What is Cyber Essentials Plus?
Cyber Essentials Plus is the level above the base Cyber Essentials certification and provides a more rigorous test of your organisation’s cyber security systems through detailed on-site vulnerability assessments carried out by our cyber security experts.
In addition to the initial self-assessment, which alone makes up the base Cyber Essentials certification, Cyber Essentials Plus requires a series of vulnerability tests carried out by our cyber security experts. They check that your IT security systems can withstand basic hacking and phishing attacks, then prepare a final report summarising their findings and stating whether you have passed and can be Cyber Essentials Plus certified.
Cyber Essentials Plus offers a higher level of assurance through the external testing of the organisation’s cyber security approach.
Cyber Risk Profiles
A Cyber Risk Profile sets out the cyber protection measures required at each level of cyber risk.
If a contract is assessed as carrying a cyber risk of ‘Low’, then the applicant will need to comply with the measures set out in the ‘Low’ profile. These requirements are progressive as one moves up the risk profiles.
The new Cyber Security Model mandates the following for all MOD suppliers and subcontractors:
- For Contracts at ‘Very Low’ risk – Cyber Essentials is required
- For Contracts at ‘Low’, ‘Moderate’ or ‘High’ risk – Cyber Essentials Plus is required
If you are looking to bid on MOD contracts with a risk level above ‘Very Low’, you will need Cyber Essentials Plus in place. You can read more about Cyber Risk Profiles here.
What’s the Difference between Cyber Essentials Plus and Cyber Essentials?
The level of testing required for Cyber Essentials Plus is more stringent than the testing carried out through the Cyber Essentials self-certification. Whilst the base Cyber Essentials certification involves just the completion of the self-assessment questionnaire, the Cyber Essentials Plus assessment includes this as well as two additional key elements:
- An On-Site Assessment
The on-site assessment is a requirement for all companies wishing to achieve Cyber Essentials Plus. Our team will visit your office(s) and thoroughly check whether the solutions you have put in place comply with the control requirements. You can find out the control requirements here.
- Internal Vulnerability Scan
An internal vulnerability scan is a requirement for all companies wishing to achieve Cyber Essentials Plus. It involves a scan of your internal networks within the scope of your application, with a focus on workstations and mobile devices. It aims to find out whether the Cyber Essentials controls have been properly implemented and to check that known vulnerabilities have been addressed.
Cyber Essentials Plus Extra
Cyber Essentials Plus Extra includes a remote pre-test of your network before the audit, a report explaining what needs to be fixed and the Cyber Essentials Plus test itself, which includes travel for our team on the UK mainland.
Get Started with Cyber Essentials
Certification to the Government’s Cyber Essentials Scheme is a mandatory requirement for organisations wishing to win business with the MOD, and can help your organisation prepare and defend itself against malicious cyber attacks, regardless of the sector you operate in.