In January 2023, the NCSC (National Cyber Security Centre) and the IASME Consortium disclosed that they would introduce fresh technical requirements for the government-endorsed Cyber Essentials scheme. These modifications were slated to take effect on April 24, 2023. This update forms a regular evaluation of the technical controls within the Cyber Essentials scheme, ensuring that the certification remains effective in safeguarding UK organizations against common cyber threats.
This update focuses on enhancing the Cyber Essentials technical requirements as part of the ongoing refinement of the Cyber Essentials scheme. Here are the new updates for April 2023 that you need to look at:
This is one of the most significant Cyber Essentials certification requirements changes. Multi-factor authentication helps reduce the attack surface to a great extent by discouraging most of the common attacks aimed at authentication.
In addition to admin users, all standard users must now have multi-factor authentication.
Firmware is now considered a form of software
The definition of ‘software’ in the requirements has been expanded to include a broader range of components, such as operating systems, off-the-shelf applications, plugins, interpreters, scripts, libraries, network software, and firmware for firewalls and routers. This change is driven by the critical role that firmware plays as the operating system for crucial security devices like firewalls and routers, and so it must be kept up to date for security.
When applying for Cyber Essentials certification, applicants must provide detailed information about their laptops, desktops, servers, computers, tablets, and mobile phones, including their make and operating system. However, only the make and model must be specified for firewalls and routers. This streamlined approach allows assessors to quickly determine whether the firmware on these security devices is receiving necessary security updates.
Consider asset management as a fundamental element of security, as its effective utilization can contribute to the fulfilment of all five security controls. Asset management has a far-reaching impact, influencing various aspects of a business, including IT operations, financial accounting, software license management, procurement, and logistics. These functions often overlap and depend on one another, underscoring the critical need for seamless integration and coordination within an organization to mitigate conflicts.
The critical requirement is that asset management isn’t merely about creating lists or databases that gather dust; it’s about establishing and maintaining precise and authoritative information about your assets. This information should support daily operations and facilitate well-informed decision-making when needed.
IASME emphasises that many significant incidents result from organisations still having assets active, even when the organisation is unaware of their continued activity. Effective asset management serves as a means to monitor and govern devices as they are introduced into your business environment.
Bring your own device (BYOD)
Additional guidance has been provided to address potential uncertainties arising from the growing trend of bringing your own devices (BYOD). The uncertainty stems primarily from customised user experiences on personal devices, which make it more difficult to implement security controls consistently. To address this, the new technical requirements now specify that user-owned devices which access corporate data or services are considered within the scope of the guidelines.
However, mobile or remote devices used exclusively for native voice applications, native text applications, or multi-factor authentication (MFA) applications fall outside the scope of these requirements.
Clarified definition of third-party devices
The new requirements state that devices owned by your organisation and lent to a third party should be considered within the assessment scope. Additionally, a helpful table is provided to clarify whether devices not owned by your organisation fall within or outside the scope of assessment.
This clarification is especially useful in explaining how individuals like students, volunteers, or consultants should use the organisation’s devices. It underscores organisations’ need to apply security controls through technical measures and documented policies.
IASME explicitly mentions that devices used by students of the applying organisation have never been and currently are not considered within the assessment scope.
The presence of active malware protection is required on all devices
You must choose at least one of the following malware protection options for each device; these options are typically integrated into the software supplied with the device. Anti-malware software is no longer required to be signature-based, and sandboxing is removed as an option.
Alternatively, you can acquire products from a third-party provider. Regardless of the choice, the software must be active, regularly updated according to the vendor’s instructions, and configured as outlined below:
1. Anti-Malware Software (available for in-scope devices running Windows or MacOS, including servers, desktops, and laptops):
- Ensure that the software is updated following the vendor’s recommendations.
- Configure it to block malware from running.
- Set it up to prevent the execution of malicious code.
- Configure it to block connections to malicious websites over the internet.
2. Application Whitelisting (available for all in-scope devices):
- Only approved applications, verified by code signing, are permitted to run on devices.
- You must proactively approve these applications before deploying them to devices.
- Maintain an up-to-date list of approved applications so that users cannot install unsigned applications or applications with invalid signatures.
‘Device Unlocking’ guidance has been updated
Cyber Essentials recommends adhering to the minimum security settings that a vendor permits when concerns arise about the inability to modify specific default settings. This is because there are instances where an applicant may be using a device for which altering the configuration to meet Cyber Essentials requirements is not feasible. A case in point is the requirement to lock a device after ten failed sign-in attempts. For instance, Samsung, one of the world’s largest smartphone providers, has set its minimum sign-in attempts at 15, with no provision for adjustment.
The new requirements specify that adopting the vendor’s default setting is advisable when a vendor does not provide the flexibility to configure these settings.
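As an added example (not from the article, IASME or the NCSC), the scope rules for user-owned, lent and student devices, the two malware protection options, and the device-lock rule described above can be encoded as a small inventory check. The device fields, owner categories and the rule that a lockout above ten attempts is acceptable only when it equals the vendor's fixed minimum are this example's own reading of the text; the inventory is constructed.

```python
from dataclasses import dataclass, field
# A user-owned device used only for native voice, text or MFA apps stays out of scope.
EXEMPT_USES = {"voice", "text", "mfa"}
# Option 1 (anti-malware) is listed for Windows/macOS; option 2 (whitelisting) for any device.
ANTI_MALWARE_OS = {"windows", "macos"}
@dataclass
class Device:
    name: str
    os: str                                  # "windows", "macos", "ios", "android", ...
    owner: str                               # "org", "user", "third-party" or "student"
    uses: set = field(default_factory=set)   # e.g. {"email", "voice"}
    accesses_org_data: bool = False
    malware_protection: str = ""             # "anti-malware", "whitelisting" or ""
    lock_after_failures: int = 0             # 0 = no lockout configured
    vendor_minimum: int = 0                  # lowest value the vendor allows, if fixed

def in_scope(d: Device) -> bool:
    # Scope rules as this example reads them from the April 2023 update.
    if d.owner == "student":
        return False
    if d.owner == "org":
        return True                          # still in scope when lent to a third party
    if not d.accesses_org_data:
        return False
    return not (d.uses and d.uses <= EXEMPT_USES)

def issues(d: Device) -> list:
    # Control failures for one in-scope device.
    out = []
    if d.malware_protection == "anti-malware" and d.os not in ANTI_MALWARE_OS:
        out.append("anti-malware option is listed only for Windows/macOS")
    elif d.malware_protection not in ("anti-malware", "whitelisting"):
        out.append("no active malware protection")
    if d.lock_after_failures <= 0:
        out.append("no lockout after failed sign-ins")
    elif d.lock_after_failures > 10 and d.lock_after_failures != d.vendor_minimum:
        out.append("lockout above 10 attempts and not the vendor minimum")
    return out
def assess(devices) -> dict:
    return {d.name: issues(d) for d in devices if in_scope(d)}
# Constructed sample inventory (not real data).
INVENTORY = [
    Device("LT-01", "windows", "org", {"email"}, True, "anti-malware", 10),
    Device("PH-02", "android", "user", {"voice", "mfa"}, True),        # out of scope
    Device("PH-03", "android", "user", {"email"}, True, "whitelisting", 15, 15),
    Device("LT-04", "windows", "student", {"email"}, True),            # out of scope
    Device("TB-05", "ios", "third-party", {"email"}, True, "anti-malware", 0),
]
```

Running `assess(INVENTORY)` reports only the in-scope devices, with PH-03 passing because 15 is the vendor's fixed minimum and TB-05 failing on both controls.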
Using a zero-trust architecture is not prohibited by Cyber Essentials
Recent developments, such as the increasing migration of services to the cloud, the widespread adoption of Software as a Service (SaaS), and organisations embracing flexible work arrangements, have changed network design.
A zero-trust architecture has been employed to safeguard networks, especially when diverse device types connect from various locations. This approach to system design operates on the premise that the network is potentially untrustworthy, and every access request is rigorously verified based on a predefined access policy, as outlined by the NCSC.
This verification process establishes confidence in each access request by considering factors like robust authentication, authorisation, the health of the connecting device, and the sensitivity of the data being accessed.
The new technical requirements acknowledge the shift towards zero-trust architecture models and ensure that the implementation of these controls aligns with the principles of a zero-trust architecture, as defined in the NCSC guidance. This allows organizations to embrace this security approach without hindrance.
What impact will these updates have on you?
The new Cyber Essentials version, 3.1, was released on April 24, 2023. The ‘Montpellier’ question set replaces ‘Evendine.’ Importantly, any assessments that commenced before April 24 will still use version 3.0 with the ‘Evendine’ question set, including accounts created before that date.
Assessment timelines remain the same: You have six months to complete Cyber Essentials Basic when you receive IASME portal login details. After achieving Cyber Essentials certification, you have three months to finish the Cyber Essentials Plus assessment.
The CE+ illustrative specification document has been updated with the following changes:
- Malware protection updates impact how CE+ Assessors conduct malware protection tests. Additional details will be discussed during a CE+ audit if necessary.
- The technical requirements document has been improved for readability with language enhancements.
- The technical controls have been reorganized to match the self-assessment question set.
- The scheme requirements now follow the same sequence as the self-assessment question set: firewalls, secure configuration, security update management, user access controls, and malware protection.
The Cyber Essentials certification has undergone significant updates in April 2023 to ensure it continues to help UK organizations guard against the most common cyber threats. The changes include:
- User Devices: Only the make and operating system of user devices must be listed, removing the requirement to list the device model.
- Firmware: The definition of ‘software’ has been updated to include only router and firewall firmware.
- Third-Party Devices: More information and a new table clarify how third-party devices should be treated in your application.
- Device Unlocking: It’s now acceptable for applicants to use default settings in devices where they are unconfigurable.
- Malware Protection: Anti-malware software no longer needs to be signature-based, and sandboxing is removed as an option.
- Zero Trust Architecture: New guidance on zero trust architecture for achieving CE and a note on the importance of asset management.
- CE+ Testing: The CE+ Illustrative Test Specification document has been updated to align with the changes in the requirements.
As we move forward, staying updated with these changes is crucial to ensure our cybersecurity measures are robust and effective. Thanks to the initiative from NCSC and IASME, who are pillars of this entire certification, it is possible to provide businesses around the UK with a much-needed push for improving their posture. Stay safe online! 🛡️
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.