Cyber Essentials has just undergone the biggest update in its eight-year history. So what’s changed? And why? The Grant McGregor team gives you the low down on the update.

Cyber Essentials was launched in 2014, to encourage UK organisations of all sizes and types to attain a basic level of cyber security.

Since its launch, the scheme has been a huge success, with more than 30,000 organisations choosing to get Cyber Essentials certified. However, as the National Cyber Security Centre, which oversees Cyber Essentials, points out: eight years is a long time in cyber security.

What’s changing with Cyber Essentials?

The updated scheme reflects the move to cloud computing by updating the five technical controls.

It also seeks to aid the certification of organisations with home working scenarios by taking the configuration of home workers’ ISP routers out of scope. However, it emphasises the need to ensure firewall controls are correctly applied to end user devices.

A new requirement for multi-factor authentication brings the standard in line with official NCSC guidance.

And, importantly, new guidance has been added to clarify the scope of the standard. In particular, it emphasises that end user devices should never be taken out of scope.

Additional guidance emphasises the need for effective backup and recovery. This has been added in response to the ransomware threat. However, the NCSC has stopped short of requiring this as part of the certification process.

The updated list of cyber security essentials for IT infrastructure can be found on the NCSC website here(1).

The five technical controls

The five technical controls of cyber essentials are:

• firewalls

• secure configuration

• user access control

• malware protection

• security update management

As part of the new guidance, the NCSC has worked with the Cloud Industry Forum to map these five technical controls to the three main types of cloud services (infrastructure as a service; platform as a service; software as a service).

The new standard rests on the idea of a shared responsibility model whereby the lines of responsibility are clear and organisations are fully aware of how their cloud providers should be properly implementing and delivering their services.

What isn’t changing in Cyber Essentials?

So, what isn’t changing?

The certification continues to represent the minimum baseline cyber security standard in the UK.

And the cost of certification isn’t changing. It remains £300 + VAT for micro companies and £500 + VAT for larger organisations.

The scheme will continue to be run by IASME for NCSC.

Plus, the certification will continue to be valid for 12 months.

Another aspect we’re pleased to report will be staying is that insurance will continue to be offered to small organisations.

When will the changes happen?

The changes were announced back in November 2021, but only came into effect on 24th January 2022. Any assessments that began on or after this date need to align with the new technical requirements and are certified to the new standard. You’ll have six months to complete certification.

If you’re already in the process of being certified, don’t worry. You’ll be working to the standards at the time of initiating your certification or recertification process. Provided you complete that process within six months, the new standards will kick in for your organisation the next time you certify.

Why have these changes been made?

With little fanfare, the National Cyber Security Centre and IASME, the organisation responsible for delivering the scheme, in November 2021 announced that Cyber Essentials scheme would be updated.

It points out that eight years is a long time in cyber security.

Changes towards digitalisation and cloud computing mean that the typical IT environment looks very different to how it did eight years ago. The global pandemic has expedited these trends and created a demand for remote and mobile working that isn’t likely to abate fully. Further, the threat of ransomware has increased.

For all these reasons, the NCSC felt it was necessary to overhaul to scheme to reflect and meet the needs of the new IT landscape.

What next?

Are you worried about what these changes might mean for your organisation or your own recertification process? If so, please get in touch with our team so we can talk you through the changes as they apply to you.

If you haven’t already attained Cyber Essentials certification, we highly recommend that you do. As this blog makes clear, it represents the minimum baseline standard for cyber security in the UK. Going for certification can help you to identify areas that you might not be aware need improving. It can be a very useful exercise. Plus, at the end of it, you have a certification to show that you adhere to the standard. You can read more about why we think that’s a good idea here.

To discuss your Cyber Essentials requirements, get in touch with us below:

Sources:

1. https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-IT-infrastructure-3-0.pdf