Cyber Essentials PLUS Assured

This is our recommended route if you want the smoothest path to Cyber Essentials (CE) and Cyber Essentials PLUS (CE+) certification, supported by ongoing compliance assurance.

It includes targeted advisory support and key activities focused on areas that, based on our assessors’ experience, most commonly create challenges during assessment.  It also provides ongoing monthly scanning to help you maintain compliance, together with enhanced scanning during the CE+ assessment process.

This offering includes Cyber Essentials Assured, 1 year of access to the Abriska CE+ module, a half-day sample-based CE+ pre assessment, the formal CE+ assessment, and 1 included retest within the NCSC remediation window in line with the Danzell scheme’s remediation process, plus:

• An additional half day of ad hoc advisory time
• Additional scans in the 3 days immediately preceding the CE+ assessment
• Daily internal vulnerability scans (on all assets) if the initial assessment is not successful
• Unlimited CE+ certification attempts* within 3 months of your CE certification date.

Because this offering includes Cyber Essentials Assured, your journey includes both the initial  scoping workshop and the Technical Scope Verification where evidence will be captured.  This ensures your certification scope is defined fully and accurately before the CE submission is finalised and that any issues likely to cause problems later in the certification journey are identified as early as possible.

* If additional retests are as a result of a scope change or the same vulnerabilities are identified and not addressed or URM’s advice and guidance is not followed then charges may apply.  Please note that once you have undertaken a CE+ assessment you have 30 days to remediate all issues and for there to be a retest including a second sample.

Abriska CE+ Module (Assured)

Your 1 year access to the Abriska CE+ module (Assured) provides:

• Monthly compliance scans of all external IP addresses in scope for CE
• Monthly compliance scans of all servers and end user devices in scope**
• An interactive view of the assets and vulnerabilities that could cause a compliance failure
• Actionable recommendations aligned to CE and CE + requirements
• 1 daily authenticated internal Qualys scan of all assets in the 3 working days prior to the official CE+ assessment
• 1 daily authenticated internal vulnerability scan of all assets if the initial CE+ assessment is not successful until the scheduled retest date within the NCSC remediation window.

** You are responsible for ensuring all in scope devices are correctly enrolled. URM can only provide scan results for devices that have been correctly enrolled

CE+ Pre Assessment and Advisory Support

A sample-based CE+ pre assessment is typically scheduled within the 2 weeks prior to your official CE+ assessment.  This pre assessment tests a small, representative sample of your devices, identifies likely failure points before the formal assessment, and provides initial advice on any issues identified.

In addition, half a day of advisory time is included.  This can be used to review pre assessment findings, discuss required remediation actions, answer questions, or provide targeted advice ahead of the formal CE+ assessment.

To provide further assurance immediately before the official CE+ assessment, this offering also includes daily internal vulnerability scans for all in scope devices during the 3 working days prior to assessment.  This allows compliance to be monitored in the days preceding the assessment and avoids any unforeseen issues.

Technical Scope Verification (TSV)

In most cases, the Technical Scope Verification is conducted separately from the CE+ assessment and must be passed at least seven working days before the assessment start date.  For this Cyber Essentials PLUS Assured offering, the TSV is typically conducted as part of the review included within Cyber Essentials Assured.

This approach significantly reduces the risk of booking CE+ assessment time that cannot be used due to issues with the declared scope.  Any factors that could prevent a successful CE+ assessment are identified and addressed early in the process.

For some small or micro-organisations (e.g., where the whole organisation is in scope and only a very small number of devices are involved) it may be possible to agree that the TSV is performed at the start of the CE+ assessment rather than as a separate activity in advance.***

*** Performing the TSV on the day of the CE+ assessment may reduce cost and administrative effort, but it increases risk.  If issues are identified that cannot be immediately resolved, the CE+ assessment time will need to be either repositioned as advisory activity or postponed, and postponement charges will apply. By choosing this option, you acknowledge that passing the TSV is a prerequisite for proceeding with the formal CE+ assessment and that this approach carries a higher risk.

Retests And Certification Attempts

If the CE+ assessment identifies failing items or vulnerabilities that have not been addressed, URM will perform 1 retest in line with the Danzell scheme’s remediation process.

If the initial CE+ assessment is unsuccessful due to vulnerabilities identified through authenticated scanning, adopting this route will enable you to monitor compliance of all your assets via the daily vulnerability scans included immediately ahead of your retest.

You should be aware that under the Danzell remediation rules, if the retest using a second sample set fails due to the same vulnerabilities, your CE certificate will be revoked and the whole CE and CE+ process will need to be restarted.

‍

Why URM?

As an accredited certification body, URM has an unrivalled record in assisting organisations of all sizes achieve certification to Cyber Essentials and Cyber Essentials Plus. URM is also an accredited Assured Service Provider under the NCSC Cyber Advisor scheme  and  has a large team of experienced, pragmatic assessors who are here to support you and guide you through the process.

Not only do we bring a wealth of cyber security knowledge, but also a wide and varied experience of all the leading cyber and information security standards.

As such, you can be assured that you are getting advice that is right for you and your organisation, taking into account your sector, size and the information you are looking to protect. Our large team of assessors also enables us to guarantee a super-fast turnaround.

‍