Cyber Essentials Scheme Update 2022

What is the Cyber Essentials scheme?

The Cyber Essentials Scheme was introduced by the UK Government in 2014 to help organisations improve their security controls and their protection against the most common cyber threats.

The Scheme involves organisations implementing 5 technical controls:

Access control

Making sure that only those people who need access to specific information in your organisation have it and ensuring that this is monitored and checked regularly.

Secure Configuration

Choosing and applying the most secure settings for all of your devices and software by changing passwords and removing unused accounts and software.

Software Updates

Ensuring that your software and operating systems are regularly checked and updated with the latest patches to protect against vulnerabilities.

Malware Protection

Reducing the likelihood of being infected by some form of malware including computer viruses, worms, spyware, botnet software and ransomware, by ensuring that you have correctly configured anti-malware software which only allows trusted applications.

Firewall and Routers

Creating a ‘buffer zone’ to allow you to analyse traffic looking to gain access to your network to establish whether or not it should be allowed.

The Scheme offers 2 levels of certification, namely Cyber Essentials and Cyber Essentials Plus. Cyber Essentials involves an online self-assessment questionnaire being completed by the organisation, which is then independently assessed by a certification body, such as URM.

Cyber Essentials Plus is a follow-on certification to Cyber Essentials and involves a more robust examination to ensure that the IT infrastructure is secure and the cyber solutions which are in place comply with the requirements of the Scheme.

The Cyber Essentials Scheme was updated on 24 January 2022 and some of the technical control requirements changed in line with recommended security updates.

Why Were Changes Made?

The Scheme has been updated in order to address the ever-changing nature of cyber threats and the way we work. The Scheme is regularly reviewed by technical experts from the NCSC and its delivery partner for Cyber Essentials, IASME.  

The 2022 update principally reflects the increasing adoption of cloud services seen since the Scheme’s introduction in 2014, along with the dramatic trend towards home and hybrid working, fuelled by the COVID-19 pandemic. With these changes have come additional security threats which need to be addressed.

There has, for example, been an increasing number of attacks on cloud services, using techniques to steal users’ passwords to access their accounts.

As a result, some of the Scheme’s technical controls have been strengthened, e.g. with a greater focus on multi-factor authentication and password management, in order to combat these evolving threats.

With Cloud-related services, there is also now an expectation that users will take responsibility for the services they use and spend time researching and checking their cloud services and applying the Cyber Essentials controls where possible.

There is now greater clarity over which software updates need to be applied within 14 days of release, i.e. where the update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’, where the vendor provides no severity level for the vulnerabilities fixed, or where the fixes address vulnerabilities with a CVSS v3 score of 7 or above.

What Were the Key Changes?

The key changes being made to the requirements of the Cyber Essentials Scheme are primarily in response to the greater adoption of cloud services and homeworking (defined as anyone working from home ‘for any amount of time’).

What Falls Within The Scope Of Cyber Essentials?

All cloud services. If your organisation’s data or services are hosted on cloud services, e.g. ‘infrastructure as a service’ (IaaS), ‘platform as a service’ (PaaS) and ‘software as a service’ (SaaS), then your organisation is responsible for ensuring that all the Cyber Essentials controls are implemented.

With the new requirements, your organisation must take responsibility for user access control and the secure configuration of service providers, which would include securely managing access to the different administration accounts and blocking accounts not required.

Cyber Essentials now includes all end-point devices. As such, any device used by your homeworkers to access organisational information, whether owned by the organisation or by them (i.e. BYOD), is now within scope.

This includes any smartphones and tablets which connect to organisational services (including cloud services) and data when connecting to the corporate network or mobile Internet such as 4G and 5G.

If, for example, an end-user (BYOD) device accesses a cloud service, it is in scope. Mobile or remote devices which are solely used for voice calls, text messages or multi-factor authentication applications are not in scope. Separately, the ‘vector’ variable has been removed from the security update requirement, which means that all updates scoring 7 or above on CVSS v3 have to be applied regardless of the vulnerability’s attack vector.

Thin clients are also in scope when connecting to your organisation’s information or services.

All servers including virtual servers on a sub-set or a whole organisation assessment are now in scope.

Under the new requirements, firewall controls are now transferred to your home worker’s device, although the use of a virtual private network (VPN) transfers the boundary to your corporate firewall or virtual cloud firewall.

Routers supplied by your organisation are in scope, but those supplied by your homeworkers are not.

What Additional Controls Need to Be Implemented?

• Multi-Factor Authentication (MFA) Must Be Used For Access To Cloud Services.

As well as providing extra protection for passwords that are not protected by other technical controls, MFA is also required to provide additional protection to administrator accounts and accounts when connecting to cloud services.

With the MFA requirement, your users are expected to have 2 or more types of credentials before being able to access an account.

• Password and MFA Requirements

In order to protect against brute-force password guessing, the updated Cyber Essentials Scheme requires that an additional protection is implemented in the form of either MFA, ‘throttling’* the rate of unsuccessful or guessed attempts, or locking accounts when there have been up to a maximum of 10 unsuccessful attempts.

In addition, the new Scheme requires that the quality of passwords also needs to be managed and provides 3 options for your organisation to adopt (one of which includes using passwords in conjunction with MFA).

Guidance is also provided on forming unique passwords and establishing a process to change passwords promptly if there has been any suspected compromise.

* increasing time delay between successive login attempts

• Software Licensing, Support, Updating and Removal

With the updated Cyber Essentials requirements, your organisation must ensure that all software on your in-scope devices is fully licensed and supported. The software also needs to be removed from devices when it becomes unsupported or removed from scope by adopting a defined ‘sub-set’ that prevents all traffic to and from the Internet.

Wherever possible, your organisation should have automatic updates enabled. A key change is that when a vendor provides a ‘critical’ or ‘high risk’ update fix, your organisation must apply these updates within 14 days of release.

The same applies if the update addresses vulnerabilities with a CVSS v3 score of 7 or above, or where the vendor does not provide any details of the severity of the vulnerabilities the update fixes.
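The 14-day rule above (and its earlier summary under ‘Why Were Changes Made?’) is easy to apply inconsistently by hand, so here is an added worked example, not from the Scheme or from URM, that encodes the rule as a triage function: an update must be applied within 14 days if the vendor calls it ‘critical’ or ‘high risk’, if the vendor gives no severity at all, or if the CVSS v3 base score is 7 or above, and the attack vector is deliberately ignored because the Scheme has dropped that variable. The product names, dates and scores are constructed sample data; `VendorUpdate`, `must_apply_within_14_days`, `deadline` and `overdue` are names chosen for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

PATCH_WINDOW = timedelta(days=14)       # page: apply within 14 days of release
CVSS_THRESHOLD = 7.0                    # page: CVSS v3 score of 7 or above
VENDOR_LEVELS_REQUIRING_FIX = {"critical", "high", "high risk"}


@dataclass(frozen=True)
class VendorUpdate:
    """One vendor-released security update (hypothetical record shape)."""
    product: str
    released: date
    vendor_severity: Optional[str]      # None means the vendor published no severity
    cvss_v3: Optional[float]            # None means no CVSS v3 score was published
    attack_vector: Optional[str] = None # recorded but never consulted (vector rule removed)


def must_apply_within_14_days(u: VendorUpdate) -> bool:
    """Return True if the Scheme's 14-day window applies to this update."""
    # No severity from the vendor: treat as requiring the 14-day fix.
    if u.vendor_severity is None:
        return True
    if u.vendor_severity.strip().lower() in VENDOR_LEVELS_REQUIRING_FIX:
        return True
    # Vendor rated it lower, but a CVSS v3 score of 7+ still pulls it in.
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return True
    return False


def deadline(u: VendorUpdate) -> Optional[date]:
    """Latest date by which the update must be installed, or None if no window applies."""
    return u.released + PATCH_WINDOW if must_apply_within_14_days(u) else None


def overdue(updates: Iterable[VendorUpdate], today: date) -> list[str]:
    """Products whose 14-day window has already passed as of `today`, sorted by name."""
    late = []
    for u in updates:
        d = deadline(u)
        if d is not None and today > d:
            late.append(u.product)
    return sorted(late)


# Constructed sample feed: none of these refer to real products or advisories.
SAMPLE_UPDATES = [
    VendorUpdate("browser", date(2022, 2, 1), "Critical", 9.8),
    VendorUpdate("office-suite", date(2022, 2, 1), "Medium", 7.2),      # CVSS pulls it in
    VendorUpdate("pdf-reader", date(2022, 2, 10), None, None),          # no severity given
    VendorUpdate("media-player", date(2022, 2, 1), "Low", 4.3),         # no 14-day window
    VendorUpdate("vpn-client", date(2022, 2, 5), "high", 7.5, "local"), # vector ignored
]

if __name__ == "__main__":
    for u in SAMPLE_UPDATES:
        print(f"{u.product:13} 14-day window: {must_apply_within_14_days(u)!s:5} deadline: {deadline(u)}")
    print("overdue on 2022-02-20:", overdue(SAMPLE_UPDATES, date(2022, 2, 20)))
```

Feeding the function from a real vulnerability feed is the obvious next step; the point of the example is that the three triggers are checked in order and that the lowest-risk path (`media-player`) is the only one that escapes the window.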

• Device Locking for Physically Present Users

There is now a requirement to use biometrics or a password or PIN length of at least 6 characters* to physically unlock a device (e.g. laptop logon, mobile phone).

The credentials must be protected against brute force attack by either throttling the rate of attempts (e.g. permitting no more than 10 guesses in 5 minutes) or locking devices after no more than 10 unsuccessful attempts.
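The two brute-force protections the Scheme accepts, in the ‘Password and MFA Requirements’ section above and again here for device unlocking, are throttling (an increasing delay between successive attempts) and locking after no more than 10 failures, with the device variant also phrased as a windowed limit (‘no more than 10 guesses in 5 minutes’). The following is an added example, not code from the Scheme or from URM, implementing both styles in Python with an injected clock so the behaviour is deterministic. The class names, the 1-second base delay and the 300-second cap are assumptions chosen for the example; the thresholds of 10 attempts and the 5-minute window come from the page.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 10   # page: lock after no more than 10 unsuccessful attempts
BASE_DELAY_S = 1.0       # assumption: delay after the first failure
MAX_DELAY_S = 300.0      # assumption: cap on the growing delay


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since last success/unlock
    not_before: float = 0.0  # earliest time another attempt is accepted
    locked: bool = False


class BackoffLockoutGuard:
    """Throttle with an increasing delay, then lock at the 10th consecutive failure."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, base=BASE_DELAY_S, cap=MAX_DELAY_S):
        self.threshold, self.base, self.cap = threshold, base, cap
        self.states: dict[str, AccountState] = defaultdict(AccountState)

    def check(self, account: str, now: float) -> tuple[bool, str]:
        """Should an attempt for `account` be accepted at time `now`?"""
        s = self.states[account]
        if s.locked:
            return False, "locked"
        if now < s.not_before:
            return False, f"throttled for {s.not_before - now:.0f}s"
        return True, "ok"

    def record_failure(self, account: str, now: float) -> None:
        s = self.states[account]
        s.failures += 1
        if s.failures >= self.threshold:
            s.locked = True            # stays locked until an administrator resets it
        else:
            # Delay doubles with each failure: 1s, 2s, 4s, ... capped at MAX_DELAY_S.
            s.not_before = now + min(self.cap, self.base * 2 ** (s.failures - 1))

    def record_success(self, account: str) -> None:
        self.states[account] = AccountState()   # a correct login clears the history

    def unlock(self, account: str) -> None:
        self.states[account] = AccountState()   # administrative reset after a lockout


class WindowedThrottle:
    """Allow at most `max_attempts` failures in any rolling window of `window_s` seconds."""

    def __init__(self, max_attempts=10, window_s=300.0):   # page: 10 guesses in 5 minutes
        self.max_attempts, self.window_s = max_attempts, window_s
        self.failures: dict[str, deque] = defaultdict(deque)

    def _prune(self, account: str, now: float) -> None:
        q = self.failures[account]
        while q and q[0] <= now - self.window_s:
            q.popleft()               # forget failures that have aged out of the window

    def check(self, account: str, now: float) -> bool:
        self._prune(account, now)
        return len(self.failures[account]) < self.max_attempts

    def record_failure(self, account: str, now: float) -> None:
        self._prune(account, now)
        self.failures[account].append(now)


if __name__ == "__main__":
    g = BackoffLockoutGuard()
    for attempt in range(1, 12):                      # constructed burst of failures
        ok, why = g.check("alice", float(attempt))
        print(f"t={attempt:2}s attempt accepted={ok!s:5} ({why})")
        if ok:
            g.record_failure("alice", float(attempt))
```

The back-off variant is the one to prefer for shared login services because the delay, not the lockout, absorbs most of the guessing; the windowed variant maps directly onto the device-unlock wording. Both reset on a successful login so that a legitimate user who mistypes twice is not punished indefinitely.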

*Will need to be greater if device unlocking credentials are used elsewhere.

What is the Updated Pricing?

As of 24 January 2022, a tiered pricing structure was introduced by the National Cyber Security Centre (NCSC) to reflect the additional time involved in assessing the more complex, larger organisations. Pricing for Cyber Essentials starts at £300 ex. VAT for ‘micro’ organisations and rises to £500 ex. VAT for ‘large’ organisations. The full pricing can be seen in the table below.

Company Size*                        Cyber Essentials Assessment Cost (ex. VAT)
Micro  = 0 - 9 employees             £300
Small  = 10 - 49 employees           £400
Medium = 50 - 249 employees          £450
Large  = 250 or more employees       £500

* Adopts the internationally recognised definition of micro, small, medium and large enterprises.

What are the Key Changes You Will See When Completing the Questionnaire?

Those organisations which are familiar with the current questionnaire will find that the new questionnaire has the same look and feel. Whilst there are some new questions, there are others which were originally part of a question and have now been given their own dedicated question.

With the new questionnaire, you will now need to:

  • Include within your self-assessment all end-point workstations in the cloud. A paragraph has now been added specifying that BYODs are in scope as well.
  • List all cloud services provided by third parties
  • Detail how firewall controls are applied on BYOD devices, that are not connected to your internal network.
  • Confirm locking arrangements on end devices which have access to software and services installed.
  • Describe methods for unlocking devices and measures for protecting against brute-force attacks.
  • Describe how you protect accounts from brute-force password guessing in your organisation.
  • Describe technical controls used to manage the quality of your passwords within your organisation.
  • Explain how you encourage people to use unique and strong passwords.

What Changes Were Made to Cyber Essentials Plus?

Naturally, all the changes to security control requirements are equally applicable to Cyber Essentials Plus as they are to Cyber Essentials. In terms of the actual Cyber Essentials Plus assessment, there are now 2 new tests being added.

In the first, the assessor will be looking to confirm account separation between user and administration accounts. In the second, the assessor will be looking to confirm that your organisation has implemented multi-factor authentication in order to access cloud services.

Is There a Grace Period in Terms of Complying With the Changes?

Some requirements will need to be implemented from January 2022, but for others there will be a grace period of 1 year to allow organisations to make the necessary changes.

Here are some of the key compliance dates:

MFA For Cloud Services

Your organisation will be expected to implement MFA to provide additional protection to administrator accounts and accounts when connecting to cloud services from January 2022. However, the MFA requirements for users will not be assessed for compliance until January 2023.

Thin Clients

The requirement for thin clients to be supported and receiving security updates will only be assessed for compliance from January 2023.

Security Update Management

The need to remove unsupported software from your Cyber Essentials scope will not be assessed for compliance until January 2023.

What About the Period of Certification?

No change: all certificates will continue to have a duration of 1 year.
