Cyber Essentials technical controls update - Cribb Cyber Security

In January 2022, the NCSC is introducing the largest Cyber Essentials (CE) technical controls update since it was first launched in 2014. Today we look at what is changing to see what it might then mean for you moving forwards.

The new year will see the introduction of an updated set of requirements for the CE scheme. This update is in direct response to the ever-evolving cyber security challenges facing organisations on a daily basis. The post-pandemic world is a vastly different one for all of us. So many now work in a completely different way, either remotely or in their own home. Cloud service uptake is huge nowadays; digital transformation had been gathering momentum before Covid but then accelerated in its aftermath. The CE changes are designed to reflect all of these differences. There will also then be more regular reviews of the CE scheme’s technical controls.

What is Cyber Essentials?

In simple terms it is a government-backed scheme that helps organisations to defend themselves against common cyber threats and basic cyber-attacks. It is designed to provide some peace of mind to them, their people and to their customers. Organisations working on UK government contracts are required to be Cyber Essentials-certified.

A recent, large-scale technical review of the scheme was completed by the NCSC and its delivery partner for CE, IASME. The results of this review have then been used to create updates to the requirements that make up the scheme’s controls. These include revisions to the use of cloud services plus updates and new definitions for home working, multi-factor authentication and more (see the list below). It is believed that once updated, the controls will then see Cyber Essentials more aligned with other initiatives such as ‘Cyber Aware’.

Changes to Cyber Essentials

  • All cloud services are now in scope
  • These will require Multi-Factor Authentication (MFA)
  • Scoping requirements are to be updated
  • Home working requirements will be defined
  • ‘Bring your own device’ (BYOD) information is to be updated
  • Password-based authentication requirements will be introduced
  • There will be new device lock requirements
  • Unsupported software requirements to be added to security update management

When does the new version of CE launch?

The official release date is 24th January 2022. Organisations using the current standard will then have six months from 24th January to complete the new assessment. The updated version of requirements will be used for all CE applications starting on or after 24th January. There will be a grace period of up to 12 months for some of the requirements to allow certain organisations needing extra efforts additional time.

Some key FAQs

  • When do the changes begin? 24th January 2022
  • When will technical details be released? You can view the requirements here, plus read through the question set
  • What if I am currently completing the CE assessment? You will have up to 6 months to complete that assessment before then moving onto the new assessment

You can view the full series of FAQs from the NCSC on these changes here.

The Cyber Essentials technical controls update will further improve cyber resilience at a time when threats are continuously growing. CRIBB Cyber Security is an official certification body and we can help if you need guidance with the new CE. Simply contact us today and we’ll help you improve your defences.