Cyber Essentials and AppCheck

What is Cyber Essentials?

Cyber Essentials (CE) is a UK-government scheme that encourages organizations to adopt good security practices. Companies are required to implement certain security measures and follow certain guidelines in order to be granted a Cyber Essentials certificate. The purpose of that certificate is to demonstrate to their clients that they take cyber security seriously.

What types of CE certification exist?

Two levels of certification are available:

1. Cyber Essentials (CE)
2. Cyber Essentials Plus (CE+)

The first one (CE) is based on self-assessment. Companies who wish to become certified assess their IT infrastructure themselves to ensure that it meets the Cyber Essentials standards. Then, they choose an Accredited Certification Body (ACB) that provides a questionnaire that the organization should complete. The completed questionnaire is reviewed by the chosen ACB, who then award the firm a certificate. 

The process of obtaining CE+ certification is the same as for CE except that portions of the assessment are conducted or verified by a accredited Certification Body.

Where can I find the Cyber Essentials requirements?

• https://www.cyberessentials.ncsc.gov.uk/advice/
• https://www.cyberessentials.ncsc.gov.uk/requirements-for-it-infrastructure

How does AppCheck fit in?

We are not an Accredited Certification Body and, therefore, cannot issue CE certificates to companies. However, companies can use our infrastructure scanning capabilities in order to help them prepare to meet some of the required guidelines. An internal scanning hub is needed to scan the nodes available only internally.

In other words, AppCheck can be one of the tools used in preparing to earn a CE certificate but it cannot be the only tool.

What does the "Cyber Essentials Checks" checkbox in scan configuration screen do?

This function  enables some extended checks aimed at helping organisations perform additional checks to provide greater assurance as to security posture before attempting to gain cyber essentials certification. These checks include additional password credential checks against any login portals discovered during the scan as well as additional information in the results geared towards re-mediating issues that are typically information but may be flagged as cyber essentials failure points.