Home / Blog / General / Cyber Essentials PLUS: A step-by-step guide to implementation

March 5, 2019

As you might expect, cyber security keeps hitting the headlines. 2018 saw data breaches affecting over 100 million people – and that was just Facebook. Many more organisations were affected, exposing the personal information of millions of people.

Of course, it’s not just the majors. Businesses of all sizes under attack, which is why the government introduced the Cyber Essentials scheme.

Cyber Essentials PLUS: A step-by-step guide to implementation

The scheme aims to help organisations shore up their cyber security, to defend against attacks and minimise the damage when breaches occur. It consists of five technical controls – standards that organisations must prove they meet in order to achieve Cyber Essentials certification.


What is Cyber Essentials PLUS?

Cyber Essentials is a self-assessment scheme. Applicants must undertake the necessary steps to achieve the five technical controls before certification is awarded by a certification body.

More: Cyber Essentials vs. Cyber Essentials PLUS – What’s the difference?

Cyber Essentials PLUS follows the same standards but it is independently assessed, giving applicants the additional boost of a stamp of approval from a cyber security expert.

This not only provides the organisation with the reassurance of knowing they have carried out the government-recommended measures to secure their information systems against cyber attack, but also shows their customers that they are a reliable partner.

> As the Institute of Risk Management puts it:

“Cyber risk can either continue to be seen as negative – as another potential set of costs, complicate (sic) procedures and incoming legislative demands – or firms can use good cyber risk management as a differentiator from competitors as a selling point to clients, and as a measure of reassurance to stakeholders.”

7 key steps towards Cyber Essentials PLUS

Cyber Essentials PLUS is not a walk in the park. It wouldn’t be effective if it was. It’s a challenging process that requires thorough preparation and assessment. But once completed, you have taken a very positive first step towards improving your critical security controls.

Cyber Essentials Plus- THE 7 KEY STEPS v4

To ease you into it, we’ve created a step-by-step guide to implementation of the five critical security controls you need to achieve Cyber Essentials PLUS certification.

1. Baseline assessment

The whole process begins by assessing where your organisation is currently at in terms of the five technical security controls. But what are the five technical controls? We have written more extensively about the standards you need to meet to achieve Cyber Essentials PLUS certification, but below is a brief overview:

  • Use a firewall to secure your internet connection.
    A firewall is like a safety barrier that protects your network and/or device from unwanted incoming traffic, such as spam emails. It’s more than likely you already have a firewall in place, but this initial assessment will test to see how effective it is.
  • Choose the most secure settings for your software and devices.
    New software and devices are usually designed to be very open and easy to use. It’s up to you to implement secure settings. This assessment will look to see whether you are using passwords to protect your devices and files, and if you’ve cleared out unnecessary apps that could pose a risk.
  • Control who has access to your data and services.
    This security measure aims to limit the access attackers have if they breach your system. Think of your organisation a bit like MI5 – access to data and services should be on a ‘needs to know’ basis to minimise the potential harm an attacker could do.
  • Protect yourself from viruses and other malware.
    Cyber Essentials PLUS requires that you are taking anti-malware measures, such as installing Windows Defender, and/or sandboxing and/or white listing. Not sure what these things are? Look at our Cyber Security Glossary of Terms.
  • Keep your devices and software up to date.
    The regular updates that are fed through to your device don’t just fix bugs; they increase security. Keeping all devices and software up to date is a requirement of Cyber Essentials PLUS.

Once your Cyber Essentials PLUS partner has established where you’re currently up to with these five technical controls, it’s time to move on to step 2.

2. Vulnerability scans

A vulnerability scan does exactly what it says on the tin – it scans your information system to find vulnerabilities. It is looking for weaknesses in your cyber security that a hacker could exploit in order to launch an attack on your system.

Learn: What is a vulnerability scan and does my company need one?

Vulnerability scans are typically automated, using software to highlight areas of concern.

They seek out known flaws – missing software patches or weaknesses that have already been identified in the industry – and suggest remediation.

However, vulnerability scans cannot find flaws that are not already widely known in the cyber security world. They shouldn’t be thought of as foolproof.

It’s possible to purchase this software and carry out the scan yourself. Of course, the benefit of Cyber Essentials PLUS – apart from having someone else do the heavy lifting – is that you put all this in the hands of experts who know exactly what they are looking for and what to do with what they find.

Download: Sample vulnerability scan report

3. Analyse the gap

At this stage, the job is to detail the gap between where your system currently is – as identified by steps 1 and 2 – and where it needs to be. Having identified what the weaknesses are, what work needs to be done to close the gap and secure your system?

The vulnerability scan may suggest remediation measures, but don’t forget you may also be falling short on the five technical controls in other ways – limiting user access, adding password protection, for examples – that will not show up in the vulnerability scan results. The gap analysis will indicate all of the gaps, both physical and virtual.

4. Statement of works

Based on the findings of the gap analysis, it’s time to create a Statement of Works (SOW).

This will detail exactly what action is to be taken to close up the gaps discovered in step 3. A SOW should include not only the required remediation, but also the resources needed to carry out the work.

This may include everything from time out for staff meetings to run through cyber security best practice, to the creation of a white list, to software and device upgrades and everything in between. It’s in your interest to have as comprehensive a plan as possible to ensure there are no surprises once the work begins.

5. Implement the required actions

Having created your SOW, it’s time to carry it out.

Though Cyber Essentials PLUS might seem like an ‘IT thing’, it impacts the whole organisation and requires buy-in across the board to make it work. Cyber Essentials PLUS isn’t just about software and data. It’s about understanding best practice and achieving it in action.

Your Cyber Essentials PLUS partner should be able to help you with every aspect of certification, including any necessary training. Be prepared to give this step the necessary time. Failure to carry out the works in full will undo the hard work you’ve put in up to now.

6. Re-assessment

This step tests how successful your remediation works have been by performing another vulnerability scan. The initial assessment from step 1 will also be repeated to ensure that you now meet all aspects of the five technical controls, including limiting user access, securing with passwords, etc.

7. Cyber Essentials PLUS certification

Provided the re-assessment is successful, congratulations are in order! You have achieved Cyber Essentials PLUS certification. Well done.

Cyber Essentials certification require patches to be implemented within two weeks of being available. This principle extends to the certification itself, which must be completed within 14 days.

The government recommends that Cyber Essentials certification is renewed annually. But there’s no doubt that the first certificate is the most complicated and once best practice is implemented it is much easier to prove compliance going forward.


Free Cyber Essentials PLUS guide

Download our FREE Cyber Essentials PLUS readiness guide – a step-by-step programme to get your organisation Cyber Essentials PLUS certified. Or read the Cyber Essentials questionnaire guidelines to see the questions you will need to answer.

Further reading

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.