Logo Transparent

The Cyber Essentials Plus Tests

A Cyber Essentials Plus assessment consists of 7 tests:

  1. An external vulnerability assessment
  2. An internal vulnerability assessment 
  3. A malware protection assessment
  4. Email malware protection assessment
  5. Web malware protection assessment
  6. Multi factor authentication assessment
  7. Account separation tests
These tests are described in turn below. 

Test 1. External Vulnerability Assesments

  • In a cyber essentials plus audit, the Key Sigma consultant will scan your company’s external services. 

The company will pass the assessment providing that:

  •  The services do not include high risk vulnerabilities (with a CVSS 3.1 score greater than 7).
  • For all services that give access to information that is either non-public or writable: 
           ○ Users need to authenticate to access the service 
           ○ Multifactor authentication is in use.
For services that do not have multifactor authentication available:
  • Default passwords must have been changed
  • The service must throttle login attempts or lock users out

Test 2. Internal Vulnerability Assesments

Cyber Essentials Security Update Management

An internal vulnerability scan of your internal assets will be performed by the Key Sigma assessor against selected sample devices, including servers.

 The scan needs to be performed with administrative privileges (in a credentialed patch audit). The discovery of any vulnerabilities with any of the following characteristics results in a failure:

• Vulnerabilities rated High or Critical by the vendor for which a patch was released more than 14 days ago. 

• Vulnerabilities rated at 7 or higher on the CVSS scale for which a patch was released more than 14 days ago.

Test 3. End User Device Malware Protection

As part of the cyber essentials plus audit, the Key Sigma consultant will check your company’s servers, desktops, computers, tablets, laptops. mobile phones Infrastructure as a Service (IaaS), PaaS and Software as a Service (SaaS) for malware protection. As part of the assessment the Key Sigma assessor will verify that your malware protection is functional. 
There are three categories of malware protection that satisfies the cyber essentials malware protection requirements: 


1)  Antimalware with its definitions no more than 24 hours old and with its engine updated within the past 30 days. 

2) App store or code signing is enabled

3) Application sandboxing is deployed


Test 4. Email Malware Protection Assessment

As part of the cyber essentials plus audit, the Key Sigma consultant will send emails to an account on your system containing inert malware files.

 These files have been created with all the hallmarks of a malicious untrusted file as they are unsigned and uncommon and should trigger software restriction policies. 
To pass the assessment, the malware attachment must be blocked by the mail filter on your mail server or by the mail client.

Test 5. Web Malware Protection Assessment

As part of the cyber essentials plus audit, the Key Sigma consultant will test the secure configuration of all of your browsers. 

To pass the assessment, all of the browsers must present a warning about or block the inert malicious binary hosted by the Key Sigma assessor. 
To pass the assessment all virus files must be blocked, all executable files must prompt a warning or require user interaction before being run (this is the two click rule).

Test 6. Multifactor Authentication Test Assessment

To confirm the use of multi-factor authentication the Key Sigma assessor will observe users accessing cloud services using their organisation issued accounts on an untrusted device.

 If thee test results in the user being prompted for a form of MFA before access is granted then a pass is awarded.

This test is performed on all cloud services which are tested for user and administrator access.

Test 7. Account Separation Assessment

The cyber essentials plus standard requires administrative and user accounts to be separated. 

To confirm this in the Cyber Essentials Plus assessment, the key sigma consultants will try to run administrative processes on our standard user accounts. 

A pass is obtained if the user is prompted for an additional login and the process does not run using the user account details. 

How to Start Your Assessment

Begin Your Cyber Essentials Plus Journey With a Free Consultation With a Key Sigma Technical Expert!

Shopping Cart