Cyber Essentials requirements: What are the new changes?
The National Cyber Security Centre (NCSC) is planning to update the technical controls of its Cyber Essentials scheme in the new year.
Cyber Essentials offers a simple set of steps that organisations can sign up to and be certified against to prevent the most common cyber-threats. It’s available in a basic self-assessment version and a Cyber Essentials Plus scheme requiring hands-on technical verification by a third party. It covers areas such as firewalls, secure configuration, access controls and malware protection.
The NCSC has indicated that it will introduce an updated set of requirements on 24 January in what it described as the biggest overhaul since the scheme was launched in 2014.
Reviewing technical controls for improved safety
The NCSC and its delivery partner for Cyber Essentials, IASME, have recently completed a major technical review of the scheme, the results of which have informed the updated requirements that make up the controls. These updates will help organisations maintain their basic cyber hygiene, providing reassurance for managers, staff and customers.
IASME has provided an outline of the changes, which include: bringing home-working devices, but not routers, into scope; using multi-factor authentication for access to cloud services; applying all high and critical updates within 14 days and removing unsupported software; and following guidance on backing up important data.
Two new tests have also been added: one to confirm account separation between user and administration accounts; the other to confirm multi-factor authentication is required for access to cloud services. Organisations using the current standard will have six months to complete the new assessment to retain their certification.
“The way we work has changed dramatically over a short period of time,” NCSC said. “The speed of the digital transformation and the adoption of cloud services are driving factors here, as well as the move to home and hybrid working, accelerated by the Covid-19 pandemic, which is now routine for many people.
“The refresh of Cyber Essentials reflects these changes and also signals a more regular review of the scheme’s technical controls.”
Earlier this year, the NCSC launched Cyber Essentials Readiness, a free online tool to help organisations prepare for certification. This will be updated to reflect the revised controls and provide assistance to organisations aiming for certification from 24 January onwards.