The differences between CE standard and Plus
The Cyber Essentials scheme was developed to show organisations how to protect themselves against low-level "commodity" threats. It lists five technical controls that organisations should have in place: access control; boundary firewalls and Internet gateways; malware protection; patch management; and secure configuration.
The vast majority of cyber attacks use relatively simple methods which exploit basic vulnerabilities in software and computer systems. There are tools and techniques openly available on the Internet which enable even low-skill actors to exploit these vulnerabilities. Properly implementing the Cyber Essentials scheme will protect against the vast majority of common internet threats.
Cyber Essentials is split into two levels, Standard and Plus. What are the respective merits of each?
Cyber Essentials Standard is a self-assessment certification. The client is tasked with completing a questionnaire that covers the five control areas mentioned above. The responses are not verified by the certifying body: nobody will attend your premises to confirm that your answers are true. So as long as the portal is completed in a sensible manner you should pass, even if the answers are not always completely accurate. Many of these applications are completed on the client's behalf by their IT provider. It is only when something goes wrong that the client realises their antivirus software is not actually installed correctly, or that default passwords have never been changed, leading to financial and reputational damage.
This is the BENEFIT of Cyber Essentials Plus: it is an on-site, verified test conducted by a trained cyber security expert. They will check that your antivirus software is working, that default passwords have been changed, and that your computers are running the latest versions of your software, amongst other tests.
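The checks an assessor performs on site are the same ones you can run yourself before the visit. The script below is an added example, not part of the article or of the Cyber Essentials scheme's own material; it gathers local evidence for the malware protection, firewall, patching and access control points on a single Windows machine using built-in cmdlets. It assumes Windows 10/11 with Microsoft Defender and an elevated PowerShell session; the 7-day and 30-day thresholds are assumptions chosen for illustration, not figures from the scheme.

```powershell
# Added example: local evidence gathering for the checks named above.
# Assumptions (not from the article): Windows 10/11 with Microsoft Defender,
# run from an elevated PowerShell session. Thresholds are illustrative.

$findings = @()

# 1. Malware protection: is Defender enabled, real-time protection on, signatures recent?
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += "Antivirus engine is disabled" }
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time protection is off" }
if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
    $findings += "AV signatures older than 7 days (last updated $($mp.AntivirusSignatureLastUpdated))"
}

# 2. Boundary firewall: all three Windows Firewall profiles should be enabled.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is disabled"
}

# 3. Patch management: when was the most recent update installed?
#    Get-HotFix only lists updates recorded as hotfixes, so treat this as a first indicator.
$lastPatch = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($null -eq $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "No update installed in the last 30 days (last: $($lastPatch.InstalledOn))"
}

# 4. Access control / secure configuration: built-in accounts still enabled,
#    or enabled accounts whose password has never been set.
Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    if ($_.Name -in @('Administrator', 'Guest')) {
        $findings += "Built-in account '$($_.Name)' is still enabled"
    }
    if ($null -eq $_.PasswordLastSet) {
        $findings += "Account '$($_.Name)' has never had its password set"
    }
}

# Report: an empty list means none of these basic checks flagged a gap on this host.
if ($findings.Count -eq 0) {
    "No gaps found on $env:COMPUTERNAME"
} else {
    "Gaps on $env:COMPUTERNAME:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it on each workstation and keep the output alongside the self-assessment answers: where the two disagree, the answer on the portal is the one that needs fixing before an assessor finds the same gap.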
Cyber Essentials Standard is a great way to start thinking about how a company deals with cyber threats, but it is only the start of the journey. It's like buying a train ticket: you haven't even got on the train yet! Standard does not, and should not, give the client confidence in its cyber capabilities, because nothing has been tested or verified. That is where Cyber Essentials Plus helps.
Remember that the entire Cyber Essentials process is just the start. Other steps include awareness sessions (including phishing exercises), penetration testing, and governance.