I'm about to go through a Cyber Essentials Plus (CE+) audit and I'd love to hear from anyone who has recently experienced it. What should I prepare for? I've helped a business with their Cyber Essentials certification before and now need to get ready for the next step with CE+. Specifically, what software will they ask me to install, and what does it actually do? Any helpful tips for making this process smoother?
4 Answers
A good strategy is to have a clear inventory of devices you'll include in the assessment and make sure they’re all up-to-date. Regularly applying patches to your operating systems and applications is key. Some overlooked things can be legacy applications or outdated BIOS that you might not consider often. Automating your updates can also help!
For the CE+ audit, you'll be asked to install a Qualys agent on your devices. This agent runs daily scans and sends reports about any vulnerabilities that have been discovered. Usually, you'll need to show the auditor that users don’t have local admin rights and that your antivirus is up and running. The auditor will also send test emails to check your email filters and provide files to test antivirus reactions. Make sure to keep everything updated to pass!
Don't forget about the importance of MFA! Ideally, you should gather those login screenshots beforehand to save time.
I'm currently in the middle of my CE+ assessment. From my experience, you'll likely have to install an agent like Tenable for scans. It's crucial to prepare your devices for checking, but I've found it can get chaotic if the assessor doesn't send the checklist ahead of time. We had very little time to prep, which made things stressful!
The CE+ process is essentially verifying the claims made in your CE certification, and it usually involves a detailed session with the assessor. They will send you a quote based on your infrastructure size and require a date, communicating through a platform like MS Teams. Expect them to check your antivirus, validate that no local admin rights exist, and verify that you're implementing 2FA/MFA across your applications. It's also okay to keep busy with your work while they carry out the checks, but being available for communication is key!

This pretty much covers the essentials, but you should also be ready to log into all applications you listed on your form to show that Multi-Factor Authentication (MFA) is active. That's a big part of it!
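The answers above keep coming back to the same device-level checks: no users with local admin rights, antivirus running with current signatures, operating system and application patches applied, and easily forgotten items such as BIOS age. The script below is an added example, not something posted in this thread or supplied by any CE+ assessor; it gathers that evidence from a Windows 10/11 endpoint using built-in cmdlets so you can spot problems before the assessor's agent does. The `$ExpectedAdmins` allow-list and the 14-day patch window are assumptions you should set for your own environment, and it assumes Microsoft Defender is the antivirus in use (replace the `Get-MpComputerStatus` section if you run a third-party product).

```powershell
# Added pre-assessment check for a Windows endpoint (example code, not from the thread).
# Assumes Windows 10/11 with Microsoft Defender and PowerShell 5.1 or later.
function Get-CePreCheck {
    param(
        # Hypothetical allow-list of accounts permitted in the local Administrators group.
        [string[]] $ExpectedAdmins = @("$env:COMPUTERNAME\Administrator"),
        # Assumed patch window: updates older than this are flagged.
        [int] $MaxPatchAgeDays = 14
    )

    $result = [ordered]@{ Computer = $env:COMPUTERNAME; Checked = Get-Date }

    # 1. Local admin rights: list group members and flag anything not on the allow-list.
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $result.LocalAdmins           = $admins
    $result.UnexpectedLocalAdmins = @($admins | Where-Object { $_ -notin $ExpectedAdmins })
    $result.CurrentUserIsAdmin    = ([Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. Antivirus: Defender enabled, real-time protection on, signatures recent.
    $mp = Get-MpComputerStatus
    $result.AVEnabled            = $mp.AntivirusEnabled
    $result.AVRealTimeProtection = $mp.RealTimeProtectionEnabled
    $result.AVSignatureAgeDays   = $mp.AntivirusSignatureAge
    $result.AVSignaturesStale    = $mp.AntivirusSignatureAge -gt 1

    # 3. OS patching: most recent hotfix and whether a reboot is still pending.
    $lastHotfix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $result.LastPatchInstalled   = $lastHotfix.InstalledOn
    $result.PatchOlderThanWindow = ((Get-Date) - $lastHotfix.InstalledOn).Days -gt $MaxPatchAgeDays
    $result.RebootPending        = Test-Path `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    # 4. Firmware: BIOS/UEFI version and release date (easy to overlook, as the first answer notes).
    $bios = Get-CimInstance Win32_BIOS
    $result.BIOSVersion     = $bios.SMBIOSBIOSVersion
    $result.BIOSReleaseDate = $bios.ReleaseDate

    # 5. Installed application inventory with versions, for checking against vendor support status.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $result.InstalledSoftware = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique

    [pscustomobject] $result
}

# Run it and keep a per-device JSON record as evidence for the assessment day.
$check = Get-CePreCheck
$check | Select-Object -ExcludeProperty InstalledSoftware | Format-List
$check | ConvertTo-Json -Depth 3 | Set-Content -Path "$env:COMPUTERNAME-ce-precheck.json"

# Anything in these fields needs fixing before the assessor connects.
if ($check.UnexpectedLocalAdmins.Count -gt 0) { Write-Warning "Unexpected local admins: $($check.UnexpectedLocalAdmins -join ', ')" }
if (-not $check.AVRealTimeProtection)          { Write-Warning 'Real-time antivirus protection is off' }
if ($check.AVSignaturesStale)                  { Write-Warning 'Antivirus signatures are more than a day old' }
if ($check.PatchOlderThanWindow)               { Write-Warning "No update installed in the last $($check.Checked.Subtract($check.LastPatchInstalled).Days) days" }
if ($check.RebootPending)                      { Write-Warning 'A reboot is pending; updates are not fully applied' }
```

Run it from an elevated prompt on each device in your scope inventory and keep the JSON files together; they give you a dated baseline to compare against whatever the assessor's scanning agent reports. Note that `Get-HotFix` only reflects Windows updates, so third-party applications still have to be checked from the `InstalledSoftware` list against each vendor's current release.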