Cyber Essentials Scheme being Updated on 24 April 2023

It should be noted that the updates being planned for April 2023 are not as significant as those introduced in 2022, but there are a number of updates and extra guidance being made to technical requirements, along with recommendations on non-compulsory controls.  Other guidance and clarification updates are being made to improve the user friendliness and accessibility of the Scheme.

End of grace period for 3 requirements from 2022 Update

Before providing an overview of the new NCSC guidance, it is worth providing a reminder that the 24 April 2023 represents the end of the grace period for 3 of the requirements from the major 2022 update.  As such, from 24 April, it will be a requirement of Cyber Essentials for:

• All cloud-based user accounts to be protected by multi-factor authentication (MFA)
• All unsupported software to be either removed or segregated from scope via a sub-set
• All thin clients in scope to be supported and be receiving security updates

What are the changes, clarifications and guidance being made in the April update?

The updates being introduced fall into 2 general categories, and are aimed at:

• Updating guidance on technical controls and recommending other non-mandatory controls
• Improving practicality of the Scheme and reducing the administrative burden

Changes and guidance on controls

• Malware protection.  Anti-malware software will no longer have to be signature-based, and sandboxing will no longer be an option.  Organisations must ensure that a malware protection mechanism is active on all devices in scope.  In all cases, the software must be active, kept up to date in accordance with the vendors instructions, and appropriately configured.
• New guidance on zero-trust architecture.  In a zero-trust architecture, the network is not trusted by default.  Every access request is evaluated based on an access policy and context, which is established through strong authentication, authorisation, device health checks, and the value of the data being accessed.  This approach removes the assumption of trust within the network, and instead verifies each access request. There are still no requirements to implement a zero-trust architecture, the new content is guidance only.
• Asset Management.  Although not a compulsory requirement, asset management can play a crucial role in achieving Cyber Essentials compliance.  It should be considered as a core security function that supports various business operations, and one that helps in tracking and controlling devices as they are introduced into the business.  The NCSC has produced comprehensive guidance for organisations on asset management.

Changes aimed at reducing the administrative burden and improving the Scheme’s practicality

• Simplifying listing of user devices. With the exception of network devices (such as firewalls and routers), you are now only required to list the make and operating system for user devices declared within the scope of the certification.  There is no requirement for organisations to list the model of the device.  The change will be reflected in the self-assessment question set, rather than the requirements document.
• Reduction in firmware information required.  With existing requirements, all firmware is currently included in the definition of ‘software’ and, as such, must be kept up to date and supported.  In response to feedback that information on firmware can be difficult to find, from 24 April organisations will only be required to include router and firewall firmware.
• Clarification on third-party devices. More information and a new table (see below) is provided on how third-party devices, such as contractor or student devices, should be treated in any application.  When a third-party device has a green tick, it is in scope and the applicant organisation needs to demonstrate that they can apply the required controls via a combination of technical and written policy.

‍

‍

• Simplification of device unlocking. Changes have been made to address issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked).  In such scenarios, it's now acceptable for applicants to use those default settings.
• Style and language. A number of language and format changes are being introduced to make the requirements document more accessible and easier to read.
• Structure updated.  For consistency, the Scheme requirements have been reordered to align with updated self-assessment question set, i.e., firewalls, secure configuration, security update management, user access controls, and malware protection.

Changes to Cyber Essentials Plus Testing

In line with the changes to the requirements, testing methodologies will be changing, most notably with a refreshed set of malware protection tests to simplify the process for both applicants and assessors.  URM will provide more information on these changes in the weeks leading up to v3.1 taking effect on 24 April 2023.

What happens in the period leading up to 24 April 2023?

This latest update (version 3.1) will take effect from 24 April 2023. This means all applications started before this date will use the old requirements and Evendine question set.  If you have any queries regarding the update and preparing to meet the new requirements, please email cyberessentials@urmconsulting.com.

‍

‍