In January 2022 the NCSC and IASME will implement an updated set of requirements for the Cyber Essentials scheme.  This will be the biggest overhaul of the scheme’s technical controls since its launch in 2014. The important changes will ensure UK businesses stay secure in the ever-changing threat landscape.

The simple, yet effective Government approved Cyber Essentials scheme includes five technical controls that help protect organisations from many cyber-attacks. By holding a certificate, you protect your business and clients from the potentially devastating effects of these threats whilst also demonstrating your commitment to IT security.

The IASME and NCSC regularly review the Cyber Essentials technical controls to ensure they are up to date and relevant. On 24^th January, some of the requirements will change to incorporate recommended security updates. This is mainly due to the digital transformation that has occurred since the start of the Covid-19 pandemic.

Driven by the significant growth of home-working and the associated adoption of cloud-based services, these updates will ensure Cyber Essentials is as effective as possible in protecting devices and software against threats.

Find out all you need to know about the key changes to the Cyber Essentials Scheme below.

1. A new home working requirement, whereby all home working devices are in scope (excluding personal broadband routers)

Devices used to access organisational information, whether they are owned by the organisation, or by the user are in scope for Cyber Essentials.

Personal routers are out of scope, therefore it is the user device that must have Cyber Essentials controls employed. Routers supplied to the home worker by the organisation are in scope.

2. All cloud services are in scope. Access to cloud services must use Multi Factor Authentication (MFA).

If an organisation’s data or services are hosted in the cloud, the organisation are responsible for ensuring all Cyber Essentials controls are implemented. Previously, Platform as a Service (PaaS) and Software as a Service (SaaS) were not in scope, however the updated requirements request organisations take responsibility for user access control and secure configuration of their services.

In some instances, the cloud service implements the controls, in this case, the company must seek assurance that this is to the required standard.

Cloud services face an increasing number of cyber attacks, that aim to steal account passwords. Therefore Multi-factor Authentication (MFA) will be a requirement for users to be able to access an account.

3. A new ‘Licensed and Supported’ definition.

The new definition states: “Licensed and supported software is software you have a legal right to use and that a vendor has committed to support by providing regular patches or updates. The vendor must provide the future date when they will stop providing updates. The vendor does not have to be the original creator of the software, but they must have the ability to modify the original software to create updates.”

4. All smart phones and tablets connecting to organisational data and services are in scope when connecting to a corporate network or mobile internet.

All devices should be password protected with a minimum length of 6 characters or have biometric facilities to unlock them.

5. Updated password-based authentication requirements and a new section on multi-factor authentication.

Either multi-factor authentication, throttling the rate of unsuccessful guessed password attempts or account locking after no more than 10 unsuccessful attempts should be used to protect against brute force password guessing.

The scheme now includes a section on secure password guidance. This includes guidance on how to change to a more secure password if necessary.

Technical controls manage the quality of passwords. Organisations will need to employ one of the following to adhere to the standards:

1. MFA password with at least 8 characters
2. Minimum password length of at least 12 characters
3. Minimum password length of 8 characters with automatic blocking of common passwords using a deny list

6. The requirement to update all high and critical updates within 14 days and removal of unsupported software.

All software on in scope devices must be licensed and supported, and should be removed in the instance it is no longer supported. Users should have automatic updates enabled and installed within 14 days of their release date in the following instances:

– The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’

– The update addresses vulnerabilities with a CVSS v3 score of 7 or above

– There are no details of the level of vulnerabilities the update fixes provide by the vendor

These updates raise the bar of IT security as organisations can no longer choose whether they apply patches or not.

Further changes include:

• A slightly amended definition of a ‘sub-set’,
• Thin clients are now in scope when connecting to organisational information or services,
• All servers, including virtual services on a sub-set or a whole organisation assessment are in scope,
• The scope of an organisation must include end-user devices,
• New guidance on backing up important data and implementing appropriate backup solutions has been provided.

The new Cyber Essentials technical requirements will officially be released on 24^th January. If your business registers for Cyber Essentials certification before this date, you have 6 months to complete your self assessment and will follow the old guidance.

To find out more about the changes, you can visit the NCSC and IASME websites:

• NCSC – Update to the Cyber Essentials technical controls
• IASME – The January changes to the Cyber Essentials scheme reflect the changing cyber threats in today’s digital environment

At SupPortal, we are ready for the new guidance and can support you through your Cyber Essentials Certification process. If you have any questions about Cyber Essentials, please feel free to send us an email or give us a call as we’d be happy to help.