In April 2023, the NCSC and its Cyber Essentials delivery partner IASME will update the technical requirements for Cyber Essentials. The updates will help ensure the scheme continues to help UK organisations protect themselves against cyber threats.

Cyber Essentials Update: April 2023

What is Cyber Essentials?

As an information security standard, the Cyber Essentials scheme offers an affordable and effective level of assurance for businesses of all sizes and comes in two levels: Cyber Essentials and Cyber Essentials PLUS. The programme sets out 5 key technical controls to help businesses with cyber protection which, when implemented, will protect you against the most common cyber threats. In fact, the cyber security certification aims to reduce an organisation’s risk of attack from internet-borne threats by around 80%.

What will the 2023 update include?

The 2023 update will be slightly more relaxed, compared to last year’s major update, providing a number of clarifications, alongside some important new guidance:

  • User devices. With the exception of network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. The requirement for the applicant to list the model of the device has been removed. This change will be reflected in the self-assessment question set, rather than the requirements document.
  • Clarification on firmware. All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. Following feedback that this information can be difficult to find, this has been changed to include just router and firewall firmware.
  • Third party devices. More information and a new table have been added that clarify how third-party devices, such as contractor or student devices, should be treated in your application.
  • Device unlocking. A change has been made to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it’s now acceptable for applicants to use those default settings.
  • Malware protection. Anti-malware software will no longer need to be signature-based, and the mechanism that’s suitable for different types of devices has been clarified. Sandboxing is removed as an option.
  • Zero trust and asset management. New guidance on zero trust architecture for achieving CE, and a note on the importance of asset management.
  • Style and language. Several language and format changes have been made to make the document easier to read.
  • Structure updated. The technical controls have been reordered to align with the updated self-assessment question set.
  • CE+ testing. The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests, to simplify the process for both applicants and assessors.

The above text has been taken from the National Cyber Security Centre’s announcement, “Cyber Essentials technical requirements updated for April 2023”.

When will the Cyber Essentials requirements be updated?

This latest update will take effect from 24 April 2023. All applications started on or after this date will use the new requirements and question set.

At Air IT, we strongly recommend that businesses consider acquiring a Cyber Essentials certificate if they run and operate an IT infrastructure, collect, store and use customer or employee information on an online or computerised system, or simply want to step up their protection to avoid the serious impacts of cyber attacks. As a fully trained and licensed Cyber Essentials Certification Body, we offer full support and certification services for both Cyber Essentials and Cyber Essentials PLUS.

Guy Lui, Head of Cyber Security, says:

NCSC has made some great changes to the already well-established Cyber Essentials standard, which will take effect from April 2023. These changes give further clarifications and improvements over the existing CE requirements, making the standard more accessible and relevant to organisations of all sizes.

It’s important that organisations work with security advisors that stay current with these changes. Air IT, as a licensed Cyber Essentials Certification Body, can give you the most up-to-date and accurate advice, which allows you to get the most value out of the Cyber Essentials standard.

Keep your business safe from cybercriminals

Cyber threats are just like any other business risk: they need to be assessed, and then action needs to be taken to remove, mitigate or accept the risk. By implementing the five key controls under Cyber Essentials certification, you will significantly reduce some of those risks.

To further protect your business, alongside Cyber Essentials we also offer a choice of comprehensive cyber security packages and a managed SIEM, offering advanced 360° protection, managed detection and response, as well as training against the latest threats and vulnerabilities, be they malicious or accidental.

In today’s ever-changing threat landscape, it’s no longer a matter of if, but when you’re likely to suffer a cyber-attack or intrusion. Beyond prevention, it’s critical that organisations are now fully equipped to proactively identify and eliminate any attacks that bypass standard perimeter defences before they cause serious damage.