Cyber Essentials Update 2023

Cyber Essentials Update 2023

In April 2023, the NCSC and its Cyber Essentials delivery partner IASME will update the technical requirements for Cyber Essentials and its certification process.

This update is part of a regular review of the scheme’s technical controls, ensuring that it continues to help UK organisations guard against the most common cyber threats.

As an information security standard, the Cyber Essentials scheme offers an affordable and effective level of assurance for businesses of all sizes. It comes in two levels: Cyber Essentials and Cyber Essentials PLUS. 

The programme sets out 5 critical technical controls to help businesses with cyber protection, which will protect you against the most common cyber threats when implemented. In fact, the cyber security certification aims to reduce an organisation’s risk of attack from internet-borne threats by around 80%.

What will the 2023 update include?

The 2023 update will be slightly more relaxed, compared to last year’s major update, providing several clarifications, alongside some important new guidance:

User devices.

With the exception of network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. This change will be reflected in the self-assessment question set, rather than the requirements document.

Clarification on firmware. 

All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. Following feedback that this information can be difficult to find, we are changing this to include just router and firewall firmware.

Third-party devices. 

More information and a new table that clarify how third-party devices, such as a contractor or student devices, should be treated in your application.

Device unlocking. 

We have made a change here to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it’s now acceptable for applicants to use those default settings.

Malware protection. 

Anti-malware software will no longer need to be signature-based and we have clarified which mechanism is suitable for different types of devices. Sandboxing is removed as an option.

New guidance on zero trust architecture 

For achieving CE and a note on the importance of asset management.

Style and language. 

Several language and format changes have been made to make the document easier to read.

Structure updated. 

The technical controls have been reordered to align with the updated self-assessment question set.

CE+ testing. 

The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests, to simplify the process for both applicants and assessors.

All these changes are based on feedback from assessors and applicants and have been made in consultation with technical experts from the NCSC. 

As well as the updated requirements and new question set, IASME is also providing more guidance documents to help applicants during the certification process. 

This includes articles to help applicants understand the questions and access to a dedicated knowledge base. 

These resources will become available over the coming months.

*info above taken from National Cyber Security Centre, Cyber Essentials technical requirements updated for April 2023

When will the Cyber Essentials requirements be updated?

This latest update will take effect from 24 April 2023. 

This will mean that all applications started on or after this date will use the new requirements and question set.

Why you need to get certified …

We strongly recommend businesses consider acquiring a Cyber Essentials certificate if your business runs and operates an IT infrastructure, your business collects, stores and uses customer or employee information on an online or computerised system and if you generally want to step up the protection of your business to avoid the serious impacts of cyber attacks. 

Highlights:

1. Reduce your risk of cyber attack
2. Stakeholder assurance
3. Secure more business
4. Simple and cost-effective
5. Support compliance
6. Lower insurance premiums

Become Cyber Essentials Certified with the help of CSG

At CSG, we specialise in cyber security frameworks and our experienced technical delivery staff can help you understand and align with the certification process, as well as provide guidance and support throughout the entire process. With their expertise and knowledge, you can rest assured that you are in the best hands and will be fully prepared for certification.

We are committed to helping your organisation become Cyber Essentials certified. Our team will conduct a comprehensive gap analysis, reporting on the 5 critical controls, as well as any related remediation measures that need to be taken. We will work with you to ensure your organisation meets all of the necessary requirements for certification.

Once you’re ready, one of our fully certified assessors will complete and submit your response and issue the certification.

If you feel you’re ready to take Cyber Security seriously and need the peace of mind that the Cyber Essentials certification process brings you, then please read more or book here, or if you have any questions on the process and what it may mean for your business, contact us here!