As the end of the UK financial year and the start of a new one, April tends to be a month of change and strategy updates for many companies. In April 2023, the National Cyber Security Centre (NCSC) released new updates to the Cyber Essentials accreditation. As accredited Cyber Essentials experts at Creative Networks, we are thrilled to see these updates as they further enhance the capabilities of this security compliance measure.
What is Cyber Essentials?
Cyber Essentials is one of the best security accreditations, with a worldwide following. Launched in 2014, Cyber Essentials is an award given to companies that showcase excellent cyber security measures.
Thanks to the universal approach to security measures, the accreditation is suitable for global businesses looking to improve safety. This is achieved by implementing five core pillars deemed to be the basis for any strong cyber security network. These are firewalls, user control and access, software security, malware protection, and patch management. Each must work together cohesively and be configured to the individual company’s needs.
The certificate can be obtained by any business that demonstrates adherence to the security measures outlined and is awarded via a self-assessment process. Businesses looking to further extend their cyber security measures can also become Cyber Essentials Plus accredited. This award requires the same core pillars to be in place but also tests the external vulnerability of an organisation.
Securing Cyber Essentials starts from £300 + VAT, and certificates are valid for 12 months. After this time, companies will need to complete the self-assessment process again. During this time, companies are also listed on the official database of approved companies and allowed to include their status within marketing materials. This means the benefits are plentiful, with brand exposure and improved competitiveness among the advantages.
You can learn more about what the Cyber Essentials accreditation is here.
What is the Purpose of the Cyber Essentials Updates?
Cyber Essentials is a dynamic security compliance programme designed to tackle the most intelligent cyber threats. The update has been released after an audit of the technical controls on offer. The updates improve security safeguarding measures and help protect organisations.
This is one of the benefits of being Cyber Essentials accredited and why we choose to align with the scheme as both a supplier and business. Cyber risks will continue to evolve in 2023, with cyber security expected to cost $13.82 trillion by 2028.
Ensuring compliance measures and security controls are suitable for modern threats is essential, and that is what this update has been released to achieve.
How Are the Updates Chosen?
Cyber Essentials is an interactive scheme which is designed to help businesses take control of their cyber security. This is reflected in the importance that the NCSC places on client feedback.
All changes to the scheme have been decided on using both assessor and applicant comments. They also provide a comforting balance of technical and standard considerations to ensure everyone’s needs are met.
What Does the 2023 Cyber Essentials Update Include?
The Cyber Essentials scheme is regularly audited and updated, but this year’s update is substantial. Covering factors that represent the changing trends in security threats, the updates are as follows:
Device Unlocking
Changes have been made to some issues surrounding device locking, such as multiple incorrect password attempts. In the latest update, the rules were changed to allow applicants to use the default settings should they wish to do so.
This means that companies can create their own bespoke processes, to a certain extent, and inform employees of different ways to proceed should they forget their access details.
Firmware Clarification
Only router and firewall firmware are now included within the update requirements. This was after an assessment found that the information can be too difficult for companies undertaking the required task.
Third-Party Devices
Many companies work with third-party agents such as contractors, students, or external event agencies. The trend for remote access and cloud operations is rising, so the accreditation has updated its policies in this area. Now, more information and a new table of content are available to companies, clarifying how third-party devices should be treated in your application.
Zero Trust Architecture
New guidance has been included with notes on the importance of assessment management and zero trust architecture for achieving CE.
The CE marking represents the safety, health, and environmental needs to be met to sell products in Europe. Due to international trading becoming more prevalent, this update was deemed essential.
User Devices
The latest update means that all devices associated with the scheme now only need to have the make and operating system listed.
The difference is that the model no longer needs to be listed, which was a compliance measure beforehand. To reflect this, the self-assessment questionnaire has been updated to remove this question and documentation requirements.
Style and Language
The global reach of Cyber Essentials means that the materials have been updated to encompass the growing audience. Now available in several languages and formats, all amendments are designed to make the supporting documents easier to interact with. This improves adherence levels to the scheme and ensures all information is transparent regarding the self-assessment.
Structured Update
The technical controls have been reordered to align with the updated self-assessment question set.
As teams carry out the assessment, this update has been released to ensure there are no gaps in coverage within the evaluation. It will also reduce the need to contact the body with questions and allow the assessments to be completed more quickly.
Malware Protection
The process for implementing and approving malware protection has been updated. The software will no longer need to be signature-based, and NCSC has clarified which mechanism is suitable for different types of devices.
Furthermore, sandboxing has been removed as an option.
CE+ Testing
The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change is an update to the Malware Protection tests, which have simplified the process for both applicants and assessors.
The complete CE+ Illustrative Test Specification document can be found here.
Alongside the updates listed above, the NCSC and IASME will also release several new guidance documents, which will help applicants throughout the process. Although the scheme is self-assessed, along with a successful accreditation comes support from both official bodies for the duration of the certification.
As well as offering insights into the five core pillars, this also covers any questions about the application process. We think this is important as it ensures security measures are robust and suitable for modern threats.
How Can Creative Networks Assist with Cyber Essentials?
We offer a complete Cyber Essentials service to help companies achieve and retain accreditations. Our process involves the following support:
- Full strategic planning to create a bespoke Cyber Essentials plan for your organisation.
- An assessment of your existing security features to obtain a clear idea of what needs to be improved on or implemented to achieve the accreditation.
- Configuration of all security measures to meet the scheme’s compliance measures and work with your company’s requirements.
- Support in applying for the Cyber Essentials certificate, including help with the self-assessment and planning for long-term compliance.
- Ongoing services once you achieve the status to ensure you retain it. This also makes it simple for you to re-apply when the 12 months come to an end.
These updates are brilliant in our opinion and offer even more assurance that the Cyber Essentials scheme is ideal for companies around the world. To speak with us about starting your journey to achieving this professional security compliance standard, please contact us today.