
 CYBER ESSENTIALS

What is the Cyber Essentials (CE) Scheme?

The UK government launched the Cyber Essentials scheme to help small and medium-sized organisations define and measure basic levels of security hygiene. The scheme defines a series of technical and procedural controls to mitigate the risks associated with cyber threats.
As a CREST-affiliated company, LRQA Nettitude is able to issue both Cyber Essentials and Cyber Essentials Plus certification, with the option of a pre-assessment if required.

Cyber Essentials certification benefits

Through certifying against the Cyber Essentials scheme, organisations can:

• promote and demonstrate that they have undertaken essential precautions in minimising their cyber risk.
• satisfy clients, suppliers, insurers and industry regulators including businesses tendering for government contracts.
• gain assurance of the security posture of their IT systems and networks.

For further information on the scheme and its benefits please see https://www.cyberessentials.ncsc.gov.uk/getting-certified/

Cyber Essentials assessment areas

The primary security controls that are assessed during a Cyber Essentials or Cyber Essentials Plus assessment are:

• Internet Perimeter Security – establishing the exposure of internet-facing systems, presence of appropriately secure firewall controls and security posture of those systems.
• Access and Authentication Controls – validation of appropriate authentication mechanisms to protect an organisation’s applications or infrastructure from unauthorised access.
• Security Patch Management – verification of the application of security patches across operating systems and applications.
• Malware and Endpoint Protection – a review of the presence and effectiveness of anti-virus and endpoint protection solutions.
• Secure Configuration – checks to ensure systems are configured in the most secure way and common vulnerabilities through implementation weaknesses have been addressed.

Cyber Essentials vs Cyber Essentials Plus

Both schemes consist of the same core cybersecurity assurance activities. However, the Cyber Essentials Plus assessment includes additional checks and examines the cybersecurity posture of an organisation in greater depth and breadth, providing an enhanced certification and greater peace of mind.

 

  • Self-assessment Questionnaire – The organisation is required to complete a self-assessment questionnaire that covers some of the basic technical and procedural controls that need to be in place.
  • External Vulnerability Scan – The vulnerability scans offer a deeper level of assurance by scanning the network perimeter of all internet connected locations for infrastructure and web application vulnerabilities, including dedicated hosting platforms.
  • Internal Workstation and Mobile Device Security Audit – This stage assesses a sample of workstations for configuration and patching related vulnerabilities. A CREST-qualified consultant will conduct a full build review against your standard workstation builds and mobile devices. Common malware will be delivered via email (phishing) and web browsing (drive-by) to assess the effectiveness of perimeter protections. This element is typically delivered onsite.

What happens after a Cyber Essentials assessment?

When an organisation successfully passes a Cyber Essentials Assessment, LRQA Nettitude will issue a Cyber Essentials Certificate. LRQA Nettitude is also able to offer pragmatic advice and guidance on how any identified gaps or security weaknesses can be addressed.

Cyber Essentials pre-assessments

When LRQA Nettitude initially engages with organisations, the team undertakes a gap analysis to measure the organisation’s existing controls against what is required by Cyber Essentials. Having conducted this assessment, LRQA Nettitude then provides the organisation with a clear road map on how to bridge the gaps and reduce the risks associated with a cyber breach. As the organisation moves towards entry-level certification, LRQA Nettitude can provide ongoing guidance and assistance to ensure all elements of the assessment are being catered for.
