Cyber Essentials requirements: What are the new changes?

In January 2022, the NCSC will introduce the biggest update to Cyber Essentials technical controls since its launch

The National Cyber Security Centre (NCSC) is planning to update the technical controls of its Cyber Essentials scheme in the new year.

Cyber Essentials offers a simple set of steps that organisations can sign-up to and be certified against to prevent the most common cyber-threats. It’s available in a basic self-assessment version and a Cyber Essentials Plus scheme requiring hands-on technical verification by a third-party. It covers areas such as firewalls, secure configuration, access controls and malware protection.

The NCSC has indicated that it will introduce an updated set of requirements on 24 January in what it described as the biggest overhaul since the scheme was launched in 2014.

 

Reviewing technical controls for improved safety  

The NCSC and its delivery partner for Cyber Essentials IASME have recently completed a major technical review of the scheme, the results of which have informed the updated requirements that make up the controls. These updates will help organisations maintain their basic cyber hygiene, providing reassurance for managers, staff and customers.

The IASME has provided an outline of the changes which includes: bringing home working devices but not routers into scope; using multi-factor authentication for access to cloud services; applying all high and critical updates within 14 days and removing unsupported software; and following guidance on backing up important data.

Two new tests have also been added: one to confirm account separation between user and administration accounts; the other to confirm multi-factor authentication is required for access to cloud services. Organisations using the current standard will have six months to complete the new assessment to retain their certification.

“The way we work has changed dramatically over a short period of time,” NCSC said. “The speed of the digital transformation and the adoption of cloud services are driving factors here, as well as the move to home and hybrid working, accelerated by the Covid-19 pandemic, which is now routine for many people.

“The refresh of Cyber Essentials reflects these changes and also signals a more regular review of the scheme’s technical controls.”

Earlier this year NCSC launched Cyber Essentials Readiness, a free online tool to help organisations prepare for certification. This will be updated to reflect the revised controls and provide assistance to organisations aiming for certification from 24 January onwards.

 

Share

Featured Articles

Founder Shield MD on Navigating Multi-Cloud Complexities

Founder Shield Managing Director Jonathan Selby talks strategies to navigating the complexities of multi-cloud set ups

Qodea CISO Explains How Cyber Threats Could Outrun Cost

Qodea CISO Business Manager Ed Russell explains how growth in sophistication and volume of attacks means current investment in defences falls short

Nokia and NL-ix Deploy Europe’s Largest IXP-Based Anti-DDoS

This collaboration between Nokia and NL-ix is unprecedented both being Largest IXP-Based Anti-DDoS, but the first anti-DDoS solution deployed by an IXP

Bridging the Gap: Examining the UK-US Data Bridge

Data Breaches

Hiddenlayer CSO Tells Why It Made an AI Security Council

Technology & AI

Cooperation Key Theme at Microsoft Endpoint Security Summit

Cyber Security