Cyber Essentials – What are the changes to the technical control requirements?

The Government approved Cyber Essentials scheme includes five technical controls that help protect organisations from the majority of cyber-attacks. A team of experts review the scheme at regular intervals to ensure it stays effective in the ever-evolving threat landscape.


The scheme was introduced by the UK Government in 2014 as a way to help make the UK the safest place to do business. On January 24th 2022, some of the technical control requirements will change in line with recommended security updates. The evolution of Cyber Essentials allows UK businesses to continue raising the bar for their cyber security.


So, what are the changes? To simplify the changes, we have created this short video that highlights what is now in and out of scope.


Other changes

Cyber Essentials must now include end point devices: The scope of an organisation must include end-user devices - If an organisation certifies their server systems only, they ignore the threats that come from their administrators who administered those server systems. The change to this requirement closes the loophole where organisations were able to certify their company without including any end user devices.

 

All high and critical updates must be applied within 14 days and remove unsupported software. All software on in scope devices must be:

  • Licensed and supported

  • Removed from devices when it becomes un-supported or removed from scope by using a defined ‘sub-set’ that prevents all traffic to/from the internet.

  • Have automatic updates enabled where possible.

  • Updated, including applying any manual configuration changes required to make the update effective, within 14 days of an update being released, where:

Ø The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’

Ø The update addresses vulnerabilities with a CVSS v3 score of 7 or above

Ø There are no details of the level of vulnerabilities the update fixes provide by the vendor

 

Previously, there was a set criteria that the vulnerabilities which had to be applied had to meet which were laid out in the requirements. These criteria have now been dropped and organisations need to apply all high and critical updates on all their systems. This is raising the bar because organisations can no longer be selective about which patches they apply and leave themselves weak and vulnerable.


Two additional tests have been added to the cyber essentials plus audit, they are:

  • A test to confirm account separation between user and administration accounts

  • A test to confirm multi-factor authentication is required for access to cloud services.

 

When will the changes apply?

There will be a grace period of one year to allow organisations to make the changes for the following requirements:


MFA for Cloud Services

  • The requirement will apply for administrator accounts from January 2022

  • The MFA for users requirement will be marked for compliance from January 2023

Thin Clients

  • Thin Clients need to be supported and receiving security updates, the requirement will be marked for compliance from January 2023

  • The new question will be for information only for first 12 months.

Security Update Management

  • Unsupported software remove from scope will be marked for compliance from January 2023

  • The new question will be for information only for first 12 months.

If your organisation registers and pays for Cyber Essentials certification before 24th January 2022, you will be assessed on the old Cyber Essentials question set and have up to six months to complete your self-assessment.


Please be aware that the Cyber Essentials Readiness Tool will be updated with the new requirements for the 5 technical controls on 24th January 2022. If you would like to use the tool for guidance on the old question set, please access the guidance before 24th January 2022.


Additional guidance will be made available on these changes shortly – follow IASME on social media for notification.


The new requirements for infrastructure and question set can be found here.

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

 

The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.