Cyber Essentials Plus Certification Adds Value (Not Just Security) To Firms in London

“Last year, the average cost of breaches to large businesses that had them was 36,500. For small firms the average cost of breaches was £3,100. 65% of large organisations reported they had suffered an information security breach in the past year, and 25% of these experienced a breach at least once a month. Nearly seven out of ten attacks involved viruses, spyware or malware that might have been prevented using the Government’s Cyber Essentials scheme.” (Quoted from 2016 Government Cyber Health Check and Cyber Security Breaches Survey)

The recent cyber attacks have affected firms across the UK and globally. At Nittygritty, while we provide much of the security measures within your IT, having Cyber Essentials Plus (CE+) Certification reassures stakeholders within your value or supply chain that additional National Cyber Security Centre's mandated precautions have been taken Being listed on the NCSC 's directory of organisations awarded CE+ increases your audience and client potential. Many firms and the UK government will only work with CE certified firms. We're currently certifying clients who want certification ahead of the General Data Protection Regulation (GDPR) deadline in May. All the process and procedures that are recommended for GDPR receive an additional technology "checks and balances" with Cyber Essentials Plus. Its designed to button-up all the external internet facing infrastructure and user workstations, and an internal authenticated scan tests for robustness of security, patches, malware, etc. for each device type and build. So once your data is in compliance with GDPR, CE+ secures it. Its about a 4-6 week process, depending on the size of firm and well worth the effort.

By August Nazareth, Client Engagement

Cyber Essentials – How we do it

Cyber Essentials Plus certification by Nittygritty combines a thorough, objective audit, scoping and report on your IT security boundaries and controls regardless of whether you’re an existing client or have only engaged us to achieve CE+. To comply with the NCSC’s requirements, we work with a CREST-accredited partner to provide an onsite visit, internal vulnerability* and external scanning**. Upon successful passing of these tests, a CE+ certificate is issued. Depending on your firm, customers and future business acquisition efforts, there are two paths to take.

Cyber Essentials Plus

Cyber Essentials will permit you to work with the UK government and Cyber Essentials Plus will give you the opportunity to work with the MOD. You can find procurement details here. CE+ is also for companies who wish to illustrate for GDPR purposes that prescribed technical measures of security have been met.

Both cover all five security controls (secure configuration, boundary firewalls, access controls, patch management and malware protection) but CE+ includes an internal vulnerability scan and onsite visit. Nittygritty carries out an audit and scope of all IT systems resulting in a report that includes remedial action, upgrades, or new purchases (if any) to bring your infrastructure into compliance for Cyber Essentials Plus.

How the process works:

After we receive your purchase order, we schedule our NGneer® to visit and conduct an audit that is based on the CE self-assessment questionnaire.
We define the scope for testing.
Our NGneer® works through the audit, scope, provides a report and a discusses any remediation needed.
Our NGneer® completes the self-assessment questionnaire (SAQ). (Client is required to submit the SAQ)
Our partner informs us if the SAQ submitted meets the requirements of the Cyber Essentials scheme.
Our NGneer® reviews your systems for readiness, using our own scanning software. The next step is to schedule:

An on-site assessment
An internal vulnerability scan*
An external vulnerability scan**

Subject to a positive outcome, your CREST-accredited Cyber Essentials Plus certificate is issued and searchable on the National Cyber Security Centre’s directory.

Cyber Essentials

This service covers all the above steps but doesn’t include the onsite visit or internal vulnerability scan.

Other points of note:

Certification is valid for one year.
If a company wishes to upgrade from CE to CE+ within their certification period they will still have to go through the whole test process again. This is because the tests are only a snapshot in time.
All tests and the submission of the SAQ must be completed within a 14 day period. This includes any retests.
If a company has issues to remediate, then retests may show up new issues.
Additional support and IP packages can be bought to help companies through the certification process.
Customers will receive their certification within 10 days of passing

The Technical details:

* The tests are an authenticated internal scan, and a test of the security and anti-malware configuration of each device type/ build. The internal scan checks patch levels/system configuration, and the anti-malware/security test ensures the firm’s systems are resistant to web-downloadable binaries and malicious email attachments.

Tests are conducted on payloads, inbound email, inbound emails containing URLs linking to binaries and browser exploitation payloads. An authenticated vulnerability and patch verification scan is also conducted.

** Testing identifies vulnerabilities within a firm’s Internet-facing infrastructure/user workstations that are subject to cyber attackers with a low level of skill. An external full Transmission Control Protocol (TCP) port scan, top User Datagram Protocol (UDP) service scan and a vulnerability scan are conducted for the scoped IP range. A web application scan identifies common vulnerabilities.

prev back to news next

relevant