What is Cyber Essentials Plus?

If you are looking to achieve Cyber Essentials Plus there are a few things you should look at before going ahead with the Certification. This blog post hopefully helps to explain some of the areas that I’ve seen people fail their audits on.

First, you will need to achieve the Cyber Essentials Basic certification, this is a self-assessment certification that is carried out through a Certification Body, like InfoSec Governance and once you have successfully passed this, you can move on to work towards Cyber Essentials Plus.

Cyber Essentials Plus is an audited version of Cyber Essentials, it looks at the controls that you have in place, though performing a vulnerability scan against your external gateway IP address as well as a credentialed vulnerability scan internally. Lastly, there are tests to check to see how your email filters work as well as your endpoint configurations.

If you would like to know more about Cyber Essentials you can find more information here and here.


Before you go ahead with a Cyber Essentials Plus certification, you should check, check and check again that all your Operating Systems are supported, are fully patched and do not run any non-supported applications. Check to make sure that your router passwords are changed, that your firmware is up to date on routers, printers and devices.

You should also, where possible, run a vulnerability scan against your systems beforehand, this will help identify any problem areas and gives you time to fix these before the audit happens.

Check to make sure that people are not running as local administrators and ensure that your antivirus is working and is up to date, which will make life easier on the day of your audit.

Vulnerability scanning

If possible, download and run Nessus Professional, if you can’t justify the professional, look at getting the Essentials version, this is free up to 16 IP addresses.  Otherwise, look at something like OpenVAS.  Then perform a scan across everything that is on your network. Configure the scan to scan all ports – 0-65535 as well as UDP ports. This scan should also be configured to scan using administrator credentials, so the scan has full access to your systems.

When scanning, you should look at remediating anything that shows up as a CVSS 7.0 or above, for Cyber Essentials Plus, however, in reality, it is good to look at and resolve anything that is found which has a CVSS score of the low, medium, high or critical.


Patching is a big area and it’s surprising how many people don’t have all of their software up to date, it’s not just about keeping your Operating System up to date, but what about all your third-party applications? Are they configured to automatically update? Are you using third parties to patch for you? Do you check they are updated?

The “two-click” rule for downloading files

The two-click rule is used when the testing of files is performed when downloading files from a website (or opening from an email).  For example during the audit, if you can download a file and you can execute it straight away without any notifications, then this would be a failure. If this happens there are ways around this and you can put in place checks or measures to make sure it takes more than two clicks to run a file.  Whether this is blocking all files from downloading, putting prompts in place to ask the user or simply block files from running from the download location.


Once you have put these measures in place, you should be in a good place to go for your Cyber Essentials Plus certification. If you are looking to achieve this, please get in touch with us to see how we can help you.