Cyber Essentials and Cyber Essentials Plus: How do they differ?

01 Jul 23


Cyber Essentials is a scheme backed by the UK’s National Cyber Security Centre (NCSC) to protect organisations of any size against the most common internet-based attacks. Cyber Essentials is a verified self-assessment certification scheme, and the certification is renewable annually.

The NCSC sets out the background to the scheme in its Cyber Essentials: Requirements for IT Infrastructure v3.1. The scheme covers five key areas: firewalls, secure configuration, security update management, user access control and malware protection. These controls reduce the impact of commodity cyber attacks from the internet.

Cyber Essentials Plus must be carried out within 3 months of completing the Cyber Essentials certification. The audit can be carried out on-site or remotely.

The assessment includes vulnerability scans of the organisation’s scoped infrastructure, in which a sample of devices representative of that infrastructure is tested. The sample will include servers, desktop computers, laptops, thin clients, tablets and mobile phones, with each type of operating system tested. Auditors will also observe users carrying out everyday tasks on the sampled devices.

Each sampled device will have the following checks carried out:

  • A full vulnerability scan or manual check to confirm that all installed software is supported and that all patches for high and critical vulnerabilities have been applied within 14 days of release.
  • A check of malware protection on each device. This includes manual configuration checks or placing benign test files on the device and observing what happens when the user opens them.
  • A check for account separation, ensuring a user cannot carry out administrator functions from their standard user account.
  • A check against all cloud services the users rely on, confirming that users are presented with a multi-factor authentication challenge when logging on to each of them.
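The four device checks above map directly onto a pre-audit self-check that an organisation can run over its own asset inventory before the assessor arrives. The script below is an added example and not part of the original article or any assessor's tooling; it evaluates constructed inventory records (the `Device` and `Finding` structures, host names, package names and dates are all made up for illustration) against the 14-day patch window, the malware-protection requirement, account separation and cloud MFA, and reports per-device failures.

```python
"""Pre-audit self-check against the four Cyber Essentials Plus device checks.
Added example: the inventory records below are constructed, not real hosts or scan output."""
from dataclasses import dataclass, field
from datetime import date

PATCH_WINDOW_DAYS = 14            # deadline for applying high/critical fixes
TRACKED = {"high", "critical"}    # severities the 14-day rule applies to


@dataclass
class Finding:
    package: str
    severity: str
    fix_released: date            # date the vendor made the patch available
    applied: bool                 # True once the patch is installed


@dataclass
class Device:
    name: str
    os_supported: bool            # operating system still receives vendor security updates
    malware_protection_on: bool   # anti-malware installed, enabled and up to date
    daily_user: str               # account used for day-to-day work
    admin_accounts: set           # accounts holding administrator rights on the device
    cloud_services: dict          # service name -> True if MFA is enforced
    findings: list = field(default_factory=list)


def overdue_findings(device, today):
    """High/critical findings still unpatched more than 14 days after the fix shipped."""
    return [
        f for f in device.findings
        if f.severity.lower() in TRACKED
        and not f.applied
        and (today - f.fix_released).days > PATCH_WINDOW_DAYS
    ]


def check_device(device, today):
    """Return a list of failure strings; an empty list means the device passes all four checks."""
    failures = []
    if not device.os_supported:
        failures.append("unsupported operating system")
    for f in overdue_findings(device, today):
        age = (today - f.fix_released).days
        failures.append(f"{f.package}: {f.severity} fix available for {age} days")
    if not device.malware_protection_on:
        failures.append("malware protection disabled")
    if device.daily_user in device.admin_accounts:
        failures.append(f"daily account '{device.daily_user}' has administrator rights")
    for service, mfa in device.cloud_services.items():
        if not mfa:
            failures.append(f"no MFA on cloud service '{service}'")
    return failures


def audit(devices, today):
    """Map each device name to its list of failures."""
    return {d.name: check_device(d, today) for d in devices}


# Constructed sample inventory (hypothetical hosts, packages and dates)
TODAY = date(2023, 7, 1)
SAMPLE_DEVICES = [
    Device("LAPTOP-01", True, True, "alice", {"administrator"},
           {"M365": True},
           [Finding("browser", "critical", date(2023, 6, 25), False)]),   # 6 days old: within window
    Device("DESKTOP-07", True, True, "bob", {"bob", "administrator"},
           {"M365": True, "crm": False},
           [Finding("pdf-reader", "high", date(2023, 6, 1), False),      # 30 days old: overdue
            Finding("office", "medium", date(2023, 5, 1), False)]),      # medium: outside the 14-day rule
]

if __name__ == "__main__":
    for name, failures in audit(SAMPLE_DEVICES, TODAY).items():
        print(name, "PASS" if not failures else "FAIL")
        for failure in failures:
            print("  -", failure)
```

In a real deployment the `SAMPLE_DEVICES` list would be populated from a vulnerability scanner export and a directory query rather than typed by hand; the point of the evaluator is that the 14-day clock starts when the vendor releases the fix, and that medium-severity findings, while worth fixing, are not what the Cyber Essentials Plus check fails a device on.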

Forti5 Technologies can help organisations become certified. Many organisations need advice and support to complete the assessment process, and the level of support required varies with the level of IT expertise in the company. The cost of the Cyber Essentials certification is set by the NCSC; the cost of Cyber Essentials Plus, however, depends on the size and complexity of the network. We will supply quotes for both the support and the certification.