Cyber Essentials and Cyber Essentials Plus Consultancy
Protection against a wide variety of the most common cyber-attacks
CCS is dedicated to providing businesses with the best possible support for achieving Cyber Essentials certification. Our range of Fixed Price Cyber Essentials and Cyber Essentials Plus consultancy support packages cater to companies who want to do it themselves, those who require some assistance, and those who need extensive guidance.
The Cyber Essentials scheme, developed by the UK government, provides a simple and affordable approach to cyber security. It outlines five basic security controls that protect organisations from around 80% of common cyber attacks. The certification process is designed to help organisations of any size demonstrate their commitment to cyber security. With CCS's support, companies can achieve certification with ease, and show their customers and partners that they take the security of their data seriously.
At CCS, we understand that cyber security can be a complex and daunting task for many businesses. That's why we offer a range of services to help simplify the process and make it accessible to everyone. Our experienced consultants are dedicated to ensuring that companies achieve the Cyber Essentials certification, so they can protect their data, reputation, and bottom line.
How Does Cyber Essentials Work?
Cyber Essentials sets out five controls which you can implement immediately to strengthen your cyber defences:
- Boundary firewalls and internet gateways:
- Devices are configured to prevent unauthorised access from inside or outside your private network, to your data and systems, while allowing secure access to those people who you do wish to allow access.
- Secure configuration:
- Device and software settings are as secure as possible.
- Access control:
- Allow only authorised personnel to have access to accounts, with permissions that reflect their roles in the organisation.
- Malware protection:
- Virus and malware protection is installed and up-to date as a necessary step to prevent Malware from penetrating your systems.
- Patch management:
- All software and applications are licensed, supported, and up-to-date with necessary patches. Also remove all software from devices that are no longer supported.
Note: All cloud services are included in the scope of the assessment.
Why Cyber Essentials Plus?
Cyber Essentials Plus (CE+) includes an external vulnerability assessment, an internal scan and an on-site assessment. It offers more in-depth testing and therefore stronger assurances of security. CE+ carries across all elements of Cyber Essentials, including a technical audit of your systems to verify the Cyber Essentials recommended controls are in place.
This higher level of assurance involves completing the SAQ followed by a technical audit of the systems that are in scope for Cyber Essentials. This includes a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users and virtual desktop environments.
Your assessor will test a suitable random sample of these systems (typically around 10 per cent) and then make a decision whether further testing is required. You will need to complete your CE+ audit within 3 months of your last Cyber Essentials basic certification. If you want to gain CE+ straight away, you can complete the CE SAQ as the initial part of the CE+ certification process.
The assessor will often have to visit your head office and a representative sample of your other offices in order to carry out the tests. The cost of a Cyber Essentials PLUS assessment will depend on the size and complexity of your network and devices.
CCS Cyber Essentials Consultancy Service Options
CCS provide a range of Fixed Price Cyber Essentials and Cyber Essentials Plus consultancy support for companies that want to do it themselves, require some support, or need lots of help and guidance. The following outlines how we can support you:
Notes about Cyber Essentials Plus Service Options
- The cost of a Cyber Essentials PLUS assessment will depend on the size and complexity of your network and devices.
- Re-testing timescales are based on the NCSC guidelines.
- You will need to complete your Cyber Essentials PLUS audit within 3 months of your last Cyber Essentials basic certification
Legacy Operating Systems and Applications
Unsupported operating systems will not meet Cyber Essentials or Cyber Essential Plus certification and organisations often feel pressured to upgrade their systems, which could mean significantly increased costs and having to re-engineer applications to run on new platforms.
If you are developing, or have developed your own applications, you need to be able to deploy safely and securely and meet the requirements of Cyber Essentials and Cyber Essentials Plus, this is where our
Legacy Application Security solution from Droplet will enable you to meet the requirements without the additional burden and overhead of re-platforming your legacy applications and operating systems.
What Are the Benefits of Cyber Essentials?
Most companies rely on digital offerings and services as part of their day to day business, but where there is information technology there is an element of information security risk. These organisations will at some time come under some form of threat from cyber criminals. This self-assessment and audited Cyber Essentials option will give you protection against a wide variety of the most common cyber-attacks.
Your Cyber Essentials certification will:
- Reassure customers that you are working to secure your IT against cyber attack.
- Attract new business with the assurance you have cyber security measures in place.
- Give you a clear picture of your organisation's cyber security level.
- Present more business opportunities since some Government contracts require Cyber Essentials certification.
- Reduce the risk of your organisation becoming a victim of a cyberattack.
- Show your customers that you care about the security of their information and help you win their trust
Cyber Essentials technical requirements updated for April 2023
In April 2023, the NCSC and its Cyber Essentials delivery partner IASME will update the technical requirements for Cyber Essentials. This update is part of a regular review of the scheme’s technical controls, ensuring that it continues to help UK organisations guard against the most common cyber threats.
After a major update last year – the biggest update to the scheme since it was first set up in 2014 – the 2023 update will be lighter touch, providing a number of clarifications, alongside some important new guidance. This includes:
User devices.
With the exception of network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. This change will be reflected in the self-assessment question set, rather than the requirements document.
Clarification on firmware.
All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. Following feedback that this information can be difficult to find, we are changing this to include just router and firewall firmware.
Third party devices.
More information and a new table that clarify how third-party devices, such as contractor or student devices, should be treated in your application.
Device unlocking.
They have made a change there to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it's now acceptable for applicants to use those default settings.
Malware protection.
Anti-malware software will no longer need to be signature based and they have clarified which mechanism is suitable for different types of devices. Sandboxing is removed as an option.
Zero Trust
New guidance on zero trust architecture for achieving CE and a note on the importance of asset management.
Style and language.
Several language and format changes have been made to make the document easier to read.
Structure updated.
The technical controls have been reordered to align with the updated self-assessment question set.
Cyber Essentials and Cyber Essentials Plus Testing.
The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change there is a refreshed set of Malware Protection tests, to simplify the process for both applicants and assessors.
All these changes are based on feedback from assessors and applicants, and have been made in consultation with technical experts from the NCSC. As well as the updated requirements and new question set, IASME are also providing more guidance documents to help applicants during the certification process. This includes articles to help applicants understand the questions, as well as access to a dedicated knowledge base.
This latest update (version 3.1) will take effect from 24 April 2023. This means all applications started on or after this date will use the new requirements and question set.
CCS, helping you achieve Cyber Essentials and Cyber Essentials Plus
Request Information
CE and CE+ Datasheet