How Do the Cyber Essentials and Cyber Essentials Plus Assessments Work?

Top tips to achieve Cyber Essentials certification from our cyber security assessor

How can you sail through your Cyber Essentials and Cyber Essentials Plus assessments?

How can you prepare? What support can you expect from an assessor? What does the ‘technical audit’ for Cyber Essentials Plus involve, exactly? And what are some common pitfalls?

We put these questions to cyber security advisor Ash Brett, who has carried out hundreds of Cyber Essentials Plus assessments.


In this interview


SAQ (self-assessment questionnaire)

Previously, you said that Cyber Essentials [Basic] involves completing an independently verified SAQ. Could you tell us a bit more about that?

Every applicant must complete an SAQ as part of their Cyber Essentials assessment. The questions are freely available on the IASME website.

For Get A Little Help and Get A Lot Of Help customers, we typically have a call where we go through their SAQ answers. We [assessors] then provide feedback.

What might that feedback look like?

I usually go over the SAQ by asking the customer to share their screen. I then advise on what changes they need to make to pass their assessment – for example, I might highlight out-of-date devices.

Ash might highlight this on an answer to questions like the above.
Screenshot taken from the Montpellier (v3.1) question set.

If the customer makes the changes there and then, they can submit the assessment and I can pass them.

Otherwise, we’ll schedule a follow-up call to go through the questionnaire again after they’ve made the changes.

When would this call take place? How long after the initial [pre-engagement] call?

That depends on how long it takes the customer to complete their SAQ. I typically tell customers during the pre-engagement call to let me know via email when they’re ready, so we can set up a call to go through their answers.

You can presumably spot an issue like an out-of-date device when the customer lists their devices [such as in response to the question in the screenshot above]. How do you verify their responses to questions around the five technical control areas?

We [assessors] have a marking guide, which outlines what we need to look for with the open questions.

As Cyber Essentials is ‘black and white’ in nature, we’re looking for certain specific responses to indicate compliance. This is different to frameworks such as ISO 27001, which are more risk-based – compliance depends on whether your controls are appropriate to the risks identified.

As to the yes–no questions, we look for any contradictions in the applicant’s answers. The responses will be marked as ‘compliant’ where ‘yes’ has been selected, and we don’t see contradictions.


Preparing for Cyber Essentials Plus

Following Cyber Essentials certification, applicants can progress to Cyber Essentials Plus certification. Do they have to resubmit the SAQ as part of that process?

The applicant doesn’t need to recomplete the SAQ, but we [assessors] do check if anything’s changed between the two assessments. Particularly in terms of scope – new servers or devices, for example, but it might also be a change like different antivirus software.

Are scope changes between the two assessments common?

Yes. Often, end-user devices, servers or mobiles have changed since the Basic assessment.

And changes are fine! We get that organisational assets are constantly changing. But for assessment purposes, those changes must be noted in the Cyber Essentials Plus report, which highlights differences in scope between the Cyber Essentials and Cyber Essentials Plus assessments.

That’s why we recommend that customers track these changes, and let their assessor know about them before [Cyber Essentials Plus] assessment day rolls around – ideally during the pre-engagement call.

This makes for a much smoother, less stressful experience for all parties. Especially for the customer.

Is this a pre-engagement call specific to Cyber Essentials Plus?

Yes, that’s when I go over the Cyber Essentials Plus scope with the customer, and we set up the internal vulnerability scans. [These are part of the technical audit specific to the ‘Plus’ tier.]

We run those scans daily, up until the day of the assessment, so customers can fix vulnerabilities before assessment day. A clean scan on the day just makes things less stressful for everyone.

We also ask the customer to fill in the asset list template before their pre-engagement call [we send this template in the pre-engagement call invitation]. From that asset list, I select a random sample for the assessment.

How quickly should organisations progress to Cyber Essentials Plus, following their Cyber Essentials pass?

Keep that window between Cyber Essentials and Cyber Essentials Plus as short as possible to minimise scope changes.

I’d get the ball rolling immediately after getting your Cyber Essentials certification, as it can take a few days to install Qualys [the vulnerability scanning software].

What other tips can you give to prepare for the assessment?

Make good use of your pre-engagement call. It’s your chance to speak to an experienced assessor before assessment day – use it to ask questions or raise concerns.

I’d also advise your staff before the assessment that someone will be accessing their device that day – user testing is another part of the assessment. You’ll slow down the assessment process if you’re not organised on the day.

Plus, make sure the correct people are available on the day:

  • A technical person, who can make any changes required if the scans uncover an issue.
  • Anyone who needs to demonstrate a critical control. There’s nothing worse than finding out the person who needs to show that MFA [multifactor authentication] has been implemented is on holiday that day!

[Further reading: Ash shares more practical tips for Cyber Essentials in this blog.]


Internal vulnerability scans

Can you take me through assessment day itself?

The first thing I’ll do is run through the internal scans [Qualys] to make sure they’re clean.

Again, these are run every day between the pre-engagement call to assessment day, and the customer gets a daily report, breaking down any vulnerabilities identified by device:

Redacted example of part of a vulnerability report for a client. It orders vulnerabilities by severity and groups them by device. The report also provides CVSS scores and recommended remediation.

