Cyber Essentials updated for April 2023

The program’s technical controls undergo regular reviews to ensure that Cyber Essentials remains effective in safeguarding UK organisations against prevalent cyber threats. This blog discusses the upcoming update to the scheme’s technical requirements for April 2023 and how it aims to enhance cybersecurity for UK organisations.

In April 2023, the NCSC and IASME, Cyber Essentials’ delivery partner, will revise the Cyber Essentials technical requirements by reviewing the scheme’s technical controls. This update aims to help UK organisations better protect themselves against the most common cyber threats.

The 2023 revision of Cyber Essentials will be a lighter touch compared to last year’s significant update, which was the biggest since the program’s establishment in 2014. The update will include some crucial new guidance and clarifications to enhance the scheme’s effectiveness in safeguarding against cyber threats.

Updates include:

  • User devices

    With the exception of network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. This change will be reflected in the self-assessment question set rather than the requirements document.

  • Clarification on firmware

    All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. Following feedback that this information can be difficult to find, we are changing this to include just router and firewall firmware.

  • Third-party devices

    More information and a new table that clarifies how third-party devices, such as contractor or student devices, should be treated in your application.

  • Device unlocking

    We have made a change here to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it’s now acceptable for applicants to use those default settings.

  • Malware protection

    Anti-malware software will no longer need to be signature-based and we have clarified which mechanism is suitable for different types of devices. Sandboxing is removed as an option.

  • Zero trust architecture

    New guidance on zero trust architecture for achieving CE and a note on the importance of asset management.

  • Style and language

    Several language and format changes have been made to make the document easier to read.

  • Structure updated

    The technical controls have been reordered to align with the updated self-assessment question set.

  • Cyber Essentials Plus testing

    The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests to simplify the process for applicants and assessors.

The upcoming Cyber Essentials update, version 3.1, has been shaped by input from assessors and applicants, as well as guidance from NCSC’s technical experts. Marking the start of version 3.1, the latest update to Cyber Essentials’ technical requirements will take effect on April 24, 2023. From this date onwards, all applications initiated will adhere to the new set of questions and requirements.

For more information, please see this blog, which provides more details on the changes. An updated set of FAQs is also available on the NCSC website.

Subscribe to receive the latest cyber insights

RECENT UPDATES

Deltia.ai shows commitment to security with ISO 27001

CASE STUDY

Deltia.ai shows commitment to security with ISO 27001

Learn how Deltia.ai, an AI-driven manufacturing solutions provider, protected their data and customers with ISO 27001.

The biggest cyber attacks and vulnerabilities from October 2024

NEWS

The biggest cyber attacks and vulnerabilities from October 2024

Insights and trends from recent cyber threats and vulnerabilities from October.

Top 10 best practices for API security

BLOG

Top 10 best practices for API security

Learn why API security is more important than ever and how strategies like encryption, input validation, and Zero Trust can help protect your data.