The Cyber Essentials Framework: Revisited and Updated
Earlier this year we highlighted IASME’s announcement that the Cyber Essentials Framework would be changing in late February, anticipating how your business would have to adapt its cybersecurity practices. The IASME Cyber Essentials accreditation is a UK Government approved and recognised cybersecurity certification for businesses that want to demonstrate their commitment to exemplary cybersecurity practice.
With the full announcement of the Cyber Essentials changes having been made, it’s now possible to provide clearer guidance on the cybersecurity alterations your business should be implementing. All primary changes largely relate to home working practices, reflecting the ever-changing cybersecurity landscape firms now find themselves in.
To complete the Cyber Essentials accreditation process, organisations assess themselves against five basic security controls and a qualified assessor verifies the information provided. All assessment questions are available pre-assessment, allowing businesses to review and alter their cybersecurity practice and policy before verification. Additionally, all businesses that gain accreditation automatically receive cyber liability insurance if they have less than £20m annual turnover.
Whilst businesses can self-assess their readiness to apply for Cyber Essentials Accreditation, it can be difficult to understand some of the technical questions if you have a complex company structure or do not have an IT background. If your business completes the certification process with Fitzrovia IT, we initiate the process with a pre-audit, to ensure compliance standards are being met and certification is achieved on the first application. We come in to ensure cyber best practice is being implemented – also checking how your devices are installed and set up; assessing user permissions and access; checking for patching and software usage, and ensuring protocols and policy are being followed.
As highlighted, the major changes reflect updated home working requirements – with a focus on cloud services, password-based authentication, multi-factor authentication (MFA), bring your own device (BYOD) practices, and clarification around the inclusion of end-user devices in the scope of certification.
IASME’s new standing is that all corporate or BYOD home working devices used for work purposes whilst at home are in scope for Cyber Essentials. Whereas user devices were traditionally managed through centralised administration, employees are now more frequently using personal devices for work activities. Businesses must now implement more stringent security policies and controls for those users accessing corporate data through their own devices.
It’s important to ensure that malware protection is being supplied to employees, to prevent harmful attacks and data breaches. Similarly, employees must be maintaining updated systems and software to minimise the threat of attacks. A final serious point to consider with regards to general employee best practice is the implementation of MFA and stringent password best-practice; inadequate password and security protection will be detrimental to your business’s cybersecurity standing and Cyber Essentials application.
The incorporation of user devices within your business’s cybersecurity policy can be simple; however, organisations must also account for network security with regards to home workers. All Internet Service Provider (ISP) routers and user-provided routers are out of scope, which means that the Cyber Essentials firewall controls need to be applied on the user devices themselves (e.g. a software firewall). If a router is supplied to the home worker by your organisation, then that router will be in scope. If the home worker is using a corporate VPN, their internet boundary is the company firewall or virtual/cloud firewall.
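Because the home router is out of scope, the device’s own software firewall is what an assessor will look at. The following PowerShell check is an added example written for this article; it is not IASME’s assessment tooling or Fitzrovia IT’s code. It assumes a Windows 10/11 device with the built-in Windows Defender Firewall (the `Get-NetFirewallProfile` cmdlet), and it treats “enabled on every profile, with inbound connections blocked by default” as the baseline to report against; that baseline is an assumption made here, not wording taken from the framework.

```powershell
# Added example (not from the original article): report whether the Windows host
# firewall meets a simple home-worker baseline on this device. The baseline used
# here (all three profiles enabled, default inbound action Block) is an assumption.
function Test-HostFirewallBaseline {
    [CmdletBinding()]
    param()

    # One object per profile: Domain, Private, Public
    $profiles = Get-NetFirewallProfile

    $findings = foreach ($p in $profiles) {
        # Enabled and DefaultInboundAction are enums; compare their string form
        $enabled = "$($p.Enabled)" -eq 'True'
        $blocksInbound = "$($p.DefaultInboundAction)" -eq 'Block'
        [pscustomobject]@{
            Profile              = $p.Name
            Enabled              = $enabled
            DefaultInboundAction = "$($p.DefaultInboundAction)"
            Compliant            = ($enabled -and $blocksInbound)
        }
    }

    # Show the per-profile picture for the person running the pre-audit
    $findings | Format-Table -AutoSize | Out-Host

    # Return $true only when every profile passes; any failing profile gives $false
    $failing = @($findings | Where-Object { -not $_.Compliant })
    return ($failing.Count -eq 0)
}

# Usage: run in an elevated PowerShell session on the home-worker device
if (Test-HostFirewallBaseline) {
    Write-Host 'Host firewall baseline: PASS'
} else {
    Write-Host 'Host firewall baseline: FAIL - review the profiles marked Compliant = False'
}
```

The check deliberately reads the three profiles separately, because a laptop that is fine on the corporate Domain profile can still sit on a home network under the Private or Public profile, and that is the profile that matters for the home-working scope.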
If your business’s data is hosted on a cloud service, then these services must now also be Cyber Essentials compliant. With regards to cloud services, depending on the service, either your business or your cloud service provider is responsible for ensuring all controls are implemented. Infrastructure as a Service (IaaS) is configured and managed by you; Platform as a Service (PaaS) is delivered by your provider, but the applications are managed by you; Software as a Service (SaaS) is delivered by the provider and configured by you. Examples of these services are:
- IaaS: Rackspace, Google Compute Engine, or Amazon EC2.
- PaaS: Azure Web Apps and Amazon Web Services Lambda.
- SaaS: Microsoft 365, Dropbox, Gmail.
IASME has also introduced some new and updated definitions within the Cyber Essentials framework, of which businesses should be aware. Highlighted below are the terms and their updated definitions:
- Servers: specific devices that provide organisational data or services to other devices as part of the business of the applicant.
- Sub-set: a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.
- Licensed and supported: software that you have a legal right to use and that a vendor has committed to support by providing regular updates (patches). The vendor must provide the future date when they will stop providing updates. The vendor does not have to be the original creator of the software, but they must have the ability to modify the original software to create updates.
While the requirements may be stringent, Cyber Essentials accreditation is fundamental for businesses looking to gain large and/or governmental projects, and those looking to prove their cybersecurity credentials to clients and contractors alike. Demonstrably strong cybersecurity policy is beneficial across the board, also providing financial savings to businesses in the long run, preventing data breaches and cyber-attacks.
Adhering to the Cyber Essentials Framework can be a daunting task, so it is often advisable to engage your MSP to ensure accreditation readiness. Our team of Fitzrovia IASME specialists can guide you through the application process, auditing and readying your systems for approval, whilst making the process more easily understandable for your team.
If you want to find out more about the Cyber Essentials accreditation process with Fitzrovia IT or engage our cyber experts to help expedite the process, contact one of our team today.