The Cyber Essentials Scheme is changing in 2023 - are you prepared?

Earlier this year the NCSC and its Cyber Essentials delivery partner IASME announced that changes would be made to the technical requirements for the Cyber Essentials scheme in April of 2023. Now that April is upon us, it’s essential that businesses who aim to renew or gain a Cyber Essentials certification meet the updated criteria.

If your business currently holds this certification or you’re currently in the process of working towards it, then continue reading to understand how the requirements are changing, and how you can ensure your business successfully gains Cyber Essentials accreditation.

What is the Cyber Essentials scheme?

In summary, the IASME Cyber Essentials accreditation is a UK Government approved and recognised cybersecurity certification for businesses who want to demonstrate their commitment to exemplary cybersecurity practice. The scheme was launched in June 2014 under the direction of the National Cyber Security Centre (NCSC), with the aim of enabling businesses to understand and select the appropriate security controls for their IT environment.

Since October 2014 the accreditation has been a requirement for suppliers to the British government who handle specific kinds of sensitive and personal information. Businesses who aim to establish governmental contracts should gain the Cyber Essentials certification in order to expedite the process.

How do I apply?

Organisations seeking Cyber Essentials accreditation undergo a self-assessment process, marking themselves against five fundamental security controls. This self-assessment is subsequently verified by a qualified assessor and feedback is provided. Once the business has addressed any issues raised during the verification process the certification body will issue a certificate of compliance, and the business can operate with full accreditation.

The assessment questions are available to the applying entity beforehand, providing businesses with the opportunity to review and adjust their cybersecurity policies and practices before verification.

An additional bonus to gaining the Cyber Essentials accreditation is the possibility of obtaining government backed insurance; businesses with less than £20m annual turnover are automatically granted cyber liability insurance upon accreditation.

What has changed?

Organisations applying for the updated Cyber Essentials accreditation shouldn’t be worried about the upcoming changes. The scheme is regularly reviewed in order to match the ever-changing cyber-security landscape, ensuring businesses remain well protected against novel cyber threats. After the major overhaul made to the scheme in 2022, this year’s update is much less significant, providing new clarifications and guidance.

All changes made to the scheme are based upon feedback provided by applicants and assessors, and have been made in partnership with NCSC cyber experts. Here we’ve summed up the changes you’ll see implemented from April onwards:

• User devices: For devices declared within the certification scope (except for network devices), only the make and operating system need to be listed, and the model is no longer required. This change will be reflected in the self-assessment question set.
  
  
• Firmware clarification: Only router and firewall firmware need to be kept up to date and supported, instead of all firmware, due to feedback around the difficulty of finding this information.
  
  
• Third-party devices: Third-party devices are now explained in a new format, covering how they should be treated in your application.
  
  
• Device unlocking: Default device settings that are unconfigurable, such as the number of unsuccessful login attempts before the device is locked, can now be used by applicants as an acceptable option to mitigate security issues.
  
  
• Malware protection: Signature-based anti-malware software is no longer necessary and the suitable mechanism for different device types has been clarified. Sandboxing is no longer an option.
  
  
• Zero-trust architecture: New guidance on zero-trust architecture for achieving CE and a note on the importance of asset management.
  
  
• Style and language: Several language and format changes have been made to improve readability.
  
  
• Updated structure: The technical controls have been reordered to match the updated self-assessment question set.
  
  
• CE+ testing: The CE+ Illustrative Test Specification document has been updated to align with the changes in requirements. The biggest change is a refreshed set of Malware Protection tests to simplify the process for applicants and assessors.
  
  

Getting Cyber Essentials Certified

While it may seem daunting to comprehend and self-assess the stringent security requirements of the Cyber Essentials certification, the scheme is essential for organisations looking to demonstrate their commitment to exceptional cybersecurity practices, and those looking to obtain governmental contracts.

If you have any queries or qualms about applying for Cyber Essentials accreditation, then your trusted MSP partner should be able to help. At Fitzrovia IT we have helped a number of clients successfully gain accreditation; our cybersecurity experts initiate the process with a business pre-audit, to ensure compliance standards are being met and certification is achieved on the first application.

Our team conducts a comprehensive evaluation to ensure the implementation of cyber best practices. This includes scrutinising the installation and setup of devices, assessing user permissions and access, checking for patching and software usage, and confirming adherence to protocols and policies.

To ensure your business gains Cyber Essentials accreditation with minimal stress, contact our expert team today.