Cyber Essentials Checklist
Cyber Essentials and Cyber Essentials Plus certification is becoming table stakes for UK businesses. Learn what it takes to certify your cybersecurity systems.
by Ari Mojiri
Small and mid-sized businesses often struggle to defend against the constant threat of cyber attack. That’s why the UK government created Cyber Essentials to address the most common sources of cyber risk. Although not as comprehensive as larger security frameworks, Cyber Essentials can help businesses begin the journey to security compliance.
This Cyber Essentials Checklist will help you understand the certification process and prepare your business for achieving Cyber Essentials certification.
What is Cyber Essentials?
The state of small business security is akin to someone leaving valuable items in the back seat of an unlocked car. Anyone can walk by, try the door, and take what they want. Applying basic situational awareness, removing valuables from the car, and locking the doors go a long way to preventing crimes of opportunity.
Smaller organizations often lack the basic security hygiene to defend themselves against unsophisticated “commodity” cyber attacks. Simply addressing the low-hanging fruit in their digital defenses would improve their security dramatically.
Cyber Essentials is a government-backed certification program that helps small and mid-sized enterprises in the UK implement cybersecurity fundamentals. After implementing the five technical controls that address 80% of common cyber threats, businesses submit a self-assessment questionnaire for review and certification by the IASME Consortium.
Since its inception in 2014, the Cyber Essentials program has certified more than 100,000 firms in the UK. Data shows these certified enterprises are 60% less likely to file insurance claims due to cyber attacks.
What is Cyber Essentials Plus?
Rather than relying on a self-assessment documenting the technical controls, Cyber Essentials Plus adds an independent audit to confirm the controls are in place and working effectively.
After a company completes the initial Cyber Essentials certification, IASME auditors will perform vulnerability scans of the company’s internal and external defenses.
Benefits of Cyber Essentials Plus Certification
Earning a Cyber Essentials Plus certification inspires confidence in a company’s ability to defend itself against cyber attacks. This security confidence yields four core benefits:
Small organizations can follow checklists and fill out forms documenting their security systems, but few have the expertise or resources to judge the quality of their security measures.
IASME’s auditors provide the external perspective of security experts who can evaluate the effectiveness of a company’s defenses.
Once certified, companies know they can protect themselves against the most common cybersecurity threats. They can also treat their certified systems as a foundation for building more robust defenses.
Improve Supply Chain Security
A common cybersecurity myth is that small businesses aren’t valuable enough for hackers to spend time cracking their defenses. Within a limited scope, that’s true. However, many small businesses provide services to large enterprises, often with access to their big customer’s systems.
Hackers conduct supply chain attacks by penetrating the defenses of a small business and using that foothold as a bridge into systems of the company’s large customers.
Implementing Cyber Essentials security controls raises the cost of supply chain attacks and contributes to a more secure business environment.
Assure Partners and Customers of Security Capabilities
Managing third-party risk is fundamental to the security frameworks large enterprises adopt, including ISO 27001 and SOC 2. However, small businesses do not have the resources to complete these comprehensive security programs. Cyber Essentials Plus certification is more affordable and provides the independent assessment large companies need to document security compliance amongst their small suppliers.
Win New Business
In addition to documenting the security compliance of their existing suppliers, large businesses are increasingly making cybersecurity a prerequisite for any new vendors. Cyber Essentials Plus certification can give small businesses a competitive advantage in the British market.
Certification is often the only way to do business with the UK government’s ministries and agencies. With a few exceptions, all government contracts must specify whether they require Cyber Essentials or Cyber Essentials Plus certification.
Cyber Essentials Plus Requirements
Cyber Essentials Plus certification requires a two-stage process. First, a company must earn the basic Cyber Essentials certification by implementing the program’s five technical controls.
Once a company documents its security controls and submits a self-assessment questionnaire to IASME, it will receive confirmation of Cyber Essentials certification within a few business days.
At that point, the company has three months to complete an IASME audit. Assessors will visit the company’s main office and several other facilities to evaluate systems within the certification’s scope. They will test every internet gateway and server, plus a random sampling of the company’s user devices.
How to Prepare
Britain’s National Cyber Security Centre provides many resources to help businesses through the certification process:
Cyber Essentials: Requirements for IT Infrastructure v3.1
This document describes how to define the scope of a company’s certification as well as the requirements for each security control.
Cyber Essentials Plus: Illustrative Test Specification v3.1
This document provides example specifications for testing security controls to demonstrate compliance.
Cyber Essentials Readiness Tool
This online resource asks a series of questions to help define an action plan for achieving Cyber Essentials certification.
Cyber Essentials Checklist
The following checklist will help your company prepare for the Cyber Essentials certification process.
Firewalls
Firewalls help prevent unauthorized access from external networks like the internet and limit unauthorized movement within a private network. Basic measures to ensure a company’s firewalls operate effectively include:
Do you block unauthenticated inbound connections by default?
Do you have a formal process for justifying, approving, and documenting changes to inbound firewall rules?
Have you replaced default admin passwords with strong passwords?
Have you removed unneeded or overly-permissive firewall rules?
Do you block internet access to the firewall’s administrative interface unless it is protected by additional authentication factors or restricted to a limited allow list of trusted IP addresses?
Have you deployed host-based firewalls on devices that access untrusted networks like the internet?
Secure Configuration
These controls reduce the attack surface of devices and prevent the use of weak passwords.
Have you deleted extraneous software from all systems?
Do you disable auto-run so that files are not executed automatically?
Have you removed old, redundant, or unneeded user accounts?
Have you replaced simple and default passwords with strong passwords?
Do you require user authentication by default before granting access to systems or data?
User Access Control
Access control requires verifying user identities and authorizing limited access to systems and resources.
Do you formally approve the creation of user accounts?
Do you promptly delete unneeded accounts?
Do you apply stricter standards to privileged accounts?
Do you restrict the use of privileged administrative accounts to administrative tasks?
Do you require privileged users to use separate accounts for email and other non-privileged activities?
Do you require unique credentials to authenticate users before granting access?
Do you use multi-factor authentication wherever possible — especially with cloud services?
Malware Protection
Companies have three options for protecting systems from the malicious software that hackers use to steal, corrupt, or encrypt data and to launch supply chain attacks:
Do you update anti-malware software daily, configure it to scan files and web pages automatically, and set it up to block connections to malicious websites?
Do you review and update application allow lists frequently, and do you prevent users from installing unsigned or unapproved applications?
Where you rely on sandboxing, does the sandbox isolate unknown code from protected resources and prevent it from accessing other sandboxed applications, data sources, the local network, and peripherals such as webcams?
Security Update Management
Since hardware and software vulnerabilities can appear anytime, update management is crucial to cybersecurity.
Do you only allow licensed and supported software to run on company systems?
Do you remove obsolete and unsupported software immediately?
Have you enabled automatic updates for applications, operating systems, and hardware?
Do you apply critical or high-risk patches (or those with a CVSS score of 7 or higher) within two weeks of their release?
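As an added example (not part of the original article or of any NCSC or IASME tooling), the following Python checks a constructed patch inventory against the rule in the last item: critical or high-risk updates, or any with a CVSS score of 7 or higher, must be applied within two weeks of release. The hostnames, dates and scores are made up, and the status names are this example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cyber Essentials: critical/high-risk updates (or CVSS >= 7.0) are due within 14 days of release.
PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0
HIGH_RISK_LABELS = {"critical", "high"}

@dataclass
class Update:
    asset: str                      # hypothetical hostname
    released: date                  # date the vendor published the update
    severity: str = ""              # vendor label, if any
    cvss: Optional[float] = None    # CVSS base score, if published
    applied: Optional[date] = None  # when the patch was installed, if at all

def in_scope(u: Update) -> bool:
    """Either the vendor label or the CVSS score pulls an update into scope."""
    by_label = u.severity.strip().lower() in HIGH_RISK_LABELS
    by_score = u.cvss is not None and u.cvss >= CVSS_THRESHOLD
    return by_label or by_score

def classify(u: Update, today: date) -> str:
    """Return compliant, applied-late, overdue, pending or not-in-scope."""
    if not in_scope(u):
        return "not-in-scope"
    deadline = u.released + PATCH_WINDOW
    if u.applied is not None:
        return "compliant" if u.applied <= deadline else "applied-late"
    return "overdue" if today > deadline else "pending"

def audit(updates: List[Update], today: date) -> Dict[str, List[str]]:
    """Group assets by status so the overdue list is ready for follow-up."""
    report: Dict[str, List[str]] = {}
    for u in updates:
        report.setdefault(classify(u, today), []).append(u.asset)
    return report

# Constructed sample inventory; "today" is fixed so the result is repeatable.
TODAY = date(2024, 3, 20)
INVENTORY = [
    Update("fw-01", date(2024, 3, 1), "critical", 9.8, date(2024, 3, 10)),
    Update("laptop-17", date(2024, 3, 2), "", 7.5),
    Update("srv-db", date(2024, 3, 12), "high"),
    Update("srv-web", date(2024, 2, 20), "moderate", 5.3),
    Update("laptop-04", date(2024, 2, 25), "critical", 8.1, date(2024, 3, 18)),
]

if __name__ == "__main__":
    for status, assets in sorted(audit(INVENTORY, TODAY).items()):
        print(f"{status:13} {', '.join(assets)}")
```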
Cyber Essentials Is a First Step to Security Compliance
Cyber Essentials provides an affordable path to security compliance for the United Kingdom’s small and medium-sized businesses. The program has been so successful that the United States Cybersecurity and Infrastructure Security Agency launched a similar effort to improve America’s small enterprise cybersecurity.
By design, Cyber Essentials addresses the modern threat landscape’s low-hanging fruit. More comprehensive security frameworks will improve a company’s security posture even further.
Drata’s automated compliance monitoring platform provides a flexible, scalable solution for startups and mid-sized companies that need to maintain compliance with Cyber Essentials, ISO 27001, and other security frameworks.
Book a demo to see how Drata’s security framework support can adapt and scale with your company’s requirements.