Cyber Essentials requirements: What are the new changes?

In January 2022, the NCSC will introduce the biggest update to Cyber Essentials technical controls since its launch

The National Cyber Security Centre (NCSC) is planning to update the technical controls of its Cyber Essentials scheme in the new year.

Cyber Essentials offers a simple set of steps that organisations can sign-up to and be certified against to prevent the most common cyber-threats. It’s available in a basic self-assessment version and a Cyber Essentials Plus scheme requiring hands-on technical verification by a third-party. It covers areas such as firewalls, secure configuration, access controls and malware protection.

The NCSC has indicated that it will introduce an updated set of requirements on 24 January in what it described as the biggest overhaul since the scheme was launched in 2014.


Reviewing technical controls for improved safety  

The NCSC and its delivery partner for Cyber Essentials IASME have recently completed a major technical review of the scheme, the results of which have informed the updated requirements that make up the controls. These updates will help organisations maintain their basic cyber hygiene, providing reassurance for managers, staff and customers.

The IASME has provided an outline of the changes which includes: bringing home working devices but not routers into scope; using multi-factor authentication for access to cloud services; applying all high and critical updates within 14 days and removing unsupported software; and following guidance on backing up important data.

Two new tests have also been added: one to confirm account separation between user and administration accounts; the other to confirm multi-factor authentication is required for access to cloud services. Organisations using the current standard will have six months to complete the new assessment to retain their certification.

“The way we work has changed dramatically over a short period of time,” NCSC said. “The speed of the digital transformation and the adoption of cloud services are driving factors here, as well as the move to home and hybrid working, accelerated by the Covid-19 pandemic, which is now routine for many people.

“The refresh of Cyber Essentials reflects these changes and also signals a more regular review of the scheme’s technical controls.”

Earlier this year NCSC launched Cyber Essentials Readiness, a free online tool to help organisations prepare for certification. This will be updated to reflect the revised controls and provide assistance to organisations aiming for certification from 24 January onwards.



Featured Articles

ICYMI: New Age of the CISO and cybersecurity trends for 2023

A week is a long time in cybersecurity, so here’s a round-up of the Cyber Magazine articles that have been starting conversations around the world

Kingfisher chooses Google Cloud as catalyst for growth

Google Cloud will support Kingfisher's digital ambitions with a range of solutions, from infrastructure to data analytics.

ICYMI: Cyber predictions for 2023 and trouble in paradise

A week is a long time in cybersecurity, so here’s a round-up of the Cyber Magazine articles that have been starting conversations around the world

Osirium shares its cyber predictions for 2023

Cyber Security

ICYMI: Unloved emails and cybersecurity worth $500bn by 2030

Cyber Security

Cyber security market anticipated to reach $500bn by 2030

Cyber Security