Our Journey to Cyber Essentials Plus

Over the past few months, we have been hard at work on becoming Cyber Essentials Plus certified. As we are now Cyber Essentials assessors, we wanted to share our journey so you can gain an insight into the process of the Cyber Essentials and Cyber Essentials Plus assessment. While each organisation's process may vary slightly based on the scope of their coverage, here’s a glimpse into our experience at Titan.

We began by downloading the Level 1 Cyber Essentials self-assessment question set from www.iasme.com, and the Cyber Essentials Requirements for IT Infrastructure from www.ncsc.gov.uk. Reading through the questions and requirements documents allowed us to create a plan to take on Cyber Essentials, including a list of checks to complete to make sure we were ready. Some of the actions we took included making sure all our kit was registered in an asset management tool so that we could update apps and monitor our operating system versions. For us, this meant cleaning up devices by removing unwanted software and ensuring that all of our systems, both physical and virtual, were up to date. This was crucial to meet the Cyber Essentials guidelines before moving on to the next stage of certification.

Next, we tackled the Level 1 Cyber Essentials, which is a self-assessment questionnaire. This covers areas such as the scope of the assessment, an overview of the team members managing our IT systems, and the security protocols and tools that we currently use to protect our digital assets. Luckily for us, we’ve been Level 1 Cyber Essentials certified for several years, so renewing our certification was relatively simple and we passed on the first try! However, if you’re taking on Level 1 Cyber Essentials for the first time, receiving extra support can make the process much smoother and help you avoid having to retake it.

Over the moon about passing our Level 1 Cyber Essentials, we went straight to work and engaged a Cyber Essentials Plus certification body to conduct our Level 2 assessment.

However, like many things in life, things didn’t go exactly as planned...

A significant part of the Cyber Essentials Plus assessment involves a vulnerability scan of a sample of the in-scope devices. Any discovered vulnerabilities are ranked using the Common Vulnerability Scoring System (CVSS), which rates information security vulnerabilities on a scale from 1 to 10. This scan identified a few minor vulnerabilities within our systems. Fortunately, these weren't significant enough to cause us to fail the assessment, and our assessors were fantastic in helping us understand the vulnerabilities and how to address them.

Now for the moment of truth, drum roll please…

🥁 🥁 🥁

We passed!

After the thrill and relief of passing the Cyber Essentials Plus assessment, we received a detailed report of all the findings. This report was incredibly useful in identifying areas for improvement and highlighting where we are already doing well.

Now that we are Cyber Essentials Plus accredited, we can proudly demonstrate to other businesses and partners our serious commitment to protecting digital assets, with a certification backed by the NCSC. The process was a great reminder that all organisations (even cyber security companies!) can benefit from having their processes, procedures and technology put to the test.

Not only did we pass the Cyber Essentials Plus assessment, but we are now qualified Cyber Essentials assessors and can support other businesses in achieving their Cyber Essentials or Cyber Essentials Plus certification. We've really enjoyed our journey to becoming Cyber Essentials Plus certified and look forward to supporting other businesses through the process.

If you are interested in starting your Cyber Essentials journey with us, please visit our website or reach out to one of our Cyber Security Titans at the links below:

Cyber Essentials Plus — Titan Labs (titan-labs.co.uk)

Contact Us — Titan Labs (titan-labs.co.uk)
