Cyber Essentials Audit Guide

Our Cyber Essentials Audit Guide. A pragmatic guide to the cyber essentials audit that removed the uncertainty and replaces it with clarity.

Cyber Essentials

Cyber Essentials Audit Guide

This is our concise guide to the Cyber Essentials Audit and the Cyber Essentials Plus audit guide, as delivered by our NCSC approved team.

One of the important things to note here, this is a UK Government audit. The instructions on how we perform the audit are set in stone by the NCSC via IASME. We are not permitted to deviate from these in any way. We are very aware there are a number of certifying bodies that are taking short cuts and will give you a certificate regardless. We are NOT one of those bodies. Our audits are strict and fair, and follow the governments instructions.

The information we need

When you place an order for Cyber Essentials or for Cyber Essentials Plus, there are some key information that we will ask you for. You may have provided this before, but our internal process requires us to ask it every time to ensure that our information remains fully up to date and avoids any errors.

  1. Company name;
  2. Name of person completing the online questions;
  3. Their job title;
  4. Their email address; and
  5. Their mobile phone number to send the portal password to;
If this is a Cyber Essentials Plus assessment, we will also need the following:
  1. Your Cyber Essentials Certificate Number (must have been in the last 3 months);
  2. Your external IP addresses;
  3. Your internal IP addresses;
  4. A fully completed Device workbook (download from here);
  5. VPN details to connect to your network to run the vulnerability scans internally; and
  6. Teamviewer client installed on the devices identified as part of the workstation audit group. Teamviewer can be downloaded here.

About the VPN connection

A VPN connection into your environment is only needed for the Cyber Essentials Plus audit.

It is now very common for companies to not know how to provide a VPN connection. We have a very simple work around for this issue. If you are able to provide local admin rights to a user account for each of the machines in the sample set, we can install and run openVPN which will connect to our scanning service. Our engineers are able to do this on all the machine needed, and remove it once the audit is complete.

If you wish to install the OpenVPN on the sample machines prior to the engagement, they you are very welcome to and we do appreciate it. The downloads for Windows and Mac OS can be found below.

The Online Questionnaire

The questionnaire is supplied in an online format through the IASME assessment portal. The portal can be accessed using the button below or by browsing to

During the initial process, you main point of contact will have been sent the access username and password. The username is typically sent to the main users email address and the password is sent from the system via a SMS message to their mobile phone.

The single biggest piece of advise that can be given is to not over think the questions and where you are unsure, use the comments box to put in as much detail as possible. This will greatly help the auditor provide you with good solid advise on what to do next.

Common CE Failure Points

It is really easy to fail the initial Cyber Essentials audit. This section has been written to help you avoid the most common pitfalls.

The best single piece of advise is to read the question twice, do not over think the answer and if you are unsure, write comments in “Application Notes” field.

Lets have a run through of the most problematic areas, along with some excellent examples from previous clients.

A2.6 - Devices

Please provide a summary of all laptops, computers and servers that are used for accessing business data and have access to the internet (for example, “We have 25 laptops running Windows 10 Professional version 1709 and 10 MacBook Air laptops running macOS Mojave”).

This is one area where we issue automatic fails. You MUST detail the operating system versions. Here is an excellent example of a passing response:

We have 983 laptops running Windows Enterprise 10 version 2004 19041.572. All servers are mix of Windows Server standard and datacenter core version 2004 build 19041.264.200508-2205.

and here is a typical one we fail for:

We have 22 laptops running Windows 10 and 3 macs.

A2.7 - Mobile Devices

Please list the quantities of tablets and mobile devices within the scope of this assessment. You must include model and operating system version for all devices.

This is another area where we fail a lot of audits. Again, you MUST detail the operating system versions. Here is an excellent example of a passing response:

171 iPhone 11 Pro running 13.6.1 and 52 Samsung A2 running Android 11

and here is the failing version:

171 iPhones and 52 Android devices

A5.5 - Sensitive or Critical Information

Do you run software that provides sensitive or critical information (that shouldn’t be made public) to external users across the internet?

We see a lot of businesses mark this question as Yes without any applicant notes, because they simply did not read the question correctly. It is 100% fine to expose sensitive or critical information to external users across the internet, if you meant to and that information is secured.

What this question is asking is that you have secured that information. That it is not simply on an FTP server or on an unencrypted webpage without a password.

How you protect your information should be documented in the Applicant Notes. For example, here is the Applicant Notes from our own submission:

We provide access to the clients reports through a reporting portal. The reporting portal requires a user email address that is registered to that company and a complex 16 character pass-phrase. The transport mechanism for the portal is TLSv1.3 with no option to degrade to lower than TLSv1.2. All information within the portal is AES256 encrypted.

A6.1 - Operating System Supported


Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems? 

All of your operating systems MUST be in support. If they are not, you fail. Stating that you have an upgrade project is simply not good enough. We will check all of the versions listing in A2.6 and A2.7 and if they are out of date, it is an automatic fail. You can check operating system versions:

The Workstation Assessment

The workstation assessment is one of the most feared parts of the Cyber Essentials Plus audit, but it shouldnt be. Here we will break it down into the logical components, but first, here is the high level of what we are looking for.

