Everything you need to know about: Cyber Essentials
Mark Rennie
A complete guide to Cyber Essentials, the steps to accreditation, and the benefits
Vambrace. Reading time: 8 minutes
- Jurisdiction: UK
- Applicable business / industries: Any
- Difficulty: Low / medium
- Status: Voluntary (but often required for public sector contracts)
- Renewal: Annual
Introduction to Cyber Essentials
Cyber Essentials is a security accreditation developed by the National Cyber Security Centre and backed by the UK government. Its objective is to help organisations protect themselves against common online threats. The program has been a great success, and around 200,000 businesses are now certified.
At Vambrace our opinion is that all businesses should strive to attain Cyber Essentials certification. It is well established, cost effective, and most importantly, is proven to enhance protection against cyber threats. 92% fewer insurance claims are made by organisations with Cyber Essentials controls in place.
There are two levels: ‘Cyber Essentials’ and ‘Cyber Essentials Plus’. Both use the same control framework and self-assessment questionnaire, with ‘Plus’ adding external technical audit. This audit checks that these controls are in place.
Although there is no legal obligation to comply, Cyber Essentials provides organisations regardless of their size or type with a practical framework for optimising their security controls and enhances their protection against common cyber threats.
The Cyber Essentials five key control areas
Control 1: Secure Configuration
Endpoints and network devices are rarely secure in their out-of-the-box configurations. They often contain weak points such as administrative accounts with predetermined passwords or pre-enabled and unnecessary user accounts, applications, or services. Secure configuration means:
- Removing or disabling unnecessary software and services that are not required for business operations.
- Changing default settings and replacing default passwords with strong, unique credentials.
- Restricting user accounts and privileges, and authenticating where necessary, so that users have only the access they need for their roles.
- Disabling auto-run and auto-play features to prevent software from automatically running from USB drives or other external media sources to reduce malware risks.
- Regularly reviewing configurations and updating system settings so that they remain secure and compliant.
Control 2: Malware Protection
Prevent malware from being introduced through malicious email links, websites, or removable media. Effective malware protection reduces the risk of data loss and ransomware.
- Use anti-malware software and keep it up to date. You should update signature files at least daily either through automated updates or with a centrally managed deployment.
- Use application white-listing to only allow approved applications to run, blocking all others by default. An authorised individual must actively approve such applications before deploying them to devices and the organisation must maintain a current list of approved applications.
- Implement sandboxing to run applications and code of unknown origin in isolated environments, preventing them from accessing other resources.
- Restrict user permissions / ensure users have appropriate access rights based on their roles to prevent unauthorised software installation and to limit lateral movement in the event of a breach.
Control 3: User Access Control
Administrative accounts are used to make considerable changes to IT systems. If a malicious party can compromise an administrative account, an attack can be accelerated significantly, making it harder to contain.
- Assign user accounts individually by having a defined user account creation and approval process. Ensure every employee has a unique, identifiable user account. Avoid shared accounts.
- Use the principle of least privilege and give users only the access rights they need for their jobs. Make sure to authenticate them before allowing access to applications or devices.
- Control administrator accounts by having separate accounts for administrative tasks and standard work. Activities such as emailing and web browsing can expose administrative privileges.
- Review user access and check user accounts regularly, especially after role changes or when employees leave, and remove or adjust access as needed.
- Use strong authentication to protect all accounts with strong, unique passwords. Where possible, implement multi-factor authentication (MFA), especially for admin accounts and remote access.
Control 4: Firewalls
Protect every device connected to the Internet with a hardware or software firewall. Ensure network traffic is monitored, and that unauthenticated or unknown traffic is blocked by default.
- Use boundary firewalls at the network's edge to filter traffic between your network and the Internet, preventing attackers from gaining unauthorised access to systems.
- Configure firewalls to only allow traffic necessary for business needs. The firewall should block all other inbound and unnecessary outbound connections.
- Replace the firewall's default passwords with strong, unique ones.
- Restrict access to the firewall's administrative interface and protect it with either a second authentication factor, such as a one-time token, or an IP whitelist that limits access to a small range of trusted addresses, ideally from inside the network.
- Ensure personal firewalls are active on all devices, especially mobile or remote ones that connect from outside an office or are used on untrusted networks.
- An authorised individual should document firewall rules and keep records of their configuration and any changes made.
Control 5: Security Update Management
Your licensed software will almost certainly receive regular updates (known as patches) to address security issues and bugs. Applying these before a malicious party can exploit the underlying flaws is essential.
- Keep all software up to date: make sure it is licensed, and that the latest security updates for all operating systems, applications, and firmware are installed as soon as they are released.
- Enable automatic updates where possible to install these updates automatically, reducing delays and the chances of missing crucial patches.
- Patch quickly – apply critical security patches within 14 days of their release. This is especially true for patches that fix remote vulnerabilities. Enabling automatic updates will assist you here.
- Remove unsupported software or operating systems that a vendor no longer supports. They will no longer receive security updates.
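As an added illustration (not part of the original article or of any Vambrace tooling), a small Python check that applies the two rules above to a constructed software inventory: it flags packages whose available security fix is more than 14 days old, and software that is past its vendor support date. Hosts, package names, versions and dates are invented for the example.

```python
from datetime import date

# Cyber Essentials expects critical and high-severity security updates to be
# applied within 14 days of release, and unsupported software to be removed.
PATCH_WINDOW_DAYS = 14

# Constructed sample inventory for illustration only: the hosts, packages,
# versions and dates below are made up, not real advisories.
SAMPLE_INVENTORY = [
    {"host": "laptop-01", "package": "browser", "installed": "120.0", "available": "121.0",
     "released": date(2024, 3, 1), "end_of_support": None},
    {"host": "laptop-01", "package": "os", "installed": "22.04.4", "available": "22.04.4",
     "released": date(2024, 2, 20), "end_of_support": date(2027, 4, 30)},
    {"host": "fw-edge", "package": "firmware", "installed": "7.2", "available": "7.3",
     "released": date(2024, 3, 12), "end_of_support": None},
    {"host": "server-03", "package": "legacy-db", "installed": "5.1", "available": "5.1",
     "released": date(2020, 1, 1), "end_of_support": date(2023, 12, 31)},
]

def find_patch_breaches(inventory, today, window_days=PATCH_WINDOW_DAYS):
    """Entries where a newer version exists and its release date is more than
    window_days before today. Returns (host, package, days_overdue) tuples."""
    breaches = []
    for item in inventory:
        if item["installed"] == item["available"]:
            continue  # already on the latest version, nothing to apply
        age = (today - item["released"]).days
        if age > window_days:
            breaches.append((item["host"], item["package"], age - window_days))
    return breaches

def find_unsupported(inventory, today):
    """Entries whose vendor support has already ended and which therefore
    receive no further security updates (Control 5 says remove them)."""
    return [(item["host"], item["package"]) for item in inventory
            if item["end_of_support"] is not None and item["end_of_support"] < today]

if __name__ == "__main__":
    today = date(2024, 3, 20)  # constructed reference date for the sample run
    for host, pkg, overdue in find_patch_breaches(SAMPLE_INVENTORY, today):
        print(f"OVERDUE: {host} {pkg} is {overdue} day(s) past the 14-day window")
    for host, pkg in find_unsupported(SAMPLE_INVENTORY, today):
        print(f"UNSUPPORTED: {host} {pkg} no longer receives security updates")
```

In practice the inventory would come from your asset register or patch management tooling rather than a hard-coded list, but the two checks stay the same.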
Benefits of Achieving Cyber Essentials
The obvious reason for achieving Cyber Essentials is to reduce the risk of a security incident impacting business continuity. However, there are other benefits to consider:
- Lower cyber insurance premiums: This is especially relevant for organisations that include their entire IT infrastructure in the scope of their Cyber Essentials assessment. Being able to demonstrate effective security controls and greater security maturity can lead to lower cyber insurance premiums. If you need help with these conversations, our vCISOs have a great deal of experience in helping organisations in this area.
- Make ongoing regulatory compliance easier: The five key controls are not exclusive to Cyber Essentials. ISO 27001 and GDPR are two other examples of information security standards in the UK, and you can re-use the work done here to help achieve these standards too. To make life simpler, our Aegis platform will do this automatically and provide a checklist of what still needs to be done.
- Win more business and reduce lead times: Businesses understandably want to partner with suppliers who can demonstrate good cybersecurity practices to reduce their risks of inheriting third party issues. Our Aegis platform makes it easy to share your credentials in this space with your customers, along with any other compliance frameworks you have met to speed up the due-diligence process. It is also worth noting that for government contract bids, a valid Cyber Essentials certificate is often a necessity in order to be considered for the project.
8 steps to achieve Cyber Essentials
Step 1: Download the Cyber Essentials self-assessment questionnaire (SAQ)
The SAQ is the cornerstone of your Cyber Essentials application. It outlines the programme's requirements, and the information and evidence you will need to provide. It can be downloaded from the IASME website.
Step 2: Confirm your scope
While you can partially scope a Cyber Essentials assessment to cover a subset of the organisation, such as a location or business unit, or even selected elements of your IT infrastructure such as your cloud services, we strongly recommend you include your whole organisation.
This is because if you are taking the time to complete this exercise, it makes sense to cover as much as you can. Cyber insurers for example are unlikely to consider an assessment that has left large parts of an estate untouched when they review your premium.
This doesn’t mean every element or device needs to be included. Devices that cannot connect to the Internet or are owned by third parties (such as contractors) are considered out of scope.
Once you confirm your scope, you need to outline it in the SAQ. You should also create a detailed asset inventory that shows your IT infrastructure. Again, Aegis can help save huge amounts of time here by creating this list with minimal manual input.
Step 3: Review your Capabilities and collect evidence
While Cyber Essentials is a self-assessed certification, evidence demonstrating the effectiveness of your controls, and that they are aligned with the framework's requirements, still needs to be collected and documented.
The most important aspect of evidence collection is centralisation. If evidence such as screenshots, policy documents, and logs is scattered across email chains, documents, and shared folders, searching through it will be time-consuming, and crucial documents will invariably be missed.
Aegis clients benefit from AI driven automation that not only collects the required evidence automatically from multiple sources, saving security teams up to 50% of their time in the process, but also stores it centrally on one shared platform for simple internal or external review.
Step 4: Submit Your Application
You can submit your completed questionnaire to an accredited Certification Body or directly to the Cyber Essentials portal.
At this point you will need to pay the certification fee (which varies depending on your organisation's size and the scheme level). You can find pricing details on the IASME website.
Step 5: Undergo an external assessment (Cyber Essentials Plus only)
The accredited certification body you have submitted your SAQ to will conduct vulnerability scans and internal testing on your systems and advise you of their findings, usually after a few weeks.
Step 6: Address Any Issues Found (if applicable)
If the external audit identifies any vulnerabilities or gaps you will need to fix these promptly. In some cases you may also need to resubmit your evidence or undergo a follow-up assessment.
Step 7: Receive your certification
Once approved, you will receive your official Cyber Essentials certificate.
Don't forget to include the Cyber Essentials logo on your website, bid documents, presentations, and other client-facing materials.
Step 8: Maintain and renew certification
A Cyber Essentials certification is valid for 12 months from the date on the certificate. It can be renewed by updating your assessment and submitting any required supporting documentation.
During the year, make sure you regularly review and maintain your security controls as this will make your renewal much easier. For Aegis clients, this will be automated for you and any urgent tasks will be flagged automatically.
Speak to a Cyber Essentials expert
Ready to get a faster, clearer, and simpler view of Cyber Essentials?
Whether you need help with a project, or just some quick advice, our team of experienced cybersecurity experts are here for you. Simply complete the form, or give us a call on 0330 460 4633 to start a conversation.