On 24 January 2022, the Government-approved Cyber Essentials certification will undergo its most significant update to date. Here’s what you need to know…
What is Cyber Essentials?
Cyber Essentials is a nationally recognised certification. It shows that your business has achieved cyber security standards set by the National Cyber Security Centre (NCSC). There are two levels to the certification: Cyber Essentials and Cyber Essentials Plus.
If you’d like to know more about the certification, read our previous insight ‘What is Cyber Essentials’.
Why is Cyber Essentials Changing?
The NCSC have said: “The way we work has changed dramatically over a short period of time. The speed of the digital transformation and the adoption of cloud services are driving factors here. As well as the move to home and hybrid working, accelerated by the COVID-19 pandemic, which is now routine for many people.
The refresh of Cyber Essentials reflects these changes and signals a more regular review of the scheme’s technical controls.”
What Changes are Being Made to Cyber Essentials?
There are several changes coming to the technical control requirements needed to pass the certification. This is for both Cyber Essentials and Cyber Essentials Plus. Here are some of the key changes:
Anyone working from home for any amount of time will be classified as a home worker. Devices used by home workers that access organisational data will be in scope, regardless of who owns the device.
Internet Service Provider (ISP) routers owned by the user will be out of scope. This means the Cyber Essentials firewall controls transfer to the device itself. Any routers supplied by the company will remain in scope.
If a Virtual Private Network (VPN) is used, the firewall control transfers to the corporate firewall or virtual cloud firewall.
All smartphones and tablets connecting to organisational data and services via a corporate network or a mobile network will be in scope. The exceptions are devices used only for voice calls, text messages or multi-factor authentication apps.
All such devices must be secured by biometrics or by a password or PIN of at least six characters.
Any data or services you host in the cloud will be subject to Cyber Essentials. New controls here include using multi-factor authentication and enhanced passwords of at least eight characters.
Definitions of cloud services have been added for Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or the user implements a given control depends on the type of cloud service.
Updating Devices and Software
All in scope devices must:
- Be supported and licensed
- Have automatic updates enabled where possible
- Have all high and critical updates applied within 14 days
- Have unsupported software removed
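As an added example (not part of the original insight, and not a tool of the Cyber Essentials scheme or IASME), the Python script below shows how the four requirements above can be turned into a policy-as-code check over an asset inventory. The inventory records, device names, patch identifiers and dates are constructed for illustration; the field names are assumptions, and the script reads "within 14 days" as including the fourteenth day, so an outstanding update is only reported once it is older than that.

```python
"""Check an asset inventory against the four update requirements:
supported and licensed, automatic updates enabled where possible,
high/critical updates applied within 14 days, unsupported software removed.
All records and dates below are constructed for the example; the field
names are assumptions and not part of any Cyber Essentials schema.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)          # 14-day limit from the requirement
COUNTED_SEVERITIES = {"critical", "high"}  # only these severities are timed


@dataclass
class Patch:
    name: str
    severity: str
    released: date
    installed: bool


@dataclass
class Device:
    name: str
    os_supported: bool
    licensed: bool
    auto_update_enabled: bool
    auto_update_possible: bool        # some appliances cannot auto-update
    patches: list = field(default_factory=list)
    unsupported_software: list = field(default_factory=list)


def check_device(device: Device, today: date) -> list:
    """Return a list of findings; an empty list means the device passes."""
    findings = []
    if not device.os_supported:
        findings.append("operating system no longer supported")
    if not device.licensed:
        findings.append("software not licensed")
    # "where possible": only flag when the platform supports auto-update
    if device.auto_update_possible and not device.auto_update_enabled:
        findings.append("automatic updates available but not enabled")
    for p in device.patches:
        if p.installed or p.severity.lower() not in COUNTED_SEVERITIES:
            continue  # installed, or a lower severity the 14-day rule does not time
        age = today - p.released
        if age > PATCH_WINDOW:  # exactly 14 days old is still compliant
            findings.append(
                f"{p.severity} update '{p.name}' outstanding for "
                f"{age.days} days (limit {PATCH_WINDOW.days})"
            )
    for sw in device.unsupported_software:
        findings.append(f"unsupported software installed: {sw}")
    return findings


def check_inventory(devices, today: date) -> dict:
    """Map each device name to its findings for the given assessment date."""
    return {d.name: check_device(d, today) for d in devices}


# Constructed sample inventory and assessment date (not real assets).
TODAY = date(2022, 2, 1)
SAMPLE_INVENTORY = [
    Device("laptop-01", True, True, True, True,
           patches=[Patch("PATCH-EXAMPLE-1", "critical", date(2022, 1, 20), False)]),  # 12 days old
    Device("laptop-02", True, True, False, True,
           patches=[Patch("PATCH-EXAMPLE-2", "high", date(2022, 1, 10), False),       # 22 days old
                    Patch("PATCH-EXAMPLE-3", "low", date(2021, 12, 1), False)],       # not timed
           unsupported_software=["LegacyViewer 3.1"]),
    Device("server-01", False, True, True, False),  # unsupported OS, cannot auto-update
]

if __name__ == "__main__":
    for name, findings in check_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the script lists laptop-01 as passing (its critical update is 12 days old, still inside the window), laptop-02 as failing on three counts (auto-update disabled, a high update 22 days outstanding, unsupported software present), and server-01 as failing only on its unsupported operating system, since automatic updates are not possible on that platform and so are not flagged.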
For a full, in-depth update of the changes coming to Cyber Essentials, read the IASME update here.
What does your business need to do?
Any assessments already underway, or that start before 24 January, will continue to use the existing control requirements. Organisations doing so will have six months from 24 January to complete their assessment under the previous requirements.
Any assessments starting on or after 24 January will use the updated requirements. Because of the significance of the update, the NCSC has stated that there will be a grace period of up to 12 months for some of the requirements.
The NCSC has provided an FAQs page in relation to this update.