Softwerx is the UK’s leading Microsoft cloud security specialist
As the way we work continues to evolve, it’s important for your organisation to demonstrate that it has an up-to-date level of protection from current cyber-attack vectors. The Cyber Essentials (CE) certification scheme is responding to this challenge by refreshing its criteria for certification as of January 2022.
Cyber Essentials is a Government-backed scheme designed to guard against the most common internet-based cyber security threats. It allows organisations of all sizes to demonstrate their commitment to cyber security and protects organisations from 80% of attacks. IASME is the UK National Cyber Security Centre’s Cyber Essentials Partner, responsible for the delivery of the scheme.
Meeting the challenge
The latest changes were developed as a result of feedback from CE assessors and applicants, as well as discussions with the Cloud Industry Forum. CE is updating its technical controls, which cover five main areas, to ensure best practice across:
- Device configuration and passwords
- User access controls and permissions
- Endpoint malware protection
- Software security updates
This will be the first time the technical controls have significantly changed since the release of the scheme in 2014, and the changes will come into force on 24th January 2022.
The five main changes to CE
There are, according to IASME, 15 changes being made to the technical controls, and you can find more details on each on their website. Here are five highlights of what will now be included in CE certification as of next year:
| Type | Category | New CE status |
| --- | --- | --- |
| Hardware | Home devices connecting to corporate networks | All smartphones and tablets connecting to organisational data and services are confirmed in scope when connecting to a corporate network or mobile internet. Biometrics, a password, or a PIN of a minimum of 6 characters must be used to unlock the device. Stronger requirements for passwords and MFA. |
| Cloud services | Corporate network and data access | All cloud services are in scope and MFA must be used (where available). |
| Software | Updates | All high and critical updates must be applied within 14 days and unsupported software removed. |
| Data | Backups | New guidance on data backup requirements. |
| Hardware | Thin clients | Thin clients to be supported and receive security updates. |
In addition, if you are working towards Cyber Essentials Plus, there are two new tests for the Plus audit.
The changes to the technical controls are more comprehensive and more secure because of the new way we now work. They place a lot of emphasis on the fact that devices are now used more frequently outside an office environment, so BYOD policies, Zero Trust methodologies and remote access to networks are now all high priorities for most security teams.
What to expect
As of January, the new CE certification process will apply to both the Cyber Essentials self-certification questionnaire and Cyber Essentials Plus. Any organisation that registers and pays for the certification before this date will be assessed under the existing scheme and will be given the usual six months in which to complete the assessment.
IASME acknowledge that not all parts of the updated technical controls will be quick and easy to implement. As a result, they are providing a grace period of one year to allow organisations to make appropriate changes, but only for the following requirements:
- MFA for cloud services – Administrator accounts will be part of the scope from January 2022, with User accounts being included from January 2023.
- Thin clients – This new question will be for information only for the first 12 months; however, from January 2023 CE requires thin clients to be supported and receive security updates.
- Security Update Management – For the first 12 months, the questions on removal of unsupported software will be for information only, coming into scope in January 2023.
These new CE questionnaires are already available to download from IASME’s website, so I encourage you to take a look. This will give you a head start whether you are planning to re-certify next year or get CE for the first time.
Where to go to get cyber-secure
To conclude, this update is a significant evolution of the UK’s go-to cyber threat certification for today’s new era of hybrid work. If you’re interested in obtaining the Cyber Essentials certification, then please do get in touch. Softwerx are Cloud Industry Forum founding members, Cyber Essentials Plus certified, and are partnered with IT Governance to help organisations get CE certified. For a limited period of time, we’re offering a discounted price for the Cyber Essentials certification.
Cyber Essentials is a basic level of cybersecurity assurance you would overlook at your own risk.