
Cyber Essentials Plus Checklist for 2024 – Source: securityboulevard.com


Source: securityboulevard.com – Author: Ronan Grobler, Compliance Success Manager, Scytale

Regardless of your industry, a baseline foundation of cybersecurity is imperative. We know it, you know it, and your competitors know it. However, it’s one thing to understand the importance of following a strong security standard and a whole other ball game to actually implement the right controls for your specific threat landscape. 

That’s where Cyber Essentials comes into play. Cyber Essentials Plus, in particular, is a more comprehensive and rigorous evaluation that provides a higher level of assurance for your organization’s security, involving external audits and more detailed technical checks.

What is Cyber Essentials Plus?

Cyber Essentials Plus is the advanced, more technical tier of the wider ‘Cyber Essentials’ scheme, as opposed to the basic, self-assessed Cyber Essentials certification, which falls within the same scheme. The certification is overseen by the National Cyber Security Centre (NCSC) in the UK.

To clarify, Cyber Essentials has two different types of certifications. Here’s how they differ: 


  • Cyber Essentials: 

Cyber Essentials refers to a series of self-assessments. These self-assessments require organizations to gauge their cybersecurity posture and implement the basic controls that cover the most common threats. Most organizations lean towards Cyber Essentials because it is simple and provides an excellent starting point for implementing security measures and additional security controls.

  • Cyber Essentials Plus: 

Cyber Essentials Plus, on the other hand, provides a more comprehensive and rigorous evaluation of an organization’s security posture. Instead of completing self-assessments, organizations must undergo on-site audits by an external certification body that assesses their technical controls in depth. This certification process goes beyond the entry-level Cyber Essentials certification: it still focuses on the same fundamental security controls and principles, but provides a higher level of assurance for your organization’s security.

Cyber Essentials Plus Requirements

You’re in luck if you’ve already got the hang of the Cyber Essentials requirements. Cyber Essentials and Cyber Essentials Plus address exactly the same core security controls – both focus on five core information security controls, namely:

  • Firewall & Internet Gateway
  • Secure Configuration
  • Patching & Updates
  • Access Control
  • Malware Protection

However, things get a bit more complicated when it comes to obtaining the certification. 

Key Components of the Cyber Essentials Plus Checklist

To get Cyber Essentials Plus certified, you must look at the Cyber Essentials scheme as a whole, which means starting with the Cyber Essentials questionnaire: to get ‘Plus’ certified, companies must first obtain the Cyber Essentials certification. After that, organizations undergo a technical audit performed by the certification body, which includes hands-on verification of system configurations, firewall setups, and access controls.

After the audit has been performed, organizations are notified whether or not any gaps were found in the assessment. It’s crucial to have a remediation plan in place to address these gaps efficiently within the given timeframe. If you do not pass this time, you must submit a new application and pay the fee again. Here’s how to make sure the first time’s the charm.

Let’s Get Technical: Cyber Essentials Plus Checklist

The Cyber Essentials Plus certification focuses on the technical implementation of the five fundamental security controls. But what does that involve in practice? Here’s a checklist to make sure you’re on the right track.

Check Your Firewalls

The F-word – Firewalls! If your business infrastructure operates in the cloud, you must secure all networks that connect to your systems and devices. Think of it as securing the inside of your house by limiting who can come through the front door. Essentially, the purpose of a firewall is to create a barrier between your IT network or device and any external network. When it comes to meeting the scheme’s requirements, it’s essential to:

  • Change all default administrative passwords to stronger, unique alternatives or restrict remote administrative access altogether
  • Set up a default block for any unauthenticated inbound connections
  • Ensure continuous monitoring and logging of firewall activities to detect and respond to unauthorized access attempts
  • Remove or turn off permissive firewall rules as soon as they become irrelevant
  • Prioritize leading firewall software on devices that are often used on untrusted public networks
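The three firewall items that an auditor can check mechanically – a default block on inbound connections, no lingering permissive rules, and logging on every rule that opens a path in – can be turned into a ruleset audit. The script below is an added example, not code from the post or from Scytale; the Rule and Ruleset classes are a constructed, simplified representation of a firewall policy (real firewalls export rules in their own formats, so the loader is yours to write), and the sample ruleset and dates are invented to show each finding firing.

```python
"""Audit a firewall ruleset against the firewall checklist items above.

Added example, not code from the post or from Scytale. Rule/Ruleset are a
constructed, simplified model of a firewall policy; the 'expires' field is
an assumed convention for tracking when a temporary rule should be retired.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

ANY = "any"


@dataclass
class Rule:
    name: str
    direction: str                    # "inbound" or "outbound"
    action: str                       # "allow" or "deny"
    src: str                          # source CIDR, or "any"
    dst_port: str                     # destination port or range, or "any"
    expires: Optional[date] = None    # retire-by date for temporary rules
    logging: bool = False             # whether hits on this rule are logged


@dataclass
class Ruleset:
    default_inbound: str              # policy when no rule matches: "allow" or "deny"
    rules: List[Rule] = field(default_factory=list)


def audit_ruleset(rs: Ruleset, today: date) -> List[str]:
    """Return one finding per checklist violation (empty list means compliant)."""
    findings = []
    # Checklist: unauthenticated inbound connections must be blocked by default.
    if rs.default_inbound != "deny":
        findings.append("default inbound policy is not deny")
    for r in rs.rules:
        if r.direction != "inbound" or r.action != "allow":
            continue  # only inbound allow rules create exposure
        # Checklist: permissive rules must be removed once irrelevant.
        if r.src == ANY and r.dst_port == ANY:
            findings.append(f"{r.name}: allows any source to any port")
        if r.expires is not None and r.expires < today:
            findings.append(f"{r.name}: temporary rule expired on {r.expires.isoformat()}")
        # Checklist: firewall activity must be logged so attempts can be detected.
        if not r.logging:
            findings.append(f"{r.name}: inbound allow rule is not logged")
    return findings


# Constructed sample ruleset (not from any real firewall); 203.0.113.0/24 is a
# documentation range.
SAMPLE = Ruleset(
    default_inbound="allow",
    rules=[
        Rule("vpn-gateway", "inbound", "allow", ANY, "443", logging=True),
        Rule("vendor-rdp", "inbound", "allow", "203.0.113.10/32", "3389",
             expires=date(2024, 3, 1), logging=True),
        Rule("legacy-any", "inbound", "allow", ANY, ANY),
        Rule("egress", "outbound", "allow", ANY, ANY),
    ],
)
AUDIT_DATE = date(2024, 5, 1)  # constructed audit date

if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE, AUDIT_DATE):
        print("FINDING:", finding)
```

Run against the sample, the audit reports four findings: the allow-by-default policy, the expired vendor rule, and two for the any-to-any rule (too permissive and unlogged). Changing the default to deny and removing the legacy rule is the remediation the checklist asks for, and the audit then comes back clean.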

Configure Your Network Settings

Poorly configured networks and devices expose your entire IT infrastructure to cyber threats. But what is configuration, exactly? In brief, network configuration assigns network settings, policies, flows, and controls. For the Cyber Essentials Plus certification, this means organizations should:

  • Ensure that account deactivation is part of the employee offboarding process to maintain security;
  • Change default or guessable account passwords to something non-obvious;
  • Remove or turn off unnecessary software;
  • Turn off any auto-run feature that allows file execution without user authorization;
  • Authenticate users using robust methods, such as multi-factor authentication, before enabling Internet-based access to commercially or personally sensitive data.

Control User Access

Access control regulates the way in which users can access specific systems, data, and files. Naturally, you wouldn’t want just anyone to have access to sensitive information and data – both internally and externally. This is where user access control becomes imperative. Some guidelines for this requirement include: 

  • Implementing special credentials like Multi-Factor Authentication to grant access
  • Using password-based authentication wherever applicable
  • Limiting the number of unsuccessful attempts before the device or system is locked
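The last item, limiting unsuccessful attempts before a lock, is simple to state but easy to get subtly wrong: the lock has to be checked before the password is, stale failures should age out, and a successful login should reset the counter. The following is an added example, not code from the post or from Scytale, showing one way to implement that; the thresholds in LockoutPolicy are constructed illustrations rather than values the scheme mandates, and timestamps are plain seconds so the logic can be exercised without a clock.

```python
"""Lock an account after repeated failed logins.

Added example, not code from the post or from Scytale. Policy values below
are illustrative assumptions; set them to match your own risk appetite.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LockoutPolicy:
    max_attempts: int = 5        # failures that trigger a lockout
    window_seconds: int = 600    # failures older than this no longer count
    lockout_seconds: int = 900   # how long the account stays locked


@dataclass
class _AccountState:
    failures: List[float] = field(default_factory=list)  # recent failure timestamps
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._state: Dict[str, _AccountState] = defaultdict(_AccountState)

    def is_locked(self, user: str, now: float) -> bool:
        return self._state[user].locked_until > now

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'denied' for one login attempt."""
        # Check the lock before looking at the credential, so a locked account
        # cannot be used even with the right password.
        if self.is_locked(user, now):
            return "locked"
        st = self._state[user]
        if password_ok:
            st.failures.clear()  # a successful login resets the counter
            return "ok"
        # Drop failures outside the window, then record this one.
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
        return "denied"


def simulate() -> List[str]:
    """Constructed scenario: three bad passwords lock the account, the right
    password is refused while locked, and succeeds once the lock expires."""
    throttle = LoginThrottle(LockoutPolicy(max_attempts=3, window_seconds=600,
                                           lockout_seconds=900))
    script = [(0, False), (1, False), (2, False), (3, True), (903, True)]
    return [throttle.attempt("alice", ok, t) for t, ok in script]


if __name__ == "__main__":
    print(simulate())  # ['denied', 'denied', 'denied', 'locked', 'ok']
```

Note that the throttle answers "locked" without revealing whether the password was right, and that the failure counter is cleared when the lock is applied, so the next cycle starts fresh when the lock expires rather than locking again on the first miss.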

Protect Against Malware

Malware protection keeps untrusted software from executing on your systems. Practically speaking, this means installing (and regularly updating) anti-malware or anti-virus software and scanning for threats. To meet the Cyber Essentials Plus requirements, be sure to: 

  • Update your software as per vendor recommendations
  • Prevent malware from running and executing malicious code
  • Prevent connecting to malware-infected websites
  • Maintain an inventory of authorized applications
  • Block users from installing and running applications with an unknown or invalid signature

Update, Update, Update

Often, organizations take a ‘set and forget’ approach to cybersecurity. However, with a changing threat landscape, security systems must keep pace. Be sure to keep devices and software up to date – for example, by installing patches. This ensures they are not vulnerable to known security issues, including newly discovered ones. All software on in-scope devices must be:

  • Licensed and supported
  • Removed from devices when no longer supported
  • Enabled for automatic updates where possible
  • Patched within 14 days of a security update being released
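The last two bullets are the ones an auditor will sample devices for, so it pays to be able to produce the answer from your inventory before they ask. The script below is an added example, not code from the post or from Scytale: it walks a software inventory and flags unsupported software and security patches outstanding for longer than the 14-day window stated above. The inventory records, product names, versions and dates are all constructed; in practice the records would come from your asset inventory and the vendors’ release notes.

```python
"""Report software that breaks the support and 14-day patch requirements.

Added example, not code from the post or from Scytale. SoftwareItem is a
constructed record layout; the 14-day window is the one the checklist states.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_SLA = timedelta(days=14)


@dataclass
class SoftwareItem:
    device: str
    name: str
    version: str
    supported: bool                            # vendor still ships security updates
    latest_patch_released: Optional[date]      # release date of the newest security patch
    installed_patch_released: Optional[date]   # release date of the patch actually installed


def check_patch_compliance(items: List[SoftwareItem], today: date) -> List[Tuple[str, str, str]]:
    """Return (device, software, issue) for every item that needs attention."""
    findings = []
    for it in items:
        if not it.supported:
            # Checklist: unsupported software must be removed from the device.
            findings.append((it.device, it.name, "unsupported: remove or replace"))
            continue
        if it.latest_patch_released is None:
            continue  # no security patch has been published for this software
        if (it.installed_patch_released is not None
                and it.installed_patch_released >= it.latest_patch_released):
            continue  # the newest patch is already installed
        age = today - it.latest_patch_released
        if age > PATCH_SLA:
            overdue = (age - PATCH_SLA).days
            findings.append((it.device, it.name, f"security patch overdue by {overdue} days"))
        else:
            remaining = (PATCH_SLA - age).days
            findings.append((it.device, it.name, f"patch pending, {remaining} days left"))
    return findings


# Constructed inventory: names, versions and dates are illustrative only.
INVENTORY = [
    SoftwareItem("laptop-01", "Web browser", "124.0", True, date(2024, 5, 15), date(2024, 5, 15)),
    SoftwareItem("laptop-01", "PDF reader", "11.2", True, date(2024, 4, 20), date(2024, 3, 1)),
    SoftwareItem("server-02", "Legacy OS", "2008", False, None, None),
    SoftwareItem("server-02", "Mail client", "3.4", True, date(2024, 5, 12), None),
]
REPORT_DATE = date(2024, 5, 20)  # constructed reporting date

if __name__ == "__main__":
    for device, name, issue in check_patch_compliance(INVENTORY, REPORT_DATE):
        print(f"{device:<10} {name:<12} {issue}")
```

On the sample data the browser is current and produces nothing, the PDF reader is 16 days past the window, the legacy OS is flagged for removal, and the mail client still has six days to be patched. Distinguishing "pending" from "overdue" matters: the first is a queue for the patching team, the second is a certification failure.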

Essentially Yours! Get Cyber Essentials Plus Certified with Scytale

We’ve got your back! Achieve compliance in a fraction of the time with automation that streamlines your entire audit-readiness process toward the Cyber Essentials Plus certification. The best part? Our compliance experts become an extension of your team, guiding you from strength to strength.

The post Cyber Essentials Plus Checklist for 2024 appeared first on Scytale.

*** This is a Security Bloggers Network syndicated blog from Blog | Scytale authored by Ronan Grobler, Compliance Success Manager, Scytale. Read the original post at: https://scytale.ai/resources/cyber-essentials-plus-checklist/

Original Post URL: https://securityboulevard.com/2024/05/cyber-essentials-plus-checklist-for-2024/

Category & Tags: Security Bloggers Network, All, Blog, Security and Compliance
