The NCSC (National Cyber Security Centre) has announced a major update to the technical controls of Cyber Essentials.
The changes, which are based on feedback from assessors and applicants, will alter the way organisations are expected to protect and manage various forms of hardware and software.
It’s part of a regular review of the scheme, conducted in consultation with technical experts from the NCSC, and follows a major overhaul last year.
Thankfully, this year’s update is a “lighter touch” that provides some clarifications on organisations’ obligations as well as new guidance.
This includes new guidance on zero trust architecture, as well as a reordering of the technical controls to align with the updated self-assessment question set.
What’s changing?
There are six main changes in the latest update of Cyber Essentials.
1. User devices
The current version of Cyber Essentials requires organisations to list specific information about company laptops, desktops, servers, computers, tablets and mobile phones.
For instance, documentation would specify that organisations not only have a certain number of laptops but that they were manufactured by, say, Dell and running on Windows 10 Pro 21H2.
The latest version of Cyber Essentials simplifies these requirements, with organisations no longer required to list the model of the device.
This change does not apply to network devices (such as firewalls and routers) and will be reflected in the self-assessment question set rather than the requirements document.
2. Clarification on firmware
Firmware is currently included in the definition of ‘software’, and as such, organisations are expected to keep it up to date and supported.
Following feedback, the NCSC concluded that relevant information is unduly difficult to find and is therefore narrowing the scope of the requirements. Organisations are now required to update and support just router and firewall firmware.
3. Third-party devices
The NCSC has provided more information about how third-party devices, such as those belonging to contractors, should be treated in organisations’ certification application.
4. Device unlocking
The scheme currently requires organisations to establish certain security controls, such as a limited number of login attempts before a user is locked out of the system.
However, the NCSC noticed that some programmes do not give administrators the option to adjust these settings. As such, organisations will be permitted to use default settings where necessary.
5. Malware protection
The NCSC has clarified that anti-malware software will no longer necessarily need to use signature-based detection.
It’s the most common method of identifying malware, with the programme looking for digital footprints within code that has previously been logged as malicious. However, it’s not the only way to identify malware.
The latest version of Cyber Essentials will contain guidance on which mechanism is suitable for different types of device. Elsewhere, sandboxing has been removed as an option.
6. Cyber Essentials Plus testing
Cyber Essentials Plus is an advanced qualification that involves an additional technical audit of in-scope systems.
The NCSC has updated its Illustrative Test Specification document to align with the changes to its requirements. The biggest changes are to malware protection tests, simplifying the process for both applicants and assessors.
What next?
The changes will take effect from April 2023, meaning all applications started on or after this date will use the new requirements and questions set.
In addition to these changes, IASME – the certification body behind Cyber Essentials – is providing additional guidance to help applications during the certification process.
Due to go live in the next few months, this guidance will include articles explaining assessment questions, as well as a dedicated knowledge base.
You can find more advice about Cyber Essentials by downloading our free guide.
Cyber Essentials: A guide to the scheme provides guidance on the five controls and how to obtain certification.
IT Governance is one of the founding Cyber Essentials certification bodies and remains one of the largest in the UK.