By Cyber Essentials assessor Euan Henderson
This document is a broken-down version of Indelible Data’s Cyber Essentials guide targeting some of the most common clarifications and how to avoid them.
- Always make sure that the organisation name given on the Cyber Declaration form and in answer to Q1.1 match – and both these match with that displayed on Companies House.. This requirement is designed to check that the certificate is exclusive for the organisation certifying and that it cannot be claimed by an organisation with a similar name such as Acme (UK) Limited and Acme Limited.
- If the organisation has decided to exclude parts of the network or networks from the Cyber Essentials assessment then they cannot answer ‘Yes’ to Q2.1 Does the scope of this assessment cover your whole organisation?
Therefore, the organisation must answer Q2.2 with the scope description.
- For Q2.6, we not only need to know the operating system that is running on devices but also its edition and version. For example, Windows 10 Pro v1909, MacOS Big Sur.
Please also be aware that whilst Windows 10 is now in continuous support, there is not always continuity on the feature versions that are supported ie. Windows 10 Enterprise 1809 is in support until May 2021 – however Windows 10 Home/Pro 1809 is no longer supported and cannot be accepted for Cyber Essentials.
- For Q2.7, we need to know the operating system and the version of the operating system in use on the mobile devices. We also need to know the make and model of the mobile devices in scope. For example, iPhone 12 running IOS 14.4.1, Google Pixel 5 running Android 11.
- For Q4.4 the organisation needs to provide the process they carry out for changing potentially compromised passwords for not only firewall admin accounts but also user accounts on user devices and any service presented by the firewall. This is not explicitly clear due to the question being located in the firewall section.
- Q4.5 is a question that often confuses applicants as it requires a double negative. The answer ‘Yes’ in this question is stating that the organisation has firewall rules in place that do not have a documented business case (documented approval request) for their creation. This would result in a Major Non-Compliance if this was the case.
- Question 5.5 does seem to imply that an organisation must only answer ‘Yes’ if they provide services for internal access or allow external users like customers or shareholders to access sensitive information.
An organisation must answer yes to this question if it allows access to sensitive or critical business data remotely via a method like VPN or RDP access, or a file server. Then the subsequent questions of 5.6 to 5.9 must also be answered.
- For question 6.2, please remember to include a summary of the key applications and frameworks in use including their versions where possible. For example, Office 365, Adobe Reader DC, Java 8, Google Chrome, .Net Framework 4.8 etc. Not every application must be listed, only the key ones ie. commonly used and can access or transfer data.
- For question 6.4 please remember to include the patching process for firewall, mobile devices, servers and computers for critical or high-risk vulnerability fixing patches.
- Section 7 focuses on processes. An organisation must have the processes and controls in place for this section regardless of the size of the organisation. A good example of this is having a formally documented process for granting access to admin accounts.
Most micro or small companies will not have this in place, but is a requirement of Cyber Essentials and must be implemented to pass this requirement.
Failure to do so will result in a Major Non-Compliance for this question or any answer that does not meet the requirement.