What to expect from Cyber Essentials audits

If you’re looking to strengthen your cybersecurity and data protection processes, a Cyber Essentials or Cyber Essentials Plus certification could be right for you.

Cyber Essentials is a framework that provides guidance to help businesses protect themselves against cyber threats. The final step in the process is a self-assessment to ensure you’ve implemented the necessary tools and measures to protect your business. 

Cyber Essentials Plus adheres to the same security controls, but it offers hands-on technical verification and an independent, third-party audit for added peace of mind.

Why consider Cyber Essentials or Cyber Essentials Plus accreditation?

You might decide to go for Cyber Essentials or Cyber Essentials Plus accreditation because of:

  • Client assurance: demonstrate to clients that data protection is a top priority
  • Industry standards: you work in an industry with higher-than-standard cybersecurity requirements
  • Bid for government contracts: having Cyber Essentials is mandatory when bidding for government contracts and creates a clear distinction from other businesses
  • Improved security processes: the framework gives you a structure for improving your internal processes, saving time, money, and stress when implementing your cybersecurity

What’s the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is an independently verified self-assessment certification that ensures an organisation adheres to the most robust cybersecurity controls.

Cyber Essentials Plus has exactly the same technical expectations as Cyber Essentials but also includes an independent technical audit of your IT systems. It adds an extra level of assurance, and the pass bar is slightly higher than for the Cyber Essentials self-assessment.

To achieve Cyber Essentials Plus, you first need to be Cyber Essentials certified. Here’s a breakdown of the steps involved:

Cyber Essentials 

Cyber Essentials has five security controls you must meet to achieve certification. 

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

Obtaining the Cyber Essentials certification includes completing a self-assessment questionnaire, which the certification body reviews. Business owners must approve the self-assessment answers before sending them. 

Is there a Cyber Essentials audit?

There is no Cyber Essentials audit. The self-assessment will provide a range of questions that relate to the five control areas of Cyber Essentials, and the certification will expire after 12 months.

Cyber Essentials Plus 

Cyber Essentials Plus includes an additional technical audit of your IT systems to verify you have the right controls in place. An external auditor assesses your devices, systems, and processes for additional validation and added protection. 

Benefits of a Cyber Essentials Plus audit

  • Credibility: an independent audit is more credible than a self-assessment
  • Independent assessment: provides an additional layer of validation beyond the self-assessment required for Cyber Essentials
  • Compliance assurance: an objective, professional opinion ensures compliance, providing peace of mind
  • Client trust: provides external proof that you take cybersecurity and data management seriously, enhancing trust with clients

What to expect from the Cyber Essentials Plus auditor

During the Cyber Essentials Plus audit, the auditor will:

  • Confirm which devices need auditing
  • Scan devices to identify vulnerabilities using Nessus Professional scanning software
  • Observe email processing with test attachments
  • Check downloads of file attachments from test websites
  • Verify that you’ve installed and configured your antivirus software correctly
  • Test multi-factor authentication (MFA) on applicable cloud services
  • Assess how well default browsers block malicious activity
  • Confirm account separation between admin and user accounts
  • Capture screenshots for evidence

Prepare for your Cyber Essentials Plus audit:

Information to give the auditor

  • Administrator-level domain access, or a newly created admin account for the auditor to use
  • A list of all in-scope devices and operating systems
  • User email addresses for email/web tests
  • A signed consent form

Check and update software:

  • Ensure all devices, including servers, are up to date
  • Download and install the 7-day trial of Nessus Professional for a credentialed patch scan, or use an alternative PCI-approved scanning tool
  • Remove unused software from all devices

If you run Windows:

  • Enable file and print sharing. You can find this option in advanced sharing settings

If you run Windows 10:

  • Set the Windows service “RemoteRegistry” start-up type to “manual”. Access this by typing “services” in the home screen search bar
  • Create a new registry value. Type “regedit” in the home screen search bar, then:
    • Hive and key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • On System, right-click and select New –> DWORD (32-bit) Value / REG_DWORD
    • Value name: LocalAccountTokenFilterPolicy
    • Value data: 1 (decimal)
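The Windows 10 steps above can be scripted so they are applied consistently across in-scope devices and, just as importantly, reverted once the auditor has finished. The following is an added example, not a CyberSmart script; it assumes an elevated PowerShell prompt, that the scan credential is the local admin account you created for the auditor, and that “File and Printer Sharing” is the built-in Windows firewall rule group for that feature.

```powershell
# Added example (not CyberSmart's): apply, check and revert the Windows 10
# prerequisites for the auditor's credentialed Nessus scan. Run elevated.
$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'LocalAccountTokenFilterPolicy'

function Get-AuditScanAccessState {
    # Report the three settings the credentialed scan depends on.
    $svc = Get-Service -Name RemoteRegistry
    $val = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $fw  = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
           Where-Object Enabled -eq 'True' | Measure-Object | Select-Object -ExpandProperty Count
    [pscustomobject]@{
        RemoteRegistryStartType       = $svc.StartType
        LocalAccountTokenFilterPolicy = $val   # $null = value absent, i.e. Windows default (filtering on)
        FileAndPrintRulesEnabled      = $fw
    }
}

function Enable-AuditScanAccess {
    # Pre-audit: let the auditor's account authenticate remotely and read the registry.
    Set-Service -Name RemoteRegistry -StartupType Manual
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    # Value 1 turns off UAC remote token filtering for LOCAL admin accounts only;
    # domain accounts are not filtered, so skip this if the auditor uses one.
    New-ItemProperty -Path $RegPath -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
    Get-AuditScanAccessState
}

function Restore-AuditScanAccess {
    # Post-audit: put the hardening back. Deleting the value restores the default.
    param(
        [string]$PreviousStartType = 'Disabled',   # Windows 10 default for RemoteRegistry
        [switch]$DisableFileSharing                # only if sharing was off before the audit
    )
    Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    Set-Service -Name RemoteRegistry -StartupType $PreviousStartType
    if ($DisableFileSharing) { Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' }
    Get-AuditScanAccessState
}

# Usage: record Get-AuditScanAccessState, run Enable-AuditScanAccess before the
# scan, and Restore-AuditScanAccess (with the recorded values) once the auditor is done.
```

Keep the output of the first Get-AuditScanAccessState call with your audit evidence so the revert restores the exact pre-audit state rather than an assumed default.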

If you run macOS:

  • Enable file sharing and remote login. You’ll find these options in System Preferences –> Sharing
  • Update AV engines and signature files. If you use an enterprise management dashboard to do this, even better
  • Activate and update AV plugins for every browser

Need more support?

If you’re not ready for a Cyber Essentials self-assessment or Cyber Essentials Plus audit, don’t rush into it. Make sure you’re prepared and consider your industry, goals, size, and the benefits of gaining a certification. 

Proving your cybersecurity credentials is important, and you can take it slow by starting with Cyber Essentials before graduating to Cyber Essentials Plus. By following these steps, you’ll be well-prepared for your Cyber Essentials self-assessment or Cyber Essentials Plus audit. 

For more guidance, download our comprehensive guide to cybersecurity certifications in the UK.
