
Cyber Essentials Plus Checklist: What to Ask Your MSP or IT Provider Before CE Certification

Getting ready for Cyber Essentials (CE) or Cyber Essentials Plus (CE+) certification is almost always a fact-finding mission. Inevitably you discover blind spots, or uncover gaps in coverage you thought you had. Whether you’re working with an internal IT team or a Managed Service Provider (MSP), asking questions to get a clear picture of your readiness upfront is the best way to plan and execute a certification journey.

The National Cyber Security Centre (NCSC) designed these frameworks to help organisations protect themselves against common cyber threats, but preparation is key. In our experience as an IASME Certification Body providing CE, and CE+, we discover all too often that teams don’t have the necessary controls or preparations in place, and have to scramble to fix this mid-engagement.

Here’s what you should be asking your IT team or third party IT provider ahead of Cyber Essentials certification or Cyber Essentials Plus assessment.

Our number one piece of advice…

First and foremost, I’d suggest that everyone who is interested takes a read of the core requirements of the standard itself, as this is the easiest way to compare your organisation with the requirements: Cyber Essentials Requirements. This gives you a gauge, without any reliance on a third party, of what the expectations and requirements are.

I also heartily recommend a read of the Test Specification, which outlines the exact tests carried out at Cyber Essentials Plus level: Cyber Essentials Plus Test Specification

Simple Organisational Questions

Let’s start with the basics. These are questions anyone in your organisation should be able to help answer:

Is our asset register up to date and available, and do we have the make and model of each of our devices?

A comprehensive asset register isn’t just good practice for cybersecurity; it’s a requirement for certification. This includes laptops, desktops, servers, mobile devices, and any other devices that connect to your network.

Do we have a full and ready list of all our cloud providers, and have we got MFA set up with them?

Multi-factor authentication (MFA) is non-negotiable for Cyber Essentials. If you’re using cloud services without MFA, you’ll need to address this before your assessment. Can’t enable MFA on a particular service? Consider bolt-on solutions like Duo MFA. Remember, CE doesn’t shift on this requirement: all cloud services need MFA.

Are mobile phones properly enrolled in MDM or another solution?

Mobile Device Management (MDM) helps ensure that phones accessing organisational data are secure and configurable from a central point. Cyber Essentials requires that mobile phones that can access organisational data are kept up to date and have company-approved profiles on them, as well as using an allow-list based approach to the installation of software. This is always a point of frustration if an organisation is using Bring Your Own Device (BYOD) and doesn’t have any control over devices that are accessing organisational data such as email.

MSP Specific Questions / IT Specific Questions

Now for some questions to put to the provider of your IT and security function…

Do we patch all vulnerabilities and misconfiguration issues ranked over CVSS 7 within 14 days of a fix being made available?

This is where things get specific. Vulnerability management is a core component of both CE and CE+, and the requirements are strict. You absolutely have to patch issues where a fix is made available and the vulnerability in question is considered high or critical risk.

You should be able to identify whether this is in place based on a Service Level Agreement or other contractual document that identifies exactly what you’re paying for. SLAs or contracts should include timelines on patching and the level of support and remediation coverage you have. We’ve seen all sorts of dodgy behaviour here, with ‘Service Level Definitions’ offered instead of contractual agreements that can be practicably measured or pointed to when in breach. Don’t fall into this trap: ambiguity is the enemy of control-based standards like Cyber Essentials. It’s vital you know exactly what type of coverage you have, and exactly what you’re paying for, in a way that’s comparable with other providers.

When we patch Windows devices, do we do that within the 14 days?

For Cyber Essentials Plus, you need to be applying updates that contain fixes for vulnerabilities within 14 days. This is sometimes at odds with organisational approaches that do a patch cycle once a month. Make sure your IT team or MSP can meet this requirement.

Does our coverage include support for keeping the specific applications on each device up to date?

Here’s a common pitfall: many support agreements cover Windows updates but not application updates. Check your agreement carefully. IASME and NCSC requirements for CE+ include operating system and application patches; both need to be managed effectively.
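As an added illustration of the patching questions above (example code written for this page, not from the post or from ADAS): a small Python check that classifies findings from a constructed scan export against the 14-day window for CVSS 7.0-or-above issues, and splits any breaches into OS versus application patches so the application-update gap is visible. The sample findings and asset names are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Window from the post: a fix for a high or critical vulnerability (CVSS 7.0
# or above) must be applied within 14 days of the fix being made available.
CVSS_THRESHOLD = 7.0
PATCH_WINDOW = timedelta(days=14)

@dataclass
class Finding:
    asset: str                   # device name from the asset register
    component: str               # OS or application the fix applies to
    kind: str                    # "os" or "application"
    cvss: float
    fix_available: date          # date the vendor released the fix
    patched_on: Optional[date]   # None while the fix is still outstanding

def deadline(f: Finding) -> date:
    """Last day on which applying the fix is still within the window."""
    return f.fix_available + PATCH_WINDOW

def assess(f: Finding, today: date) -> str:
    """Classify one finding against the 14-day rule."""
    if f.cvss < CVSS_THRESHOLD:
        return "out-of-scope"    # still worth patching, but not a CE breach
    if f.patched_on is not None:
        return "compliant" if f.patched_on <= deadline(f) else "late"
    return "overdue" if today > deadline(f) else "pending"

def breaches_by_kind(findings, today: date) -> dict:
    """Assets breaching the window, split by OS vs application patches.
    The split exposes the pitfall above: a contract that covers Windows
    updates but leaves application updates unmanaged."""
    out = {"os": [], "application": []}
    for f in findings:
        if assess(f, today) in ("late", "overdue"):
            out[f.kind].append(f"{f.asset}:{f.component}")
    return out

# Constructed sample scan export (not real data) for a check run on 2024-03-30.
TODAY = date(2024, 3, 30)
SAMPLE = [
    Finding("LAPTOP-01", "Windows 11", "os", 8.8, date(2024, 3, 5), date(2024, 3, 12)),
    Finding("LAPTOP-01", "Chrome", "application", 9.6, date(2024, 3, 1), date(2024, 3, 20)),
    Finding("SRV-02", "Windows Server", "os", 7.5, date(2024, 3, 10), None),
    Finding("LAPTOP-03", "Office", "application", 5.3, date(2024, 3, 2), None),
    Finding("LAPTOP-04", "Firefox", "application", 8.1, date(2024, 3, 25), None),
]
```

Run `breaches_by_kind(SAMPLE, TODAY)` to see which assets would fail the window; here the Chrome finding is late even though the Windows patching on the same laptop was fine.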

Does our level of support include hands-on remediation of misconfigurations, or will we be charged a day rate for this sort of support when it’s needed?

Understanding what’s included in your support agreement versus what costs extra is crucial for budgeting your Cyber Essentials journey.

Getting the Right Support

With any ambiguities, it’s helpful to get in touch with a specialist. We liaise directly with MSPs or IT teams and like to get these questions answered. We also have a great roster of MSPs we’ve enjoyed working with and can recommend in this space who are ‘Cyber Essentials Friendly’.

The key to affordable Cyber Essentials certification isn’t cutting corners or going for the cheapest list price; it’s being prepared and having the difficult conversations ahead of time. By asking these questions upfront, you’ll have a clear picture of where you stand and what needs to be done. This approach not only makes the certification process smoother but also ensures you’re building genuine cybersecurity resilience, not just ticking boxes.

Remember, Cyber Essentials and Cyber Essentials Plus aren’t just about getting a certificate. They’re about protecting your organisation from the most common cyber threats. The questions above will help you identify gaps in your current setup and work with your IT team or MSP to address them effectively. If you find blockers when asking these questions – good! You’ve uncovered a blind spot or missing area of focus that was sitting unattended in your system. As always, resilience is a journey not a destination, so keeping it zen and taking a ‘fact-finder’ mentality is going to be a must.

ADAS are IASME Cyber Essentials subject matter experts, providing certification for organisations of all shapes and sizes for CE and CE+. You should reach out if you’re thinking about Cyber Essentials for your organisation. Best of all, your first point of contact is always a Cyber Essentials Lead Assessor, so you can get to these important conversations with a single email.

Happy Wednesday.
