specification” (as with the CE reference document, v3.1, released in April 2023, is the current version at the time of writing this blog).
This is mostly aimed at assessors, but it can be useful to understand what constitutes a pass or a fail when you’re looking to certify against CE+.
2. Implement asset management
Although performing asset management is not an explicit CE requirement, it is incredibly useful in helping you meet the 5 technical controls of the CE scheme, creating a solid base not only for security but also for other functions such as IT operations, financial accounting, procurement, etc. It also helps enable other, more sophisticated disciplines such as vulnerability management, attack surface management, risk assessment, business continuity, and any other activity whose effectiveness relies on knowing that you have an asset (to protect, manage, decommission, etc.). Should your organisation be seeking to conform or certify to ISO 27001, you will find that asset management is a key requirement in the risk assessment process. Simply put, you can’t protect what you don’t know you have.
An important aspect of the asset management process is the creation and maintenance of an up-to-date asset inventory, which includes the hardware and the software in use throughout your organisation (with varying degrees of detail, from operating systems to libraries installed as dependencies of other software). Effective asset management allows your organisation to understand what technology and information it has, identify out-of-date and unsupported software, identify any unnecessary systems to decommission, and plan future technology cycles in advance.
This tip is not always easy to implement if you don’t already have something in place, as asset management requires diligence and constant maintenance to provide accurate and up-to-date information.
However, while asset management alone is not sufficient for meeting the requirements of the CE technical controls, not conducting it makes the effective implementation of the NCSC-recommended security controls (and completion of the CE questionnaire) much more difficult.
3. Centralise and standardise management of IT assets
This may not apply to micro-organisations with fewer than 10 employees, but as the IT estate grows it becomes increasingly difficult to consistently manage all the servers, network devices, workstations, and mobile devices individually.
Having systems that allow you to manage all your IT assets from one or a few central locations in an easy and consistent way is a significant help in meeting the Cyber Essentials technical control requirements, as well as in reducing overall management complexity, the enemy of security.
Examples of these systems include, but are not limited to:
- Servers, endpoint and mobile device management tools that allow IT administrators to deploy updates to servers and end user devices, including third-party software installed on them;
- Configuration management and automation tools or standard/golden builds when deploying new devices which allow IT administrators to define an acceptable base operating system build that meets all security and business requirements of your organisation;
- Identity management solutions that allow IT administrators to centrally manage corporate user accounts.
One of the CE requirements that most organisations struggle to comply with is patching of all critical and high-risk vulnerabilities within 14 days from the patch release date. This includes operating systems, but also applications installed on devices (e.g., Java, PDF readers, .NET Framework, browsers, Zoom, Dell Support Assist, Printer drivers, SQL servers, VPN clients, etc.). Server and endpoint management tools can greatly assist in meeting this requirement.
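As an added illustration (this is not code from the original post or from URM), the following Python script cross-checks a software inventory of the kind tip 2 recommends keeping, including third-party applications, against a list of vendor patch releases and reports every critical/high-risk patch that is more than 14 days past its release date and still not applied on a device. Hostnames, product versions and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# CE requirement quoted on this page: critical/high-risk patches applied within 14 days of release
CE_PATCH_WINDOW = timedelta(days=14)

@dataclass(frozen=True)
class InstalledSoftware:
    host: str
    product: str
    version: str

@dataclass(frozen=True)
class PatchRelease:
    product: str
    fixed_version: str
    released: date
    severity: str  # "critical", "high", "medium" or "low"

def version_tuple(v: str) -> tuple:
    # Dotted numeric versions only; a real inventory tool would need vendor-specific parsing
    return tuple(int(p) for p in v.split("."))

def overdue_patches(inventory, releases, today):
    # One finding per install still below the fixed version of a critical/high patch whose window has closed
    findings = []
    for item in inventory:
        for rel in releases:
            if rel.product != item.product or rel.severity not in ("critical", "high"):
                continue  # different product, or a severity outside the 14-day CE rule
            if version_tuple(item.version) >= version_tuple(rel.fixed_version):
                continue  # already patched
            deadline = rel.released + CE_PATCH_WINDOW
            if today > deadline:
                findings.append((item.host, item.product, rel.fixed_version, (today - deadline).days))
    return findings

# Constructed sample data: hostnames, versions and dates are invented for the example
INVENTORY = [
    InstalledSoftware("LAPTOP-01", "Zoom", "5.14.0"),
    InstalledSoftware("LAPTOP-02", "Zoom", "5.17.5"),
    InstalledSoftware("LAPTOP-02", "Java", "8.0.371"),
    InstalledSoftware("SRV-01", "PDF Reader", "23.1.0"),
]
RELEASES = [
    PatchRelease("Zoom", "5.17.5", date(2024, 1, 10), "high"),
    PatchRelease("Java", "8.0.391", date(2024, 1, 16), "critical"),
    PatchRelease("PDF Reader", "23.2.0", date(2024, 2, 20), "medium"),  # outside the 14-day rule
]
ASSESSMENT_DATE = date(2024, 3, 1)  # constructed date of the check

if __name__ == "__main__":
    for host, product, fixed, days in overdue_patches(INVENTORY, RELEASES, ASSESSMENT_DATE):
        print(f"{host}: {product} below {fixed}, {days} days past the CE deadline")
```

Software that never makes it into the inventory is invisible to this check, which is exactly the gap a CE+ assessor tends to find on workstations.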
The use of configuration management and automation tools or standard/golden builds helps in meeting other CE requirements such as configuring local firewalls, removing unnecessary software and users, and configuring device locking.
The use of identity management solutions can help you meet other important CE requirements such as the use of MFA, setting password requirements, managing the user account lifecycle and defining user access permissions.
What about CE+?
In our experience, organisations that follow the above 3 tips are more likely to pass a CE+ assessment than organisations that don’t. This is because the CE+ assessment includes a technical audit which verifies that what’s been declared in the SAQ is reflected in the devices used by the organisation. In practice, the actual security of the devices is then more likely to match what management expects.
A very common example relates to the patching of critical/high-risk vulnerabilities. It is not unusual for organisations to think they are meeting the CE patching requirements, and then discover during a CE+ assessment that multiple users have out-of-date software installed on their workstations. In many cases, organisations are not fully aware that this software has been installed, that it is affected by critical or high-risk vulnerabilities, and that it could be protected by patches that were released months ago. It’s difficult to patch software that you don’t know you have, or that requires individual users to perform the updates themselves.
This is not to say that this will never happen to organisations that have a working asset management process, a centralised patch management system that covers third-party software, and standard OS builds. However, we definitely see a huge difference in the overall security posture when these systems, processes and policies are implemented, which is the primary objective of the Cyber Essentials scheme.
Extra tip: Seek professional advice
For different reasons, organisations may not have the time, knowledge, or resources to go through the certification process by themselves.
For example, smaller organisations without a specialised IT expert may struggle to understand the ‘Cyber Essentials Requirements for Infrastructure’ document from the NCSC. If it’s the organisation’s first time going through the certification process, or if the organisation is more complex and there are edge cases not covered by the official documentation (should my K8s cluster be included in the scope?), it may be difficult to understand what needs to be included in the certification scope, what can be excluded, and to answer all the SAQ questions correctly.
In these cases, seeking professional advice from organisations with CE and CE+ expertise can result in a better outcome than trying to do everything without help.
How URM Can Help
If your organisation would benefit from assistance certifying to the Cyber Essentials security scheme, URM is ideally placed to provide that assistance. We have facilitated hundreds of CE and CE+ assessments in our capacity as an accredited certification body, providing our assessors with a comprehensive understanding of the scheme and its requirements. Meanwhile, as an Assured Service Provider under the NCSC Cyber Advisor scheme, our team of Cyber Advisors (Cyber Essentials) are able to offer you practical and reliable advice on achieving CE/CE+ certification as well as improving your cyber security posture in general.
In the early stages, prior to assessment, one of our Cyber Advisors (Cyber Essentials) can conduct a gap analysis to help you identify whether your existing policies and controls meet the requirements for certification, and offer advice on how to remediate any areas of non-compliance. When you are ready for assessment, we can also offer an application review service prior to you formally submitting your SAQ. URM’s assessor can either go through a Cyber Essentials checklist with you before you fill out the questionnaire, explaining each question and enabling you to successfully complete the SAQ yourself, or check your already completed SAQ before submission. Regardless of which option you select, you will be able to submit your SAQ secure in the knowledge that you have completed it accurately.