Major changes to Cyber Essentials

On 24 January 2022, Cyber Essentials will undergo a major update. The changes apply to the requirements needed to pass certification for both Cyber Essentials and Cyber Essentials Plus.

All Cyber Essentials applications starting on or after 24 January 2022 will be assessed against the updated requirements. There will be a grace period of up to 12 months for some of the new requirements.

Since the start of the pandemic, the world has gone through a digital transformation with new technology and new working models. Remote working has highlighted the need for cloud services and a whole new set of security procedures. This update will reflect these changes, and help organisations maintain basic cyber security, providing reassurance for managers, staff and customers.

What is Cyber Essentials?

Cyber Essentials is a government-backed scheme that helps organisations defend themselves against the most common cyber threats. The scheme is not mandatory, but is often a requirement for organisations working on UK government contracts.

The certification has two levels – Cyber Essentials and Cyber Essentials Plus.

You must first complete a self-assessment questionnaire. Once it is submitted, an external infrastructure scan takes place. You will then be able to view critical vulnerabilities within your infrastructure, and it is your job to fix these weaknesses in order to become Cyber Essentials certified.

Read more here.

What are the key changes?

The update includes changes to the use of cloud services, home working, multi-factor authentication, password management, security updates and more.

Home Working

Devices used by home/remote workers are in scope, regardless of who owns the device.

On the other hand, Internet Service Provider routers owned by the user will be out of scope, so the Cyber Essentials firewall controls will have to be applied on the user's devices instead.

Routers supplied by the company will be in scope.

If the remote worker is using a corporate VPN, they will use the company firewall or a virtual/cloud firewall.

Wireless Devices

In scope – if they can communicate with other devices via the internet.

The exceptions to this are devices used for voice calls, text messages or multi-factor authentication apps.

Out of scope – if it is not possible for an attacker to reach the device via the internet, or if the device is part of an ISP router at the home location.

All devices must be secured by biometrics or a minimum password of six characters.

Cloud Services

If your data or services are hosted on the cloud, these services must be in scope. The applicant is always responsible for ensuring the controls are implemented, but some of these controls can also be implemented by the cloud service provider.

New controls include multi-factor authentication and enhanced passwords of at least eight characters.

Updating your Devices

In-scope devices must:

  • Be supported and licensed
  • Have automatic updates enabled
  • Apply ‘critical’ and ‘high’ updates within 14 days
  • Remove unsupported software
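The four device requirements above are measurable, so they can be checked from an asset inventory. The following is an added example (not part of the original article or of the Cyber Essentials scheme) that evaluates a device record against them; the inventory records, device names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Dict, Optional

# Cyber Essentials: 'critical' and 'high' updates must be applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)
TRACKED_SEVERITIES = ("critical", "high")


@dataclass
class Update:
    name: str                  # vendor's identifier for the fix (constructed values below)
    severity: str              # vendor rating, e.g. "critical", "high", "medium"
    released: date             # date the vendor made the fix available
    installed: Optional[date]  # None while the update is still pending


@dataclass
class Device:
    hostname: str
    os_supported: bool
    os_licensed: bool
    auto_updates: bool
    updates: List[Update]
    software: Dict[str, bool]  # installed package name -> still vendor-supported?


def assess_device(device: Device, today: date) -> List[str]:
    """Return one finding per requirement the device fails; empty list means compliant."""
    findings: List[str] = []
    if not (device.os_supported and device.os_licensed):
        findings.append("operating system is not supported and licensed")
    if not device.auto_updates:
        findings.append("automatic updates are not enabled")
    for u in device.updates:
        if u.severity not in TRACKED_SEVERITIES:
            continue  # lower severities are not subject to the 14-day rule
        deadline = u.released + PATCH_WINDOW
        if u.installed is None and today > deadline:
            findings.append(f"{u.name} ({u.severity}) still pending; was due {deadline}")
        elif u.installed is not None and u.installed > deadline:
            findings.append(f"{u.name} ({u.severity}) applied late on {u.installed}; was due {deadline}")
    for name, supported in device.software.items():
        if not supported:
            findings.append(f"unsupported software installed: {name}")
    return findings


# Constructed sample inventory: one compliant laptop, one desktop with several gaps.
TODAY = date(2022, 2, 7)
LAPTOP = Device("lt-01", True, True, True,
                [Update("KB-A", "critical", date(2022, 1, 10), date(2022, 1, 12))], {"Office": True})
DESKTOP = Device("dt-02", True, True, False,
                 [Update("KB-B", "critical", date(2022, 1, 10), None),
                  Update("KB-C", "high", date(2022, 1, 5), date(2022, 1, 25)),
                  Update("KB-D", "medium", date(2021, 12, 1), None)], {"OldApp": False})
```

Running `assess_device(DESKTOP, TODAY)` reports the disabled auto-updates, the overdue critical fix, the late high fix and the unsupported package, while the medium-rated update is ignored.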

You can view the full list of changes here.

Contact us to find out more.