Cyber Essentials Standards Update

Stephen Austin

On January 24th, 2022, some of the biggest revisions in recent years to Cyber Essentials will be undertaken.

Young male business professional staring at digital tablet device in modern office environment

There will be major changes to the technical controls that help organisations against the ever-increasing risk of cyber-attacks within the digital landscape, which are reviewed at regular intervals by a team of government approved experts. Here we explore the changes to the Cyber Security Essentials Scheme, so you can see how the development of Cyber Essentials continues to allow UK businesses to improve upon their best cyber security practices.

Cyber Essentials Scheme Summary

Here we have summarised how the Cyber Essentials Scheme has changed, outlining the various elements that may impact your organisation.

Home Working Devices and BYOD are in scope but most Home Routers are not

Home routers, provided by Internet Service Providers, are now out of scope. The new Cyber Essentials Scheme means that firewall controls are now transferred to the home worker’s own device. This means that a router, supplied by the applicant company requires Cyber Essentials controls to be utilised.

All Cloud Services are in scope

The new Cyber Essentials Scheme summary includes the full integration of cloud services. The data or services of an organisation are hosted upon the cloud, meaning the organisation becomes responsible in ensuring all controls are sufficiently implemented. New definitions of cloud services have also been added for Infrastructure as a Service, Platform as a Service and Software as a Service. The implementation of said controls is dependent on the type of cloud service used, be it Public Cloud, Private Cloud, or Hybrid Cloud.

Infographic illustrating the boundaries of scope for Cyber Essentials

Cloud Services: Multi Factor Authentication is Required for Access

While the provision of additional protection for passwords that aren’t currently protected by other technical controls is in place, multi-factor authentication should be utilised to give extra protection to the accounts of administrators and accounts that connect to cloud services.

In terms of the passwords used for multi-factor authentication, the Cyber Security Essentials Scheme also now requires a password length of at least 8 characters, with no maximum password length limits

Account Separation

The Cyber Security Essentials Scheme recommends that separate accounts are used to carry out administrative activities.

The Scope of an Organisation Must Include End-User Devices

Ignoring the threats that arise from administrators who administered their server systems can cause issues if an organisation certifies their server systems only. Within the Cyber Essentials Scheme summary, changes in this requirement resolves the issues regarding organisations who could certify their company without including end-to-end devices. With this update, all software on in-scope devices must:

Number One

Be licensed and supported

Number Two

Be removed from devices when it becomes unsupported

Number Three

Have automatic updates supported

Number Four

Be updated, involving the application of any manual configuration changes within 14 days of an update being released

This update to the Cyber Essentials Scheme is applicable to any issues surrounding critical or high-risk vulnerabilities and addresses vulnerabilities with a CVSS v3 score of 7 or above as well as when there is no information of the severity of vulnerabilities the update fixes provide by the vendor.

New Guidance on Backing Up

The Cyber Essentials Scheme Summary now provides guidance in terms of backing up your data. Although this not a technical requirement, executing the correct backup solution is highly advised.

The new recommendations include two additional tests within the Cyber Security Essentials Scheme audit:

  • Test to confirm account separation between user and administration accounts
  • Test to confirm MFA is required for access to cloud services

These changes within the Cyber Security Essentials Scheme will allow for a grace period of one year, permitting organisations to make changes to the following:

MFA for Cloud Services

In place from January 2022 for administrator accounts, January 2023 for user requirements.

Thin Clients

As they must be supported and receive Cyber Security Essentials Scheme updates, the requirement will be marked for compliance from January 2023.

Security Update Management

Unsupported software that is removed from scope is to be marked for compliance from January 2023 for the first 12 months.

If you are looking for Managed IT Support or have more questions regarding the Cyber Essentials Scheme update, contact Wanstor today. For organisations that are already CE certified, these certifications will remain valid until their expiry date. Upon re-certification these new requirements will need to be met to it is recommended that you leave yourselves with enough time to prepare for any remediation work.

Any businesses that have begun their Cyber Essentials journey before 24 January but are not yet certified must continue to follow the previous regulations and will have until 24 July 2022 to complete the certification.

The NCSC has created a FAQ document for further information here: Frequently asked questions

You can read a full explanation of the revised Cyber Essentials technical controls in a blog post released by the IASME here: The January changes to the Cyber Essentials scheme reflect the changing cyber threats in today's digital environment