Achieving Cyber Essentials Accreditation

• Review Cyber Essentials Requirements: Before starting the audit, we need to familiarise ourselves with the Cyber Essentials controls: Firewalls, Secure Configuration, User Access Control, Malware Protection, and Patch Management.
• Collect Documentation: The auditor must gather documentation that outlines your current security practices, policies, and whatever technologies are in place.

For the Cyber Essentials certification, the audit starts with a self-assessment questionnaire, which we will complete for you. This is submitted through an online portal provided by the accreditation body. The questions typically focus on the five key areas of cybersecurity, such as:

• Are your firewalls configured properly to protect against unauthorised access? Can they still receive regular firmware updates?
• Are your devices securely configured to minimise vulnerabilities?
• Do you manage user access to ensure that only authorised users can access sensitive systems and data?
• Do you have up-to-date antivirus and malware protection software installed?
• Are software patches applied regularly to prevent known vulnerabilities from being exploited?

• Complete the Questionnaire: The self-assessment questionnaire asks for information about your organisation’s practices and systems in the five core areas.
• Assessment of Responses: A certified Cyber Essentials assessor or automated system reviews the answers to ensure compliance with the minimum requirements. If responses are satisfactory, the business will be granted certification.

For Cyber Essentials Plus, the audit process involves an additional level of scrutiny, which includes external testing. This typically includes:

• On-Site Testing or Remote Verification: A qualified external assessor will perform a technical assessment to verify that the cybersecurity measures described in the self-assessment are correctly implemented. This may involve:
  – Scanning systems to check for vulnerabilities.
  – Verifying that antivirus and anti-malware software are properly configured and active.
  – Ensuring that the patch management process is functioning as expected.
  – Testing user access control to confirm that the least privilege principle is being applied.
  – Checking network configuration to ensure it is secure.
• Final Report: After completing the audit, the assessor provides a report detailing any issues or areas of improvement. If the systems pass the verification, Cyber Essentials Plus certification is granted.

• If the audit uncovers any issues or gaps in the organisation’s security posture, the business will need to address them. This might involve patching software, configuring firewalls properly / replacing obsolete equipment, updating antivirus software, or modifying user access controls.
• Once the issues are resolved, a re-assessment or re-test may be required before final certification is granted.

• Once the self-assessment (or verification for Cyber Essentials Plus) is successfully completed, and all necessary measures are confirmed, the business will receive the Cyber Essentials certification.
• The certification is typically valid for one year, after which the organisation will need to undergo the audit process again to maintain compliance.

Although certification is granted for a year, businesses must continue to maintain their cybersecurity practices throughout the year. This includes keeping systems updated, monitoring for vulnerabilities, and applying patches as needed to ensure they remain secure.