Certifying to Cyber Essentials Plus
Although many organisations pursue Cyber Essentials Plus (CE+) certification in order to meet public sector contract requirements, there are numerous other benefits to Cyber Essentials Plus. These are self-evident to most information security professionals, but in case you’re struggling for words, here they are.
Reassure customers that you are working to secure your IT against cyber attacks
The Cyber Essentials standard is a set of baseline technical and process controls designed to strengthen a company’s defences against the most common Internet-borne threats. CE+ is the audited version of the CE standard, which demonstrates to customers and other third parties that the required controls are indeed in place and working. Although CE+ does not provide the level of assurance an ISO 27001 audit or a penetration test would, it does cover the basics such as patching, network boundary protection and malware protection.
Besides being able to display the self-explanatory Cyber Essentials Plus logo on your website, you’ll be on the publicly available online NCSC list of CE+ certified companies.
You have a better picture of your organisation’s cyber security status
Whilst customer requirements are often the reason companies obtain CE+ certification, don’t discount its utility in gauging your company’s information security posture. Is your device and software inventory up to date? Are you confident no end-of-life (EOL) systems are in use? What about endpoint and perimeter protection for home workers? Have you updated your policies and processes to reflect the new reality of a larger proportion of staff working remotely? Is your Software Restriction Policy in place? Are your BYODs protected? The CE+ assessment, which is simple and often takes no more than one day, will help you answer all of the above questions.
Government contracts require Cyber Essentials certification
Government procurement requirements remain the most common reason for panicked customers scrambling to obtain CE and CE+ certification. Whether you’re planning to supply the NHS, deliver for the Justice Department or bid for a Commonwealth Games project, CE+ is very likely to be a requirement. While 100% of our customers have eventually passed the assessment, some have failed on their first attempt and ended up scrambling to remediate in time to meet the procurement deadline. Be prepared, and put your company in the best possible position to bid for government work when the opportunity comes, by getting CE+ sooner rather than later.
Use as leverage with management to sign off on much-needed infosec hardening
Struggling to convince your management or finance department to approve funds for a VPN or a Windows version upgrade? Is no one helping while you’re trying to manage the network, respond to incidents AND update policies and procedures for remote workers and BYOD use? Leverage the benefits of CE+ to get the long-needed expenditure approved. Plenty of our clients’ IT managers have been able to harden User Policies, introduce regular external and internal vulnerability scanning into their infrastructure and finally retire those Windows 7 and Server 2008 systems as part of preparation or remediation for CE+.
CE+ is not perfect, and some consider it inadequate. However, it is an independently verified standard that is a great starting point and is guaranteed to help you if your team sees it as an opportunity to harden your organisation’s cyber defences. Please remember that in order to achieve CE+ you must first complete CE certification.
Ready to take the next step towards certification?
Whether you need a little or a lot of assistance to reach certification, Risk Crew provides several service options to help you achieve this goal. We have been a CE certification body since the inception of the scheme, and we can certify organisations to both CE and CE+.