Complying with Cyber Essentials and Cyber Essentials Plus

Scoping

What is in scope of Cyber Essentials?

Typically, devices owned by the certifying organisation will always be in scope for CE, as is most ‘bring your own device’ (BYOD) with the exceptions of BYOD used by students, managed service provider (MSP) administrators, customers, and third-party contractors.  BYOD presents its own set of unique challenges; users may not want you to administer their devices, so you may need to reach an agreement with them that will allow you to do so.

How do you define an effective Cyber Essentials certification scope?

Ideally, you will be certifying your entire organisation against CE, as this will help to ensure your whole organisation is secure and compliant. However, IASME understands that this is not always feasible.  For example, you may have an area of your organisation (usually a development network or a research area) that cannot comply with CE, which you would need to descope.  To do so, you can answer ‘no’ to the scoping question (question A2.1) in the SAQ and then specifically state which areas are being excluded in the following question.  This will be included in the description on your certificate.

The primary focus of CE is networks and the devices and services on those networks, and this should form the basis for your descoping and your certificate description, e.g. ‘Whole Organisation excluding development network’.  If you descope an area of your organisation which uses unsupported software, it is important to make sure it is compliant with the terms and conditions put forward by your cyber insurer, or you may invalidate your insurance policy.  

Do multinationals need to certify locations in other countries to receive a ‘Whole Organisation’ Cyber Essentials certificate?  

There are various ways you can approach this.  If you are a multinational registered in the UK, technically you are a UK legal entity and can, therefore, go for a ‘Whole Ogranisation’ certificate and add ‘everything included in the UK’.  If you’re using networks outside of the UK, you can answer ‘no’ to the scoping question and exclude those networks from your scope.

If you have a website hosted by a third party that does not hold any private data, do you have to include it in your Cyber Essentials scope?

No, as there is no company data you wish to keep private and the service is provided by a third party, it can be automatically excluded.

Can you use your local software firewall to create a subset to exclude something from the scope of your Cyber Essentials certification?

No, local firewalls cannot be used for this purpose.

If all of your servers are on their own network, and none have internet access, do you have to declare these in your Cyber Essentials SAQ?

There is no requirement to declare them.

Are load balancers considered a switch, and therefore not in scope of Cyber Essentials?

Most load balancers would be out of scope of CE.  If a load balancer was part of a boundary device, for example if it was built into a multi-homed router, it may be in scope, however even in this scenario it would be the router itself that is in scope.

End of Life Equipment and Software

Would switches which are no longer receiving firmware updates from the vendor be noncompliant with the Cyber Essentials requirements on end of life (EOL) equipment?

Generally, switches are out of scope for CE, however from a general security perspective there is a high risk that vulnerabilities will be present and could be exploited (particularly for managed switches).  A compromised switch could potentially allow traffic to be intercepted and/or manipulated.

Can you achieve Cyber Essentials while using EOL devices if the vendor has said they will continue to support them?

This depends – if the vendor will provide updates for all vulnerabilities classed as high or critical then yes, if they will only provide critical fixes then no.  If you are relying on any cyber insurance, you should confirm with them if this is acceptable.

If your router is EOL but the vendor is still releasing updates, does this mean it’s compliant with Cyber Essentials?

In most situations this would not be compliant as many vendors may release a patch after the EOL date, but this may not be guaranteed and in some instances even where a vendor states they will continue to provide patches they usually only do so for critical vulnerabilities, the requirement for Cyber Essentials is that both Critical and High vulnerabilities should be patched.  If the vendor confirms they will cover all critical and high rated vulnerabilities, then that would be acceptable.

If you have unsupported software, can you isolate it as a virtual machine (VM) and achieve Cyber Essentials certification?

This would only be compliant if the Host was also segregated.  For CE, isolating via only the VM is not compliant.

Bring Your Own Device (BYOD)

How do you ensure the use of BYOD is compliant with Cyber Essentials?

Depending on the device, as long as the BYOD is meeting the requirements of CE there shouldn’t be any issues that would prevent you from achieving certification (i.e. shouldn’t be logged in with an admin account for day-to-day work, everything running on the device should be supported including the OS, it should comply with malware requirements, etc.).  Ideally, BYOD should be managed by a mobile device management (MDM) solution, however this is not compulsory and you can use an agreed policy with the owner/user of the BYOD that they will follow any guidelines you have in place.

Are BYOD mobile phones in scope for Cyber Essentials?

BYOD does include phones, however if the phone is not used to access company data or company networks, it can be excluded from scope.

If you only use mobile phones to access emails can they be excluded from your Cyber Essentials scope?

No, emails and instant messaging are considered company data and mobile phones that access them would, therefore, be in scope.  Mobile phones can only be excluded is if they are just used to make phone calls, regular SMS or as an authenticating device for multi-factor authentication (MFA).  It’s important to note that if the phones rely on Wi-Fi, then this should be a guest type segregated from the rest of the network.  If the Wi-Fi is not a ‘guest’ type the mobile phones must be listed as accessing the network which would place them in scope.

Remote Working

How do you ensure remote workers using company provided devices on their home networks are compliant with Cyber Essentials?

For Cyber Essentials compliance, nothing additional is required for a home user over an on-premise user, but from a general security perspective it can be useful to provide these users with training to prevent and/or combat issues.  Ideally, they should use a segregated network, usually via virtual local area networks (VLANS) or possibly using double network address translation (NAT), however if using a standard internet service provider (ISP) provided router this is unlikely to be an option.  For most home users, we would recommend they use the guest network on the router to segregate from all other devices in the home, however this again is a suggestion and not a CE requirement.

If you don’t have a physical office and all staff work from home, what do you declare as network equipment in your Cyber Essentials SAQ?

Assuming that all routers in use are ISP provided by the end users own ISP, you can simply state in your SAQ that there is no office and all routers provided by employees ISP.  If you choose to certify against CE+, a vulnerability scan will need to be run on one of the directors’ routers.

General

Does Cyber Essentials Plus assessment include an onsite physical audit?

There is no requirement for an onsite visit, all necessary tests can be run remotely.

Can organisations with only one team member certify to Cyber Essentials?

Absolutely – we regularly certify one person organisations.

Are privileged access management (PAM) tools compliant with the Cyber Essentials non-admin user privilege requirement?

PAM solutions are acceptable, however the elevation of privilege should not be on the user’s standard account but done on an additional account that is only used when required for admin tasks.

If you only have one user in the organisation, can you use a single account for Microsoft 365?

No, there must be clear separation of accounts, and you should be using a separate account for admin tasks.

Would the use of generic user account names, such as ‘reception’, constitute an instant Cyber Essentials fail?

Depending on the specifics, this could be anywhere from a single major noncompliance to multiple, which would result in a fail.

Can you only achieve Cyber Essentials Plus certification if you don’t have any vulnerabilities?

Cyber Essentials Plus certification requires you to have no patchable vulnerabilities, and none which have a common vulnerability scoring system (CVSS) of 7 or higher.  If a vulnerability currently has no patch available, or if it can be fixed by a configuration change, it will be marked as compliant.

Are 8 character passwords compliant with Cyber Essentials?

Only if you confirm the use of MFA and/or automated deny lists.  If you cannot confirm this then the minimum password length must be at least 12 characters to be compliant, and this is applicable to any type of account used within the organisation. For cloud accounts, MFA is compulsory.

How does asset management assist with effective risk assessment?

There are multiple ways in which asset management can benefit risk and security management. The most fundamental of these is that if you don’t know what you have, how can you know that what you have is compliant.