On January 24th 2022, the NCSC (National Cyber Security Centre) and IASME implemented an updated set of requirements for Cyber Essentials. 

This update is the most significant overhaul of the scheme’s technical controls since it launched in 2014. The change comes in response to the cybersecurity challenges organisations have faced in the last seven years to ensure the scheme stays effective in the continually evolving threat landscape. 

What is cyber essentials?

Cyber Essentials aims to safeguard businesses against common cyber threats. The cyber essentials scheme is an industry-supported scheme backed by the UK government.

The Cyber Essentials scheme’s purpose is to create a simple prescriptive formula based on attack evidence. There are two ways to achieve cyber essentials certification: 

Cyber Essentials

Cyber Essential is an audited self-assessment via a questionnaire that validates how you ensure a minimum acceptable level of protection against the most common cyber-attacks.

The self-assessment covers the five key areas and ensures that appropriate technical, process and governance controls have been established. This will result in formal certification.

The cyber essentials certification demonstrates to your stakeholders and any third parties you do business with that you take cyber security seriously and help reassure customers and attract new business.

Cyber Essentials Plus

The cyber essentials plus certification takes the initial self-assessment further by including an independent audited technological verification of an organisation’s self-assessment and scope to confirm it meets the minimum criteria of the scheme.

Cyber Essentials Plus Certification 2022

The newly updated cyber essentials scheme still covers the same key five technical areas that help protect organisations from most cyberattacks; however, there are now some additional requirements for 2022, and beyond that, you will have to consider.

The continued development of the Cyber Essentials scheme will allow UK businesses to strengthen their cybersecurity posture further and help fulfil the National Cyber Security strategy.

So, what are the changes?

The CE and CE+ scheme updates are significant and will impact certification for all organisations, including Certifying Bodies (CBs), considering the implications and complexity/technologies involved with the changing requirements.

Cyber essentials certification: what you need to know

Homeworking devices are in scope, but most home routers are not.

Those who work from home for any time are now classified as ”home workers”. The devices that home workers use to access organisational information, whether the organisation or the user owns them, are in scope for Cyber Essentials.

Home routers provided by Internet Service Providers or homeworkers are now out of scope. However, if the organisation supplies a router, it is in scope and must have the minimum Cyber Essentials controls.

The home worker’s device (computer, laptop, tablet and phone) are directly transferred to the Cyber Essentials firewall.

According to the IASME Consortium:

A corporate (single tunnel) Virtual Private Network (VPN) transfers the boundary to the corporate or virtual cloud firewall.

All cloud services are in scope.

Cloud services are now part of the updated scheme. If your business data or services are hosted on cloud services, you and your cloud service provider must ensure all the minimum cyber essential controls are implemented.

A definition of cloud services and the everyday cyber security responsibilities have been added for:

• Infrastructure as a Service (IaaS);
• Platform as a Service (PaaS); and
• Software as a Service (SaaS).

What does this mean?

Cloud services are not always secure by default. Before this scheme update, only IaaS was in scope now, the Cyber Essentials scheme considers all the cloud services an organisation uses.

You must take responsibility in reading up and checking on your cloud services and then ensure you or your cloud provider have applied the minimum required Cyber Essentials controls.

Multi-factor Authentication is Now Operated for Access to Cloud Services.

One of the most significant changes in the scheme is that Multi-Factor Authentication for cloud services is now mandated for all administrative users.

From 2023 Multi-Factor Authentication will be required for all other users. The multi-factor authentication approach’s password element must be at least eight characters long, with no maximum length limits.

What does this mean?

There have been numerous attacks on cloud services, using various techniques to steal passwords to access user accounts.

Before accessing your account, it is recommended that multi-factor authentication authenticate your credentials for regular users – which is now mandated for administrators of cloud services.

Multi-factor authentication requires the user to have two or more types of credentials before accessing an account.

There are four types of additional factors that may be considered:

• An enterprise device that is managed
• An app on a trusted device
• A physically distinct token
• A well-known or reliable account

Thin clients are in scope when they connect to organisational information or services.

A thin client, sometimes known as a “dumb terminal,” is a device that allows you to access a remote desktop.

These devices typically don’t have a lot of storage capacity, but they can connect to the internet and the business data in scope.

All thin clients will need support devices and receive security updates from January 2023 as part of the scheme update.

All servers, including virtual servers on a sub-set or a whole organisation assessment, are in scope.

Servers are specialised equipment that provides data or services to other devices within your organisation.

The definition of a “Sub-set” and how it affects the scope.

A sub-set of an organisation is described as a section of the network separated via a firewall or VLAN.

