Cyber Essentials Plus vulnerability scan requirements

Any organisation wishing to achieve Cyber Essentials Plus certification must undergo internal and external vulnerability scans as part of their application.

What’s a vulnerability scan?

A vulnerability scan is run against your internal or external networks to identify the devices on them, together with the operating systems and software each is running. That inventory is then compared against a catalogue of known vulnerabilities to determine whether any of the discovered software or operating systems has weaknesses an attacker could exploit. The results are usually delivered as a report that breaks the vulnerabilities down per host.

Generally a vulnerability scan report will include the following for each vulnerability found:

  • Severity – generally rated from 0–5 with the ratings translating to “Informational”, “Low”, “Medium”
  • Threat – why the device has been flagged with a vulnerability
  • Impact – the consequence if the vulnerability is exploited by an attacker
  • Solution – a suggested way of resolving or mitigating the vulnerability
  • CVSS v3 Score – The Common Vulnerability Scoring System (CVSS) version 3 score (a number from 0 to 10). CVSS is a standard used by organisations to capture the characteristics of a vulnerability and score it based on those characteristics. More on this later.

What are the requirements for Cyber Essentials Plus?

For Cyber Essentials Plus, the assessor performs internal and external scans using an approved vulnerability scanning tool.

External scan

External scans are run against any externally facing (internet facing) devices and services that give access to the corporate network or to customer data.

If you choose to apply for Cyber Essentials Plus through us, we’ll use a cloud-based scanner to scan your external network. The devices scanned may include your organisation’s website, office firewall and any other internet facing hosts, services or network devices.

In order to qualify for certification, all external hosts scanned must:

  • Contain no vulnerabilities with a CVSS v3 base score greater than or equal to 7 (i.e. rated High or Critical)
  • Require authentication, or otherwise restrict access, wherever non-public and/or non-read-only information is exposed
  • Prevent users from easily bypassing that authentication (multi-factor authentication helps here)
  • Throttle login attempts, or lock the account, after at most 10 failed login attempts

You can view a flow diagram of the pass/fail decision making process on page 6 of the NCSC’s Cyber Essentials Plus Illustrative Test Specification.

Internal scan

Internal scans are performed against a sample of the organisation’s devices (for smaller organisations, all devices may be included); the assessor chooses the sample based on device types and builds.

The internal scan is authenticated: the scanner is given credentials, so it can see exactly what is installed and running on each device and gathers far more information than an unauthenticated external scan.

For each vulnerability discovered during the internal scan, the assessor will review whether it meets all of the following CVSS v3 parameters:

  • attack vector: network only
  • attack complexity: low only
  • privileges required: none only
  • user interaction: none only
  • exploit code maturity: functional or high
  • report confidence: confirmed or high

The first four are CVSS base metrics; exploit code maturity and report confidence are temporal metrics, so a vulnerability only counts here when working exploit code exists and the vulnerability has been confirmed, not merely when its base score is high.

You can read more about CVSS v3 and what these parameters mean here.

If any vulnerability meets all of these parameters and the vendor-provided patch for it has been available for more than 14 days, the test fails, and the vulnerability will need to be remediated before a re-test is performed.

How can I get a vulnerability scan?

A vulnerability scan will be performed by your assessor. If you choose to get assessed for Cyber Essentials Plus through Cyber Toolkit, all of our Cyber Essentials Plus packages include multiple scans as standard, which means if you fail your first, you’ll be able to remediate and take another test.

Additionally, we can provide a regular or one-off vulnerability scanning service. Contact us for more information.

Are there any other requirements for Cyber Essentials Plus?

The internal and external vulnerability scans form a large part of the Cyber Essentials Plus certification, and often require the most remediation to pass; however, other tests are performed.

Here’s a list of the tests performed as part of a Cyber Essentials Plus certification:

  1. External vulnerability scan
  2. Internal vulnerability scan (checking patching)
  3. Checking malware protection on end-user devices
  4. Checking effectiveness of end-user device defences against malware delivered by email
  5. Checking effectiveness of end-user device defences against malware delivered through a website