
What are the April 2023 Cyber Essentials Changes?

The UK Cyber Essentials certification has been running since 2014, and over that time it has developed into a respected basis for cyber security protection, especially for small and medium-sized organisations. The National Cyber Security Centre (NCSC) and IASME, the chosen scheme partner, have recently published details of further changes being made to the requirements of the certification from 24th April 2023. Here we look at what those changes are and how you might comply with them.


The New Question Set

The NCSC is keen to point out that the April 2023 Cyber Essentials changes (being referred to as Version 3.1 of Cyber Essentials) are about clarification and guidance rather than being a significant revamp. However, IASME has published a new question set called Montpellier, which will be used for all assessments after the change date. This is available to download free of charge from the IASME website.

Same Controls, (Slightly) Different Names, Different Order

The first and most obvious amendment to the requirements is that the five controls have been slightly renamed and put in a different order than previously. The list is now as follows:

  1. Firewalls: Secure your internet connection with boundary and host-based firewalls.
  2. Secure Configuration: Device settings, passwords and multi-factor authentication (MFA).
  3. Security Update Management: Keep your devices and software up to date with security patches.
  4. User Access Control: Securing user and administrator accounts and limiting access to data and services.
  5. Malware Protection: Including anti-malware software, allow-listing and code signing.

Although this obviously won’t affect the technical aspects of your controls, it could mean a bit of updating here and there to your documentation, just to keep it aligned with the scheme. The control “Security Update Management” has been renamed from “Software Patching”, presumably to emphasise that it’s specifically security patches we’re interested in, rather than those providing fixes to the functional aspects of software.

Scope Clarification

Partly due to the pandemic, in recent years Cyber Essentials has moved away from a limited scope definition consisting of a main office location toward a more distributed one including remote workers and cloud services. The main changes either introduced or re-emphasised in the April update include:

  • BYOD (Bring Your Own Device) devices (that is, user-owned) are in scope if they are used to access work data, unless all they are used for is phone calls, texts and MFA (Multi-Factor Authentication) apps.
  • Home working – all devices used for home working are in scope, whoever owns them, but a user’s self-provided router is not, as the organisation will typically have little control over its configuration.
  • Wireless devices are in scope if they can communicate with the Internet (as Cyber Essentials is mainly concerned with protecting from attacks launched over the web).
  • Cloud services – you must be clear about how the cloud service provider provides their part of the security picture, and this must be documented in a contract or similar.
  • User accounts and devices provided by your organisation to be used by third parties to access your infrastructure are still your problem and must be defined as being in scope.

Note that a requirement for the cyber insurance that is provided as part of Cyber Essentials is that the whole organisation is included in the scope.

Other Clarifications

NCSC has also made it clear that:

  • There’s no longer a need to state the model of your devices in your return.
  • If a device is not configurable to meet the requirements, defaults may be used.
  • Sandboxing is out as an option for anti-malware.
  • Firmware is software, but you only need to worry about router and firewall firmware for Cyber Essentials purposes.

Additional Topics NCSC is Emphasising

The slightly expanded guidance from NCSC refers to the importance of a number of topics that aren’t directly included in the Cyber Essentials requirements:

  • Asset management – seen as a cross-cutting discipline that feeds into all five controls and much more besides. You are encouraged to ensure you understand where asset information of various types is held within your organisation.
  • Backups – also a vital control, especially if you want to have any chance of recovering from ransomware without paying the ransom.
  • Zero Trust – NCSC recognises that many organisations (and in fact the industry) are moving in this direction and is keen to point out that this is a good thing and that the five Cyber Essentials controls fit in with this direction of travel.

Final Words

From recent experience of the certification process, it’s worth emphasising that you’ll need to get your list of cloud services straight before submitting your application, especially with regard to their support of MFA, which becomes mandatory not only for admins, but for all users across the board. Password settings (such as minimum length) and proving that your software (such as browsers) is being updated within the required timescales are also topics that will trip many organisations up.

The good news is that Cyber Essentials continues to shape up into a standard worth its place in the government’s Cyber Security Strategy and as a useful upgrade to many organisations’ levels of cybersecurity.

In line with the upcoming changes, we are currently updating our Cyber Essentials toolkit and this will be released in April 2023.

 

Written by CertiKit’s Managing Director and founder, Ken Holmes CISSP, CIPP/E. Ken is the lead author of our Cyber Essentials toolkit.


CertiKit is a provider of document toolkits and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the Cyber Essentials scheme, we’ve put together a list of our best free resources including sample documents, blogs and downloadable documents.

Free Cyber Essentials Resources