A sub-set can describe what is covered by a Cyber Essentials certification and what is not. It is no longer acceptable to utilise individual firewall rules for each device.

”Licensed and supported” definition.

Software that you have a legal right to use and that a vendor has committed to supporting by sending regular patches or updates is known as licenced and supported software.

The vendor must state when they will stop releasing updates in the future.

The vendor does not have to be the software’s original inventor, but they must modify it to create updates.

Software must be removed from all devices or from scope (e.g. using a Sub-set) when this is no longer supported.

When connecting to corporate networks or mobile internet such as 4g and 5g, all smartphones and tablets relating to organisational data and services are confirmed in scope.

Mobile or remote devices used solely for voice conversations, text messaging, or multi-factor authentication applications, on the other hand, are not covered.

Locking of the device.

A minimum password or pin length of 6 characters must be used to unlock a device or the use of biometrics.

Requirements for password-based and multi-factor authentication.

One of the following precautions should be employed when using passwords to prevent brute-force password guessing:

• Authentication with many factors
• Throttling the number of failed or guessed tries.
• After ten or fewer unsuccessful login attempts, accounts are locked.

The quality of passwords is managed via technical controls. 

One of the following will be included:

• Using multi-factor authentication with a password is at least eight characters long and has no length limitations.
• A minimum password length of 12 characters, but there are no limits on how long a password can be.
• There is a minimum password length of eight characters, no maximum password length limits, and an automatically denies list banning common passwords.

New instructions on how to create strong and secure passwords have been created. It is currently advised that three random words be used to construct a long, difficult-to-guess password that is unique.

Suppose you know or suspect a password/account is compromised. In that case, you must change the password as soon as possible and report this potential security incident via your organisation’s incident reporting process or helpdesk.

Account Separation.

Separate accounts should be used for administrative tasks (no emailing, web browsing or other standard user activities may expose administrative privileges to avoidable risks).

The scope of an organisation must include end-user devices.

If an organisation certifies its server systems, it ignores the vulnerabilities posed by the administrators who manage such systems.

The amendment to this criterion plugs a loophole that previously allowed companies to certify themselves without incorporating end-user devices.

All endpoint devices must now be included in Cyber Essentials.

All critical updates must be applied within 14 days, and unsupported software must be removed.

On in-scope devices, all software must be:

• Licensed and supported
• When it becomes unsupported, it is deleted from devices or withdrawn from scope using a defined sub-set that blocks all traffic to and from the internet.
• Wherever practical, enable automatic updates.
• Within 14 days of an update being released, updated, including any manual configuration modifications required to make the upgrade effective, where:

– The patch addresses vulnerabilities classified as ”critical” or ”high risk” by the vendor.
– Vulnerabilities having a CVSS v3 score of 7 or above are addressed in the update.
– There are no details on the severity of the vulnerabilities addressed by the vendor’s update solutions.

Guidance on backing up.

Although backing up your data is not a technical requirement of Cyber Essentials, there is now guidance on backing up important data.

Using a suitable backup solution regularly is highly recommended by experts.

The NCSC has released guidance for businesses on how to improve their cyber security posture to help protect against possible ransomware attacks.

To the cyber essentials plus audit, two new tests have been added.

1. The assessor must confirm account isolation between user and administration accounts by performing a specific test.
2. The assessor must confirm that MFA is required for cloud service access by administrators.

When will the changes be effective?

There will be a one-year grace period for businesses to make changes to the following requirements:

MFA for services in the cloud.

From January 2022, the requirement will only apply to administrator accounts.

However, you may be able to do so if your organisation has designated (in the self-assessment) it’s enabled for all users.

In this case, it will be part of the additional new tests for Cyber Essentials Plus.

From January 2023, the MFA for users’ requirements will be indicated for compliance.

Thin Clients.

Thin Clients must be supported and get security upgrades.

The deadline for mandatory compliance will be January 2023.

For the first 12 months, the new questions will be for information purposes, only when you submit your self-assessment via IASME’s website.

Security management update.

From January 2023, unsupported software will be removed from the scope and tagged for compliance. For the first 12 months, the new question will be for information only. The new requirements for infrastructure and question sets can be found here.

Price updates for the Cyber essentials certification.

A new price scheme has been introduced for cyber essentials certification. The price changes reflect the cyber security we all live in and the changes in the scheme. To learn more about the new tiered structure (based on the size of your organisation), please click here.

How can Sapphire support my organisation?

Sapphire is Cyber Essentials Plus (CE+) certified. In addition to this, Sapphire is qualified to examine and certify firms against both the Cyber Essentials and Cyber Essentials Plus programmes.

Contact us here today.