Cyber Essentials has become a crucial element of any business. This Cyber Essentials update will ensure your business is better protected against cyber threats. This update will come into effect in April 2023.
A quick look at what Cyber Essentials is
Cyber Essentials helps your organisation guard against cyber attacks. It is a government-backed scheme that helps organisations embrace good practice with regard to cyber security. It is operated by the National Cyber Security Centre (NCSC), and you can be accredited regardless of your company size. Completing your accreditation shows your customers and authorities that you have applied recognised practices and tools to safeguard your business.
It comes in two forms: a standard Cyber Essentials accreditation or a Cyber Essentials Plus accreditation. Our blog on what Cyber Essentials Plus is outlines the differences between the two.
What does this new Cyber Essentials update include?
The National Cyber Security Centre have provided businesses with the new updates. These are quoted below and can be read here.
- User devices. With the exception of network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. This change will be reflected in the self-assessment question set, rather than the requirements document.
- Clarification on firmware. All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. Following feedback that this information can be difficult to find, we are changing this to include just router and firewall firmware.
- Third party devices. More information and a new table that clarify how third-party devices, such as contractor or student devices, should be treated in your application.
- Device unlocking. We have made a change here to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it’s now acceptable for applicants to use those default settings.
- Malware protection. Anti-malware software will no longer need to be signature based and we have clarified which mechanism is suitable for different types of devices. Sandboxing is removed as an option.
- New guidance on zero trust architecture for achieving CE and a note on the importance of asset management.
- Style and language. Several language and format changes have been made to make the document easier to read.
- Structure updated. The technical controls have been reordered to align with the updated self-assessment question set.
- CE+ testing. The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests, to simplify the process for both applicants and assessors.
The new technical requirements above are to be implemented from 24th April 2023. Any application started after this point will include the new Cyber Essentials updates.
How Cambridge Support can help you
Cambridge Support have been helping businesses with Cyber Essentials for many years. We can guide you through your specific security risks with Cyber Essentials. Our experts can evaluate your current IT systems and offer detailed solutions and helpful reporting. We have great experience in many security-focused services. These include not only Cyber Essentials updates but also Microsoft 365 audits, security audits, penetration testing, and more.
If you have any questions regarding Cyber Essentials, our Service Delivery Managers Adam & Amy will be pleased to help. Please contact us on 01223 921 000. Cambridge Support is open from 7am – 7pm Monday to Friday. Alternatively, you can email us at ask@cambridgesupport.com.