Cyber Essentials 2023: April update
Cyber Essentials has recently released an update covering changes to its requirements as of April 2023. The update is part of a regular review of the scheme’s controls, which ensures that UK organisations holding Cyber Essentials certification continue to be guarded against the most common cyber threats.
The updated requirements are provided by the NCSC and its Cyber Essentials partner IASME. Each regular review looks at the current scheme to see what needs to be changed.
This keeps Cyber Essentials on top of the ever-changing cyber security landscape and lets it adapt to new threats. The changes being implemented aren’t big, but they clarify processes within the accreditation process.
Below are the included changes within Cyber Essentials provided by the NCSC (National Cyber Security Centre):
User Devices
This update applies to devices within the scope of the certification that can have their operating system listed. It does not affect network devices such as firewalls and routers. With the new changes as of April 2023, the applicant will no longer need to list the model of devices.
Not only will the model not need to be listed, but the information will also be easier to provide: a document is no longer needed and, moving forward, this will be reflected within a provided self-assessment question sheet.
Firmware
To help clarify how firmware is treated within the accreditation: all firmware is included and defined as ‘software’, so it must be kept up to date and supported. As this can be hard to maintain, the information required will only cover router and firewall firmware.
Third-Party Devices
A new table will be provided with more information about how third-party devices, such as contractor or student devices, should be treated.
Device Unlocking
Changes will be made regarding the default settings of certain devices. The rule on the default setting for the number of unsuccessful login attempts after which a device is locked will change. Previously, this setting had to be changed according to business standards, but now default settings are allowed.
Malware
Sandboxing will be removed as an option. Anti-malware software will no longer need to be signature-based, and it will be clarified which mechanisms are suitable for different devices.
New Guidance
This new guidance will revolve around zero trust architecture for achieving Cyber Essentials Accreditation and the importance of asset management.
Languages
Several new languages will be added, and style changes will be made to make the document easier to read.
Cyber Essentials Plus Testing
A refreshed set of Malware Protection tests will simplify the process for the applicants and processors.
Round up
All of the changes above are based on feedback from assessors and applicants of the accreditation, to help improve the process for everyone involved. These changes have gone through consultation with internal technical experts from the NCSC, which will also begin providing informative articles about Cyber Essentials in the coming months.
All these updates will take effect from the 24th of April, 2023. This then means that all new applications for Cyber Essentials will use these new requirements.