In January 2022, the biggest update to Cyber Essentials technical controls since its launch will be introduced by the NCSC and IASME. The updated set of requirements is seen as the biggest overhaul of technical controls since it was launched in 2014 and is in response to the challenges that organisations face around cyber security.
With how businesses work taking on new challenges, the refresh of Cyber Essentials reflects the rapid rise of digital transformation and the adoption of cloud services. It is also in response to changes in modern working practices, with the move to home and hybrid working.
The Government’s Cyber Essentials Certification scheme was set up to provide an important cyber security accreditation for organisations of any size and is used in many supply chains, especially when tendering for public sector contracts.
Performing a Cyber Essentials assessment, implementing the controls, and acting on any remediation that is required helps organisations become protected from a whole range of the most common cyber security threats and cyber attacks.
Key to Cyber Essentials remains the five technical control themes which include: Firewalls, secure configuration, user access control, malware protection, and security update management.
New requirements
The use of technology has evolved quickly over time, and this has been accelerated by the Covid-19 pandemic forcing increased home and remote working. The update now takes on greater importance with the recent announcement by the UK government that we are moving to working from home due to the latest Omicron variant.
Coupled with ongoing changes to the cyber security landscape, it is important that the Cyber Essentials scheme evolves to take new threats and methods of working into account. The technical requirements have been adjusted to include a number of important changes which help organisations bolster their defences. Key to this is re-iterating the importance of installing security updates. The requirements for this security control theme have been clarified to mandate that all high and critical updates must be applied on all their systems before 14 days following release.
Transition Period
Initially, there will be a transition period that allows organisations a lead in time to implement some of the updated technical controls before their assessment. They can re-certify based mostly on the current requirements this time, as many changes will be enforced from January 2023. However, the best cyber security benefit would of course be gained by increasing the security of systems as soon as possible, before they become a requirement of Cyber Essentials and some changes will take time to introduce controls.
Broader scope
Cloud services in use for company data or services, are now to be fully integrated into Cyber Essentials requirements and it will be the organisation’s responsibility to ensure the correct management of the services/configuration. Providing evidence that the relevant controls have been applied.
Multi-factor authentication (MFA) must be used for cloud services where available and there have been some tweaks to the requirements for passwords to comprise three random words.
Cyber Essentials+ will now include tests for separation of the user and administrator accounts along with MFA.
Changes are also being introduced to clarify the definition of ongoing support and what constitutes supported software. Alongside this, backups are now included in the guidance, and although not part of the assessment, a robust backup strategy is recommended.
Changes being introduced for home working
Going forward, users will count as home workers if they work anytime from home. (Previously users were counted as home workers if they work for a minimum set number of hours from home). Most home routers will not be in scope unless provided by their organisation.
End-user devices
Organisations can no longer certify only their server infrastructure, omitting end-user devices. End-user devices must be included in the requirements. Devices (including remote desktop clients) are now in scope where they connect to company data or services as they can connect to the internet.
All smartphones and tablets that connect to organisational data are in scope unless used only for voice calls/text messages and MFA.
Firewalls
Where a network is partitioned, the in-scope network must be bordered by a perimeter such as a VLAN, rather than using individual firewall controls on devices.
What to do now
Assured Digital Technologies is a specialist IT company offering managed IT, Cyber Security, Connectivity, and Digital Transformation. With a team of over 30 staff and over 30 years of experience, we are able to provide specialist, up-to-date advice on compliance with cyber security standards including Cyber Essentials and Cyber Essentials+
