Cyber Essentials Standards Update

Stephen Austin,
On January 24th, 2022, some of the biggest revisions to the Cyber Essentials scheme in recent years will be observed.
Cyber Essentials Standards Update

There will be major changes to the technical controls that help organisations against the ever-growing risk of cyber-attacks within the digital landscape, which are reviewed at regular intervals by a team of government approved experts. Here we explore the changes to the Cyber Security Essentials Scheme, so you can see how the development of Cyber Essentials continues to allow UK businesses to improve upon their best cyber security practices.

Cyber Essentials Scheme Summary

Here we have summarised how the Cyber Essentials Scheme has changed, outlining the various elements that may impact your organisation.

Home Working Devices & BYOD are in scope - Most Home Routers are not

Home routers, provided by Internet Service Providers, are now out of scope. The new Cyber Essentials Scheme means that firewall controls are now transferred to the home worker’s own device. This means that a router, supplied by the applicant company requires Cyber Essentials controls to be utilised.

All Cloud Services are in Scope

The new Cyber Essentials Scheme summary includes the full integration of cloud services. The data or services of an organisation are hosted upon the cloud, meaning the organisation becomes responsible in ensuring all controls are sufficiently implemented. New definitions of cloud services have also been added for Infrastructure as a Service, Platform as a Service and Software as a Service. The implementation of said controls is dependent on the type of cloud service used, be it Public Cloud, Private Cloud, or Hybrid Cloud.

Updated Scope of requirements for IT Infrastructure in accordance with Cyber Essentials

Cloud Services: Multi Factor Authentication is Required for Access

While the provision of additional protection for passwords that aren’t currently protected by other technical controls is in place, multi-factor authentication should be utilised to give extra protection to the accounts of administrators and accounts that connect to cloud services.

In terms of the passwords used for multi-factor authentication, the Cyber Security Essentials Scheme also now requires a password length of at least 8 characters, with no maximum password length limits.

Account Separation

The Cyber Security Essentials Scheme recommends that separate accounts are used to carry out administrative activities.

The Scope of an Organisation Must Include End-User Devices

Ignoring the threats that arise from administrators who administered their server systems can cause issues if an organisation certifies their server systems only. Within the Cyber Essentials Scheme summary, changes in this requirement resolves the issues regarding organisations who could certify their company without including end-to-end devices.

With this update, all software on in-scope devices must:


Be licensed and supported


Be removed from devices when it becomes un-supported


Have automatic updates supported


Be updated, involving the application of any manual configuration changes within 14 days of an update being released

This update to the Cyber Essentials Scheme is applicable to any issues surrounding critical or high-risk vulnerabilities and addresses vulnerabilities with a CVSS v3 score of 7 or above as well as when there is no information of the severity of vulnerabilities the update fixes provide by the vendor.

New Guidance on Backing Up

The Cyber Essentials Scheme Summary now provides guidance in terms of backing up your data. Although this not a technical requirement, executing the correct backup solution is highly advised.

The new recommendations include two additional tests within the Cyber Security Essentials Scheme audit:

  1. Test to confirm account separation between user and administration accounts
  2. Test to confirm MFA is required for access to cloud services

These changes within the Cyber Security Essentials Scheme will allow for a grace period of one year, permitting organisations to make changes to the following:

  • MFA for Cloud Services

In place from January 2022 for administrator accounts, January 2023 for user requirements.

  • Thin Clients

As they must be supported and receive Cyber Security Essentials Scheme updates, the requirement will be marked for compliance from January 2023.

  • Security Update Management

Unsupported software that is removed from scope is to be marked for compliance from January 2023 for the first 12 months.

Contact Wanstor Today

If you are looking for Managed IT Support or have more questions regarding the Cyber Essentials Scheme update, contact Wanstor today. For organisations that are already CE certified, these certifications will remain valid until their expiry date. Upon re-certification these new requirements will need to be met to it is recommended that you leave yourselves with enough time to prepare for any remediation work.

Any businesses that have begun their Cyber Essentials journey before 24 January and not yet been certified will continue to follow the previous regulations and will have until 24 July 2022 to complete it.

The NCSC has created a FAQ document for further information here: Frequently asked questions

You can read a full explanation of the revised Cyber Essentials technical controls in a blog post released by the IASME here: The January changes to the Cyber Essentials scheme reflect the changing cyber threats in today's digital environment