On 30th November 2021, the National Cyber Security Centre (“NCSC”) announced new infrastructure requirements for Cyber Essentials and Cyber Essentials Plus. The new conditions will come into force on 24th January 2022.
The update is the most significant amendment to the scheme’s technical controls since it launched in 2014. For companies considering becoming Cyber Essentials or Cyber Essentials Plus certified, understanding the new requirements is essential to successful certification.
Cyber Essentials is the NCSC’s flagship cyber security standard. Achieving the standard helps organisations guard against the most common cyber threats and demonstrate their commitment to cyber security. For more information on the certification, you can read or download our extensive Guide to Cyber Essentials. Or we have a knowledge hub on the topic, for everything you need to know about Cyber Essentials.
Whilst the NCSC advertises Cyber Essentials as suitable for any size of organisation, our experience is it’s better suited to small and medium-sized enterprises (“SMEs”) or organisations with a small IT footprint. Larger and more complex organisations – particularly those with an IT department and a risk management function – should look towards the NCSC’s 10 Steps, ISO 27001 or the NIST Cyber Security Framework.
The UK government often requires its suppliers to achieve Cyber Essentials, it is recommended by the Information Commissioner’s Office (“ICO”); those who process NHS patient data will benefit from achieving Cyber Essentials Plus before they complete the NHS’s Data Security and Protection Toolkit.
What does ‘Cyber Essentials’ testing involve?
Organisations may apply directly for Cyber Essentials, although most use a Certification Body to support their application. This is an organisation (like Evalian) trained and licenced to certify to Cyber Essentials. There are two levels of certification: Cyber Essentials and Cyber Essentials Plus.
Certification begins with a self-assessment form featuring questions about your security policies, details about how often you update your systems, and the general security posture of your organisation. Once the form has been completed, you share it with your Certification Body, who will review your answers and provide guidance on whether you have passed or failed the Cyber Essentials certification.
Cyber Essentials Plus
To achieve Cyber Essentials Plus, an organisation must meet the standard of Cyber Essentials and, in addition, must undergo a vulnerability scan and other technical assessments by their Certification Body.
Why are changes occurring to Cyber Essentials?
Over the last two years alone, the way companies work has dramatically changed. Hybrid working, cloud applications, mobile communications, and digital transformation enable new modes of productivity and efficiency, but they also create new security risks.
In line with this, the NCSC has chosen to refresh Cyber Essentials, so it reflects today’s working practices and addresses current cyber security risks.
What will change from 24th January 2022 in Cyber Essentials and Cyber Essentials Plus?
Below we have highlighted some of the changes to Cyber Essentials and Cyber Essentials Plus.
Bring your own device (“BYOD”)
Mobiles and laptops owned by the organisation have always fallen in the scope of Cyber Essentials. However, now, user-owned devices which access organisational data or services also fall in scope – unless they are used solely for one of the below, in which case they remain out of scope:
- Native voice applications
- Native text applications
- Multi-factor authentication applications
Routers, wireless devices and working from home
Internet Service Provider (“ISP”) routers and a user’s own routers are out of scope, meaning the Cyber Essentials firewall controls must be employed on the user’s devices. However, if the organisation supplies a router to the employee, the router will be in scope.
Wireless devices, such as wireless access points, are considered:
- In scope if they can communicate with other devices through the internet
- Not in scope if a threat actor is unable to attack directly from the internet
- Not in scope if they are a component of a home-based, user-owned ISP router
Cloud services and web applications
Cloud services are now fully integrated into the scheme. If an organisation’s data or services are hosted in the cloud, they are subject to Cyber Essentials, and the organisation is responsible for ensuring the proper controls are implemented.
Definitions of cloud services have been added for Infrastructure as a Service, Platform as a Service and Software as a Service. New controls here include using multi-factor authentication to protect administrator and user accounts to connect to cloud services. Please see page 9 of Cyber Essentials: Requirements for IT infrastructure for further details on the breakdown of responsibility of cloud controls between service provider and organisation.
Moreover, third-party web applications now also fall in scope, although bespoke and custom components of web applications are not. Here, the NCSC refers to the need for robust development and penetration testing practices to mitigate vulnerabilities, in line with the Open Web Application Security Project (“OWASP”) standards. We have written detailed guidance on web application penetration testing.
For further information on the new technical controls that underpin the scope, we advise reading the NCSC’s guidance: Cyber Essentials: Requirements for IT infrastructure. IASME has also provided a brief overview in a blog on the changes to Cyber Essentials.
What does my organisation need to do?
The new version of Cyber Essentials will launch on 24th January 2022, with further changes planned for January 2023. For organisations which are currently Cyber Essentials certified, your certification will remain valid until you need to recertify. It’s worth familiarising yourself with the changes, in preparation for recertification as the changes will apply to certified organisations when they re-certify.
Organisations already undergoing assessments, or which have assessments before that date, will continue to use the previous technical standard, meaning the process will not be altered. These organisations have until the 24th July to complete assessments against the current standard.
Cyber Essentials applications planned to begin on or after 24th January must use the new version. The NCSC has recognised some organisations may need to make extra efforts to meet the new controls, so they have permitted a grace period of up to 12 months.
In our view, the updates to Cyber Essentials will make certification more difficult to achieve. However, this is no bad thing. Security, after all, is becoming ever more complicated as organisations embrace mobile-first, cloud and dispersed or hybrid working.
The stronger an organisation’s security posture, the harder it will be to breach. While achieving Cyber Essentials might now be slightly more of an investment, the pay-off in the long run – when compared to the cost of a security incident – is worthwhile.
The NCSC has created an FAQ page on the Cyber Essentials update if you want further information. Moreover, our consultants are always on hand to support with any queries.
Contact us for a friendly, no-obligation chat if you are looking for support with Cyber Essentials or Cyber Essentials Plus certification. As an IASME-accredited Certification Body, we are trained and licenced to certify your company to the current and new Cyber Essentials and Cyber Essentials Plus.