Cyber Essentials Plus Checklist & Requirements

Cyber Essentials Plus

Cyber Essentials Plus offers everything in the standard Cyber Essentials certification – but with one key difference: a hands-on technical audit of your systems.

This independent verification gives you a much higher level of assurance that your security controls are working as intended.

With IT Governance, certification is simple, remote and fully supported.

Cyber Essentials Plus checklist: what’s covered in the Plus audit?

To achieve Cyber Essentials Plus, you must already hold a valid Cyber Essentials certificate. You’ll then undergo a technical assessment of the five key control areas below.

Each control is tested during the audit to confirm it has been implemented correctly.

Firewalls

Create a secure boundary between your systems and external threats.

Requirements:

  • Change default admin passwords or disable remote admin access
  • Block unauthenticated inbound connections by default
  • Prevent remote admin access from the internet unless protected by MFA or an IP whitelist
  • Document and approve all inbound rules, with business justification
  • Remove permissive rules when no longer needed
  • Use host-based firewalls on devices used on public or untrusted networks

Secure configuration

Reduce risk by limiting access and disabling unnecessary features.

Requirements:

  • Remove/disable unnecessary user accounts and software
  • Change default or guessable passwords
  • Disable auto-run features that execute files without permission
  • Authenticate all users before granting access to data or systems
  • Use appropriate device locking controls for physically present users

Access control

Ensure only authorised users can access your systems – with the right level of privilege.

Requirements:

  • Have a clear account creation and approval process
  • Authenticate users with unique credentials
  • Remove accounts that are no longer needed
  • Implement MFA where available (mandatory for cloud services)
  • Restrict administrative accounts to admin activities only
  • Remove special access privileges when not needed

Malware protection

Stop malicious software from executing or compromising your systems.

Requirements (one or more of the following):

  • Anti-malware software
  • Application whitelisting
  • Sandboxing

If using anti-malware software:

  • Keep definitions updated daily
  • Auto-scan files on access (including downloads and network files)
  • Scan web pages in browsers
  • Block malicious websites unless you have documented, approved exceptions

If using application whitelisting:

  • Maintain an approved application list
  • Block installation of unsigned or invalid software

If using sandboxing:

  • Isolate code of unknown origin
  • Restrict access to sensitive resources (e.g. cameras, microphones, data stores, networks) unless explicitly allowed

Security update management

Keep all systems and software up to date to close known vulnerabilities.

Requirements:

  • Use only licensed and supported software
  • Remove unsupported software
  • Enable automatic updates wherever possible
  • Apply patches within 14 days for:
      – Critical or high-risk vulnerabilities
      – Vulnerabilities with a CVSS v3 score of 7.0 or higher
      – Any vulnerability with unknown severity
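As an added illustration, not part of IT Governance’s checklist or audit tooling, the Python below encodes the patching rule above (14-day window for critical/high, CVSS v3 7.0+, or unknown severity) and flags findings that have breached it. The inventory, host names and vulnerability ids are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Cyber Essentials thresholds taken from the checklist above
PATCH_WINDOW = timedelta(days=14)   # patches must be applied within 14 days
CVSS_THRESHOLD = 7.0                # CVSS v3 score of 7.0 or higher is in scope
AS_OF = date(2024, 3, 20)           # constructed "today" for the sample run


@dataclass
class Finding:
    host: str
    vuln_id: str              # constructed placeholder ids, not real CVEs
    fix_released: date        # date the vendor made a fix available
    severity: Optional[str]   # vendor rating, or None if none was given
    cvss_v3: Optional[float]  # CVSS v3 base score, or None if unscored
    patched: bool


def in_scope(f: Finding) -> bool:
    """True if the 14-day rule applies: critical/high, CVSS v3 >= 7.0, or unknown severity."""
    if f.severity is not None and f.severity.lower() in ("critical", "high"):
        return True
    if f.cvss_v3 is not None and f.cvss_v3 >= CVSS_THRESHOLD:
        return True
    # No vendor rating and no CVSS score: severity is unknown, so the rule still applies
    return f.severity is None and f.cvss_v3 is None


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """In-scope findings still unpatched more than 14 days after the fix was released."""
    return [f for f in findings
            if in_scope(f) and not f.patched and today - f.fix_released > PATCH_WINDOW]


# Constructed sample inventory (hypothetical hosts and ids)
SAMPLE = [
    Finding("laptop-01", "VULN-PLACEHOLDER-1", date(2024, 3, 1), "high", 8.1, False),
    Finding("laptop-02", "VULN-PLACEHOLDER-2", date(2024, 3, 1), "medium", 5.3, False),
    Finding("srv-01", "VULN-PLACEHOLDER-3", date(2024, 3, 10), None, 9.8, False),
    Finding("srv-02", "VULN-PLACEHOLDER-4", date(2024, 3, 1), None, None, False),
    Finding("srv-03", "VULN-PLACEHOLDER-5", date(2024, 2, 1), "critical", 9.0, True),
]

if __name__ == "__main__":
    for f in overdue(SAMPLE, AS_OF):
        print(f"{f.host} {f.vuln_id}: unpatched for {(AS_OF - f.fix_released).days} days")
```

Running it lists laptop-01 (high, 19 days) and srv-02 (unknown severity, 19 days); srv-01 is in scope but still inside its window, laptop-02 is medium severity and out of scope, and srv-03 is already patched.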

Get started with Cyber Essentials Plus

With IT Governance, the entire Cyber Essentials Plus process is completed remotely – no site visit required. We guide you through the self-assessment, then conduct the technical audit.

Not sure which level you need?

Whether you’re new to Cyber Essentials or upgrading to Plus, we’ll help you identify the right certification path for your organisation.

Fixed-price packages

Fast turnaround

One-to-one support throughout