Network Security Clinic - Your digital-first Partner

Cyber Essentials+ Evidence Pack Runbook

Monitor endpoint (Windows) logon events and retain/export logs for auditing purposes

A comprehensive step-by-step guide to implementing, capturing, and packaging CE+ compliance evidence

Introduction

What is Cyber Essentials?

Business purpose: Cyber Essentials is a UK government-backed program designed to help businesses protect themselves against widely anticipated cyber threats.

It focuses on implementing five key security principles to ensure that systems are properly safeguarded, helping to maintain the confidentiality, integrity, and availability of business and customer data.

Why we are doing this: By following Cyber Essentials (CE) and the enhanced CE+ practices, organisations can reduce the risk of cyber attacks, demonstrate due diligence to customers and auditors, and ensure regulatory compliance.

CE+ builds on the basic CE controls by adding additional monitoring, logging, and evidence collection to provide assurance that security measures are not only in place, but actively working.

In this runbook, you will see step-by-step instructions to implement, monitor, and record evidence for CE+ compliance.


Step 1: Create Folder Structure

Goal: Organise files so scripts, logs, screenshots, and statements are separated for easy auditing.

Description: This step ensures all evidence is stored systematically, making audits efficient and straightforward.

Justification: CE+ requires clear segregation of evidence types for transparency and reproducibility.

Implementation: Create the folders using Windows Explorer, PowerShell (New-Item -ItemType Directory), or by entering the full folder paths in Notepad's Save As dialog.

Risk Assessment & Impact: Minimal risk; no impact on system operations.

Backout Plan: Delete empty folders if needed.

Post Implementation: Verify folder structure exists and matches CE+ requirement.

[Screenshot: Folder structure]

Step 2: Create Detection Script (Core Control)

Automate the tasks: Monitor Windows logon events and export logs for auditing.

Description: The script captures Event ID 4624 logon events and extracts the relevant properties from each one.

File: C:\CyberEssentials-Evidence\Scripts\Detect-SuspiciousLogons.ps1

Purpose: Detect suspicious logons, including failed attempts, SYSTEM account logons, and logons from external IP addresses.

Justification: Required to satisfy CE+ Logging and Monitoring controls.

Implementation: Use Notepad, PowerShell ISE, or VS Code to create the script; save in Scripts/ folder.

Risk Assessment & Impact: Read-only access to event logs; minimal operational impact.

Backout Plan: Remove or disable the script or scheduled task if required.

Post Implementation: Verify the script runs successfully and writes its output to CSV.
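The detection script this step describes, as an added example that is not the runbook's own Detect-SuspiciousLogons.ps1. It assumes the output folder C:\CyberEssentials-Evidence\Logs and a 24-hour lookback, and reads failed logons from Event ID 4625, because 4624 records successful logons only.

```powershell
# Added example (not the runbook's own script): collects 4624 (success) and 4625 (failure)
# Security events, flags SYSTEM logons and non-private source IPs, and exports a CSV.
# Run from an elevated PowerShell session: reading the Security log requires admin rights.
param(
    [string]$OutDir    = 'C:\CyberEssentials-Evidence\Logs',  # assumed evidence folder
    [int]   $HoursBack = 24                                   # assumed lookback window
)

# Loopback, link-local, RFC 1918 ranges and "-" (no network address) count as local.
$privateIp = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|::1$|fe80:|-$)'

function Get-EventDataMap {
    # Read EventData fields by name from the event XML; more robust than Properties[index].
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$HoursBack) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $d  = Get-EventDataMap -Event $e
    $ip = $d['IpAddress']
    $isSystem   = ($d['TargetUserSid'] -eq 'S-1-5-18') -or ($d['TargetUserName'] -eq 'SYSTEM')
    $isExternal = ($ip) -and ($ip -notmatch $privateIp)
    $reasons = @()
    if ($e.Id -eq 4625) { $reasons += 'FailedLogon' }
    if ($isSystem)      { $reasons += 'SystemAccount' }
    if ($isExternal)    { $reasons += 'ExternalIP' }
    $outcome = 'Failure'; if ($e.Id -eq 4624) { $outcome = 'Success' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Outcome     = $outcome
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType   = $d['LogonType']
        SourceIP    = $ip
        Workstation = $d['WorkstationName']
        Suspicious  = ($reasons.Count -gt 0)
        Reason      = ($reasons -join ';')
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$out = Join-Path $OutDir ('Logons_{0:yyyyMMdd_HHmm}.csv' -f (Get-Date))
$rows | Sort-Object TimeCreated -Descending | Export-Csv -Path $out -NoTypeInformation -Encoding UTF8
Write-Host ('Exported {0} events ({1} flagged) to {2}' -f @($rows).Count, @($rows | Where-Object Suspicious).Count, $out)
```

Expect many SystemAccount rows from routine service logons (logon type 5), so treat that flag as a review filter rather than an alert on its own.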

Logs

Step 3: Generate Logs

Run the scripts: Execute the detection script to produce CSV logs of successful and failed logons.

Description: Provides evidence of monitoring and suspicious logon detection.

Implementation Notes: Ensure the account running the script has permission to read the Security event log.

Risk Assessment & Impact: Low risk; only reads security logs.

Backout Plan: Delete CSVs if incorrect; no system impact.

Post Implementation: Verify logs contain correct data; save in Logs/ folder.

[Screenshot: Logs preview]

Step 4: Capture Screenshots

Store it for Analysis: Capture visual evidence of folder structure, scripts, Task Scheduler, and logs.

Description: Screenshots provide proof of implementation for auditors.

Risk Assessment & Impact: Low risk; purely visual evidence capture.

Backout Plan: Delete screenshots if incorrect.

Post Implementation: Verify all required screenshots captured.

[Screenshot: Task Scheduler task]
[Screenshot: Task Scheduler history]

Step 5: Create Compliance Statements

Incident Management blueprint: Document how logging, monitoring, and suspicious logon detection are implemented.

Risk Assessment & Impact: Minimal risk; purely documentation.

Backout Plan: Revise document if incorrect.

Post Implementation: Verify document is accurate and saved in Statements/ folder.

[Screenshot: Compliance statement]

Step 6: Package CE+ Evidence

Architectural achievement: Consolidate all scripts, logs, screenshots, and statements into a single CE+ evidence pack with an interactive HTML dashboard.

Risk Assessment & Impact: Low risk; produces an audit-ready package.

Backout Plan: Remove or rebuild package if incomplete.

Post Implementation: Verify all evidence links and screenshots are accessible.