Cyber Essentials Plus

Cyber Essentials Plus is the highest level of certification offered under the Cyber Essentials scheme. It is a more rigorous, standards-based technical audit of your organisation's Cyber Security controls, in which our Cyber Security experts carry out vulnerability tests to confirm that your organisation is protected against common, low-skill hacking and phishing attacks.

Cyber Essentials Plus is the second step in the UK Government's Cyber Essentials programme and is a technical security audit of your environment. It builds on the base-level Cyber Essentials accreditation with a technical review of a sample set of your workstations and an internal vulnerability scan of the systems in that sample. If you want to be best prepared for your audit, we strongly recommend following our simple guide to running your own authenticated vulnerability scan. You can find out more about the tests performed in the audit in our audit guide.

Gaining Cyber Essentials Plus certification also enables organisations to showcase their credentials as trustworthy and secure when it comes to Cyber Security.


Get Cyber Essentials Plus Now
Pick a Plan.

  • AUDIT ONLY CYBER ESSENTIALS PLUS

    Technical Audit Only

    Guide Price

    £ 1500

    Up to 10 Users

    • You need to have CE already
    • Single external vulnerability scan
    • Technical assessment of your environment
    • One assessment only, pass or fail.
  • ASSISTED CYBER ESSENTIALS PLUS

    Assisted Technical Audit

    Guide Price

    £ 2500

    Up to 10 Users

    • You need to have CE already
    • Technical assessment of your environment
    • Multiple external vulnerability scans
    • Multiple internal vulnerability scans
    • 4 hours of pre-audit assistance
    • Up to three retests
  • MANAGED CYBER ESSENTIALS + PLUS

    Guided by Peter, our CEO

    Guide Price

    £ 4000

    Up to 10 Users

    • CE and CE Plus
    • Includes at least 5 days of Peter's time
    • CE audit and Gap Analysis
    • Peter completes your questionnaire
    • Marked by the team within 1 hour
    • External Vulnerability Scans
    • Internal Vulnerability Scans
    • No need for retests


Frequently Asked Questions

  • Do I need Cyber Essentials to bid for a UK Government contract?

    Some Government contracts may require you to be Cyber Essentials certified or to be able to demonstrate that the technical controls are in place. In the first instance please confirm with the Government department their expectations with regards to Cyber Essentials. Requirements and exemptions may vary between department, so it is important that you are able to seek clarification for each contract.

  • My organisation is not based in the UK. Can I still obtain Cyber Essentials certification?

    Yes, organisations overseas are able to get certificates.

  • Who will conduct the assessments for Cyber Essentials and Cyber Essentials Plus?

    Only certification bodies that have been trained and are currently licensed by IASME to certify against the government's Cyber Essentials scheme can undertake assessments and issue certificates. Hedgehog Security assessors and auditors are IASME trained and Hedgehog Security is licensed to deliver Cyber Essentials and Cyber Essentials Plus certifications.

  • Can we run the authenticated scan prior to the test to save time?

    Yes, this is possible. Our article at https://hedgehogsecurity.co.uk/cyber-essentials-plus/credentialed-scan-guide tells you how to install Nessus on a system, how to run the authenticated scan and how to share the results with us.

  • How are Cyber Essentials assessments verified?

    A board member from the organisation signs a declaration to confirm that the assessment answers are true. A qualified assessor who works for a Certification Body then evaluates the responses.

    In the event that you pass you receive a certificate. If you fail, you will receive feedback so you know which areas need to be addressed should you either want to re-apply for Cyber Essentials certification or take the opportunity to improve your Cyber Security.

  • How is the questionnaire assessed?

    Your questionnaire will be marked against the strict criteria set out by the IASME Consortium, via the online portal, by one of our Hedgehog Security assessors.

  • What is a "Sample" of our network?

    When performing a Cyber Essentials Plus audit, the number of machines we test depends on the size of the organisation. We must test a sample of each type of device on the network to confirm Cyber Essentials compliance. The goal is to test a sample that represents 90% of the organisation's devices.

    A type of device is a grouping of systems running the same operating system at the same version; for example, all devices running Windows 10 Pro version 1903 are one type, and all devices running Windows 10 Pro version 2004 are another type.

    Of each type, a set number of devices must be tested.

    For example: if an organisation has 50 Windows 10 1903 desktops, 30 MacBook Pro laptops running macOS Catalina and 10 Windows Server 2016 servers, we would test 4 desktops, 4 MacBooks and 3 servers.
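    The grouping described above (one "type" per operating system and version) is easy to get wrong by hand on a large estate, so here is an added example, written for this page and not code from Hedgehog Security or IASME, that builds the types from a device inventory, sizes the sample per type and flags any build that the scheme treats as an instant fail because it is out of support. The inventory is constructed, the hostnames are fictional, and the sample-size bands are an assumption chosen only so that they reproduce the worked figures above (10 servers -> 3, 30 laptops -> 4, 50 desktops -> 4); the end-of-life table lists only the builds this page names.

```python
"""Pre-audit helper for Cyber Essentials Plus sampling.

Added example: groups an in-scope inventory into device 'types' (same OS at the
same version), sizes the test sample per type, and lists devices whose OS build
has passed end of life.  Inventory, hostnames and sample bands are constructed
or assumed for illustration, not figures published by the certification body.
"""
from collections import Counter
from datetime import date

# Constructed inventory: (hostname, OS name, OS version/build). Fictional hosts.
INVENTORY = [
    *[(f"desk-{i:02d}", "Windows 10 Pro", "1903") for i in range(50)],
    *[(f"mbp-{i:02d}", "macOS", "10.15 Catalina") for i in range(30)],
    *[(f"srv-{i:02d}", "Windows Server", "2016") for i in range(10)],
    ("legacy-01", "Windows 7", "SP1"),
    ("legacy-02", "Windows Server", "2008 R2"),
]

# Builds this page identifies as unsupported (end of life 14 January 2020).
# Only the page's own examples are listed; extend from vendor lifecycle data.
END_OF_LIFE = {
    ("Windows 7", "SP1"): date(2020, 1, 14),
    ("Windows Server", "2008"): date(2020, 1, 14),
    ("Windows Server", "2008 R2"): date(2020, 1, 14),
}

# ASSUMED sample-size bands as (upper_bound_inclusive, devices_to_test). They are
# chosen only to reproduce the page's worked example (10 -> 3, 30 -> 4, 50 -> 4);
# substitute the table your certification body uses before a real audit.
ASSUMED_SAMPLE_BANDS = [(1, 1), (5, 2), (10, 3), (50, 4), (float("inf"), 5)]


def device_type(os_name, os_version):
    """A 'type' is one OS at one version/build, e.g. 'Windows 10 Pro 1903'."""
    return f"{os_name} {os_version}"


def sample_size(count, bands=ASSUMED_SAMPLE_BANDS):
    """Devices of one type to test, looked up from the band table."""
    if count <= 0:
        return 0
    for upper, size in bands:
        if count <= upper:
            return min(size, count)
    raise ValueError("bands must end with an open upper bound")


def plan_sample(inventory, bands=ASSUMED_SAMPLE_BANDS):
    """Return {type: (device_count, devices_to_test)} for every type in scope."""
    counts = Counter(device_type(os_name, ver) for _, os_name, ver in inventory)
    return {t: (n, sample_size(n, bands)) for t, n in sorted(counts.items())}


def unsupported_devices(inventory, today=None, eol=END_OF_LIFE):
    """Hosts whose OS build is past end of life on `today`.

    Any hit is an instant fail unless every such device is covered by paid
    Extended Security Updates, as the FAQ below explains.
    """
    today = today or date.today()
    return [host for host, os_name, ver in inventory
            if (os_name, ver) in eol and eol[(os_name, ver)] <= today]


if __name__ == "__main__":
    for dev_type, (n, k) in plan_sample(INVENTORY).items():
        print(f"{dev_type:<28} {n:>3} devices -> test {k}")
    print("unsupported:", unsupported_devices(INVENTORY, today=date(2022, 1, 28)))
```

    Run it against an export from your own asset register (one row per device with OS name and version) and fix the unsupported list before booking the audit; the sample plan tells you which builds the assessor will want hands-on access to.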

  • How do I renew?

    You can renew by clicking on the suitable plan above. Please be aware that the scheme changed considerably as of January 28th 2022, so review the current requirements before resubmitting.

  • Do I need Cyber Essentials to bid for a Gibraltar Government contract?

    Some Government contracts may require you to be Cyber Essentials certified or to be able to demonstrate that the technical controls are in place. In the first instance please confirm with the Government department their expectations with regards to Cyber Essentials. Requirements and exemptions may vary between department, so it is important that you are able to seek clarification for each contract.

  • How long will it take between submitting our online SAQ and receiving our certificate?

    For Cyber Essentials, it is possible to get from application to certification within a day or two, depending on your current security setup and speed of action. However, most organisations take about a fortnight to complete the assessment. It will take longer for Cyber Essentials Plus clients, who also need to arrange the on-site visit for the internal security assessment and successfully complete the external scan.

  • What is required for certification to Cyber Essentials Plus?

    Cyber Essentials Plus provides a more advanced level of assurance and includes a technical audit of the systems that are in scope for Cyber Essentials. Organisations applying for Cyber Essentials Plus must also pass an on-site assessment and an internal vulnerability scan (these can be performed remotely in certain instances), plus an external vulnerability scan conducted by the certification body.

  • Why should we get a Cyber Essentials certificate?

    The scheme sets out five basic security controls to protect organisations against around 80% of common cyber attacks, allowing you to focus on your core business objectives. Benefits of the Cyber Essentials scheme include reassuring customers that you take Cyber Security seriously as well as attracting new business with the assurance that you have Cyber Security measures in place.

    Cyber Essentials is designed to help organisations of any size demonstrate their commitment to Cyber Security, all while keeping the approach simple and the costs low. If you supply, or want to supply, larger organisations that manage their third-party risks properly, the independent verification of your security posture provided by certification offers assurance that you will not endanger the supply chain. Many government contracts require Cyber Essentials certification, so check the requirements of each contract you bid for. The UK Ministry of Defence mandates Cyber Essentials for all its new suppliers and their relevant supply chains. Cyber Essentials certification now includes cyber liability insurance for any UK organisation that certifies the whole organisation and has less than £20 million annual turnover (terms apply).

  • Can we still use Windows 7?

    No, this would be regarded as an instant fail as the software is unsupported (Windows 7 went End of Life on 14/01/2020).

    In circumstances where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that is unsupported, this will be considered permissible, because the software is then still receiving security updates.

  • What is the difference between Cyber Essentials and Cyber Essentials Plus?

    Cyber Essentials is a verified self-assessment questionnaire completed by your organisation that clearly demonstrates your organisation's compliance with the Cyber Essentials scheme.

    Cyber Essentials Plus is an audit of your network, and is a validation that the information provided in the Cyber Essentials questionnaire is correct and accurate.

  • What is required for certification to Cyber Essentials?

    Organisations complete the IASME self-assessment questionnaire (SAQ). This must be verified and signed off by a member of the board or an equivalent signatory. It is then independently verified by a certification body trained and licensed to certify against the government’s Cyber Essentials scheme.

  • Can we still use Windows Server 2008?

    No, this would be regarded as an instant fail as the software is unsupported (Windows Server 2008 and 2008 R2 both went End of Life on 14/01/2020).

    In circumstances where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that is unsupported, this will be considered permissible, because the software is then still receiving security updates.

  • What is the Scope?

    The scope section of the document captures additional information about the network that is to be certified. Whatever is included in the scope is the set of devices that are certified under the Cyber Essentials scheme. When filling out the scope section of the document, consider the following:

    • What area of the organisation is to be covered by Cyber Essentials?
    • The whole company?
    • A specific location? For example, if you have offices in the US and the UK, is it only one site?
    • A specific office or department, for example, finance?
    • What devices are covered in the scope?
    • Additional network devices such as routers, switches, servers, etc.
    • Machines on the network such as laptops, desktops and mobiles.
    • Devices in scope must include their version numbers, such as Windows 10 1909.
    • Are there any third-party IT management systems or providers used by the company?
    • Does the company use any cloud systems as part of its operation, such as Dropbox or Gmail?

  • Do I have to obtain the first level of Cyber Essentials before going on to Cyber Essentials Plus?

    Yes, you need to have a Cyber Essentials certificate before you are able to be assessed for Cyber Essentials Plus. However, we can run both assessments side by side.

Certification

Hedgehog Security places great emphasis on the quality, reliability, and security of the services it offers. We are accredited by CREST, the Council for Registered Ethical Security Testers, and are authorised to deliver Cyber Security Consulting along with Penetration Testing, Vulnerability Scanning and IT Health Checks.
