
Cyber Essentials (CE) certification assists UK companies in improving their cyber security posture. Using advanced National Cyber Security Centre (NCSC) approved methodologies, businesses can protect themselves from common cyber threats.
The scheme has two levels, Cyber Essentials and Cyber Essentials Plus (CE Plus). Conducting vulnerability scans and reviewing security controls are required for Cyber Essentials.
Cyber Essentials helps companies learn how to lock down their IT systems. This includes configuring firewalls, access control, secure configuration, security patches, and malware scanning. As part of CE, an external scan is performed. The CE Plus certification goes further with an internal vulnerability scan and a detailed review of a typical workstation and mobile device.
To become CE or CE Plus certified, you must pass all requirements successfully. The Information Assurance for Small and Medium Enterprises (IASME) Consortium licenses certification bodies. As a certified provider, Microbyte performs security audits and vulnerability scans for clients. Becoming certified in Cyber Essentials or Cyber Essentials Plus is a testament to your commitment to security and data privacy.

1. What is Vulnerability Testing?
Effective IT security requires regular vulnerability testing. Without it, it is impossible to be certain whether basic security controls are effective against cyber threats.
Vulnerability testing for Cyber Essentials aims to locate, classify, and resolve security weaknesses. Scans identify security gaps, and it is then possible to implement measures that better secure the IT infrastructure.
There are two types of vulnerability testing:
- Internal vulnerability testing – an authenticated scan of the IT network looks at network set-up, standard workstation configurations, security patch management, web and email scanning, and more.
- External vulnerability testing – an internet-facing scan of the network, web servers, and other assets identifies risk areas or exploitable entry points.
It is important to note that even if a business holds a recently issued Cyber Essentials certificate, vulnerability testing should be ongoing. It helps protect against the vast majority of digital threats to the organisation.
2. Key Differences Between Cyber Essentials and Cyber Essentials Plus
There is a basic Cyber Essentials certification and a Cyber Essentials Plus certification. Below, we cover some differences between them.
Cyber Essentials
Cyber Essentials is a good starting point for warding off cyber criminals. It includes a web-based CE self-assessment questionnaire and an external vulnerability scan.
This certification is built around five technical controls. These cover the following subjects:
- Firewalls
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
Learning about and attending to these security areas allows a business to build a well-defended environment. Once these controls are correctly addressed within your IT infrastructure, the self-assessment questionnaire and external vulnerability scan are conducted. These validate the current security level and identify any potential risks to be resolved.
Once the review and testing phase is passed, the Cyber Essentials certificate is issued.
Cyber Essentials Plus
Cyber Essentials Plus is a more comprehensive certification. It offers increased protection against cyber threats by looking closely at internal IT infrastructure and system configuration risk factors. This certification level is highly recommended for larger organisations managing sensitive information, working with third parties, or employing remote workers.
The CE certification must be completed before proceeding to the Plus version.
Besides the CE validation and testing, CE Plus includes a technical audit at your premises. The audit of current security controls covers firewall type and configuration, network configuration, user access management, malware protection, email and web usage protection, and patch management.
An internal vulnerability scan is part of the audit. It confirms whether there are existing areas of risk that require re-configuration, application of a new patch, or another remediation.
Our Cyber Essentials Checklist is worth a look to understand the two certification types.
3. Components of Vulnerability Testing for Cyber Essentials Plus
Vulnerability testing for Cyber Essentials Plus is wide-ranging. It involves the following:
- Internal vulnerability scans – on-site internal scans examine the IT network and look for improper system configurations, unpatched software/hardware, and open backdoors. These highlight ineffective IT configurations, outdated software, and improper protection systems. Firewalls, user access controls, and anti-virus protection are all considered.
- External vulnerability scans – current security issues affecting internet-facing systems are identified using external scans. These include publicly accessible applications (e.g. software as a service (SaaS)), web servers, and more. External scans verify the effectiveness of existing firewalls, malware and anti-virus protection, and network configurations.
Certified assessors complete both internal and external scans. Both are required for Cyber Essentials Plus certification.
4. Why Vulnerability Testing is Critical for Cyber Essentials Certification
Vulnerability testing minimises the risk of a cyber attack. Whether worried about potential phishing, ransomware, or malware, thorough testing avoids over 80 per cent of potential threats.
Testing confirms that security controls are correctly established. Compliance with Cyber Essentials or Cyber Essentials Plus is assured through testing. Certification is a prerequisite for bidding on UK government contracts and for meeting certain industry regulations.
Reputationally, taking a proactive approach to digital security is best practice. It establishes greater trust with clients, third parties, and interested stakeholders.
To help our clients, we also have an article discussing the business benefits of getting certified for Cyber Essentials.
5. Benefits of Achieving Cyber Essentials Certification
A Cyber Essentials certification ensures compliance with UK security requirements for contract bidding. This applies to different government entities and departments. For example, the UK Ministry of Defence requires a valid Cyber Essentials Plus certification to bid on open contracts.
Working with third parties is another consideration. Managing supply chains demands higher security to protect connected entities. Otherwise, the weakest link in the security chain potentially affects all relevant parties.
Millions of UK businesses have now qualified for at least one of the CE certifications. Displaying the relevant CE logo on your website and marketing materials confirms that your business takes cyber security seriously. It can make the difference between winning the next contract or missing out.
6. How to Prepare for Vulnerability Testing
It is best to prepare before testing for internal or external security vulnerabilities. This allows many companies to pass the CE testing without issue.
First, IT systems and software are patched.
Second, an internal audit highlights incorrect IT system settings, improper user access levels, and excessive user permissions. Oversights are easy to rectify at this point.
In some cases, pre-assessment tools are used to examine IT systems for common misconfigurations and security gaps. This approach often reduces the number of formal audit iterations necessary for the CE Plus certification.
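As an added illustration of what a pre-assessment check can look like (example code written for this page, not a Microbyte or IASME tool), the script below evaluates a constructed workstation inventory against the five technical controls listed earlier. The inventory format, the field names and the anti-malware signature age threshold are assumptions for illustration; the 14-day window for applying high-severity security updates is a Cyber Essentials requirement.

```python
from datetime import date
PATCH_WINDOW_DAYS = 14  # CE requires critical/high security updates applied within 14 days
SIG_MAX_AGE_DAYS = 14   # assumed threshold for stale anti-malware signatures (illustrative)

WORKSTATION = {  # constructed sample inventory for one workstation (not real data)
    "firewall_enabled": False,
    "accounts": [
        {"name": "alice", "admin": False, "daily_use": True, "default_password": False},
        {"name": "alice-admin", "admin": True, "daily_use": False, "default_password": False},
        {"name": "kiosk", "admin": True, "daily_use": True, "default_password": True},
    ],
    "antivirus": {"installed": True, "signatures_age_days": 30},
    "software": [
        {"name": "Browser", "supported": True, "high_patch_released": date(2024, 3, 1)},
        {"name": "OldPDF", "supported": False, "high_patch_released": None},
    ],
}

def check_controls(inv, today):
    """Return (control, finding) tuples for anything that would block certification."""
    findings = []
    # 1. Firewalls: a host or boundary firewall must be enabled.
    if not inv["firewall_enabled"]:
        findings.append(("Firewalls", "host firewall is disabled"))
    for acct in inv["accounts"]:
        # 2. Secure configuration: default passwords must be changed.
        if acct["default_password"]:
            findings.append(("Secure Configuration", f"{acct['name']} uses a default password"))
        # 3. User access control: admin accounts are not for day-to-day use.
        if acct["admin"] and acct["daily_use"]:
            findings.append(("User Access Control", f"{acct['name']} is an admin account used daily"))
    # 4. Malware protection: anti-malware present and kept up to date.
    av = inv["antivirus"]
    if not av["installed"]:
        findings.append(("Malware Protection", "no anti-malware software installed"))
    elif av["signatures_age_days"] > SIG_MAX_AGE_DAYS:
        findings.append(("Malware Protection", "anti-malware signatures are out of date"))
    # 5. Patch management: vendor-supported software, high-severity fixes within the window.
    for sw in inv["software"]:
        if not sw["supported"]:
            findings.append(("Patch Management", f"{sw['name']} is no longer vendor supported"))
        released = sw["high_patch_released"]
        if released and (today - released).days > PATCH_WINDOW_DAYS:
            findings.append(("Patch Management", f"{sw['name']} has a high-severity patch outstanding"))
    return findings

def run_sample():
    """Evaluate the constructed workstation as of a fixed date (2024-04-01)."""
    return check_controls(WORKSTATION, date(2024, 4, 1))
```

Running `run_sample()` on the constructed inventory produces one finding per control except patch management, which produces two (an unsupported product and a fix outstanding for 31 days).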
Conclusion and Next Steps
Testing for security vulnerabilities is essential to the Cyber Essentials certification requirements. Both external and in-depth internal testing scans are appropriate, with the latter supported by a technical audit for Cyber Essentials Plus.
Companies benefit from treating vulnerability testing as a high priority. It is required to become certified for Cyber Essentials, but it also offers valuable assurances to customers.
Engaging with a security consulting firm allows for early testing in preparation for the certification approval process. Microbyte offers a complete package to support clients wishing to improve their security and pass Cyber Essentials certification.