The Cyber Essentials Plus Audit Guide

The Cyber Essentials Plus audit consists of 7 key area checks and this document is designed to help you best prepare for the audit.

Test 1: Remote vulnerability assessment

To test whether an Internet-based opportunist attacker can hack into the Applicant's system with typical low-skill methods.

Prerequisites

You will need the following:

- a vulnerability scanning tool that has been approved by IASME

- to have identified the IP addresses to be scanned. Where dynamic IP addresses are in use for an Internet connection, the scope may be defined in terms of appropriate DNS entries.

What devices are tested:

All end user devices within the sample set.

What we are testing for:

The following tests apply to all computing devices within the boundary of scope. This includes:

- end user devices (EUDs) that can connect to organisational data or services

- servers on which standard (that is, non-administrator) users can obtain an interactive desktop environment

- all types of cloud service (IaaS, PaaS, or SaaS)

On all but the smallest networks it will be impractical to test every device that is within the agreed boundary of scope. Instead, we test a representative sample.

All cloud services must be tested using a representative sample of user accounts. This must consist of at least one normal user and one administrative user for every cloud service used. The same users can be used across multiple cloud services. We are testing to ensure that there are no vulnerabilities rated as High Risk or Critical Risk, or that have a CVSS v3 score of 7.0 or higher.

Test 2: Check patching, by authenticated vulnerability scan of devices

This test is performed on a sample set of EUDs, servers and IaaS instances. The purpose of this test is to identify missing patches and security updates that leave vulnerabilities which threats within the scope of the scheme could easily exploit.

Prerequisites

In addition to the general prerequisites for testing, you will need:

- a vulnerability scanning tool that has been approved by IASME

- each device to be tested to be scanned with the approved vulnerability scanning tool

What devices are tested:

All end user devices within the sample set.

What we are testing for:

We are testing to ensure that there are no missing patches or service packs and that there are no vulnerabilities with a High Risk or Critical Risk rating and that there are no risks with a CVSS v3 score of 7.0 or higher.
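The pass/fail rule for Tests 1 and 2 (any finding rated High or Critical, or with a CVSS v3 score of 7.0 or higher, is a failure) is easy to apply by hand to a handful of findings but error-prone across a full sample set. The script below is an added example, not part of this guide or any IASME tooling; it triages a constructed scan export whose CSV columns (host, plugin, severity, cvss3) are assumed and not any scanner's real format.

```python
"""Triage a vulnerability-scan export against the Cyber Essentials Plus
criteria: any finding rated High or Critical, or with a CVSS v3 base score
of 7.0 or higher, fails. Added example; CSV layout is an assumption."""
import csv
import io
from typing import Optional

FAIL_SEVERITIES = {"high", "critical"}
CVSS_V3_FAIL_THRESHOLD = 7.0

# Constructed sample export (not real scanner output); columns are assumed.
SAMPLE_EXPORT = """\
host,plugin,severity,cvss3
10.0.0.5,Missing OS cumulative update,Critical,9.8
10.0.0.5,SMB signing not required,Medium,5.3
10.0.0.7,Outdated TLS library build,Medium,7.0
10.0.0.9,Self-signed certificate,Low,
10.0.0.9,Remote code execution in web framework,High,
"""


def is_ce_plus_failure(severity: str, cvss3: Optional[str]) -> bool:
    """True if one finding fails the CE+ scan criteria.
    The two criteria are independent: a 'Medium' finding scored exactly 7.0
    still fails, and a 'High' finding with no score at all still fails."""
    if severity.strip().lower() in FAIL_SEVERITIES:
        return True
    try:
        return float(cvss3) >= CVSS_V3_FAIL_THRESHOLD
    except (TypeError, ValueError):
        # Blank or non-numeric score: the score criterion cannot trigger.
        return False


def triage(export_text: str) -> dict:
    """Summarise which findings and hosts would fail the audit."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    failures = [r for r in rows if is_ce_plus_failure(r["severity"], r["cvss3"])]
    return {
        "total": len(rows),
        "failures": failures,
        "failing_hosts": sorted({r["host"] for r in failures}),
        "pass": not failures,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    print("PASS" if result["pass"] else "FAIL", "- failing hosts:", result["failing_hosts"])
    for f in result["failures"]:
        print(f"  {f['host']}: {f['plugin']} ({f['severity']}, CVSS v3 {f['cvss3'] or 'n/a'})")
```

Run it against your own scanner's CSV export once the column names are mapped; anything it lists must be remediated before the assessor scans.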

Test 3: Check malware protection

This test is performed on sampled EUDs, servers and IaaS instances to check that all the devices in scope benefit from at least a basic level of malware protection. We need to identify what type of malware protection each device in the sample set uses: antivirus software, application allow-listing or application sandboxing.

What devices are tested:

All end user devices within the sample set.

What we are testing for:

We will be manually checking each machine within the sample set of machines to ensure that:

- all anti-malware definitions released within the 24 hours prior to testing have been installed

- all anti-malware engine updates released within the 30 days prior to testing have been installed

Test 4: Check effectiveness of defences against malware delivered by email

This test is performed on any sampled EUDs, servers and cloud environments where email can be received by users (“user environments”).

What devices are tested:

All end user devices within the sample set.

What we are testing for:

We manually test the protection against malware that is delivered via email attachments. For each user environment in the sample set, we will need to:

1. Establish a baseline by sending a simple email from your remote test account, with no attachments.

2. Attempt to send each test email from your remote test account to the test destination and observe the user attempting to open each attached test file.

Test 5: Check defences against malware delivered through a website

This test is performed on any sampled EUDs, servers and cloud environments where browsing can be performed by users (“user environments”). We will instruct the user to browse to a specific URL, download each of the files and attempt to open them.

What devices are tested:

All end user devices within the sample set.

What we are testing for:

This tests whether user environments have protection from malware delivered through a website. We are specifically looking to see whether the download is blocked or, if the user can download the files, whether they can execute them. A failure is issued if any of the files can be executed without a warning.

Test 6: Check Multi-factor authentication configuration

This test is performed on all cloud services, to confirm that the cloud services declared in scope have been configured for multi-factor authentication (MFA). Users of sampled devices attempt to log into the organisation's cloud services using their organisation-issued accounts.

What devices are tested:

All cloud services listed in the CE questionnaire.

What we are testing for:

All cloud services are to be tested for User and Administrator Access. Where multiple cloud services share an authentication service this test only needs to be performed once for each authentication service. We are testing to observe that multi-factor authentication is in place for cloud environments.

Test 7: Check account separation

This test is performed on any of the sampled end user devices, servers and cloud environments where administrative processes can run. The purpose is to test that standard user accounts do not have administrator privileges assigned.

What devices are tested:

All sampled devices need to be tested.

What we are testing for:

Logged in with a standard user account, the user attempts to run a defined administrative process. A failure will be issued if a standard user profile is able to run an administrative process.

