# Cyber Essentials Plus Readiness Pack

A practical readiness pack for the UK government-backed **Cyber Essentials Plus** certification (NCSC scheme). Walks you through the five technical control areas, the evidence assessors actually want to see, and the most common reasons organisations fail their first attempt. MIT licensed. Authored by VantagePoint Networks.

**Audience:** IT Managers, Heads of IT, Information Security Leads, MSP Account Managers
**Use this when:** preparing for first certification, renewing, helping a customer through it, or self-assessing maturity ahead of a Cyber Essentials (basic) submission.

---

## 1. What Cyber Essentials Plus is (and isn't)

- **Is:** UK government-backed certification, audited by an external Certification Body, valid for 12 months. Required for many UK public-sector contracts and increasingly demanded by supply-chain customers in regulated sectors.
- **Is:** Five technical control areas. The "Plus" tier means an external assessor verifies the controls via an audit, not just a self-assessment questionnaire.
- **Is NOT:** A substitute for ISO 27001 / SOC 2 / NIS2. It's a baseline.
- **Is NOT:** Permanent. Re-certification annually.

## 2. The five control areas

1. **Firewalls** — boundary firewalls and personal/host firewalls
2. **Secure configuration** — devices and software configured to reduce vulnerabilities
3. **User access control** — access on a need-to-know basis
4. **Malware protection** — anti-malware on all devices
5. **Security update management** — patching within 14 days of release

The Plus assessment validates each through evidence + on-system tests on a sample of devices.

## 3. Scope decision (the most overlooked step)

Define your boundary first. Get this wrong and the audit gets ugly.

**Include:**
- All end-user devices (laptops, desktops, mobiles, tablets) used to access organisational data
- All servers in scope (cloud or on-prem) hosting the in-scope services
- All routers and firewalls between in-scope devices and the internet
- All cloud services where organisational data is processed (M365, Google Workspace, Azure, AWS, etc.)
- BYOD if used to access organisational data (very common pitfall)
- Home workers' machines if used for work

**Exclude (only if validly out of scope):**
- Subset scope: a clearly segmented business unit can be certified separately, but document the boundary and the segmentation that enforces it.
- Devices that genuinely cannot access organisational data (e.g. air-gapped lab kit).

**Common mistakes:**
- Forgetting BYOD phones with Outlook installed.
- Forgetting MSP-managed devices (you're responsible).
- Forgetting third-party contractor laptops accessing your SaaS.

## 4. Control area 1 - Firewalls

### Requirements
- All in-scope devices have a correctly configured firewall (perimeter or software).
- Default password changed on the firewall.
- Inbound services from the internet blocked unless documented and required.
- Where inbound is required: the rule is restricted by source and authenticated.
- Default deny on inbound.

### Evidence to collect
- [ ] Firewall device inventory (model, location, role, config date)
- [ ] Configuration export (current running config) for boundary firewalls
- [ ] Screenshot or export of inbound rule list with business justifications
- [ ] Evidence of changed default admin password (e.g. password complexity policy + last-changed date)
- [ ] For software firewalls: GPO / MDM policy showing firewall enabled and configured

### Common findings
- Default admin password on a router unchanged.
- Inbound RDP / SSH exposed to the internet (a hard fail).
- Software firewall disabled on a sample device.
- A rule allowing "any → any" left in for "testing".

### Remediation tips
- Enforce host firewall via MDM / GPO; report on compliance.
- Replace any inbound services exposed to the open internet with a VPN / ZTNA.
- For routers / firewalls: put admin access behind TACACS+ or RADIUS with named accounts, and document it.
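
The requirements and findings above reduce to a handful of mechanical checks on the inbound rule list. The script below is an added example (not VantagePoint code and not tied to any firewall product's export format): it takes constructed rule records, treats a prefix length of 0 as "any source", and flags the four things assessors keep finding: a non-deny default, any→any rules, RDP/SSH reachable from the internet, and open rules with no justification or no authentication in front of the service. The `Rule` fields and the `ADMIN_PORTS` list are assumptions; map your own export onto them.

```python
"""Inbound rule review for Control Area 1 (constructed sample, not a product export)."""
import ipaddress
from dataclasses import dataclass

# Services this pack treats as a hard fail when reachable from the open internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    protocol: str                # "tcp", "udp" or "any"
    source: str                  # CIDR, or "any" / "0.0.0.0/0" for the whole internet
    dest_port: str               # "443", "3000-3100" or "any"
    justification: str = ""      # documented business reason for the rule
    authenticated: bool = False  # the exposed service authenticates callers (VPN, auth proxy)


def source_is_any(source: str) -> bool:
    """True when the source covers the whole address space (prefix length 0)."""
    if source.strip().lower() == "any":
        return True
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def port_matches(spec: str, port: int) -> bool:
    """Does a port spec ("any", "443", "3000-3100") include the given port?"""
    spec = spec.strip().lower()
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def check_inbound_rules(rules, default_action="deny"):
    """Return (rule name, finding) pairs; an empty list means nothing to fix."""
    findings = []
    if default_action.lower() != "deny":
        findings.append(("<policy>", "inbound default action is not deny"))
    for r in rules:
        if r.action.lower() != "allow":
            continue
        open_source = source_is_any(r.source)
        if open_source and r.dest_port.strip().lower() == "any":
            findings.append((r.name, "any -> any allow rule left in place"))
            continue
        for port, service in ADMIN_PORTS.items():
            if open_source and port_matches(r.dest_port, port):
                findings.append((r.name, f"{service} reachable from the internet (hard fail)"))
        if not r.justification.strip():
            findings.append((r.name, "no documented business justification"))
        if open_source and not r.authenticated:
            findings.append((r.name, "open to any source and the service is not authenticated"))
    return findings


# Constructed sample rule set; 203.0.113.0/24 is a documentation range, not a real customer.
SAMPLE_RULES = [
    Rule("allow-https-web", "allow", "tcp", "0.0.0.0/0", "443", "Public website"),
    Rule("allow-vpn", "allow", "udp", "0.0.0.0/0", "1194", "Staff VPN", authenticated=True),
    Rule("allow-rdp-temp", "allow", "tcp", "any", "3389"),
    Rule("allow-any-test", "allow", "any", "0.0.0.0/0", "any", "testing"),
    Rule("allow-ssh-office", "allow", "tcp", "203.0.113.0/24", "22", "MSP jump host", authenticated=True),
]

if __name__ == "__main__":
    for name, finding in check_inbound_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

On the sample set the VPN rule and the source-restricted SSH rule pass, the public HTTPS rule is reported only because it is open to any source without authentication in front of it (decide and document whether that is acceptable for a public website), and the temporary RDP rule produces three findings at once.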

## 5. Control area 2 - Secure configuration

### Requirements
- Unnecessary user accounts removed or disabled.
- Default accounts (where unavoidable) renamed and password changed.
- Default passwords on all software changed.
- Auto-run / auto-play disabled on all devices that can mount removable media.
- Unnecessary software removed (or disabled).
- Lock screen after idle period.
- Devices encrypted (BitLocker / FileVault / equivalent).

### Evidence to collect
- [ ] MDM / GPO policy documents showing screen lock timeout, encryption status
- [ ] Sample device configuration report (e.g. Intune compliance report, Jamf inventory)
- [ ] Default account inventory: which exist, which are disabled / renamed
- [ ] Software inventory per device class (laptop / server / mobile)

### Common findings
- BitLocker not enabled on all laptops (or recovery keys not escrowed).
- Auto-play not disabled.
- Old admin accounts (e.g. former IT staff) not removed.
- Default `admin` accounts on appliances unchanged.

### Remediation tips
- Push BitLocker via Intune and make encryption a device compliance requirement, so Conditional Access blocks unencrypted devices.
- Auto-play disable: GPO `Computer Configuration → Administrative Templates → Windows Components → AutoPlay Policies`.
- Quarterly access review purges dormant accounts (see `/access-review` skill).

## 6. Control area 3 - User access control

### Requirements
- User accounts subject to formal authorisation before being granted.
- Special accounts (admin) only used when admin access is required.
- Users / accounts removed or disabled when no longer needed.
- Unique credentials per user (no shared accounts).
- MFA on cloud / internet-facing services.
- Strong passwords / passphrase policy.

### Evidence to collect
- [ ] Joiner / mover / leaver process documentation
- [ ] HR / IAM linkage evidence (e.g. SCIM provisioning logs)
- [ ] List of admin accounts with named owners
- [ ] MFA enrolment report from Entra ID / Okta
- [ ] Conditional Access policy exports (or equivalent)
- [ ] Last access review date + outcome

### Common findings
- Admin used for everyday browsing.
- MFA not enforced on a legacy service.
- Service accounts with interactive sign-in.
- Shared credentials in a notes app.

### Remediation tips
- Separate admin accounts (`-adm` suffix), no email assigned.
- MFA on every cloud service, no exceptions for "test" accounts.
- Vault all service-account credentials, rotate them on a schedule, and block interactive human use.
- Use the `/access-review` skill quarterly.
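
The findings and remediation tips in this section are all checkable from a flattened identity export. The script below is an added example (not VantagePoint code and not the `/access-review` skill): it runs the checks over constructed account records and reports leavers still enabled, shared accounts, service accounts with interactive sign-in, missing MFA, admin accounts that carry a mailbox, and dormant accounts. The `Account` fields, the 90-day dormancy threshold and the `-adm` convention are assumptions to adjust to your tenant.

```python
"""Account hygiene checks for Control Area 3 (constructed records, not a tenant export)."""
from dataclasses import dataclass

DORMANT_AFTER_DAYS = 90  # assumption: matches the quarterly review cadence in this pack


@dataclass
class Account:
    upn: str
    kind: str                # "user", "admin", "service" or "shared"
    enabled: bool
    mfa_enrolled: bool
    has_mailbox: bool
    interactive_signin: bool # service accounts should have this off
    hr_status: str           # "active" or "leaver" (from the HR/IAM linkage)
    days_since_signin: int


def check_accounts(accounts):
    """Return (upn, finding) pairs for enabled accounts that breach the requirements."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are not a finding; they are the desired end state
        if a.hr_status == "leaver":
            findings.append((a.upn, "leaver still enabled"))
        if a.kind == "shared":
            findings.append((a.upn, "shared account; credentials are not unique per user"))
        if a.kind == "service":
            if a.interactive_signin:
                findings.append((a.upn, "service account allows interactive sign-in"))
            continue  # the human-account checks below do not apply
        if not a.mfa_enrolled:
            findings.append((a.upn, "no MFA enrolled"))
        if a.kind == "admin" and a.has_mailbox:
            findings.append((a.upn, "admin account has a mailbox; use a separate -adm account"))
        if a.days_since_signin > DORMANT_AFTER_DAYS:
            findings.append((a.upn, f"dormant for {a.days_since_signin} days"))
    return findings


# Constructed sample export (field order: upn, kind, enabled, mfa, mailbox, interactive, hr, days).
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", "user", True, True, True, True, "active", 1),
    Account("alice-adm@example.com", "admin", True, True, False, True, "active", 3),
    Account("bob-adm@example.com", "admin", True, True, True, True, "active", 2),
    Account("testadmin@example.com", "admin", True, False, False, True, "active", 5),
    Account("svc-backup@example.com", "service", True, False, False, True, "active", 0),
    Account("carol@example.com", "user", True, True, True, True, "leaver", 40),
    Account("reception@example.com", "shared", True, False, True, True, "active", 1),
    Account("dave@example.com", "user", True, True, True, True, "active", 120),
    Account("erin@example.com", "user", False, False, True, True, "leaver", 200),
]

if __name__ == "__main__":
    for upn, finding in check_accounts(SAMPLE_ACCOUNTS):
        print(f"{upn}: {finding}")
```

Note that the service account is exempted from the MFA check deliberately: the control for it is no interactive sign-in plus a vaulted, rotated secret, which is why the loop moves on after that test rather than reporting a misleading MFA gap.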

## 7. Control area 4 - Malware protection

### Requirements
- One of: anti-malware software, application allow-listing, sandboxed execution, on every in-scope device.
- Anti-malware software updated daily (or signatures auto-update).
- Anti-malware software configured to scan files automatically on access and on download.
- Web protection: blocks known-malicious sites.

### Evidence to collect
- [ ] AV / EDR deployment report showing 100% in-scope coverage
- [ ] Sample device showing AV running and signature date current
- [ ] Web filtering / DNS protection configuration (if used in lieu of AV web filtering)
- [ ] Allow-listing configuration (if used) — e.g. AppLocker / Windows Defender Application Control

### Common findings
- A handful of devices missing AV (often "VIP" exemptions).
- Signature definitions stale on devices that don't connect for weeks.
- Mobile devices not covered (no Defender for Endpoint / Mobile Threat Defence).

### Remediation tips
- Defender for Endpoint covers Windows / macOS / Linux / iOS / Android centrally.
- For mobile: enrol via MDM, deploy MTD agent, gate access on device compliance.
- Web filtering: a DNS-layer filter covers devices that are off the VPN too.
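
Control Areas 2 and 4 are usually evidenced from the same MDM compliance export, so they are worth checking together. The script below is an added example (not VantagePoint code): it evaluates constructed device records for encryption, screen lock, AutoPlay, anti-malware presence and signature age, and handles the failure mode called out above, a device that has not checked in for weeks, by reporting it separately, since a stale report cannot evidence anything. The `Device` fields and the three thresholds are assumptions; the page gives no idle timeout, so the 15-minute value in particular should be replaced with your policy's figure.

```python
"""Per-device checks for Control Areas 2 and 4 (constructed records, not an MDM export)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_SIGNATURE_AGE_DAYS = 3    # assumption: "updated daily" with a short grace period
MAX_CHECKIN_AGE_DAYS = 14     # assumption: older than this and the report is not evidence
MAX_SCREEN_LOCK_MINUTES = 15  # assumption: the page sets no number


@dataclass
class Device:
    name: str
    device_class: str                 # "laptop", "server" or "mobile"
    encrypted: bool
    screen_lock_minutes: Optional[int]  # None = no lock configured
    autoplay_disabled: Optional[bool]   # None = device cannot mount removable media
    av_installed: bool                  # anti-malware, or MTD agent on mobile
    signature_date: Optional[date]
    last_checkin: date


def check_device(d: Device, as_of: date) -> List[str]:
    """Return the list of findings for one device as of the given date."""
    findings = []
    if not d.encrypted:
        findings.append("disk encryption not enabled")
    if d.screen_lock_minutes is None or d.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        findings.append("screen lock missing or idle timeout too long")
    if d.autoplay_disabled is False:  # None means not applicable, so only an explicit False fails
        findings.append("AutoPlay / AutoRun not disabled")
    checkin_age = (as_of - d.last_checkin).days
    if checkin_age > MAX_CHECKIN_AGE_DAYS:
        findings.append(f"not seen for {checkin_age} days; reported state cannot be evidenced")
    if not d.av_installed:
        findings.append("no anti-malware / MTD agent")
    elif d.signature_date is None or (as_of - d.signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("anti-malware signatures stale")
    return findings


def check_fleet(devices, as_of: date) -> Dict[str, List[str]]:
    """Map device name to its findings; devices with an empty list pass both control areas."""
    return {d.name: check_device(d, as_of) for d in devices}


AS_OF = date(2024, 6, 30)  # constructed reference date for the sample

# Constructed sample export.
SAMPLE_DEVICES = [
    Device("LAP-001", "laptop", True, 10, True, True, date(2024, 6, 30), date(2024, 6, 30)),
    Device("LAP-002", "laptop", False, 10, True, False, None, date(2024, 6, 29)),   # "VIP" exemption
    Device("LAP-003", "laptop", True, 10, True, True, date(2024, 5, 31), date(2024, 5, 31)),  # away for a month
    Device("MOB-001", "mobile", True, 5, None, False, None, date(2024, 6, 30)),      # no MTD agent
    Device("SRV-001", "server", True, 60, False, True, date(2024, 6, 30), date(2024, 6, 30)),
]

if __name__ == "__main__":
    for name, findings in check_fleet(SAMPLE_DEVICES, AS_OF).items():
        print(name, "PASS" if not findings else "; ".join(findings))
```

LAP-003 is the case to notice: its signatures are only "stale" because the device has been off the network, and the second finding says so explicitly, which is what you need when deciding whether it belongs in the assessor's sample at all.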

## 8. Control area 5 - Security update management

### Requirements
- All software in scope is licensed and supported.
- Updates installed within **14 days** of release for high-severity / critical vulnerabilities.
- Auto-update enabled where available.
- Software no longer supported is removed.

### Evidence to collect
- [ ] Patch management tool report (Intune, ConfigMgr, WSUS, Jamf, BigFix)
- [ ] Sample compliance report showing installed patch level against vendor release dates (how old any outstanding update is)
- [ ] List of unsupported software currently in environment + remediation plan
- [ ] Vulnerability scan output (Defender for Endpoint TVM, Qualys, Tenable)

### Common findings
- 14-day SLA missed on browser / Java / Adobe updates.
- Unsupported Windows builds (e.g. Windows 8.1, Windows Server 2012) still in production.
- BYOD not covered by patch management.
- Firmware patching ignored (firewalls, switches, printers).

### Remediation tips
- Patching within 14 days is non-negotiable. Produce a quarterly attestation, backed by tool reports, that the window was met.
- Remove or replace any unsupported OS / application.
- For BYOD: gate access via Conditional Access compliance (must be on a current OS).
- Track firmware vulnerabilities in your firmware inventory (see `network-inventory-tracker.csv`).
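
The 14-day window is easy to state and surprisingly easy to mis-measure, because it runs from the vendor's release date, not from when your tool noticed. The script below is an added example (not VantagePoint code): it classifies constructed patch records against that window as of a chosen date, distinguishing overdue, still-within-window, installed-late (a breach that has since been fixed, which assessors still ask about) and unsupported software, and leaves low-severity updates outside the SLA as the requirement does. The `PatchRecord` fields and the support dates are assumptions for illustration.

```python
"""14-day patch window checks for Control Area 5 (constructed records, not advisory data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA = timedelta(days=14)
IN_SCOPE_SEVERITIES = {"critical", "high"}  # the page's "high-severity / critical" wording


@dataclass
class PatchRecord:
    device: str
    software: str
    severity: str                           # vendor rating of the fix
    released: date                          # vendor release date of the fix
    installed: Optional[date]               # None = fix not yet applied
    supported_until: Optional[date] = None  # None = still supported


def patch_status(rec: PatchRecord, as_of: date):
    """Classify one record; returns (status, days) where days is overdue/late/remaining."""
    if rec.supported_until is not None and rec.supported_until < as_of:
        return ("unsupported", (as_of - rec.supported_until).days)
    if rec.severity.lower() not in IN_SCOPE_SEVERITIES:
        return ("no-sla", 0)
    deadline = rec.released + SLA
    if rec.installed is None:
        if as_of > deadline:
            return ("overdue", (as_of - deadline).days)
        return ("within-window", (deadline - as_of).days)
    if rec.installed > deadline:
        return ("installed-late", (rec.installed - deadline).days)
    return ("ok", 0)


def sla_report(records, as_of: date):
    """Map (device, software) to its status tuple."""
    return {(r.device, r.software): patch_status(r, as_of) for r in records}


def breaches(records, as_of: date):
    """Sorted (device, software) keys that need an answer for the assessor."""
    bad = {"overdue", "installed-late", "unsupported"}
    return sorted(k for k, (status, _) in sla_report(records, as_of).items() if status in bad)


AS_OF = date(2024, 6, 30)  # constructed reference date

# Constructed sample; dates are illustrative, not taken from real advisories.
SAMPLE_RECORDS = [
    PatchRecord("LAP-001", "Chrome", "critical", date(2024, 6, 1), date(2024, 6, 5)),
    PatchRecord("LAP-002", "Chrome", "critical", date(2024, 6, 1), None),
    PatchRecord("LAP-003", "Java", "high", date(2024, 6, 20), None),
    PatchRecord("LAP-004", "Adobe Reader", "critical", date(2024, 5, 1), date(2024, 5, 20)),
    PatchRecord("LAP-005", "Internal tool", "low", date(2024, 5, 1), None),
    PatchRecord("SRV-001", "Windows Server 2012", "critical", date(2024, 1, 9), None,
                supported_until=date(2023, 10, 10)),
]

if __name__ == "__main__":
    for (device, software), (status, days) in sla_report(SAMPLE_RECORDS, AS_OF).items():
        print(f"{device:8} {software:22} {status:15} {days}")
```

Run it against a real export and sort by the `days` value: the overdue and unsupported rows are what the assessor will find, and the installed-late rows are what a quarterly attestation has to explain.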

## 9. The Plus assessment — what to expect

The external assessor will:

1. Review your scope and self-assessment.
2. Run an external port scan against your perimeter.
3. Run an internal vulnerability scan from a representative device sample.
4. Inspect a sample of devices (typically 5-15 depending on size) for evidence of all 5 control areas.
5. Issue a pass / fail report.

### Pre-assessment dry run
Two weeks before:

- [ ] Run your own external port scan (e.g. nmap, Shodan check)
- [ ] Run an internal vulnerability scan (Defender for Endpoint TVM or external tool)
- [ ] Pick 10 random devices, do a manual check against all 5 control areas
- [ ] Check patch SLA compliance on a sample (any device > 14 days behind = fix it)
- [ ] Confirm no admin account in the sample has a mailbox assigned or an MFA gap

### What an assessor often finds
- Vulnerable browser plugin not patched on a developer's machine
- One forgotten public-facing RDP
- A "test" cloud admin account without MFA
- An unsupported application (e.g. legacy Java plugin)
- A leaver still active in a SaaS tool

## 10. Annual cycle

| Month | Activity |
|---|---|
| -3 (pre-assessment) | Define scope, self-assessment, gap remediation |
| -1 | Internal mock assessment, fix all P1 findings |
| 0 | Cyber Essentials Plus assessment |
| +6 | Mid-year health check, validate controls still in place |
| +9 | Pre-renewal scope review, plan re-certification |
| +12 | Renew |

## 11. Useful related VantagePoint material

- **For configuration evidence:** the hardened config templates in `configs/` (Cisco, Fortinet, etc.) help meet Control Area 1.
- **For audit evidence collection:** the `/access-review` and `/config-auditor` skills accelerate sections 6 and 8.
- **For policy evidence:** the `/security-policy-drafter` skill produces the documented policies assessors look for under each control area.
- **For change evidence:** the `/change-request-writer` and `/cab-minute-taker` skills create the change history under "secure configuration".
- **Network Security Audit Checklist** (`runbooks/network-security-audit-checklist.md`) — overlaps significantly with Control Areas 1, 2, 5.

## 12. References

- NCSC Cyber Essentials scheme: https://www.ncsc.gov.uk/cyberessentials
- IASME (the scheme operator): https://iasme.co.uk/cyber-essentials/
- NCSC Requirements for IT Infrastructure (current scheme version)

---

**Authored by:** VantagePoint Networks (Hak, Senior Engineer & Author)
**Licence:** MIT — adapt freely.