1. That the build we are examining matches what you have documented in your Cyber Essentials questionnaire. For example, if you say you use application whitelisting over using antivirus, we will expect to see that.

2. That the build is up to date and fully patches. That there are no missing operating system or application patches that are older then 14 days.

3. That the system does not have any High or Critical risk vulnerabilities.

4. The the endpoint protection is running and is up to date.

5. That the system is correctly secured in line with the Cyber Essentials Plus guidelines published by the National Cyber Security Center.


For the internal tests, we need to test a sample of all end-user devices which includes tablets and smartphones. We also must sample all servers that allow users to access an interactive desktop environment.

An “interactive desktop environment” means a graphical interface such as an X server, Windows remote desktops or macOS similar. It does not include a text-based environment such as an SSH or telnet session or a bash / DOS / PowerShell command line.

For the audit to be valid we must test devices that represent 90% of the common devices in use at the organisation. This means that if you have one to two obscure devices then these would not need to be tested.

The audit standards states that: “For the common devices that you decide are in scope for testing, you must select a random sample of a certain quantity of each.” This means that we must randomly select the appropriate number of machines to meet the sampling requirement from the list of all devices that you completed in the Device Workbook.

XXX firm said we can just prepare x number of of machines for them.

Peter says: We hear this a lot. If a CE audit firms says this to you, they are not auditing to the NCSC standard and if audited you will have to do the whole thing again, costing you more money.

For common device in scope, we must select a random sample. The sample size is defined in the audit guide provided by IASME and the NCSC to every auditor. The audit guide states:

Number of devices of each build/type Sample size


You have 100 Windows 10 2004 desktops, 150 Windows 10 1903 laptops and one Ubuntu 20.04 laptop.

In this example, we would test 5 of the Windows 10 2004 desktops and 5 of the Windows 10 1903 laptop.

Vulnerability Scanning and Patch Checking

IMPORTANT: Vulnerability Scanning and Patch Checking is performed over a VPN. This can be done by one of our appliances being sent to your site or by providing us with a network level VPN.

We will scan each of the systems listed in the scope using one of our Vulnerability Scanners. Depending on the engineer assigned to your test, it will either be Nessus or OpenVAS being used. Both products are the fully license commercial versions.

The scans will be performed using the credentials that you supplied and we are looking for any of the following:

  1. Vulnerabilities with a CVSS v3 score of 7.0 or higher; and
  2. Any missing patches that were released more than 14 days ago.


If we identify either of these, that constitutes a fail for that system.

Malware Protection Tests

For each device in the scope, we will log into the device using team viewer and test the malware protection. This is done to ensure that the malware protection on the device is in use and functional. We will check:

  1. That it is installed, and up to date. When checking that the product is up to date, we will check that the core binaries have been updated to the latest version in the last 30 days and that the signature pack is no older than 23 hours and 59 minutes.
  2. We will check that any mobile device is not jail-broken and that any installed certificates for application signing etc are correct and valid, and
  3. Where sandboxing is used, we will test to ensure that it is functional and effective.

Testing Web and Email Delivered Malware

For this test, we will attempt to download and execute simulated malware files through a web browser and we will also test by attempting to deliver these files via email. Each of these is performed using a standard, non-administrative user account, using TeamViewer to access the device.

Web Browser Test

For this test, we will connect to a randomly generated URL within our domain. However, if we think a client has blacklisted our domain, we has 95 other domains to use from a variety of IP addresses.

If we are unable to connect to that domain to download the files, that is an automatic fail. The files will be downloaded once in each of the web browsers on the device. So if there is say Firefox, Chrome and IE, then the test will run three times, in each web browser.

Email Test

Each device must be in a state where it can both send and receive emails. The first test is to send an email from the device to the engineer, and then to respond to the test to ensure that two way email delivery is working. The engineer will then send all of the simulated malware files via email, one at a time, to that account. There are around 14 emails containing the simulated malware, and one test email that should not trigger any protection mechanisms. If the test email does not arrive, then deeper investigation may be warranted.

What we are looking for

All of the simulated virus files must be blocked. All of the executable test files must show a warning and not be run without user input.

The Files

There are 14 files in the collection that are used, and they compromise of the following extensions:

  • .7z
  • .gz
  • .rar
  • .tar
  • .zip
  • .dmg
  • .bat
  • .exe
  • .pif
  • .py
  • .sh
  • .tar.gz
  • .docx
  • .xlsx

The files will be delivered by email or via a web download and we will attempt to execute them from where they arrive. We will not be moving the files to another location prior.

Retests after Failure

If you do fail on any of the points in the CE or CE Plus, then you need to remediate the issues identified within 30 days or a failure report will be generated.

Once a failure report is generated, you will need to rebook your assessment and pay again.

Cyber Essentials News