I cannot stress enough the importance of staying up-to-date with the Cyber Essentials requirements. Ensuring your business is adequately protected against growing cyber threats involves implementing various technical controls, which are critical for maintaining your competitive edge and safeguarding your reputation.
Cyber Essentials and Cyber Essentials Plus are government-backed certification schemes to help UK organisations guard against the most common cyber threats. The Cyber Essentials certificate is designed to help small and medium enterprises to ensure basic security controls.
In April 2023, the National Cyber Security Centre (NCSC) and the IASME Consortium introduced several key updates to the CE requirements. These changes reflect the evolving nature of the cyber threat landscape and are intended to ensure that the certification remains an effective tool in protecting businesses.
As a business owner, it is crucial to understand these updates and take the necessary steps to ensure your organisation remains compliant. Failing to do so leaves your business vulnerable to cyber-attacks and may result in lost business opportunities and reputational damage.
We will cover the key changes introduced in the April 2023 update and their impact on your business, and guide how to ensure your organisation meets the latest Cyber Essentials requirements.
Let’s dive right in.
Fundamental Changes in the CE+ Requirements
Cyber Essentials MFA Requirements
One of the most notable changes in the 2023 update is requiring all users, not just administrative users, to enable multi-factor authentication (MFA). This additional layer of security helps prevent unauthorised access to your systems and data, even if a user’s password is compromised.
Expanded definition of software to include firmware
The definition of ‘software’ has been broadened to include firmware, such as routers and firewalls. This change recognises the critical role that firmware plays in the security of your network and ensures that these components are kept up-to-date with the latest security patches.
Effective asset management for user devices
When applying for Cyber Essentials certification, you’ll now only need to provide the user devices’ make and operating system rather than the specific model. The requirement to list the device’s model has been removed. However, you’ll still need to specify the make and model for firewalls and routers to ensure that the firmware receives necessary security updates.
Cyber Essentials Mobile Device Management Requirements
The update provides additional guidance on BYOD policies, acknowledging the challenges of managing user-owned devices. User-owned devices that access organisational data or services are now explicitly included in the scope of Cyber Essentials.
Updated guidance on third-party devices
The new requirements clarify how to handle devices used by third parties, such as contractors or managed service providers. Devices owned by your organisation but used by third parties must be included in the scope of your Cyber Essentials assessment.
Updated “Device Unlocking” instructions
The update recognises that some devices may have vendor-imposed restrictions on configuring certain security settings. In these cases, using the vendor’s default settings is acceptable when they cannot be changed to meet the Cyber Essentials requirements.
For instance, Samsung, one of the world’s largest smartphone providers, has set its minimum sign-in attempts at 15, with no adjustment provision
Mandatory active malware protection on all devices
All devices within the scope of your Cyber Essentials certification must now have active malware protection. You can choose from various options, including anti-malware software and application-allow listing, depending on the type of device and its role within your organisation.
Cyber Essentials Plus Testing Requirements Changes since April 2023
The most significant change for Cyber Essentials Plus certification is the more straightforward endpoint protection tests for applicants.
Sub-tests include:
- Where anti-malware software is installed
- check effectiveness against malware delivered through email and browser.
- Check if the software is updated in line with the vendor’s configuration instructions.
- Manual checks to ensure the software is operational through logs and vendor configuration instructions.
Where certificate-based applications allow listing is in use:
- check the list of trusted root certificates is the standard set
- additional certificates are added to the trusted root only with the user’s agreement
- any unsigned binaries (executables) and certificate-signed executables that don’t chain to a trusted cert will not be executed on the device
- operating system policies for code signing are applied to all executable file formats.
All the changes from the self-assessed Cyber Essentials certification are applicable.
Download the free Cyber Essentials questionnaire list here:
Cyphere – Updated Cyber Essentials Question Set – Montpellier January 2023
Compatibility with zero-trust architecture
A zero-trust architecture has been employed to safeguard networks, especially when diverse device types connect from various locations. This approach to system design operates on the premise that the network is potentially untrustworthy, and every access request is rigorously verified based on a predefined access policy, as outlined by the NCSC.
The new CE requirements acknowledge the growing adoption of zero-trust architectures and clarify that implementing Cyber Essentials controls does not prevent organisations from using this security model.
Suggested Read: Cyber Essentials Plus Checklist
Cyber Essentials Certification requirements by technical cyber security control theme
The Cyber Essentials scheme is structured around five key technical control themes that are in the assessment scope. These themes represent the essential security measures organisations must implement to protect themselves against cyber threats. Cyber Essentials Plus requires a technical audit by an external auditor, i.e. IASME Cyber Essentials Plus assessor before CE+ certification is awarded.
Let’s look at these cyber essentials’ mandatory control areas and what they mean for your business.
