The prerequisites for testing
All our Cyber Essentials Plus packages are based on on-site testing at one location, of one type of user account, on up to ten sample devices. Additional workstations, mobile devices and build types may need to be tested to meet sampling requirements of the scheme. For further information, please see our FAQ.
The duration and number of locations that must be included in the internal testing depend on the number of builds of user devices (including BYOD) that are within the scope of the certification.
The number of locations to be tested depends on whether all the different builds can be tested in one location. It is permissible to arrange a build to be delivered at a particular site for testing purposes, even if it is not normally deployed there, providing it accesses the Internet in its usual manner.
The number of builds is defined by the number of configurations of operating system and the suite of software installed. Examples of relevant software are listed below.
- Oracle Java
- Adobe Acrobat
- Microsoft Office
- Adobe Flash
- Mozilla Firefox
- Google Chrome
- Opera
- Microsoft Internet Explorer
- Antivirus solution
If more than one browser is used then each variant will be in scope for testing.
Test requirements
- All user devices are subject to testing and will be agreed upon before the testing date, including mobile and BYOD (bring your own device), and must be available for testing.
- All devices within the scope of testing must be user devices and cannot be built specifically for testing.
- A local user account with username and password must be available for each user group in scope.
- Devices must have Internet access, allow emails from our test domain and be accessible by our test web server (https://ces.itgovernance.co.uk/).
- You must provide details of a user email account per user group being assessed.
- Workstation builds must be configured to allow an authenticated vulnerability scan that will determine patch and version numbers of installed software, and you must provide details of the user account to be used.
- Remote registry must be enabled on the workstation builds, and no global policies that block the authenticated vulnerability scan are permitted.
Conditions
- This product is supplementary to the Cyber Essentials Plus certification service provided by IT Governance.
- This product cannot be purchased unless the Cyber Essentials Plus certification service is being provided by IT Governance.
- Each retest package includes on-site testing at one location, of one type of user account, on up to ten sample devices. Additional workstations, mobile devices and build types may need to be tested to meet the sampling requirements of the scheme. If you require more than ten end-user workstations to be tested, you will need to purchase Cyber Essentials Plus Additional Device Testing. This testing can be conducted remotely in some instances.
- If your business is located outside mainland UK, additional expenses will be charged to accommodate our consultant’s travel time and costs for the on-site assessment. These will be billed separately.