Cyber Essentials Plus - Get A Lot of Help

Conditions

Cyber Essentials Plus involves a technical audit of the systems that are in scope for Cyber Essentials. This includes a representative set of workstations, mobile devices, internally hosted servers, and build types used by the organisation’s end users to complete their day-to-day duties. The number of builds is defined by the number of configurations of operating systems and software suites installed. If more than one browser or Office suite is used, each variant will need to be tested. If they are installed on the same build, this is acceptable.

• This package includes a Cyber Essentials Plus audit at one location, of one type of user account, on up to ten sample devices. One location refers to one physical office/site, or all devices/machines selected for testing being on the same network. Additional workstations, mobile devices, server devices and build types may need to be tested to meet the sampling requirements of the scheme. If you require more than ten end-user workstation or server devices to be tested, you will need to purchase Cyber Essentials Plus Certification – Additional Device Testing. This testing will be conducted remotely in most instances.
• If you fail any of the Cyber Essentials Plus testing performed as part of the overall engagement, we will provide you with details of further tests required. Cyber Essentials Plus final reports must be completed no more than 30 days after the start date of the first scans. Any remediation work and required retesting must be completed with sufficient time for QA and generation of the report and certificate within this time frame. These tests will be billed separately.
• The package includes an external vulnerability scan for up to 16 IP addresses. If you have more than 16 IP addresses, you will need to purchase additional IP packages in packs of 16. If you fail your external scan, a rescan will need to be purchased, plus any additional IP packages that you need to cover the failing IP addresses if you have more than 16 IP addresses.
• If you ask that testing is undertaken at your business location, additional expenses will be charged to accommodate our consultant’s travel time and costs for the on-site assessment. These will be billed separately.
• Cyber Essentials certification: if you are not successful on your first submission for Cyber Essentials, you have two working days to submit a further attempt for certification. If you are not successful on your second submission, you will need to reapply at the cost of a new application.
• If your Cyber Essentials Plus application is unsuccessful, your Cyber Essentials certification may be revoked.
• If your Cyber Essentials Plus application is not fully completed within three months of the date of your Cyber Essentials certificate, you will need to repeat your Cyber Essentials certification at full cost.
• You can use your Cyber Essentials remote consultancy support time throughout the application process, but any unused time cannot be credited back or carried over.
• The charge for the Cyber Essentials certificate is included in the package and depends on the size of your organisation.

All of our Cyber Essentials (and Cyber Essentials Plus) packages include the cost of Cyber Essentials certification, as set out by IASME. Any additional charges above the cost of Cyber Essentials certificate are for consultancy services. The level of consultancy services delivered will vary based on organisation size.

This Cyber Essentials package includes the cost of your Cyber Essentials certification, as set out by IASME. Additional charges are for additional services delivered.

Please ensure you select the correct package for your organisation size. Prices quoted are available for purchase online through the website only. Any purchases processed offline through our sales teams will be subject to a £50 administration fee.

Test requirements

• All user devices are subject to testing and will be agreed upon before the testing date, including workstation, server devices within scope, mobile and BYOD (bring your own device), and must be available for testing on the agreed date/during the engagement.
• All devices within the scope of testing must be in use user devices and cannot be built specifically for testing.
• A genuine local user account with username and password must be available for each user in scope.
• Devices must have Internet access, allow emails from our test domain and be accessible by our test web server (https://ces.itgovernance.co.uk).
• You must provide details of a user email account per user being assessed.
• Workstation builds and server devices must be configured to allow an authenticated vulnerability scan that will determine patch and version numbers of installed software, and you must provide or enter details of the administrative user account to be used.
• Remote registry must be enabled on the workstation builds and server devices, and no global policies that block the authenticated vulnerability scan are permitted.

*Optional free cyber insurance available to UK companies with a turnover of less than £20 million. This includes a 24-hour helpline to report a cyber incident, which will provide crisis management and incident response, with a total liability limit of £25,000. See a full breakdown of what’s included here.