Cyber Essentials Plus: The Gold Standard for UK Cyber Security [according to the Government at least]

Cyber threats are growing more sophisticated daily, making robust cyber security measures essential for organisations of all sizes. 

I wrote an article about ISO27001 and how it can protect organisations from threats. Several people gave their opinion on Cyber Essentials Plus, which, to be honest, I’ve never held in high regard as a security standard.   

It’s been a few years since I first looked at it, so I agreed to review it again to see if my opinion had changed. Whilst I did, I thought I’d write a brief guide and try to cover everything you may need to know about the Cyber Essentials / Cyber Essentials Plus scheme, including:

  • What Cyber Essentials and Cyber Essentials Plus are
  • Cyber Essentials Plus requirements
  • Benefits of certification  
  • Cost of implementation  
  • Comparison to other cyber security standards

Hopefully, by the end you’ll understand how Cyber Essentials Plus helps protect an organisation against common cyber-attacks and whether it’s the right fit for your security strategy.

Cyber Essentials and Cyber Essentials Plus have emerged as the “definitive” UK government-backed cyber security certification schemes to help organisations guard against a wide range of common threats. 

 

What is Cyber Essentials?

Cyber Essentials is a simple but effective government-backed scheme and certification process owned by the UK’s National Cyber Security Centre (NCSC), a part of GCHQ, and delivered through IASME as the NCSC’s Cyber Essentials Partner. It sets out the basic technical controls all organisations should have in place to guard against the most common internet-borne threats.

The controls cover five key areas:

  1. Firewalls (boundary firewalls and internet gateways)
  2. Secure configuration 
  3. User access control 
  4. Malware protection
  5. Security update management (patching)

There are two levels of certification:

  • Cyber Essentials – Assess your own compliance against the requirements via a self-assessment questionnaire, which is reviewed and signed off by a Certification Body.
  • Cyber Essentials Plus – Adds a hands-on technical audit by an independent Certification Body: an external vulnerability scan of your internet-facing systems, authenticated internal vulnerability and patch checks on a sample of devices, malware-protection tests (test files delivered by email and browser download), and checks of MFA and account separation. The Plus audit must be completed within three months of the underlying Cyber Essentials self-assessment certificate. It is the higher of the two levels and the one generally recommended for organisations handling valuable data or intellectual property. 

Achieving Cyber Essentials or Cyber Essentials Plus is supposed to assure customers, investors, insurers, and stakeholders that your organisation takes cyber security seriously and has implemented baseline controls to prevent the most common internet-based threats.

 

Cyber Essentials Plus Requirements

Obtaining Cyber Essentials Plus certification involves meeting requirements across all five control themes, which comprise:

Firewalls:

  • Default administrative passwords changed to strong ones, or remote administration disabled.
  • Unauthenticated inbound connections blocked by default; every inbound rule documented and approved by an authorised person, with the business need recorded.
  • Permissive rules removed or disabled promptly once no longer needed.
  • The firewall’s administrative interface not reachable from the internet unless there is a documented business need, and then protected by multi-factor authentication or an IP allow-list.
  • A host-based firewall enabled on devices used on untrusted networks such as public Wi-Fi.
  • Firmware kept up to date (firewalls are in scope for the patching rules below).

Secure Configuration:

  • Unnecessary user accounts are disabled or removed. Guest accounts are disabled. 
  • Default or easily guessable passwords are changed.
  • Unnecessary applications are removed and unneeded services disabled.
  • Auto-run and auto-play features that execute files without user authorisation are disabled.
  • Users are authenticated before they can reach commercially or personally sensitive data over the internet.
  • Devices are locked with a PIN (at least six characters), password or biometric, with brute-force protection (throttling, or lockout after no more than ten failed attempts).

User Access Control:

  • A documented process for creating and approving user accounts, and for removing or disabling them when no longer required (joiners, movers and leavers).
  • Every user authenticates with unique credentials before being granted access; privileges are limited to what the role needs (least privilege).
  • Separate accounts for administrative activity, with admin privileges removed or disabled when no longer required.
  • Multi-factor authentication used wherever it is available, and always for cloud services.
  • Password quality enforced technically: a minimum of 12 characters with no maximum (or 8 characters where MFA is also in place), or a deny-list of common passwords. Complexity rules and forced regular expiry are not required by the scheme.

Malware Protection:

  • Anti-malware software on all in-scope devices, kept up to date in line with the vendor’s recommendations, configured to prevent malware from running and to block connections to known malicious websites; or
  • Application allow-listing, so that only approved applications can execute, with the approved list actively maintained.
  • At Plus level the assessor verifies this in practice by delivering test files via email attachments and browser downloads to sampled devices.

Security Update Management:

  • All software is licensed and supported by its vendor; software that falls out of support is removed.
  • Automatic updates are enabled wherever the software allows it.
  • Updates that fix vulnerabilities rated high or critical (CVSS v3 base score 7.0 or above), or where the vendor gives no severity detail, are applied within 14 days of release. This covers operating systems, applications and firmware.
  • Maintain an inventory of hardware and software so that you know what needs patching, and keep records of updates applied.
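The 14-day rule is the one requirement that can be checked mechanically before an assessor does it for you. The following is an added example, not part of the original article or of the scheme’s own tooling: a small Python checker that walks a constructed software inventory and flags both unsupported software and updates for high/critical (CVSS 7.0+) vulnerabilities that are older than the 14-day window. The `Finding` record layout, the sample inventory and the fixed audit date are assumptions made for the example; in practice you would feed it from your patch-management or asset tooling.

```python
"""Cyber Essentials security-update readiness check (added example).

Rules encoded here, from the Cyber Essentials requirements:
  * software must be supported by its vendor; unsupported software fails;
  * updates for vulnerabilities with CVSS v3 base score >= 7.0 must be
    applied within 14 days of the vendor releasing them.
The inventory record format and sample data below are constructed for
this example and are not part of any real tool.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

PATCH_WINDOW_DAYS = 14
HIGH_SEVERITY_CVSS = 7.0

# Fixed "today" so the example is deterministic (constructed).
AUDIT_DATE = date(2024, 6, 1)


@dataclass(frozen=True)
class Finding:
    host: str
    software: str
    version: str
    supported: bool                      # still receives vendor security updates?
    pending_cvss: Optional[float]        # highest CVSS of an unapplied update, if any
    update_released: Optional[date]      # when the vendor released that update


def evaluate(finding: Finding, today: date) -> List[str]:
    """Return the Cyber Essentials failures for one finding (empty list = compliant)."""
    failures: List[str] = []

    if not finding.supported:
        failures.append(
            f"{finding.host}: {finding.software} {finding.version} is out of vendor "
            f"support and must be removed or replaced"
        )

    if finding.pending_cvss is not None and finding.update_released is not None:
        age_days = (today - finding.update_released).days
        # Only high/critical updates carry the hard 14-day deadline;
        # exactly 14 days old is still inside the window.
        if finding.pending_cvss >= HIGH_SEVERITY_CVSS and age_days > PATCH_WINDOW_DAYS:
            failures.append(
                f"{finding.host}: {finding.software} {finding.version} has an unapplied "
                f"CVSS {finding.pending_cvss} update released {age_days} days ago "
                f"(limit {PATCH_WINDOW_DAYS} days)"
            )
    return failures


def audit(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group failures by host; hosts with no failures are omitted."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        fails = evaluate(f, today)
        if fails:
            report.setdefault(f.host, []).extend(fails)
    return report


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    # Critical browser update, 20 days old -> fails the 14-day rule.
    Finding("ws01", "Chrome", "124.0", True, 8.8, date(2024, 5, 12)),
    # Medium-severity update, 40 days old -> no hard deadline, no failure.
    Finding("ws01", "Office", "16.0", True, 5.3, date(2024, 4, 22)),
    # End-of-life operating system -> fails regardless of patch state.
    Finding("srv02", "Windows Server", "2012 R2", False, None, None),
    # Critical update only 3 days old -> still inside the window.
    Finding("ws03", "Firefox", "126.0", True, 9.8, date(2024, 5, 29)),
]


if __name__ == "__main__":
    for host, problems in sorted(audit(SAMPLE_INVENTORY, AUDIT_DATE).items()):
        for p in problems:
            print("FAIL", p)
```

Run against the sample data, only ws01 (the stale Chrome update) and srv02 (unsupported OS) are reported; the medium-severity Office update and the three-day-old Firefox update pass. Swap in your own inventory export and the same two rules give you a pre-assessment view of exactly what an assessor’s authenticated patch check will find.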

The critical addition with Cyber Essentials Plus is that an independent Certification Body tests the controls rather than taking your word for them. The audit: 

  • Scans your internet-facing systems for vulnerabilities and misconfigurations.
  • Runs authenticated vulnerability and patch checks on a sample of your internal devices, so missing updates inside the 14-day window show up.
  • Tests that malware protection actually blocks test files delivered by email and browser download, and that MFA and admin/user account separation are in place.
  • Requires any failures to be remediated and re-tested before certification is awarded, giving independent assurance that you meet the requirements. 

 

Achieving Cyber Essentials Plus Certification

Working towards Cyber Essentials Plus involves the following key stages:

Preliminary activities:

  • Appoint a project lead or information security specialist.
  • Thoroughly review the requirements and determine what policies, systems, controls, and processes may need to be changed in your organisation.
  • Create an internal project plan and roadmap.

Internal preparation stage activities:

  • Conduct information-gathering exercises; identify hardware/software, data, systems, and flows.
  • Assess the existing state of compliance and gaps.
  • Remediate any deficiencies by implementing new controls.
  • Update policies and procedures.
  • Provide awareness training to staff.

Engage an independent Certification Body licensed by IASME (the NCSC’s Cyber Essentials Partner) to:

  • Verify your Cyber Essentials self-assessment submission.
  • Confirm implementation of controls through validation testing. 
  • Scan internet-facing systems and devices using specialist tools.
  • Guide remediating vulnerabilities.
  • Award Cyber Essentials Plus certification upon successful verification.

 Certification must be renewed annually via repeat testing to ensure controls remain robust, especially as the threat landscape evolves.

 

Benefits of Cyber Essentials Plus Certification

Gaining Cyber Essentials Plus certification provides a wealth of benefits, including:

  • Demonstrable confidence in your cyber security posture – Certification is a recognisable hallmark of basic security hygiene that customers can check against the public register.
  • Protection against around 80% of common cyber-attacks – The UK Government has long claimed that full compliance would prevent roughly four in five common attacks. Treat that as an estimate for opportunistic, commodity attacks; the controls do not address targeted or insider threats.
  • Competitive edge for procurement – Cyber Essentials is mandatory for certain UK central government contracts involving personal data or ICT services, and more trade bodies and large corporations now require it of their supply chains.
  • Assurance for insurance processes – Insurers may require Cyber Essentials or price policies more favourably for certified organisations. UK organisations with turnover under £20 million also receive a basic cyber insurance policy included with certification, arranged through IASME.  
  • Reassurance for investors and shareholders - Implementing a government-backed standard reassures boards and stakeholders that baseline cyber risks are being managed.
  • Improved understanding of threats – The process, and particularly the Plus audit, gives visibility of vulnerabilities and misconfigurations you may not have known about.

Achieving Cyber Essentials Plus is a modest investment that delivers good return in risk reduction. It does not, however, make your organisation an industry leader; it shows you have the basics in place, which is the point of a baseline.

 

Cost of Cyber Essentials Plus Implementation  

Cyber Essentials Plus combines internal systems changes and external oversight, so it requires a reasonable investment to implement. Costs are proportionate to the size of your organisation and the complexity of your estate; the self-assessment fee itself is tiered by organisation size, and the Plus audit fee depends on the number of devices and locations the assessor must sample. As an indicative guide, smaller businesses can expect to invest around £1,000-£2,000 in total, while larger enterprises with extensive, complex networks are likely to invest upwards of £10,000-£20,000 once remediation is included. This is modest compared to ISO27001, SOC2 Type II and the like, which can cost many times more but assess far more than baseline controls.

Major cost components include:

  • Project management: Dedicated personnel collating documentation, implementing changes, liaising with assessors, etc. 
  • Control implementation: Potential system upgrades, hardware/software purchases, and policy changes to satisfy requirements.
  • Certification Body fees: Charges for verification assessments, vulnerability scanning, certification, etc. Funded schemes have been available for organisations in specific sectors at various times; check current availability with IASME.
  • Annual renewal: Repeating the Certification Body assessment yearly to retain certified status.

Ongoing costs will be reduced after the first year as your security foundations will be in place. Some vendors also offer combined solutions to address multiple Cyber Essentials areas, which can enhance efficiency.

Ultimately, investment compares very favourably against a damaging cyber breach’s financial and reputational consequences, which can quickly run into millions. Certification also boosts your security posture over the long term, saving effort downstream. When weighing cost vs risk, Cyber Essentials Plus delivers tremendous value.

 

How Does It Compare to Other Standards?  

Cyber Essentials Plus is an entry-level certification that an organisation can build upon as it matures. The problem is that many organisations don’t develop further because they think they’re fully covered, when in fact these are base controls and should be treated as the bare minimum for addressing the most common threats. If anything, it should be considered the first step of the security journey.

Several other complementary standards are worth considering for managing cyber risk.

ISO 27001: ISO 27001 provides an overarching information security management system (ISMS) structure. It enables organisations to define comprehensive suites of information security policies, procedures, and controls, selected through a risk assessment and tailored to the organisation’s own data and context. Certified organisations must continually monitor and improve their ISMS to embed security practices. In contrast, Cyber Essentials Plus verifies a fixed set of baseline technical measures at a point in time. The two work well together: ISO 27001 provides ongoing, risk-driven management, while the Cyber Essentials Plus controls offer a pre-defined technical starting point to incorporate within the broader ISMS. Together, they combine assurance of baseline controls with continuous organisational security improvement against a changing threat landscape.

NIST Cybersecurity Framework (CSF): While Cyber Essentials Plus provides a clear baseline of technical controls to implement, the NIST Cybersecurity Framework focuses on cyber risk management processes. The CSF organises outcomes into core functions (Govern, Identify, Protect, Detect, Respond and Recover in version 2.0) and uses tiers and profiles to describe your current risk posture and the target you want to reach, then guides ongoing monitoring and improvement towards that target. The two approaches complement each other: Cyber Essentials Plus ensures foundational protections are in place, while NIST CSF enables you to build a mature risk management programme tailored to your situation. Using both together provides both assurance and adaptability.

CIS Critical Security Controls: The CIS Controls provide a more extensive set of safeguards, prioritised using cyber threat intelligence. Version 8 has 18 controls (earlier versions had 20), ranging from hardware and software inventory through to penetration testing and data recovery, each split into Implementation Groups so that smaller organisations can start with the safeguards that offer the most risk reduction for their situation. Used alongside Cyber Essentials Plus, the CIS Controls give you a prioritised roadmap for what to do after the baseline, while the certification gives independent validation that the baseline itself is in place.

 

Final thoughts 

Cyber Essentials Plus neatly complements such advanced frameworks, effectively plugging security gaps while you work towards broader certifications. Gaining Cyber Essentials Plus protection provides a solid platform for introducing more advanced assurance over time.

I recommend Cyber Essentials Plus certification for any UK-focused organisation wanting to demonstrate that a credible first step in cyber security basics has taken place. The government backing and independent assessment process are useful accolades that reassure customers and stakeholders that your defences are up to scratch against most attack vectors.

For a modest investment, you can implement fundamental best practices and benefit from an annual external check of your cyber hygiene. Note that the scheme is point-in-time: the Plus scan and audit happen once a year, so continuous vulnerability monitoring between assessments is something you have to arrange yourself.  

Cyber Essentials Plus delivers a high return compared to the rising costs of data breaches, reputational damage, and disrupted operations from cyber incidents. The controls it mandates are aimed at opportunistic attackers, commodity malware, and the automated scanning and exploitation prevalent online; they are not designed to stop a determined, targeted adversary.

As threats increase, certification also creates a foundation to introduce more advanced protections over time, avoiding complexity overwhelm. Consider viewing it as the first rung on your cyber security ladder.

While no single certification offers total protection, Cyber Essentials Plus gives you and your customers confidence that your organisation is on the right path and has taken steps to show they understand the importance of cyber security seriously. 


Christopher Eaton

Director, Head of Risk Assurance @ PwC Channel Islands | MBA, Risk Management, Digital Transformation, Cyber

9mo

With an emphasis on "first step". The cred equivalent of having "Cyber for Dummies" on your bookshelf as a CISO.

Renee Rogers

Fleet loving founder 🚘 Let’s not meet by accident 💥

10mo

This was exactly what I needed to read today. A brilliant breakdown of what I need to do, the steps I need to implement, cost factors and its benefits. Thank you Andrew, you've saved me a chunk of time today!

Appreciate the nudge to revisit Cyber Essentials Plus, Andrew! Looking forward to your insights on how it aligns with ISO27001. Always great to expand our perspectives on security standards.

27001 makes me laugh ... someone tell me where you can easily identify which companies are 27001 certified and what their "scopes" are. It's literally a joke and needs addressing. CE and CE Plus especially are a VERY good start for all organizations, especially those smaller companies with limited resources wanting some evidence of intent and endeavour.

I will be curious to understand what they'll do with it given they plan to reciprocate on CMMC.
