Cyber Essentials Questions Answered: Technical Requirements, BYOD Compliance and the Future of the Scheme

What are the requirements for laptops in relation to firmware/driver updates?

Whilst CE previously required that firmware be kept up to date, and the Question Set contained a specific question to confirm this, this is no longer included in the current Question Set.  As such, there is no specific requirement to state firmware levels or whether firmware is up to date, and this is also the case for driver updates.  However, when you patch your devices, some patches will be via firmware and driver updates, and the vulnerability scanning performed for CE+ will identify out-of-date firmware and drivers.  So, while there is not a dedicated question for firmware and driver updates, they are still indirectly required for compliance.  

Do iPhones and Android phones require any antivirus to ensure that a ‘malware protection mechanism is active on all devices in scope’?

There is, currently, no IASME approved malware solution for iPhones or Android phones.  Instead, you are recommended to implement other mechanisms to protect these devices against malware, such as a mobile device management (MDM) or mobile application management (MAM) solution.  These tools allow you to monitor the software running on the devices and prevent the installation or execution of unauthorised applications.  

If you are unable to implement these solutions, you can also enforce malware protection of iPhones and Androids via a policy that specifies the requirements for acceptable use of such devices (e.g., users can only install applications from the App Store or Google Play Store) and the consequences of nonconformance (e.g., disciplinary action or termination of employment).  

How do you determine what is a cloud service and needs to be considered in-scope?

IASME considers a cloud service to be anything that is provided as a service, i.e., infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), etc.  This is based on the greater risk to your organisation associated with accessing these services if they were to be compromised, as opposed to the risk associated with creating an account for a website to purchase products it sells, for example, which would not be considered a cloud service and therefore would not be in scope.

How do you handle eSIMS?

As CE is concerned with your devices and networks, eSIMS should not be treated any differently to a regular sim and do not have any unique requirements for compliance.

Does CE require you to implement technical controls on BYOD?  

It is important to note that allowing BYOD does pose extra risks to your organisation, as this will generally be an easier target for attackers than company-owned devices.  

If you do need to allow BYOD, you are not required to have an agent or software installed on the personal devices to check or control them – this is ideal as it is the most secure approach, however it is not required for compliance with CE.  Instead, technical controls can be via an MDM or MAM solution or another control or policy that prevents non-compliant devices from connecting to your information or networks.  All technical controls applicable to company-owned devices are also applicable to BYOD, such as requirements for accounts, correct use of admin accounts, etc.

Does CE allow you to access emails via browser on a personal device?

If you access any organisational data (including emails) via a browser, CE requirements dictate that you cannot do this using an untrusted device.  So, if your organisation operates BYOD and you access emails with a registered BYOD, this would be compliant, but accessing emails from a personal device not within scope of the BYOD policy would be in breach of the scheme’s requirements.

Email platforms, such as Microsoft 365, often provide configuration options that allow you to restrict access to trusted devices only.  If your organisation does not have the ability to implement this, you can instead stipulate within policies that accessing organisational emails via untrusted devices is prohibited.

What are the main areas you can cover yourself before engaging a third party to assist with achieving CE/CE+ certification?

This is highly dependent on the level of knowledge and expertise within your organisation.  In theory, if your organisation has staff members who know how to patch and configure devices, you would not need any assistance.  However, even if you do have this in-house expertise, it is often beneficial to work with a third party to help you fill out the application and respond to the questionnaire.  It is not always clear what information each question is asking you to provide, and, as such, your CE assessment is more likely to be successful if you are supported by a third party with a comprehensive understanding of the scheme and its requirements.

If you are certified to ISO 27001, what additional controls or policies are required for compliance with CE/CE+?

This will depend on the nature of your information security management system (ISMS) and how it has been implemented.  There are not any specific, additional controls that are required for CE compliance that are not required by ISO 27001, and many requirements you have in place for conformance to the Standard, such as your password policy and keeping software up to date, will also be applicable to CE.  

However, one area that causes issues fairly frequently is the risk-based approach taken by ISO 27001, which allows you to accept risks if they are within your organisation’s risk tolerance, in contrast with the more binary approach and compulsory requirements of CE.  For example, your organisation could accept the risk associated with unpatched software or implement another mitigation for the risk it presents and still be ISO 27001 conformant.  Meanwhile, to be compliant with CE, you would need to ensure software is patched, regardless of whether unpatched software is within your organisation’s risk tolerance, or you have another mitigation.

To what extent is CE recognised and taken up outside of the UK?

A surprising number of organisations look to obtain CE certification that are not based in the UK.  Certification to the scheme is open to non-UK-based organisations, and we at URM are assisting a growing number of organisations from various regions around the world to achieve CE compliance .

What is the future of CE?

Based on the approach IASME and the NCSC have taken to updating CE since its launch in 2014, it is likely that changes will continue to be small and introduced over time, instead of significant overhauls of the scheme being introduced at once.  This approach enables organisations to keep pace with the scheme’s requirements and remain compliant as new versions of the Question Set are released.

Could artificial intelligence (AI) play a role in CE+ in the future?  

Tools are already being used from both the blue teaming (defensive) and red teaming (attack) perspectives of the CE+ technical audit which leverage AI, with many tools used to protect or attack having AI components. Looking to the future, it is likely that an increasing number of products used for CE+ will include an AI component.  However, it is less likely that in the immediate future specific questions will be introduced to the Question Set regarding the management of AI security.