Cyber Essentials updated for April 2023

The program’s technical controls undergo regular reviews to ensure that Cyber Essentials remains effective in safeguarding UK organisations against prevalent cyber threats. This blog discusses the upcoming update to the scheme’s technical requirements for April 2023 and how it aims to enhance cybersecurity for UK organisations.

In April 2023, the NCSC and IASME, Cyber Essentials’ delivery partner, will revise the Cyber Essentials technical requirements by reviewing the scheme’s technical controls. This update aims to help UK organisations better protect themselves against the most common cyber threats.

The 2023 revision of Cyber Essentials will be a lighter touch compared to last year’s significant update, which was the biggest since the program’s establishment in 2014. The update will include some crucial new guidance and clarifications to enhance the scheme’s effectiveness in safeguarding against cyber threats.

Updates include:

• User devices

  With the exception of network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. This change will be reflected in the self-assessment question set rather than the requirements document.

• Clarification on firmware

  All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. Following feedback that this information can be difficult to find, we are changing this to include just router and firewall firmware.

• Third-party devices

  More information and a new table that clarifies how third-party devices, such as contractor or student devices, should be treated in your application.

• Device unlocking

  We have made a change here to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it’s now acceptable for applicants to use those default settings.

• Malware protection

  Anti-malware software will no longer need to be signature-based and we have clarified which mechanism is suitable for different types of devices. Sandboxing is removed as an option.

• Zero trust architecture

  New guidance on zero trust architecture for achieving CE and a note on the importance of asset management.

• Style and language

  Several language and format changes have been made to make the document easier to read.

• Structure updated

  The technical controls have been reordered to align with the updated self-assessment question set.

• Cyber Essentials Plus testing

  The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests to simplify the process for applicants and assessors.

The upcoming Cyber Essentials update, version 3.1, has been shaped by input from assessors and applicants, as well as guidance from NCSC’s technical experts. Marking the start of version 3.1, the latest update to Cyber Essentials’ technical requirements will take effect on April 24, 2023. From this date onwards, all applications initiated will adhere to the new set of questions and requirements.

For more information, please see this blog , which provides more details on the changes. An updated set of FAQs is also available on the NCSC website.