3 Top Tips When Approaching CE Certification

1. Read the latest version of the official Cyber Essentials documents from the NCSC website.

This may sound somewhat uninspiring, but it’s also a requirement for certification and an area where we often find organisations fall short.  You’ll need to confirm that you’ve read the ‘Cyber Essentials Requirements for Infrastructure’ (v3.1, released in April 2023, is the most up-to-date version at the time of writing this blog) when answering the SAQ.  While there is a temptation to skim through it and answer ‘yes’ to this question, we suggest you think twice.  If you’re looking to obtain the CE certification without any issues, it is important to read the ‘Requirements for Infrastructure’ very carefully, particularly if you are attempting to certify without seeking any external advice.

The latest documentation from the NCSC can be found here: https://www.ncsc.gov.uk/cyberessentials/resources

Reading the ‘Requirements for Infrastructure’ once may even be not enough in order to fully understand the contents, and you may find yourself referring to it multiple times throughout your certification journey.  It is, in our opinion, probably the single most important document you will refer to in your CE certification process.

The document clearly defines the scope of the certification, outlines the concept of a subset and how to certify only a subset of your organisation.  It also defines the types of assets that should and should not be included in the scope (including ‘bring your own device’ or ‘BYOD’ devices, devices used for home working, wireless devices, cloud services, accounts used by third-parties, managed infrastructure, devices used by third parties, web applications, etc.).  Whenever you are unsure about how to answer a CE question, referring back to this document will, in most cases, resolve any uncertainty.  Are BYODs in scope?  Should you include your wireless access point?  Is a minimum password length of 8 characters in line with CE requirements?  Does this requirement apply to your infrastructure as a service (IaaS) and mobile devices too?  You will find the document answers all of these questions and more.

For each technical control, the ‘Requirements for Infrastructure’ document indicates which assets it applies to (e.g., firewalls apply to boundary firewalls, desktop computers, laptops, routers, servers, IaaS, platform as a service or ‘PaaS’, and selling as a service ‘SaaS’).  It also outlines any specific technical requirements (e.g., what brute force protection mechanisms are acceptable: multi-factor authentication or ‘MFA', login throttling or locking accounts after no more than 10 failed attempts).

The CE requirements do change from time to time, so it is important to know what is required at the time of certification to avoid any surprises.

For CE+, the reference document is called “Cyber Essentials PLUS Illustrative Test Specification” (as with the CE reference document, v3.1, released in April 2023, is the current version at the time of writing this blog).

This is mostly aimed at assessors, but it can be useful to understand what constitutes a pass or a fail when you’re looking to certify against CE+.

2. Implement asset management

Although performing asset management is not an explicit CE requirement, it is incredibly useful in helping you meet the 5 technical controls of the CE scheme, creating a solid base for not only security but also other functions such as IT operations, financial accounting, procurement, etc.  It also helps enable other, more sophisticated disciplines such as vulnerability management, attack surface management, risk assessment, business continuity, and any other activity where its effectiveness relies on knowing that you have an asset (to protect, manage, dismiss, etc.).  Should your organisation be seeking to conform or certify to ISO 27001, you will find that asset management is a key requirement in the risk assessment process.  Simply put, you can’t protect what you don’t know you have.

‍

‍

An important aspect of the asset management process is the creation and maintenance of an up-to-date asset inventory, which includes the hardware and the software in use throughout your organisation (with varying degrees of details from operating systems to libraries installed as other software dependencies).  Effective asset management allows your organisation to understand what technology and information it has, identify out of date and unsupported software, identify any unnecessary systems to dismiss or plan future technology cycles in advance.

This tip is not always easy to implement if you don’t already have something in place, as asset management requires diligence and constant maintenance to provide accurate and up-to-date information.

However, while asset management alone is not sufficient for meeting the requirements of the CE technical controls, not conducting it makes the effective implementation of the NCSC-recommended security controls (and completion of the CE questionnaire) much more difficult.

3. Centralise and standardise management of IT assets

This may not apply to micro-organisations with less than 10 employees, but as the IT estate grows it becomes increasingly difficult to consistently manage all the servers, network devices, workstations, and mobile devices singularly.

Having systems that allow you to manage all your IT assets from one or few central locations in an easy and consistent way is a significant help in meeting the Cyber Essentials technical control requirements, as well as in reducing overall management complexity, the enemy of security.

Example of these systems include but are not limited to:

• Servers, endpoint and mobile device management tools that allow IT administrators to deploy updates to servers and end user devices, including third-party software installed on them;
• Configuration management and automation tools or standard/golden builds when deploying new devices which allow IT administrators to define an acceptable base operating system build that meets all security and business requirements of your organisation;
• Identity management solutions that allow IT administrators to centrally manage corporate user accounts.

One of the CE requirements that most organisations struggle to comply with is patching of all critical and high-risk vulnerabilities within 14 days from the patch release date.  This includes operating systems, but also applications installed on devices (e.g., Java, PDF readers, .NET Framework, browsers, Zoom, Dell Support Assist, Printer drivers, SQL servers, VPN clients, etc.).  Server and endpoint management tools can greatly assist in meeting this requirement.

The use of configuration management and automation tools or standard/golden builds help in meeting other CE requirements such as configuring local firewalls, removing unnecessary software and users, and configuring device locking.

The use of identity management solutions can help you meet other important CE requirements such as the use of MFA, setting password requirements, managing the user account lifecycle and defining user access permissions.

What about CE+?

In our experience, organisations that follow the above 3 tips are more likely to pass a CE+ assessment than organisations that don’t.  This is because the CE+ assessment includes a technical audit which verifies that what’s been declared in the SAQ is reflected in the devices used by the organisation.  In practice, the actual security of the devices is more in line with what the management expect.

A very common example relates to the patching of critical/high risk vulnerabilities.  It is not unusual for organisations to think they are meeting the CE patching requirements, and then discover during a CE+ assessment that multiple users have out of date software downloaded on their workstations.  In many cases, organisations are not fully aware that software has been installed, which is affected by critical or high risk vulnerabilities and which could be protected by patches that were released months ago.  It’s difficult to patch software that you don’t know you have, or that require individual users to perform the updates themselves.

This is not to say that this will never happen to organisations that have a working asset management process, a centralised patch management system that covers third-party software, and standard OS builds.  However, we definitely see a huge difference in the overall security posture when these systems, processes and policies are implemented, which is the primary objective of the Cyber Essentials scheme.

Extra tip: Seek professional advice

For different reasons, organisations may not have the time, knowledge, or resources to go through the certification process by themselves.

For example, smaller organisations without a specialised IT expert may struggle to understand the ‘Cyber Essentials Requirements for Infrastructure’ document from the NCSC.  If it’s the organisation’s first time going through the certification process, or if the organisation is more complex and there are edge cases not covered by the official documentation (should my K8s cluster be included in the scope?), it may be difficult to understand what needs to be included in the certification scope, what can be excluded, and to answer all the SAQ questions correctly.

In these cases, seeking professional advice from organisations with CE and CE+ expertise can result in a better outcome than trying to do everything without help.