Cyber Essentials Plus

Services clients purchase before

Information Security Policies

Services clients purchase after

Network (External) Security Vulnerability Assessment

Factory Fact

243 days is the average amount of time a hacker is in a network before being discovered

Need some help?

Speak to the Risk Factory Foreman, and he'll tell you everything you need to know.

Call us on 0800 978 8139

Quote details

What is it?

Cyber Essentials is a scheme that has been developed by the Government and industry to help protect organisations against common online attacks. Cyber Essentials is mandatory for central government contracts advertised after 1 October 2014 which involve handling personal information and providing certain ICT products and services. It defines a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes and through the Assurance Framework it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.  There are two types of certification available, Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials Plus offers a higher level of assurance to customers, partners and other stakeholders that the organisation has implemented controls that meets the governments recommended base level of cyber hygiene. The assessment comprises of manual review and verification of your company’s submitted responses and associated evidenced. A vulnerability assessment would be conducted on your system to support the responses and evidences provided in your self-assessment. The rigorous nature of this assessment is due to your organisation using ICT services as a core deliverable rather than a business enabler. In the event that your organisation fails the assessment, it has 30 days to remediate the identified vulnerabilities and resubmit without charge.

 Cyber Essentials concentrates on five key controls. These are:

  • Boundary firewalls and internet gateways - these are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices either in hardware or software form is important for them to be fully effective.
  • Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation
  • Access control – Ensuring only those who should have access to systems to have access and at the appropriate level.
  • Malware protection – ensuring that virus and malware protection is installed and is it up to date
  • Patch management – ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor been applied.

How often should I do this?

The assessment process is a ‘snap shot’ in time and it can only be sure to be effective on the day of assessment as new vulnerabilities are continuously being identified. Organisations must maintain the principles of the scheme on an on-going basis (for example, ensuring that patching always occurs in a timely fashion and that malware protection is kept up to date) and not just prepared for assessment. As a minimum, to retain the certification, organisations must recertify annually.

What will Risk Factory do?

  • Conduct a verification of the self-assessment questionnaire
  • Assess whether an appropriate standard has been achieved and issue a pass or fail determination
  • Conduct a vulnerability assessment scan of the systems in scope of the certification  

What will I receive?

Once Risk Factory have completed an on-site assessment of your responses against the criteria and your organisation passes, we will then issue you a Cyber Essentials Plus Certificate of Compliance good for one year from date of issue. 

Is there anything I need to do in advance?

After placing the order with us you will be contacted by our Factory Foreman who will send you the application for you to complete and request the IP addresses associated with the systems and/or websites in scope of the certification. The questionnaire form must be completed and submitted with evidence for each response (screenshots).