How to Pass Cyber Essentials – Part 1

How to Pass Cyber Essentials – Part 1

We see a lot of Cyber Essentials applications through the year and over time it has become clear that some businesses are, quite understandably, not really understanding the questions.


How to Pass Cyber Essentials – Part 1

We see a lot of Cyber Essentials applications through the year and over time it has become clear that some businesses are, quite understandably, not really understanding the questions. This series blog post will be in a number of parts. In each post I will focus on one section of the standard and give you both the “assessors” view on the question and the “pentesters” view. With these combined, you should be able to answer the questions easily and put in place changes in your IT systems to pass the standard.

Once all of the series is completed, we will create a PDF of the guide, along with a little discount code for your assessment. So, on with section 1.

Remote Vulnerability Scan

This section MUST be completed. We received a number of returned questionnaires with nothing entered. Unless your organisation has no internet connection and you do not use email or have a website, then this will result in an automatic fail. So what needs to go in this section?

Your office IP address

This might sound a little obvious, but it is very often missed. The easiest way to get your office IP address is to browse to The heading will say “Your IP Address is” and following this will be a series of numbers. This is you IP address. So that goes into the first column. You skip the second column. The third column enter “Our Office IP”. In the fourth column enter “Internally Hosted – In Scope” and leave the last column blank.

The table should look a little like this:

IP Address Fully Qualified Domain Name Name & Description System Ownership If out of scope, explain Our Office IP Internally hosted – in scope Our website Internally hosted – in scope

What are looking for in the Vulnerability Scan?

The vulnerability scan should be very easy to pass yet many companies that end up failing this first time around. So what is it we are looking for? In short, no Critical or High risk vulnerabilities. But lets look at the top vulnerabilities raised over our last 100 assessments:

SSL Issues

This is the number one reason for failing. If you have not configured your SSL services to only use TLSv1.1 and higher with a strong cipher suite then you will FAIL! We posted a remediation guide to this and it is the single most visited page on our website. You can find the guide to fixing SSL here.

Patch Your Systems

This is the second most common reason for failing. You would be astounded how many companies fail because they do not patch their systems. If you do not patch your externally facing systems, then you are highly likely to have a Critical or High-risk vulnerability present.

Replace those Out of Support Systems

The third most common reason for failing. Still using Windows 2003 or Windows XP systems. Even 2008 is pretty much out of support now. But the problem is not just confined to Windows. We see a lot of old out of date Linux systems in use. You need to retire these and replace them with modern alternatives.

Cloud / Shared Services Assessment

This part of the assessment is really only looking at your cloud-delivered applications such as Office365, Gmail suite, Salesforce, etc. You should list all SAAS (Software as a service) products that you use within the business.

Description of the service

This is usually the name of the service which you use. For example:

  • Microsoft Office 365

  • GSuite

  • Salesforce

  • Tresorit

  • Dropbox


This is simply the name of the supplier.

Independent audit standards to which the suppliers have been previously assessed.

This can take some digging but it is usually on the supplier’s website somewhere. In some cases you may need to ask the supplier directly. Common answers include:

  • ISO27001


  • SSAE 16

  • Safe Harbour

Evidence of certification provided to the certifying body

This is the most import column for us as the assessor. You need to provide links to, or attach to your return, evidence that the supplier has completed any independent audits.

  • Recent Articles
Author Details
Founder & CEO at Hedgehog Security

Peter has been in the Information Security world since 1999 and in IT in general since 1996. His work history contains a unique blended balance between the development of exceptional technical capabilities and business knowledge. Peter is a proud father of twins and enjoys GT endurance racing on the weekends.

We would like to keep you informed about our services. Please tick the options below to receive occasional updates via

  • penetration testing steps
    Peter talks to FindMyUkCasino
  • Malware
    SB Tech Breach

    Last week saw SB Tech Breached by the hacking group Maze. It seems that every week the group are announcing more victims.  GameOn asked our CEO Peter Bassill, to give us some insight into the attack. The GameOn article is here.

  • Privacy
    Howto VPn

    In our “How to securely” series we asked our followers what tools they would like a simple guide on to help them stay secure online. There seemed to be a lot of confusion as to what a VPN is and why you should or should not use one. So we asked Peter to help.

  • WhatsApp
    How To Whatsapp Safely

    WhatsApp is among the fastest-growing instant messengers out there, and almost a social network in its own way. But if you are using it, there are some steps you should take to protect your security and privacy.

  • Morrisons Breach Update

    The UK’s highest court ruled that Morrisons can not be liable for a criminal act of a person seeking to harm their business. On April 1st, 2020, a panel of five justices unanimously ruled that Morrisons was not “vicariously liable”.

  • Remote Working Considerations

    With the current pandemic situation, we all need to be taking remote working considerations. While adjusting the work paradym, it is vital to keep a mind’s eye on the security and safety of the businesses information assets

  • Securing Zoom
    How To: Securing Zoom

    In this guide we are looking at how to go about securing zoom. Since the onset of the global pandemic, we have seen surge in “zoom bombing”. This is where people with malicious intent look for in-progress zoom meetings to join and cause trouble.

  • Software Security
    Dell EMC iDRAC memory corruption Vulnerability

    A critical vulnerabiltiy has been identified in Dell EMC iDRAC7, iDRAC8 and iDRAC9. Some unknown processing is affected by this issue. Manipulation with an unknown input can lead to stack based memory corruption.

  • Hiscox Sues for Failing to Disclose Data Breach

    On March 27th, Hiscox Insurance Company Inc. filed a complaint against law firm Warden Grier for concealing a data breach that occurred back in 2016.

  • Software Security
    Privilege escalation on Nginx Controller up to 3.1.x Controller API

    A critical vulnerability has been identified in Nginx Controller up to 3.1.x (web server,) affecting an unknown code block of the component Controller API.

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Scroll to Top