Cyber Essentials: What do you need to ask your provider before certification?
Are you looking at achieving Cyber Essentials Basic and/or Cyber Essentials Plus soon? Do you use an external provider to manage your IT systems? If so, there may be a few things you need to check before you get started.
In this article we discuss some of the common questions you will need to ask your provider, as they will likely be raised during the assessment or audit phases. Most of these questions also reflect best practice, so if the answer is "no", ideally it should not be.
Asset management
Do we have an asset list/register?
Asset management plays a big part in Cyber Essentials: you need to know what devices you have and what software versions they run. Ideally you, as a business, will have an up-to-date asset register that includes the following columns:
- Asset ID
- Device Name
- Device Owner
- Device Location
- Operating System version/edition
- Manufacturer
If you don't have a list like this, or you are unsure of what devices you have, you will need to ensure that your external provider can supply all of this information for you.
Day to day user accounts
Do user accounts run as a standard user, with no administrative access?
For Cyber Essentials, you must have account separation in place: day-to-day work is done from a standard user account, and administrative accounts are used only when you need to configure systems. By default, Windows and macOS set up your account as an administrative account, so this usually has to be changed deliberately.
Anti-virus/Anti-malware software
Do we have anti-malware or anti-virus software installed, and is it kept up to date?
Cyber Essentials requires that you run some form of protection against viruses and malware. You can use either the operating system's built-in protection or a third-party product, as long as it is kept up to date and actively blocks threats.
Patch management
Do we patch and update machines within 14 days of a release?
To comply with Cyber Essentials you must ensure that all high and critical security updates are applied to all systems within 14 days of release, ideally through automatic updates or via RMM tools. MSPs and external providers should verify that updates are actually being applied rather than relying solely on reports.
Updates also need to be applied to third-party applications, such as Zoom, Office and Adobe Reader, not just the operating system.
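As an added example (not from the article or any particular RMM vendor), the following Python script applies the 14-day rule to a constructed patch export, flagging updates that were installed late or are still missing past the deadline; the PatchRecord fields, update identifiers and dates are all assumed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials: high/critical security updates applied within 14 days of release
PATCH_WINDOW_DAYS = 14
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass
class PatchRecord:
    asset_id: str              # matches the Asset ID column of the register
    device_name: str
    update_id: str             # vendor update identifier (placeholder values below)
    severity: str              # vendor-rated severity, e.g. "critical", "high", "low"
    released: date
    installed: Optional[date]  # None means the export shows it not yet installed


def deadline(rec: PatchRecord) -> date:
    """Last day the update may be installed and still be compliant."""
    return rec.released + timedelta(days=PATCH_WINDOW_DAYS)


def classify(rec: PatchRecord, today: date) -> str:
    """COMPLIANT, LATE (installed after the deadline), OVERDUE (missing and past
    the deadline), PENDING (missing but still inside the window) or OUT_OF_SCOPE."""
    if rec.severity.lower() not in IN_SCOPE_SEVERITIES:
        return "OUT_OF_SCOPE"
    due = deadline(rec)
    if rec.installed is None:
        return "OVERDUE" if today > due else "PENDING"
    return "LATE" if rec.installed > due else "COMPLIANT"


def non_compliant(records, today: date) -> list:
    """Asset IDs that would fail the 14-day requirement as of `today`."""
    return sorted({r.asset_id for r in records
                   if classify(r, today) in ("OVERDUE", "LATE")})


# Constructed sample export: not real devices, updates or dates
SAMPLE = [
    PatchRecord("A-001", "LAPTOP-01", "UPD-0001", "critical", date(2024, 3, 1), date(2024, 3, 10)),
    PatchRecord("A-002", "LAPTOP-02", "UPD-0001", "critical", date(2024, 3, 1), date(2024, 3, 18)),
    PatchRecord("A-003", "LAPTOP-03", "UPD-0001", "critical", date(2024, 3, 1), None),
    PatchRecord("A-004", "LAPTOP-04", "UPD-0002", "high", date(2024, 3, 12), None),
    PatchRecord("A-005", "LAPTOP-05", "UPD-0003", "low", date(2024, 2, 1), None),
]

if __name__ == "__main__":
    report_date = date(2024, 3, 20)  # constructed "today" for the sample run
    for rec in SAMPLE:
        print(f"{rec.asset_id} {rec.device_name} {rec.update_id}: {classify(rec, report_date)}")
    print("Non-compliant assets:", non_compliant(SAMPLE, report_date))
```

Only the install date recorded against each device counts as evidence; a row with no install date is treated as missing, which is the check the article asks providers to make instead of trusting summary reports.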
Multi-factor authentication
Is multi-factor authentication in use everywhere for cloud systems?
Multi-factor authentication (MFA) is a requirement for Cyber Essentials wherever a cloud-based product offers it, even if you have to pay extra for it. All users, including administrative accounts, must have MFA configured on all cloud-based systems.
Software removal
Do you remove all unused software and applications?
Ideally, all software and applications that are not used or needed by the business should be removed to reduce the chance of vulnerabilities and security threats. So all those trial and bloatware applications you get on Windows machines should be removed if they are not needed.
User accounts
What is the process for creating and disabling accounts?
Cyber Essentials requires that you have a documented process for creating and disabling user accounts. When someone new joins the company, what is the process? When someone leaves the business, what happens to their accounts?