Cyber Essentials Update: April 2023

In April 2023, the NCSC and its Cyber Essentials delivery partner IASME will update the technical requirements for Cyber Essentials. The updates will help ensure the scheme continues to support UK organisations to protect themselves against cyber threats.

What is Cyber Essentials?

The Cyber Essentials scheme is an information security standard that offers an affordable and effective level of assurance for businesses of all sizes and comes in two ‘flavours’ – the base Cyber Essentials and the more demanding Cyber Essentials Plus. The programme sets out five key technical controls to help businesses with cyber protection, which will help protect you against the most common cyber threats. In fact, the cyber security certification aims to reduce an organisation’s risk of attack from internet-borne threats by around 80%.

You can find more about Cyber Essentials requirements here.

What will the 2023 update include?

After a major update last year – the most significant update to the scheme since it was first set up in 2014 – the 2023 update will be lighter touch, providing several clarifications alongside some important new guidance. The following details are from the National Cyber Security Centre, Cyber Essentials technical requirements updated for April 2023.

• User devices: With the exception of network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. The requirement for the applicant to list the model of the device has been removed. This change will be reflected in the self-assessment question set rather than the requirements document.
• Clarification on firmware: All firmware is currently included in the definition of ‘software’ and must be kept up-to-date and supported. However, following feedback that this information can be challenging to find, this has been changed to include just router and firewall firmware.
• Third-party devices: More information and a new table clarify how third-party devices, such as contractors or student devices, should be treated in your application.
• Device unlocking: A change has been made to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it’s now acceptable for applicants to use those default settings.
• Malware protection: Anti-malware software will no longer need to be signature-based, and we have clarified which mechanism is suitable for different types of devices. Additionally, Sandboxing is removed as an option.
• New guidance on zero trust architecture for achieving CE and a note on the importance of asset management.
• Style and language: Several language and format changes have made the document easier to read.
• Structure updated: The technical controls have been reordered to align with the updated self-assessment question set.
• CE+ testing: The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The most significant change here is a refreshed set of Malware Protection tests to simplify the process for applicants and assessors.

When will the Cyber Essentials requirements be updated?

This latest update will take effect from the 24th of April, 2023. This means that all applications started on or after this date will use the new requirements and question list.

At Netitude, we strongly recommend that businesses consider acquiring a Cyber Essentials certificate. In fact, we ensure all our clients achieve Cyber Essentials as standard, and our experienced Technical Alignment Managers audit our clients every quarter to ensure they stay compliant. In addition, if you’d like to know what your business needs to do to achieve Cyber Essentials and Cyber Essentials PLUS, we can perform a gap analysis audit and provide a report with any remedial work you need.

Protect your business from cybercriminals

Cyber threats are just like any business risk; they have to be assessed, and actions must be taken to remove, mitigate or accept the risk. 

Implementing the five key controls under Cyber Essentials certification will significantly reduce some of the risks.

While our Managed IT service offers a comprehensive security package as standard, including Security Awareness training, we also have a choice of Managed Cyber Security packages to add additional layers to your business security.

In today’s ever-changing threat landscape, it’s no longer a matter of if but when you’ll suffer a cyber incident. Preventative solutions are great, but companies must also be equipped to proactively detect and respond to attacks before they cause serious damage. This is where services like 24/7/365 SOC monitoring and SIEM come in handy. 

At Netitude, we favour the Cyber Essentials PLUS audit and certification for ourselves because we’re in an industry that requires a high level of security. Therefore, we need to show our clients that we invest in security and take it seriously. For us, Cyber Essentials PLUS is just the starting point, and we have processes and technology above and beyond this. Check out how we pass Cyber Essentials PLUS every time.