How to prepare for Cyber Essentials Plus

A practical preparation guide for Cyber Essentials Plus, covering scope, devices, patching, MFA, malware protection and remediation planning.

Why preparation matters

Cyber Essentials Plus is the independently tested version of Cyber Essentials. It gives customers, suppliers and internal stakeholders greater confidence that your organisation has implemented the basic technical controls required by the scheme.

Preparation matters because the assessment is practical and time-bound. Devices are tested, common weaknesses are checked and any issues need to be resolved before certification can be completed.

A small amount of preparation can reduce avoidable failure, remove last-minute pressure and make the process more useful.

Confirm the scope first

Before arranging a Cyber Essentials Plus assessment, make sure the scope is clear.

You should know:

  • which organisation is being certified;
  • which networks, offices, cloud services and remote workers are in scope;
  • which devices are used by staff;
  • whether bring-your-own-device is allowed;
  • whether servers, cloud systems or hosted services are included;
  • whether the assessment is being driven by a customer deadline.

Unclear scope is one of the most common causes of delay. It can also lead to surprises if devices or services are included that have not been prepared.

Check that Cyber Essentials is accurate

Cyber Essentials Plus depends on Cyber Essentials. The self-assessment should be complete, accurate and current before Plus testing takes place.

Check that the answers reflect how the organisation actually works, not how you would like it to work.

Pay particular attention to remote working, cloud services, administrator access, unsupported software, mobile devices, personal devices and multi-factor authentication.

Review internet-facing services

Check what is visible from the internet. This may include websites, VPN portals, remote access services, firewalls, cloud systems, email services or old test environments.

Any internet-facing service should be known, required, supported and maintained. Old or unmanaged services can create avoidable problems during assessment.

Check patching and supported software

Patching is one of the most important areas for Cyber Essentials Plus.

Before assessment, check that operating systems, browsers, office software and commonly used applications are fully updated. Unsupported software should be removed, replaced or properly isolated if it cannot be upgraded.

Look for outdated browsers, old productivity software, unpatched VPN clients, remote access tools, and devices that have not been online recently enough to receive updates.

Prepare user devices

Cyber Essentials Plus testing will usually involve a sample of user devices. These need to be available, up to date and representative of how the organisation works.

Check that each device has current operating system and browser updates, active malware protection, appropriate firewall controls and no unnecessary administrator rights.

If staff work remotely, make sure devices can still be assessed and that users know what is expected.
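The checks in the patching and user-device sections above can be run over a device inventory before the assessor picks the sample, so unready machines are fixed first. The script below is an added example, not code from the original guide or from any Cyber Essentials body: it assumes an MDM/RMM export with the field names shown (these are assumptions, not any vendor's schema), a 14-day patch window matching the scheme's expectation that critical and high-rated updates are installed within 14 days of release, an assumed list of approved local administrator accounts, and a constructed set of sample devices.

```python
"""Device readiness check over an MDM/RMM inventory export.

Added example, not part of the original guide. Field names are assumptions,
not any vendor's export format, and the records at the bottom are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Assumed thresholds. 14 days matches the scheme's expectation that critical
# and high-rated updates are applied within 14 days of release.
PATCH_WINDOW_DAYS = 14
MAX_OFFLINE_DAYS = 14
# Accounts allowed to hold local administrator rights (assumption).
APPROVED_LOCAL_ADMINS: Set[str] = {"Administrator", "svc-itsupport"}


@dataclass
class Device:
    name: str
    os: str
    os_supported: bool                # vendor still issues security updates
    last_seen: date                   # last check-in with the management tool
    pending_updates: Dict[str, date]  # product -> release date of oldest outstanding update
    av_active: bool
    firewall_active: bool
    local_admins: List[str]


def check_device(dev: Device, today: date) -> List[str]:
    """Return a list of findings for one device; an empty list means ready."""
    findings: List[str] = []
    if not dev.os_supported:
        findings.append(f"unsupported operating system: {dev.os}")
    offline_days = (today - dev.last_seen).days
    if offline_days > MAX_OFFLINE_DAYS:
        findings.append(f"not seen for {offline_days} days; may have missed update cycles")
    for product, released in sorted(dev.pending_updates.items()):
        age = (today - released).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(f"{product} update outstanding for {age} days (limit {PATCH_WINDOW_DAYS})")
    if not dev.av_active:
        findings.append("malware protection not active")
    if not dev.firewall_active:
        findings.append("host firewall not active")
    unexpected = sorted(set(dev.local_admins) - APPROVED_LOCAL_ADMINS)
    if unexpected:
        findings.append("unexpected local administrators: " + ", ".join(unexpected))
    return findings


def readiness_report(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device name to its findings so unready devices are fixed before sampling."""
    return {dev.name: check_device(dev, today) for dev in devices}


# Constructed sample inventory (not real devices).
TODAY = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11 23H2", True, date(2024, 5, 31),
           {}, True, True, ["Administrator"]),
    Device("LAPTOP-02", "Windows 11 23H2", True, date(2024, 5, 30),
           {"Browser": date(2024, 5, 10), "Office": date(2024, 5, 28)},
           True, True, ["Administrator", "jsmith"]),
    Device("LAPTOP-03", "Windows 10 21H2", False, date(2024, 4, 20),
           {}, True, False, ["Administrator"]),
]

if __name__ == "__main__":
    for name, findings in readiness_report(SAMPLE_DEVICES, TODAY).items():
        print(f"{name}: {'READY' if not findings else 'NOT READY'}")
        for finding in findings:
            print(f"  - {finding}")
```

Running it on the constructed inventory reports LAPTOP-01 as ready, LAPTOP-02 with an overdue browser update and an unexpected local administrator, and LAPTOP-03 with an unsupported OS, a long offline gap and the firewall off. Replace the sample list with a loader for your own tool's export and keep the thresholds and approved-admin list under version control so the check is repeatable between assessments.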

Review administrator access

Administrator access should be limited to people who need it.

Check who has administrator rights, whether separate admin accounts are used, whether former staff accounts have been removed and whether day-to-day user accounts have unnecessary privileges.

A good rule is that normal daily work should not be done using administrator accounts.

Check multi-factor authentication

Review where multi-factor authentication is required and whether it is actually enforced. This is especially important for cloud services and remote access.

Check Microsoft 365 or Google Workspace, VPN and remote access, administrator portals, cloud hosting platforms and important third-party applications.

Avoid relying on optional MFA. For assurance purposes, enforced MFA is usually much stronger.
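The administrator-access review and the MFA review above both start from the same identity-provider export, so one script can cover both: who holds privileged roles, whether privileged roles sit on daily-use accounts, whether leavers are still enabled, and whether MFA is enforced rather than merely available. This is an added example, not code from the original guide or from any identity provider: the role names, the field names and the sample accounts are assumptions or constructed data, not any provider's schema.

```python
"""Account review over an identity-provider export: separate admin accounts,
leavers still enabled, and MFA actually enforced.

Added example, not part of the original guide. Role names, field names and the
records below are assumptions or constructed data, not any provider's schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

ADMIN_ROLES = {"global_admin", "user_admin", "exchange_admin"}  # assumed role names


@dataclass
class Account:
    username: str
    enabled: bool
    roles: Tuple[str, ...]      # privileged roles assigned; empty for ordinary users
    mfa: str                    # "enforced", "optional" or "none"
    used_for_daily_work: bool   # mailbox/desktop sign-in account rather than a dedicated admin account
    left_on: Optional[date] = None  # leaving date from HR, if the person has left


def privileged_accounts(accounts: List[Account]) -> List[str]:
    """Enabled accounts that currently hold an administrator role."""
    return sorted(a.username for a in accounts if a.enabled and ADMIN_ROLES & set(a.roles))


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs; an empty list means nothing to remediate."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        is_admin = bool(ADMIN_ROLES & set(acct.roles))
        # Leavers: the account should be disabled on or before the leaving date.
        if acct.left_on is not None and acct.left_on <= today and acct.enabled:
            findings.append((acct.username, "leaver account still enabled"))
        if not acct.enabled:
            continue  # a disabled account cannot be used, so nothing further to check
        # Daily work should not be done with an administrator account.
        if is_admin and acct.used_for_daily_work:
            findings.append((acct.username,
                             "administrator role on a daily-use account; use a separate admin account"))
        # Optional MFA gives little assurance; it must be enforced by policy.
        if acct.mfa != "enforced":
            kind = "administrator" if is_admin else "user"
            findings.append((acct.username, f"MFA is {acct.mfa} for this {kind} account, not enforced"))
    return findings


# Constructed sample export (not real accounts).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", True, (), "enforced", True),
    Account("bob", True, ("global_admin",), "enforced", True),
    Account("adm-bob", True, ("global_admin",), "optional", False),
    Account("carol", True, (), "none", True, left_on=date(2024, 3, 31)),
    Account("dave", False, ("user_admin",), "none", True, left_on=date(2024, 1, 15)),
]

if __name__ == "__main__":
    print("administrators:", ", ".join(privileged_accounts(SAMPLE_ACCOUNTS)))
    for username, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{username}: {finding}")
```

On the constructed data the review lists bob and adm-bob as administrators, flags bob for holding an admin role on his daily account, adm-bob for MFA being optional on an administrator account, and carol for being a leaver who is still enabled and has no MFA; dave is disabled and so produces nothing. Exporting the same fields from your own directory and running the review a few weeks ahead of the assessment leaves time to disable leavers and enforce MFA by policy before testing.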

Leave time for remediation

Do not plan the assessment for the day before a customer deadline.

If issues are found, you may need time to install updates, remove software, change configuration, enforce MFA, replace unsupported systems or retest affected devices.

A better approach is to allow time for review, testing, remediation and certification.

Common reasons assessments run into problems

Common issues include unsupported operating systems, missing updates, outdated browsers, local administrator rights, MFA not being enforced, old internet-facing services, unclear scope and unavailable devices.

Most of these can be found and fixed before the formal assessment.

How Be Secure Cyber can help

Be Secure Cyber supports organisations preparing for Cyber Essentials and Cyber Essentials Plus. We can help confirm scope, review likely gaps, assess internet-facing exposure, advise on remediation and carry out the Cyber Essentials Plus assessment where appropriate.

View Cyber Essentials Plus support or speak to us.