Compliance Assessments: Cyber Essentials

Owned by Ryan Seymour
Apr 07, 2023
7 min read

Overview

Our wizard-driven assessment tool is based on the ‘Requirement for IT Infrastructure v3.1’ document.

We use a series of questions, user responses, and data from CCNS to create an action plan for helping you towards meeting Cyber Essentials compliance requirements.

The assessment is divided into 8 main sections, which include:

Some of the answers to the questions will be auto-populated by successful CyberCNS scanning data

Getting Started: Default Template

Navigate to Company > Compliance > Assessments > Cyber Essentials

Click on the Default Template to create your standardized template that can be used when creating new assessments. Once the default template is created, we will use that to create our first assessment.

Section 1 - YOUR COMPANY

  • 10 questions

  • In this section we need to know a little about how your organization is set up so we can ask you the most appropriate questions.

Once you have completed all required question fields, proceed to the bottom and click SAVE and NEXT to proceed to the next section.

You will repeat the two-step process above after each section has been completed with your answers by clicking on the Save and Next buttons at the bottom of the questionnaire.

Section 2 - SCOPE OF ASSESSMENT

  • 10 questions

  • In this section, we need you to describe the elements of your organization which you want to certify to this accreditation. The scope should be either the whole organization or an organizational sub-unit (for example, the UK operation of a multinational company). All computers, laptops, servers, mobile phones, tablets, and firewalls/routers that can access the internet and are used by this organization or sub-unit to access organizational data or services should be considered "in-scope". All locations that are owned or operated by this organization or sub-unit, whether in the UK or internationally should be considered “in-scope”. A scope that does not include user devices is not acceptable.

Section 3 - INSURANCE

  • 3 questions

  • All organizations with a head office domiciled in the UK or Crown Dependencies and a turnover of less than £20 million get automatic cyber insurance if they achieve Cyber Essentials certification. The insurance is free of charge, but you can opt out of the insurance element if you choose. This will not change the price of the assessment package. If you want the insurance, then we do need to ask some additional questions and these answers will be forwarded to the broker. The answers to these questions will not affect the result of your Cyber Essentials assessment. It is important that the insurance information provided is as accurate as possible and that the assessment declaration is signed by a senior person at Board level or equivalent, to avoid any delays to the insurance policy being issued.

Section 4 - BOUNDARY FIREWALLS AND INTERNET GATEWAYS

  • 12 questions

  • Firewall is the generic name for a software(host-based) or hardware device which provides technical protection between your networks and devices and the Internet, referred to in the question set as boundary firewalls. Your organization will have a physical, virtual or software firewall at the internet boundary. Software firewalls are also included within all major operating system for Laptops, Desktops and Servers. Firewalls are powerful physical, virtual or software devices, which need to be configured correctly to provide effective security.

Section 5 - SECURE CONFIGURATION

  • 10 questions

  • Computers and Cloud Services are often not secure upon default installation or setup. An ‘out-of-the-box’ set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications or services. All of these present security risks.

Section 6 - SECURITY UPDATE MANAGEMENT

  • 15 questions

  • To protect your organization you should ensure that all your software is always up-to-date with the latest security updates. If, on any of your in-scope devices, you are using an operating system which is no longer supported (For example Microsoft Windows XP/Vista/2003/Windows 7/Server 2008, MacOS High Sierra, Ubuntu 17.10), and you are not being provided with updates from the vendor, then you will not be awarded certification. Mobile phones and tablets are in- scope and must also use an operating system that is still supported by the manufacturer.

Section 7 - USER ACCESS CONTROL

  • 16 questions

  • It is important to only give users access to the resources and data necessary for their roles, and no more. All users need to have unique accounts and should not be carrying out day-to-day tasks such as invoicing or dealing with e-mail whilst logged on as a user with administrator privileges which allow significant changes to the way your computer systems work.

Section 8 - MALWARE PROTECTION

  • 1 question

  • Malware (such as computer viruses) is generally used to steal or damage information. Malware is often used in conjunction with other kinds of attack such as ‘phishing’ (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focused attack on an organization. Anti-malware solutions (including anti-virus) are available from commercial suppliers, some free, but usually as complete software and support packages.

Once you have completed all required sections and questions click on the Complete button at the bottom of the final section page.

Upon clicking Complete you will be returned to the Cyber Essentials assessment screen and you have created your ‘Default Template’ which can be used moving forward when creating a new assessment using the +Add button.

Getting Started: New Assessment

Navigate to Company > Compliance > Assessments > Cyber Essentials and choose the +Add button.

Complete the ‘Assessment Name’ required field which becomes the records saved name once saved.

Complete the remaining 8 sections as outlined above.

You can click the Save button at the bottom of any section of the questionnaire to save a Draft version of the assessment in case you can not fully complete when you start.

You can return back to the Assessments view at any time by clicking on the X at the top right of any section within the questionnaire.

Assessment Status

Assessment Actions

Edit: continue with updates/edits to an open assessment

Delete: permanently deletes the assessment

View/Download: starts the ZIP file download containing three files (DOCX, XLSX, and Evidence folder containing individual XLSX files with the answer/evidence collected during the assessment).

Example of the three file outputs as mentioned above:

Example of the individual evidence output inside the ‘evidence’ folder

Visit our YouTube Channel for the full video library: ConnectSecure

Click the video below for Compliance Assessments: Cyber Essentials overview: