What to expect during your Cyber Essentials Plus Audit

What to expect during your Cyber Essentials Audit with our auditors CyberSmart

To demystify the Cyber Essentials Plus audit process, we’ve put together this guide. 

The Cyber Essentials Plus audit aims to secure your business from known vulnerabilities, safeguarding your customers’ data. This not only helps ensure your business is working safely, but also builds trust with your customers and can help you win new business.

The first step in completing the Cyber Essentials Plus audit is to let our audit partners CyberSmart know that you are ready to schedule an audit:

How to Schedule your Cyber Essentials Plus Audit

Once you have confirmed, you’re ready to begin your Cyber Essentials Plus journey. CyberSmart will send you the Qualys agent to deploy to your devices. This agent will scan your machines for known vulnerabilities and compare them against the National Vulnerability Database. Any vulnerabilities found with a CVSSv3 score of 7 and higher (Critical/High) will need to be resolved. 
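The threshold rule above (anything scored 7.0 or higher under CVSSv3 must be fixed before the audit) is easy to apply by hand to a handful of findings but error-prone across a fleet. The script below is an added example, not CyberSmart's or Qualys's own tooling: it reads a simple CSV export, maps each CVSSv3 base score to its qualitative band (Low, Medium, High, Critical, per the CVSS v3 specification), and lists the findings that would block certification. The three-column CSV layout and the sample rows are constructed for the example; a real scanner export will have different column names.

```python
"""Triage a vulnerability-scan export against the Cyber Essentials Plus
CVSSv3 >= 7.0 threshold.

The CSV column layout (host, title, cvss_v3) is an assumption made for this
example; the findings themselves are constructed, not real scan output.
"""
import csv
import io
from dataclasses import dataclass

# Findings at or above this CVSSv3 base score must be remediated before the audit.
BLOCKING_THRESHOLD = 7.0


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss_v3: float  # CVSS v3 base score, 0.0 - 10.0


def severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v3 score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_export(csv_text: str) -> list[Finding]:
    """Parse the assumed CSV layout into Finding records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Finding(row["host"].strip(), row["title"].strip(), float(row["cvss_v3"]))
        for row in reader
    ]


def blocking_findings(findings: list[Finding]) -> list[Finding]:
    """Return findings that fail the audit threshold, worst first."""
    return sorted(
        (f for f in findings if f.cvss_v3 >= BLOCKING_THRESHOLD),
        key=lambda f: (-f.cvss_v3, f.host),
    )


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity band, for a quick readiness view."""
    counts = {band: 0 for band in ("Critical", "High", "Medium", "Low", "None")}
    for f in findings:
        counts[severity(f.cvss_v3)] += 1
    return counts


def remediation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Group blocking findings by host so each device owner gets a fix list."""
    plan: dict[str, list[str]] = {}
    for f in blocking_findings(findings):
        plan.setdefault(f.host, []).append(f"{f.title} (CVSSv3 {f.cvss_v3})")
    return plan


# Constructed sample export (not real scan data).
SAMPLE_CSV = """host,title,cvss_v3
laptop-01,Outdated browser with known remote code execution flaw,9.8
laptop-01,Weak TLS cipher suite enabled,5.3
laptop-02,Missing operating system security update,7.5
server-01,Informational service banner disclosure,0.0
laptop-03,Unsupported PDF reader version,8.1
laptop-03,Directory listing enabled,3.7
"""

if __name__ == "__main__":
    findings = parse_export(SAMPLE_CSV)
    print("Severity summary:", summarise(findings))
    for host, items in remediation_plan(findings).items():
        print(f"{host}: fix before audit -> {items}")
```

Run it against your own export (after adjusting the column names in `parse_export`) a few days before the assessment date so that every host with a High or Critical finding has been patched and rescanned before the auditors connect.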

On the day of the assessment, the following will take place:

  • Internal credentialed vulnerability and patch audit scan of all sample devices in scope using Qualys (unless you have your own PCI DSS approved scanner)
  • External vulnerability scan of externally facing IPs/services
  • Observing how devices process emails with test attachments – access to the user's device is required via screen sharing. The email address of the user of the in-scope device will be required, not a generic one generated for the assessment
  • Observing how devices handle downloads of file attachments from our test websites – access to user devices is required via screen sharing
  • Checking the installation and configuration of anti-virus software
  • iOS / mobile checks (if in scope)
  • Multi-Factor Authentication (MFA) test on all Cloud Services listed in the Cyber Essentials self-assessment, to ensure MFA is enabled on both Admin and User accounts
  • Confirming account separation between Admin and User accounts

During the assessment, the auditors will carry out the Cyber Essentials Plus audit, which includes a scan of your external IP addresses. Please note that the scan can only be completed if you have signed our consent form. This will be emailed to you during the process.

It’s vital the consent form is returned to CyberSmart before the day of the audit in order to ensure that it can be completed without delay. 

Once the audit has been successfully completed, CyberSmart will upload the results to IASME and issue your certificate.

For more information on the Qualys agent please see CyberSmart's guide to deploying the Qualys agent.

Qualys Installation guide

If you have any questions on the Cyber Essentials Plus process please reach out to your account manager, or directly to your CyberSmart audit contact.