Description
This service will give you a good chance of achieving a CREST-accredited Cyber Essentials Plus certification at the first attempt. It is also designed for organisations with little or no knowledge of the five controls (secure configuration, boundary firewalls, access controls, patch management and malware protection) and testing conditions, as well as those that do not know their scope or the IP range that should be tested.
We also recommend this solution for large organisations with complex organisational structures.
How the application process works
- We send you details of how to log on to our Cyber Essentials online portal.
- We book your full day of on-site consultancy.
- You define your scope for testing using guidance in the portal.
- You complete and submit your SAQ (self-assessment questionnaire).
- We inform you if the SAQ meets the requirements of the Cyber Essentials scheme.
- You schedule your on-site assessment, which will include the internal vulnerability scan.
- You schedule your external vulnerability scan through the portal.
- We will conduct the on-site assessment and perform the necessary internal scan on a sample of your Internet-facing devices.
- We will provide you with the results of the internal scan and on-site assessment. If there are nonconformities, we will provide detailed feedback to help you understand how to close these gaps and achieve certification.
- Subject to a positive outcome, we issue your Cyber Essentials Plus certificate.
Benefits of the Cyber Essentials scheme:
Protect your organisation
According to the UK government, when implemented correctly, the five Cyber Essentials controls will help protect your organisation from approximately 80% of cyber attacks.
Work with the UK government and the MOD
Cyber Essentials certification will permit your organisation to work with the UK government, Cyber Essentials Plus will allow you the opportunity to with the Ministry of Defence (MOD).
Reduce cyber insurance premiums
Cyber insurance agencies look more favourably on organisations that have achieved Cyber Essentials certification.
Testing conditions
The package price is based on on-site testing at one location, of one type of user account, on up to eight workstation builds and up to five mobile devices (smartphones and tablets*). The duration and the number of locations that must be included in the internal testing depend on the number of user device builds, including BYOD, that are within the scope of the certification. *Microsoft Surface Pro Tablet is treated as a workstation.
The number of locations to be tested depends on whether all the different builds can be tested in one location. A build can be delivered to a particular site for testing purposes even if it is not normally deployed there, providing it accesses the Internet in its usual manner.
The number of builds is defined by the number of configurations of operating system and software suites installed. If more than one browser or Office suite is used, each variant will need to be tested. If they are installed on the same build, this is acceptable. Examples of relevant software are listed below:
- Oracle Java
- Adobe Acrobat
- Microsoft Office
- Adobe Flash
- Mozilla Firefox
- Google Chrome
- Opera
- Microsoft Internet Explorer
- Antivirus solution
Pre-test requirements
- All user device builds to be tested, including mobile and BYOD (bring your own device), must be available for testing.
- A local user account with username and password must be available for each user group in scope.
- Devices must have Internet access, allow emails from our test domain and be accessible by our test web server (https://ces.itgovernance.co.uk).
- You must provide details of a user email account per user group being assessed.
- Workstation builds must be configured to allow an authenticated vulnerability scan that will determine patch and version numbers of installed software, and details of the account to be used.
- Remote registry must be enabled on the workstation builds, and no global policies that block the authenticated vulnerability scan are permitted.
Additional conditions and expenses
The on-site assessment is subject to additional travel expenses, which will be charged in arrears.
The package includes a free vulnerability scan for up to 16 IP addresses. If you have more than 16 IP addresses, you will need to purchase additional IP packages in packs of 16. If you fail your external scan, a rescan will need to be purchased, plus any additional IP packages that you need.
You will receive the documentation toolkit within 48 hours of your purchase and we’ll contact you at the same time to schedule your Live Online consultancy. Your Live Online consultancy can be split over multiple sessions but any unused time will not be credited back.
Extra information
SE
