As you might expect, cyber security keeps hitting the headlines. In 2018, data breaches affected over 100 million people, and that was just Facebook. Many more organisations were affected, exposing the personal information of millions of people.
Of course, it’s not just the majors—businesses of all sizes are under attack, which is why the UK government introduced the Cyber Essentials scheme.
The scheme aims to help organisations strengthen their cyber security, defend against attacks and minimise the damage when breaches occur. It consists of five technical controls—standards that organisations must prove they meet to achieve Cyber Essentials certification.
What is Cyber Essentials PLUS?
Cyber Essentials is a self-assessment scheme. Applicants must undertake the necessary steps to achieve the five technical controls before a certification body awards certification.
More: Cyber Essentials vs. Cyber Essentials PLUS - What's the difference?
Cyber Essentials PLUS follows the same standards, but is independently assessed, giving applicants the additional boost of a stamp of approval from a cyber security expert.
This not only provides the organisation with the reassurance of knowing they have carried out the government-recommended measures to secure their information systems against cyber attack, but also shows their customers that they are a reliable partner.
As the Institute of Risk Management puts it:
“Cyber risk can either continue to be seen as negative, as another potential set of costs, complicate (sic) procedures and incoming legislative demands, or firms can use good cyber risk management as a differentiator from competitors as a selling point to clients, and as a measure of reassurance to stakeholders.”
7 Key Steps Towards Cyber Essentials PLUS
Cyber Essentials PLUS is not a walk in the park. It wouldn’t be effective if it were. It’s a challenging process that requires thorough preparation and assessment. But once completed, you have taken a very positive first step towards improving your critical security controls.
We’ve created a step-by-step guide to help you implement the five critical security controls needed to achieve Cyber Essentials PLUS certification.
1. Baseline Assessment
The process begins by assessing your organisation’s current state regarding the five technical security controls. But what are the five technical controls? We have written more extensively about the standards you need to meet to achieve Cyber Essentials PLUS certification, but below is a brief overview:
- Use a Firewall to Secure Your Internet Connection.
  A firewall is a barrier between your network and/or devices and the internet: it blocks unsolicited inbound connections before they reach your systems. You likely already have a firewall in place, but this initial assessment will test how effectively it is configured, for example whether unneeded inbound services are exposed or the firewall’s own administration interface is reachable from the internet.
- Choose the Most Secure Settings for Your Software and Devices.
  New software and devices are usually shipped to be open and easy to use rather than secure. It’s up to you to apply secure settings. This assessment will determine whether default and guessable passwords have been changed, whether devices and files are password-protected, and whether unnecessary apps and services that could pose a risk have been removed.
- Control Who Has Access to Your Data and Services.
  This control aims to limit how far an attacker can get if they breach your system. Think of your organisation a bit like MI5: access to data and services should be on a need-to-know basis, with administrative accounts used only for administration, to minimise the potential harm an attacker could do with any one compromised account.
- Protect Yourself From Viruses and Other Malware.
  Cyber Essentials PLUS requires anti-malware measures on every in-scope device: anti-malware software (such as Microsoft Defender), application allow-listing, or sandboxing, or a combination of these. Not sure what these terms mean? Look at our Cyber Security Glossary of Terms.
- Keep Your Devices and Software up to Date.
  Regular updates don’t just fix bugs; they close security holes. Keeping all devices and software supported and up to date is a requirement of Cyber Essentials PLUS.
Once your Cyber Essentials PLUS partner has established your current level of proficiency with these five technical controls, it’s time to proceed to step 2.
2. Vulnerability Scans
A vulnerability scan does exactly what it says on the tin—it scans your information system to find vulnerabilities. It looks for weaknesses in your cyber security that a hacker could exploit to launch an attack on your system.
Learn: What Is a Vulnerability Scan and Does My Company Need One?
Vulnerability scans are typically automated, using software to highlight areas of concern.
They seek out known flaws – missing software patches or weaknesses that have already been identified in the industry – and suggest remediation.
However, vulnerability scans can only find flaws that are already known and catalogued, not undisclosed ones or weaknesses specific to how your business processes work, so they shouldn’t be considered foolproof.
It’s possible to purchase this software and carry out the scan yourself. Of course, the benefit of Cyber Essentials PLUS – apart from having someone else do the heavy lifting – is that you put all this in the hands of experts who know exactly what they are looking for and what to do with what they find.
Download: Sample Vulnerability Scan Report
3. Analyse The Gap
At this stage, the job is to detail the gap between your system’s current state, as identified by steps 1 and 2, and its future state. Having identified the weaknesses, what work must be done to close the gap and secure your system?
The vulnerability scan may suggest remediation measures, but don’t forget you may also be failing to meet the five technical controls in other ways—excessive user access rights or missing password protection, for example—that will not show up in the vulnerability scan results. The gap analysis should capture every gap, both technical and procedural.
4. Statement of Works
Based on the gap analysis’s findings, it’s time to create a Statement of Works (SOW).
This will detail exactly what action should be taken to close the gaps discovered in step 3. A SOW should include the required remediation and the resources needed to carry out the work.
This may include everything from time out for staff meetings to run through cyber security best practices, creating an allowlist, software and device upgrades, and everything in between. It’s in your interest to have as comprehensive a plan as possible to ensure no surprises once the work begins.
5. Implement The Required Actions
Having created your SOW, it’s time to carry it out.
Though Cyber Essentials PLUS might seem like an ‘IT thing’, it impacts the whole organisation and requires buy-in across the board to make it work. Cyber Essentials PLUS isn’t just about software and data. It’s about understanding best practice and achieving it in action.
Your Cyber Essentials PLUS partner should be able to help you with every aspect of certification, including any necessary training. Be prepared to take the essential time to complete this step. Failure to complete the work will undo the hard work you’ve put in up to now.
6. The Reassessment
The reassessment tests the success of your remediation efforts by performing another vulnerability scan. The initial assessment from step 1 will also be repeated to ensure that you now meet all aspects of the five technical controls, including limiting user access and securing with passwords, etc.
7. Cyber Essentials PLUS Certification
Provided the reassessment is successful, congratulations are in order! You have achieved Cyber Essentials PLUS certification. Well done.
Cyber Essentials requires that security patches for vulnerabilities the vendor rates as critical or high are applied within 14 days of being released. The same two-week principle extends to the certification itself, which must be completed within 14 days.
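The vulnerability scan in step 2 produces a list of findings, and the 14-day rule above decides which of them will actually fail a Cyber Essentials PLUS assessment. The following script is an added example (not CyberOne’s tooling, and not output from any real scanner): it takes a constructed, simplified CSV export with one row per finding, works out how long a fix for each critical or high finding (CVSS 7.0 or above) has been available as of the assessment date, and sorts the findings into those that already breach the 14-day window, those that are still inside it, and lower-severity advisories that belong in the gap analysis but do not fail certification on their own. The column layout, host names, scores and dates are all assumptions made for the example.

```python
"""Triage vulnerability-scan findings against the Cyber Essentials 14-day patch rule.

Added example with constructed data; not output from any real scanner.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PATCH_WINDOW_DAYS = 14      # critical/high fixes must be applied within 14 days of release
HIGH_SEVERITY_CVSS = 7.0    # "critical" or "high" means a CVSS v3 base score of 7.0 or above

# Assumption: the scanner can export host, finding name, CVSS score, the date the
# vendor released the fix, and a remediation note. This is constructed sample data.
SAMPLE_SCAN_CSV = """host,finding,cvss,patch_released,remediation
web01,OpenSSH outdated,7.5,2024-03-01,Upgrade OpenSSH to the vendor-supported release
web01,Apache httpd outdated,9.8,2024-03-20,Apply the vendor httpd update
fs02,SMBv1 enabled,5.3,2024-01-15,Disable SMBv1
db01,TLS 1.0 enabled,6.5,,Disable TLS 1.0 and 1.1 on the listener
"""

# Assumed assessment date for the sample run.
ASSESSMENT_DATE = date(2024, 4, 1)


@dataclass
class Finding:
    host: str
    finding: str
    cvss: float
    patch_released: Optional[date]   # None when the export records no fix date
    remediation: str


@dataclass
class Triaged:
    finding: Finding
    status: str   # "fail" | "due" | "advisory"
    days: int     # days overdue (fail), days remaining (due), 0 for advisory


def parse_scan(csv_text: str) -> List[Finding]:
    """Parse the simplified CSV export into Finding objects."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        released = row["patch_released"].strip()
        findings.append(Finding(
            host=row["host"],
            finding=row["finding"],
            cvss=float(row["cvss"]),
            patch_released=date.fromisoformat(released) if released else None,
            remediation=row["remediation"],
        ))
    return findings


def triage(findings: List[Finding], assessment_date: date) -> List[Triaged]:
    """Classify each finding against the 14-day rule as of assessment_date.

    fail     : critical/high and the fix has been available for more than 14 days
    due      : critical/high and the fix was released within the last 14 days
    advisory : below the high threshold, or no fix date recorded (a high finding with
               no fix date still needs a manual check before the assessment)
    """
    results = []
    for f in findings:
        if f.cvss >= HIGH_SEVERITY_CVSS and f.patch_released is not None:
            age = (assessment_date - f.patch_released).days
            if age > PATCH_WINDOW_DAYS:
                results.append(Triaged(f, "fail", age - PATCH_WINDOW_DAYS))
            else:
                results.append(Triaged(f, "due", PATCH_WINDOW_DAYS - age))
        else:
            results.append(Triaged(f, "advisory", 0))
    return results


def gap_report(results: List[Triaged]) -> dict:
    """Group findings by status: the starting point for the gap analysis and SOW."""
    report = {"fail": [], "due": [], "advisory": []}
    for r in results:
        report[r.status].append(f"{r.finding.host}: {r.finding.finding}")
    return report


def run_sample() -> List[Triaged]:
    """Triage the constructed sample export as of the assumed assessment date."""
    return triage(parse_scan(SAMPLE_SCAN_CSV), ASSESSMENT_DATE)


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r.status:9s} {r.finding.host:6s} {r.finding.finding:24s} "
              f"CVSS {r.finding.cvss:<4} days={r.days:<3} -> {r.finding.remediation}")
```

On the sample data the OpenSSH finding on web01 is already 17 days past the window and would fail the assessment, the Apache finding has two days left before it does, and the two medium-severity items go into the gap analysis as advisories. A high-severity finding with no recorded fix date is deliberately not marked as a fail here; it is listed as an advisory so that someone checks the vendor’s release history by hand rather than the script guessing.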
The government recommends that Cyber Essentials certification be renewed annually. But the first certificate is undoubtedly the most complicated, and once best practices are implemented, it is much easier to prove compliance going forward.
Free Cyber Essentials PLUS guide
Download our FREE Cyber Essentials PLUS Readiness Guide - a step-by-step programme to get your organisation Cyber Essentials PLUS certified. Or read the Cyber Essentials Questionnaire Guidelines to see the questions you must answer.
Further Reading
- Getting ready for Cyber Essentials PLUS certification
- 5 steps to get your business prepared for Cyber Essentials certification
- What is a Vulnerability Scan, and does my company need one?
- The 5 critical security controls of Cyber Essentials PLUS
- INFOGRAPHIC: The 8 most common types of cyber attacks
- INFOGRAPHIC: How to create strong passwords (you can remember!)
About CyberOne
CyberOne is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24x7 from our ISO 27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high-security, controlled-access Tier 3 data centre, CyberOne’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts, and disrupts hacker behaviour as part of a multi-layered security defence to help secure some of the UK’s leading organisations.