January 3, 2024

Reading Time: 4 minute(s)

Cyber Essentials Plus: What is It and How Can It Help My Business?

January 3, 2024

Table of Contents

Last Updated on January 17, 2024

Originally created by the UK government and later rebranded by the US Critical Infrastructure Security Agency (CISA), Cyber Essentials is a foundational cybersecurity framework for SMBs and other businesses across verticals. It establishes “the starting point to cyber readiness” designed to protect organizations from about 80% of the most prevalent cyberattacks, including phishing, ransomware, and other malware.

Cyber Essentials requires organizations to complete a self-assessment questionnaire that demonstrates they have put the basic cybersecurity controls in place. Cyber Essentials Plus gives businesses the option to provide a third-party attestation that they have met the Cyber Essentials requirements.

This article explains how Cyber Essentials Plus and Cyber Essentials work so you can decide if either choice could help your business.

What is Cyber Essentials Plus?

Both Cyber Essentials and Cyber Essentials Plus describe the same five best-practice cybersecurity controls. When implemented correctly, these five controls provide foundational security capable of blocking or reducing the impact of about 80% of today’s common cyberattacks. The program has been highly successful in the UK and is now available in the US through CISA.

The only difference between Cyber Essentials and Cyber Essentials Plus is the certification/attestation method. While Cyber Essentials relies on a self-assessment questionnaire, Cyber Essentials Plus requires a third-party audit.

This gives Cyber Essentials Plus a higher level of assurance and peace of mind for clients, regulators, business partners, management, investors, and other stakeholders.

Which Cyber Essentials certification level is right for my business?

To obtain a Cyber Essentials certification, a business that has the required controls in place just needs to complete a self-assessment questionnaire. This choice is best for companies that need a basic security certification to show stakeholders that they have the most essential cybersecurity capabilities in place.

For organizations that want a stronger level of security attestation, Cyber Essentials Plus requires an audit from an accredited third party to confirm that essential cybersecurity controls are in place and operating effectively.

Cyber Essentials Plus may be a good choice for organizations:

In regulated or critical infrastructure industries
That need to address special risks like a remote workforce or third-party access to critical IT systems
Whose customers are asking for stronger security attestation

What are the five Cyber Essentials controls?

The five basic security controls that Cyber Essentials and Cyber Essentials Plus require include:

A firewall to secure your internet connection
Access controls to prevent unauthorized access, privilege escalations, etc.
Malware protection for endpoints
Defining and implementing secure configurations for software and devices
Timely patch management to eliminate vulnerabilities

These essential controls allow organizations to develop a proactive risk management approach by ensuring you know:

What devices are connected to your network
What applications are running in your environment
Who has access to those applications
What cybersecurity controls are operating

By applying and maintaining these controls, organizations can safeguard sensitive data from many common cyberattacks, including phishing, ransomware, and other malware.

What are the key elements of a Cyber Essentials Plus external audit?

When your organization undergoes a Cyber Essentials Plus external audit, you can expect the following:

An auditor will select a representative sample of systems in your organization and will audit those to ensure that devices are configured as per your policy.
The auditing organization will perform a vulnerability scan on the sample computers to confirm that patching is up to date and basic configurations are at an acceptable level.
The auditing organization will conduct an external port scan of your internet-facing IP addresses to search for obvious misconfigurations or other known vulnerabilities.
The auditing organization will conduct a test on your default email/web browser to confirm they are properly configured to block the execution of malicious files.
An auditor will take screen shots as evidence that your environment is Cyber Essentials compliant.

How can a Cyber Essentials Plus audit help my business?

Cyber Essentials and Cyber Essentials Plus are quickly becoming a de facto US standard for essential best-practice cybersecurity as they have in the UK. A certification may increasingly be required or helpful for many public sector contracts. Many private sector organizations are also requiring their suppliers to comply with Cyber Essentials or Cyber Essentials Plus.

Reasons to consider attaining a Cyber Essentials Plus certification include:

Stronger cybersecurity with the ability to prevent common attacks.
Improved supply chain security.
Improved ability to reassure customers and other stakeholders that you are actively working to secure your IT against attacks.
Competitive differentiation and greater ability to attract new business.
Clarity and insight into the performance of your cybersecurity measures.
Some US government contracts require Cyber Essentials or Cyber Essentials Plus certification.

How do we get Cyber Essentials certified?

US companies seeking Cyber Essentials readiness can start with CISA’s Cyber Essentials Starter Kit, which provides “the basics for building a culture of cyber readiness.”

Working with the starter kit can help you create an action plan to move your organization toward the Cyber Essentials requirements. The action plan includes links to specific guidance on how to meet the requirements.

Other recommendations from CISA on how to begin developing a culture of cyber readiness include:

Put a backup solution in place that automatically backs up sensitive data and system configurations.
Require multifactor authentication (MFA) whenever possible to access your systems, starting with privileged, administrative, and remote access users.
Enable automatic updates to software where possible. Replace unsupported hardware, applications, and systems. Minimize the lead time to test and deploy patches.

What’s next?

Cyber Essentials Plus is an effective way to ensure that your organization is protected against the most common cyber threats. It not only provides peace of mind but also helps in attracting new business and fulfilling government contract requirements.

To connect with an expert about Cyber Essentials Plus and what it will take for your business to get certified, contact CBIZ Pivot Point Security.

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

Cyber Essentials Plus: What is It and How Can It Help My Business?

What is Cyber Essentials Plus?

Which Cyber Essentials certification level is right for my business?

What are the five Cyber Essentials controls?

What are the key elements of a Cyber Essentials Plus external audit?

How can a Cyber Essentials Plus audit help my business?

How do we get Cyber Essentials certified?

What’s next?

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

ISO 42001: What are the Key Elements of an AI Management System?

ISO 42001, ISO 27001 and ISO 27701: Is This the New “Big 3” for Provably Secure and Compliant AI?

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

How can we help you?

Services

Compliance

Insights

Pivot Point Security