Monday, 13 February 2023

New changes to Cyber Essentials for 2023

Following last year's update, the NCSC and IASME have made additional changes and clarifications to the Cyber Essentials scheme this year. Read them here:

This blog is an important read for any organisation with Cyber Essentials certification or which is thinking about getting certified. It lists the changes and clarifications which will come into effect in April 2023.

Cyber Essentials is updated regularly to reflect the changing cyber threats we face and the changing technologies we use.

Following the major changes made last year, the National Cyber Security Centre and its Cyber Essentials certification body IASME have made additional changes and clarifications to the scheme this year.

What are the changes to Cyber Essentials in 2023?

The major changes to the Cyber Essentials scheme listed for version 3.1, which come into effect from 24th April 2023, are:

•    Clarification on user devices

•    Clarification on firmware

•    Changes to device unlocking guidance

•    Changes to malware protection guidance

•    New guidance to align Cyber Essentials with existing NCSC guidance on “zero trust” architecture

The structure of the technical controls has been updated to reflect these changes and the CE Illustrative Test Specification document has been aligned accordingly.

Let’s explore a little more about what these changes mean in practice.

Clarification on user devices

A new table which outlines which user devices fall into scope has been provided. Devices owned by your organisation always fall into scope. The table illustrates when BYOD devices and devices owned by a third party fall into scope. Devices of students that are not owned by the organisation are not and have never been in scope.

Furthermore, the changes mean that user devices declared within scope need only the make and operating system to be listed. The requirement to list the model of the device has been removed (except for network devices such as firewalls and routers; these still require the model to be listed). 

Clarification on firmware

Firmware is currently included in the definition of software, so it must be kept up to date and supported. Following feedback that the information can be difficult to find, the new guidance advises that this applies only to router and firewall firmware.

Changes to device unlocking guidance

Samsung, one of the biggest-selling mobile device manufacturers, sets its minimum sign-in attempts at 15. It offers no option to change this. This makes it impossible to lock the device after 10 failed sign-in attempts. To reflect problems like this, where device manufacturers prevent changes to their default settings in a way that prevents compliance with Cyber Essentials requirements, the guidance has been updated.

When the vendor does not allow you to configure the settings, it is now allowable to use the device vendor’s default setting.

Changes to malware protection guidance

The malware section has also been updated. Anti-malware software will no longer need to be signature based. Clarification has been provided about which mechanism is suitable for different types of devices. Sandboxing is no longer an option. 

Anti-malware software is an option for devices running Windows or MacOS, including servers, desktops and laptops. If you choose this option, it must: be updated in line with vendor recommendations; prevent malware from running; prevent the execution of malicious code; and prevent connections to malicious websites over the Internet.

Alignment with “zero trust” architecture

Zero trust is an increasingly important approach to cyber security. IASME has worked with NCSC to ensure that the Cyber Essentials requirements are now in line with the existing NCSC guidance about how to implement zero trust.

The importance of asset management

The guidance also emphasises the need to ensure good asset management practice. Although asset management is not one of the Cyber Essentials controls, the new guidance does emphasise its importance as part of your organisational cyber security strategy.

How will the changes to Cyber Essentials affect your organisation?

The changes come into effect on April 24, 2023.

Any organisation which begins its Cyber Essentials certification on or after this date will be measured against the new guidance (v3.1).

Any assessments which began before April 24, 2023, will use the current question set (v3.0).

You can find the new guidance here.

And you can find the new illustrative specification document for Cyber Essentials Plus assessment here.

As normal, the certifications last for 12 months.

What next?

Grant McGregor can help you with your Cyber Essentials assessment, getting prepared and putting the necessary controls in place. Speak with our team today.

Call us: 0808 164 4142

Message us: 

Further reading

You can catch up with the major changes to Cyber Essentials made in 2022 on our blog. Read more here.

You can also find additional advice about cyber security topics:

•    12 questions to ask your web developer about cyber security

•    How do you solve a problem like Suella?

•    What Does the War in Ukraine Mean for Your Cyber Security?

•    What does the UK Government’s national cyber strategy 2022 mean for SMEs?

•    And: A recent case exposes why cyber security requires multiple lines of defence