Cyber Essentials Plus: Vulnerabilities that cause a failure

If you are looking to achieve the Cyber Essentials Plus certification for your business, you may be wondering are there any vulnerabilities that could cause a failure.  This blog post is the latest in a series about Cyber Essentials and discusses what happens when a vulnerability is found as part of the authenticated vulnerability scan.

If you didn’t already know, as part of the Cyber Essentials Plus audit we, the Certification Body, need to undertake a credentialed vulnerability (meaning that we require local administrative account or access) to scan across all devices which are in scope (or a sample set if working in a home environment). When the scan is run, we often find that there are several vulnerabilities that could cause a failure, which can cause a failure of the audit.  This happens when vulnerabilities are CVSS 7.0 or above, however, this can depend upon a few metrics which are mentioned here in this article.

During 2022 the Cyber Essentials Plus testing will be split between two types of testing metrics. If you have achieved your Cyber Essentials self-assessment under the Beacon certification set, the following CVSS metrics will also be taken into account. Otherwise anything CVSS 7.0 or above will be a failure if a update has been out for longer than 14 days on the day of the test.

Once we see a score of 7.0 or above (and are under the Beacon certification set), we need to look at the vulnerability metrics, these are defined as below:

  • attack vector: network only
  • attack complexity: low only
  • privileges required: none only
  • user interaction: none only
  • exploit code maturity: functional or high
  • report confidence: confirmed or high

Although there are many more metrics defined within the CVSS scoring system, these are the ones that are used by the Cyber Essentials scheme and are used to give an overview of the type of vulnerability and how it can be manipulated.

If the vulnerability is found to be 7.0 or above and matches the above metrics then the vulnerability is marked as a failure.  Depending upon the type and number of vulnerabilities found, InfoSec Governance may decide to inform you that based upon the results you should remediate the vulnerability, even though it’s a pass. This can help ensure that your business is protected against threats from vulnerabilities that cause a failure and is best practice.

To ensure that you don’t get any surprises at this part of the audit, InfoSec Governance offers a pre-audit analysis of your business to help check to make sure things are in place. For this, we’ll run a scan and take a quick look around your processes which are defined as part of the audit and highlight any issues before you undergo the certification.

If you would like to undergo Cyber Essentials, please contact us to discuss your requirements.