Security breaches cost companies an average of £4,050, with the potential for this figure to rise significantly. There are many reasons that cyber security is top of the agenda for many organisations, with financial risks, data loss, and employee experience being the top contributing factors.
Cyber Essentials Plus is a UK-government-created compliance measure which allows businesses of all sizes to improve their cyber security toolkit with robust measures. Undoubtedly, achieving this certification will benefit companies in many ways, but how can you ensure that you have the measures in place to pass?
As experts in the Cyber Essentials Plus Award and broader security measures, we have collated all the information in this blog so that you can understand what is required to obtain this compliance status.
Keep reading to learn more.
- What Is Cyber Essentials Plus?
- The Cyber Essentials Plus Requirements
- Can I Pass Cyber Essentials Plus Without Passing All Modules?
- What are the Benefits of Cyber Essentials Plus?
- How Do I Prepare for Cyber Essentials Plus?
What Is Cyber Essentials Plus?
Before diving deep into Cyber Essentials Plus, it is important to understand exactly what the certification covers. This is because the requirements are all a result of the award’s purpose, and knowing why they are relevant makes it easier for businesses to comply with the standards authentically.
Cyber Essentials Plus is the follow-on award from the popular Cyber Essentials programme, which promotes safe online business operations. The trademarked certificate helps to ensure that the control markers set out on the Cyber Essentials audit are fully operational. You can learn more about the differences between Cyber Essentials and Cyber Essentials Plus by clicking here.
This compliance measure was created with support and input from the National Cyber Security Centre. Whilst it was created in the UK, the award is internationally recognised and has been adopted by companies worldwide. One of the reasons that this is the case is because the measures are suitable for businesses of all sizes and from various sectors.
Cyber Essentials Plus is seen as a more hands-on approach to managing security systems as it requires external testing and audit, unlike the self-assessed Essentials certificate. This is because it follows up on the controls put in place to ensure they are working correctly. Having the controls is enough to be Essentials certified, but a deeper alignment to the procedures is required for the Cyber Essentials Plus award.
The Cyber Essentials Plus Requirements
As with any form of compliance certification, the measures needed to achieve Cyber Essentials Plus are strict and for a good reason. The requirements have all been specifically highlighted as the main ways to create robust security systems that are dynamic and powerful against all threats.
Security Measures Outlined in Cyber Essentials
A company must have achieved Cyber Essentials before applying for this Plus award. These elements create the basis for Cyber Essentials Plus so without them being actively in place and proven to be successful, a company will not pass the audit and further testing.
These security requirements are as follows:
Firewalls – All organisations must have fully effective firewalls that protect networks from malicious breaches. Firewalls work by filtering traffic and blocking any access attempts that are deemed not to be safe. Aspects such as functionality, access processes, resolution processes, and staff awareness are all considered within Cyber Essentials Plus.
Security Network – Cyber Essentials Plus also requires that the wider IT infrastructure is set up to meet security needs. Auditors also need to see a demonstration that safe processes are followed each time personnel access information, to ensure consistency.
Malware – In protecting systems from attacks, malware protection is essential for checking files whenever downloads are needed. This is included within the compliance because systems that are not set up properly to be protected against these risks can be accessed much more easily.
Patch management – This protects against any access that may be made via third-party programmes, which we know are essential for all forms of business. Whether you use generic software or industry-specific programmes, Cyber Essentials Plus requires that all are protected via effective patch management.
Access control – Hybrid teams are a modern occurrence. Access can be a risk, with people needing to reach company data from multiple locations. The Plus certificate ensures that only authorised individuals can access data and grant admittance to areas of the digital networks.
Click here to find out what is included in Cyber Essentials in more detail.
Internal Scan of Systems and Patches
As an extension to the Cyber Essentials requirements, which are outlined above, there are several more developed internal tests that the Plus certification requires.
Internal testing of all the pillars is needed to show effectiveness. This deeper look at the technical side of things doesn’t just focus on having the right processes in place but ensures they work successfully.
External Vulnerability Testing
Perhaps the main difference is the external testing element required by Cyber Essentials Plus. Unlike the Essentials certificate, which is self-assessed, this award requires an audit of external vulnerabilities.
This provides a clear answer as to whether the measures are useful when protecting vital company information. The external scan acts in the same way that malicious attacks would by testing various routes of access, which can sometimes go under the radar.
Each aspect of the security toolkit is verified by testing patches and system resilience. Some ways this is tested include inbound emails, MFA checks, file downloads, and administration testing.
Can I Pass Cyber Essentials Plus Without Passing All Modules?
To pass Cyber Essentials Plus, a company must fully comply with the requirements we have outlined above.
This is what makes the award so successful, as it doesn’t just test individual areas but entire security networks. If just one of the elements is not up to standard, it could represent a security issue that spreads across a whole company.
The standard is also externally audited for this reason, as it emphasises the efficiency of the implemented systems. If you fail the Plus award, you may also find that your Cyber Essentials certificate status is put at risk, so we strongly recommend ensuring you are robust and ready before applying.
What are the Benefits of Cyber Essentials Plus?
- Improved competitiveness and company image, as all businesses that achieve this accreditation are seen to take their cyber security seriously. The award is also recognised worldwide, meaning winning international business can be achieved. Although not mandatory in the UK, Cyber Essentials Plus is included within many public sector contracts, meaning that most companies choose to achieve the status to open more business opportunities.
- The pillars included ensure that robust security networks are achieved. By being compliant with the certification, companies are protected against all threats.
- The IT infrastructure and procedures required by the scheme ensure that the company can implement the controls needed in a viable way that can be used daily. Cyber Essentials Plus also adds more legitimacy to operations as it involves making sure that the structures put in place are being used.
- Cyber Essentials Plus costs much less to achieve than ISO-27001, meaning that it is often the more practical choice for small to medium-sized companies. When considering whether ISO-27001 is better than Cyber Essentials Plus, examining how teams are affected is important. Whilst ISO looks at people and processes, Cyber Essentials works to give employees the daily tools needed to work more confidently. For this reason, achieving the award can make for stronger company cultures and more knowledgeable teams.
How Do I Prepare for Cyber Essentials Plus?
Understanding the Cyber Essentials Plus requirements is one thing, but achieving the professional work needed to pass is another.
The best way to prepare for your audit is to work with a professional IT agency with experience in achieving the certification. The Creative Networks Cyber Essentials Plus service includes all areas of planning and implementation to ensure you are ready to pass the first time. We can also help ensure that these processes keep running in the long term so that your certification is never compromised.
Contact us today to learn more.