This gives organisations a chance to remediate vulnerabilities before the assessment. Again, we run these daily – ideally for a full week before the assessment date.

If the scan still shows any remaining vulnerabilities on assessment day, I’ll go through them with the client, and advise on how to remediate them if they’re struggling.

Again, the ideal is for the scan to be clean by this point – and many clients have fixed all higher-risk vulnerabilities by assessment day – but it can happen that the customer isn’t sure how to fix something.

That’s where we can provide guidance, but we don’t apply the fix ourselves. So, make sure you have someone technical available for your assessment.

What are common vulnerabilities left open at that late stage?

A lot of them are things like adding registry key fixes.

These prevent vulnerabilities like Sweet32 from being exploited. That’s a vulnerability where, in Windows, unless you restrict certain ciphers, a threat actor can recover some plaintext if encrypted with a weak cipher.

Adding a registry key prevents that insecure encryption method or protocol – 3DES [Triple Data Encryption Standard] – from being used.

Any other common vulnerabilities?

Another common one is around Microsoft Teams updates.

Teams installs into AppData [a hidden folder that contains information applications like Teams need] for every active user profile. This can cause problems for rarely used admin accounts, which often have older Teams clients in their AppData folders.

I usually point out the installation path to the customer, showing them which account is using the out-of-date version. The customer can then remove or update Teams on that account.


External vulnerability scan

That’s the internal scan part of the assessment. What about the external scan?

I run the external vulnerability scan only on the day of the assessment.

I get the customer’s permission to run this scan of external [public-facing/Internet-facing] IP addresses from the permissions form we send out in advance.

Like with the internal scans, the external scan will also generate a report.

What do you recommend in terms of remediation order? Should customers address vulnerabilities by device or by severity?

Well, all vulnerabilities need to be remediated to get that Cyber Essentials pass, but I’d address the highest-risk ones first. So, I’d go through them by CVSS [Common Vulnerability Scoring System] score.


Finding this interview useful? To get notified of future
Q&As and other free resources like this, subscribe to
our free weekly newsletter: the Security Spotlight.


Device and MFA testing

Apart from the internal and external scans, what other tests or checks are involved with the technical audit in Cyber Essentials Plus?

Three elements:

  1. Device testing via screenshare
  2. Mobile device checks via screenshots
  3. MFA testing [for Cloud services holding organisational data]

Take me through them. What does device testing involve?

A lot of it is verifying the five overarching technical controls from the SAQ.

We have specific tests for each. We check, for example:

  • The firewalls on the machine – are these enabled and up to date?
  • The antivirus [or anti-malware] software – is it up to date?
  • That account separation is in place for access control.

We do these tests via a screenshare.

Who selects the devices to test? I assume you only check a sample of devices, not all the devices within scope.

Yes, we select a sample of devices for each operating system in scope.

We randomly select devices from the customer’s asset list. While random sampling can be more time consuming, we believe it makes the assessment fairer. The assessment will also be a more accurate reflection of whether the controls are working properly.

What percentage of in-scope devices do you test?

The assessment isn’t percentage-based, but based on the number of devices – what range you fall into.

Assessors work from a standard table. So, if a customer only has five devices in scope, you’d test two of them. But an organisation with hundreds of devices would have just five of those devices tested.

Does the same apply for mobile devices checks?

Yes, those are done via sampling too.

But we check them via screenshots. Customers need to provide three different screenshots of each mobile device type they use. These must show:

  1. That apps are up to date;
  2. That user certifications are up to date; and
  3. That the mobile operating system – Android or iOS – is up to date.

Finally, how does MFA testing work?

Those tests are for the Cloud services.

All Cloud services holding organisational data need to have MFA enabled to pass the Cyber Essentials assessment, so your assessor will need to check this for each Cloud service listed on the SAQ.

You can speed up this process by implementing SSO [single sign-on] where possible. That enables users to securely authenticate with multiple applications. Microsoft Entra SSO [with Office 365] is compatible with most popular Cloud services.

As the assessor, I’d then only need to see the Office 365 admin account and search for the services under Enterprise Apps to get the information I need. This massively speeds up the process.


Looking to get Cyber Essentials certified?

Trust a company that has issued more than 7,000 certificates and has received a ‘world class’ NPS (Net Promoter Score) of +100.

IT Governance is one of the founding Cyber Essentials certification bodies and remains one of the largest in the UK. We can offer practical advice on your Cyber Essentials implementation and/or certification project, as well as more in-depth discussion and additional support.

Our range of packages cater to a wide variety of needs.


About Ashley Brett

Ashley ‘Ash’ Brett is an experienced cyber security advisor who has carried out hundreds of Cyber Essentials Plus assessments.

He also provides Cyber Essentials consultancy, helping customers become compliant.

On top of that, Ash is a product evangelist for IT Governance, creating and sharing interesting content related to Cyber Essentials on social media.

Previously, we interviewed Ash about key differences between Cyber Essentials and ISO 27001, and our Cyber Essentials solutions. He’s also shared his insights into access control, and its importance for both Cyber Essentials and ISO 27001.


We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter.

Alternatively, explore our full index of interviews here.

Leave a comment

Your email address will not be published. Required fields are marked *