Vulnerability testing for Cyber Essentials
Once the organization has determined the scope, the next step in certification to Cyber Essentials is to complete a self-assessment questionnaire (SAQ).
Once the SAQ is completed, the certification body will assess whether the controls have been implemented effectively.
Non-CREST-accredited certification bodies will often only review the SAQ. CREST-accredited certification bodies, however, will review the questionnaire and conduct an external vulnerability scan of the Internet-facing networks and applications to verify that there are no obvious vulnerabilities present. This provides an added level of independent assurance.
Vulnerability testing for Cyber Essentials and Cyber Essentials Plus
Cyber Essentials scans can only be purchased from a certification body and must have been developed specifically for Cyber Essentials certification purposes.
This level of testing aims to identify vulnerabilities that could be exploited by low-skilled attackers or unsophisticated, automated attacks.
It is unsuitable for organizations that may be the target of advanced persistent threats (APTs).
External tests required for Cyber Essentials:
External full TCP port and top UDP service scan for stated IP range
Vulnerability scan for stated IP range
Basic web application scanning for common vulnerabilities
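Before the certification body runs its external full TCP and top UDP scan, it is worth knowing exactly which services each in-scope host is listening on, so that the scan result can be reconciled against an agreed list of intended exposure rather than coming as a surprise. The script below is an added example, not part of the Cyber Essentials scheme or any certification body's tooling: it parses Linux `/proc/net/tcp` and `/proc/net/udp` tables (the sample table text is constructed for illustration), decodes the little-endian hex addresses, keeps only listening TCP sockets and unconnected UDP sockets, and flags any non-loopback listener whose port is not in the expected set. The `EXPECTED_TCP` and `EXPECTED_UDP` port sets are placeholders an organisation would replace with its own intended exposure.

```python
"""Inventory listening sockets and reconcile them with the intended exposure.

Added example (not scheme or vendor code). Parses /proc/net/tcp-style tables;
falls back to the constructed SAMPLE_* text when those files are unavailable.
"""
from __future__ import annotations

import socket
import struct

TCP_LISTEN = "0A"   # st column value for a listening TCP socket
UDP_UNCONN = "07"   # st column value for an unconnected (bound) UDP socket

# Placeholder intended exposure; replace with the organisation's own list.
EXPECTED_TCP = {22}
EXPECTED_UDP: set[int] = set()

# Constructed sample tables in /proc/net/tcp and /proc/net/udp layout.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0200000A:B3D4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  123: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 999 2 0000000000000000 0
  124: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 998 2 0000000000000000 0
"""


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """Turn 'AABBCCDD:PPPP' into (dotted IPv4, port).

    The kernel writes the IPv4 address as a little-endian 32-bit integer,
    so it is unpacked with '<I' before conversion to dotted form.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(table: str, proto: str) -> list[tuple[str, int]]:
    """Return (ip, port) pairs that are listening (TCP) or bound (UDP)."""
    wanted = TCP_LISTEN if proto == "tcp" else UDP_UNCONN
    found = []
    for line in table.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == wanted:
            found.append(decode_addr(local_addr))
    return sorted(found, key=lambda entry: entry[1])


def unexpected_exposure(sockets: list[tuple[str, int]],
                        expected_ports: set[int]) -> list[tuple[str, int]]:
    """Listeners reachable beyond loopback whose port is not on the agreed list."""
    return [(ip, port) for ip, port in sockets
            if not ip.startswith("127.") and port not in expected_ports]


def main() -> None:
    for proto, path, sample, expected in (
        ("tcp", "/proc/net/tcp", SAMPLE_TCP, EXPECTED_TCP),
        ("udp", "/proc/net/udp", SAMPLE_UDP, EXPECTED_UDP),
    ):
        try:
            with open(path, encoding="ascii") as fh:
                table = fh.read()
        except OSError:
            table = sample   # not on Linux: use the constructed sample
        sockets = listening_sockets(table, proto)
        print(f"{proto}: {len(sockets)} listener(s)")
        for ip, port in unexpected_exposure(sockets, expected):
            print(f"  REVIEW: {proto} {ip}:{port} not in intended exposure")


if __name__ == "__main__":
    main()
```

Run on each in-scope host as a pre-scan check; anything reported as `REVIEW` should either be added to the documented exposure list with a justification or closed before the external scan is booked. Loopback-only listeners are excluded because they are unreachable from the Internet-facing range the scan covers.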
Cyber Essentials Plus: independently verified
Organizations seeking certification to Cyber Essentials Plus are required to undergo the verified self-assessment tests described above, as well as a series of internal vulnerability tests.
These tests comprise an authenticated internal scan and a test of the security and anti-malware configuration of each device type/build. The internal scan checks patch levels and system configuration, while the security and anti-malware test ensures that the organization’s systems are resistant to malicious email attachments and web-downloadable binaries. Because these tests are internal, they must be carried out on-site by the certification body. IT Governance’s Cyber Essentials Plus tests combine vulnerability scans with a series of other tools, and are conducted by qualified and experienced CREST-accredited penetration testers.
Internal tests required for Cyber Essentials Plus:
Inbound email binaries and payloads
Inbound emails containing URLs linking to binaries and browser exploitation payloads
Authenticated vulnerability and patch verification scan
Upon completion of the tests, a report will be issued that states the outcomes of the tests and explains what actions, if any, should be taken in order to eliminate any risks or vulnerabilities. The report is intended to provide customers with meaningful information about practical risks to their organization and its activities.
Organizations that fail either the external or internal tests will be given a list of actions that must be carried out before a certificate can be awarded.
Once the remedial activities have been completed, the organization will be able to contact the certification body to repeat the relevant tests and, subject to a successful outcome, receive the relevant certificate/badge.
Source: CREST and the Cyber Essentials scheme
IT Governance offers a number of unique solutions to certification that will enable you to achieve certification to Cyber Essentials or Cyber Essentials Plus cost-effectively and easily.