1. Firewalls
Firewalls are critical components of network security for incoming and outgoing traffic. This key control area includes locking administrative interfaces to block untrusted networks, ensuring unnecessary ports are closed for remote access, or MFA enabled, tightening firewall rules and blocking potentially malicious connections through Internet gateways. Under the Cyber Essentials scheme, you must ensure that a securely configured firewall protects all your devices, whether a boundary firewall or a software firewall on individual devices.
2. Secure configuration
Secure configuration involves ensuring that your devices and software are set up in a way that minimises vulnerabilities related to the use of cloud services, avoiding infections from accessing content from malicious websites, security of user accounts and privilege escalation issues. This includes disabling unnecessary user accounts, blocking installation of untrusted software or access to IT systems, changing default passwords, use of separate accounts for privileged tasks, device locking controls, protection against brute force attacks, securing admin accounts, disabling unnecessary software and services, and implementing appropriate access controls. Securely configuring your systems reduces the risk of attackers exploiting known weaknesses or file execution without verifying the access against approved applications.
3. Security update management
Keeping your software and firmware licensed, supported, and up-to-date is essential for maintaining a solid security posture. Vendor recommendations include configuring automatic updates and regularly patching against known security issues or known vulnerabilities, and you must apply these updates promptly. Under the Cyber Essentials scheme, you must have a process to ensure that all software and firmware are kept up-to-date on the in-scope devices, with critical updates applied within 14 days of release.
4. User access control
User access control is about ensuring that only authorised individuals have access to your systems and data and that they only have the level of access required to perform their roles. For instance, using administrative accounts to perform privileged tasks only. This involves implementing robust authentication methods, such as multi-factor authentication (MFA), and regularly reviewing and updating user permissions. Securely managing user access minimises the risk of unauthorised access and data breaches, including supply chain security risks.
5. Malware protection
Malware, such as viruses, worms, and ransomware, can cause significant damage to your systems and data. To protect against these threats, the Cyber Essentials requires antivirus software protection on all your devices.
By understanding and implementing these five technical control themes, you’ll be well on your way to achieving Cyber Essentials certification and protecting your business against common cyber threats. Remember, these controls are not just about ticking boxes for certification – they represent best practices that every organisation should adopt to maintain a strong security posture in today’s digital landscape.
Impact of the Cyber Essentials Scheme April 2023 updates on businesses
As a business owner, it’s essential to understand how these changes will affect your organisation and what steps you need to take to ensure compliance.
New version (3.1) and question set (Montpellier)
The updated Cyber Essentials scheme, version 3.1, was released on April 24, 2023. This new version introduces a new question set called Montpellier, which replaces the previous Evendine question set. It’s important to note that assessments started before April 24 will still use version 3.0 and the Evendine question set, even if your account was created before that date.
Assessment timelines and deadlines
The assessment timelines for the certification remain unchanged. Once you receive your IASME portal login details, you have six months to complete the Cyber Essentials Basic assessment. After achieving Basic certification, you have three additional months to complete the Cyber Essentials Plus assessment, if desired.
Illustrative Test Specification document
The Cyber Essentials Plus Illustrative Test Specification document has been updated to reflect the changes in the April 2023 update. This document guides Cyber Essentials Plus assessors on conducting the necessary tests to verify compliance with the scheme’s requirements. The most notable change is in the malware protection testing section, updated to align with the new requirements for malware protection on all devices.
To ensure compliance with the updated Cyber Essentials scheme, your business should:
- Review your current cybersecurity measures against the updated requirements.
- Identify gaps or areas where your current setup falls short of the new requirements.
- Implement the necessary changes to address these gaps, such as enabling MFA for all users, updating device firmware, and ensuring active malware protection on all devices.
- Conduct a self-assessment using the new ‘Montpellier’ question set, or engage a Certification Body to guide you.
- Once certified, maintain compliance by regularly reviewing your cybersecurity measures and applying updates as needed. Get in touch with our cyber advisors at Cyphere should you need free consultation.
Achieving CE certification not only helps safeguard your organisation but also instils trust in your customers and stakeholders, showing that you take the security of their data seriously.
Conclusion
While achieving certification may seem like a headache, it’s important to remember that you don’t have to do it alone. Engaging with experienced cybersecurity consultants, like those at Cyphere, can help guide you through the process and ensure that your business meets all the requirements. Compliance is a requirement for business, and security is how proactive you are to protect your people, processes and tech.
At Cyphere, our team of highly skilled cybersecurity professionals has extensive experience helping businesses of all sizes navigate the certification process. From conducting initial assessments and identifying areas for improvement to implementing the necessary changes and supporting you through the certification process, we’re here to help you every step. Stay safe online! 🛡️
Don’t let the updated CE certification requirements be a tick-in-a-box exercise but a proactive security business buy-in. Contact Cyphere today to get started on your Cyber Essentials Plus journey and take your business’s cybersecurity to the next level.







