Cyber Essentials Plus: What are the 2023 changes?

A challenging cyber threat landscape

In January 2022 the Cyber Essentials scheme was revamped. This was the biggest change to the program since its launch in 2014. These changes were introduced to reflect the changing threat landscape, brought about in part by widespread remote working, BYOD policies, and an increasing reliance on the cloud.

Now, the National Cyber Security Centre (NCSC) has made another round of updates to the program. These changes are being referred to as “light touch” and represent a smaller, but still significant, update to the scheme’s technical controls, along with recommendations for non-compulsory controls. Other guidance and clarification updates are being introduced to improve the usability of the scheme.

Appurity is hosting a series of webinars examining the Cyber Essentials framework – including the new updates. On March 15 we’ll be going through everything your business needs to know about the 2023 requirements. Over the next few months we’ll be looking at some of the individual controls within the scheme and how your business can use technologies and tools to satisfy these controls – from asset management to malware protection. All webinars are free of charge.

Register here for our events.

A quick update on the 2022 controls

After the 2022 update, the NCSC recognised that some organisations might need extra effort and resources to meet the new standards. A grace period of up to 12 months was given for three of the requirements:

  • Any thin clients included in the scope of certification must be supported and receiving security updates
  • All unsupported software is either removed or segregated from scope via a sub-set
  • All user accounts on cloud services are protected by multi-factor authentication (MFA)

The decision has been made to extend this grace period for a further three months until April 2023. More information is available here.

What’s next?

The 2023 updates will include:

  1. Updated guidance on technical controls and non-compulsory recommendations
  2. General improvements to the Cyber Essentials scheme

Changes to the technical controls and recommendations:

  • Malware protection: Anti-malware software will no longer have to be signature-based, and sandboxing will no longer be an option. Malware protection software must be active on all devices in scope. Malware protection software must be updated in line with vendors’ instructions and configured according to the Cyber Essentials requirements.
  • Zero trust architecture: There is no new requirement to implement a zero trust architecture. However, the new guidance outlines how the rise in flexible working, BYOD policies, and SaaS use can all introduce new threats and vulnerabilities to our systems. Implementing a zero trust architecture is a way to minimise the risks inherent in this changing threat landscape. The updated controls in the Cyber Essentials scheme will work in tandem with a zero trust approach, which is encouraged, although not required. Join our webinar with Absolute on Wednesday 22 March to find out more about mitigating the risks of remote and hybrid working, and how to develop a resilient zero trust security strategy.
  • Asset management: While not a specific Cyber Essentials control, effective asset management is highlighted as a core security function which can enable businesses and organisations to meet all five controls within the scheme. When implemented correctly and effectively, proper asset management goes beyond simply building lists and databases of devices and applications that nobody ever looks at again. It means creating, establishing, and maintaining comprehensive and up-to-date information about all your business’s assets. This can be an effective tool against threats, and can help businesses build a proactive cybersecurity strategy.

General improvements:

  • User device listing: With the exception of network devices (such as firewalls and routers), businesses are required to list only the make and operating system of in-scope user devices. There is no requirement to list the device model. This change will be reflected in the self-assessment question set.
  • Firmware information: The existing scheme stipulates that all firmware is included within the Cyber Essentials definition of ‘software’ and requires this firmware to be kept up to date, supported, and maintained. In the latest update, organisations will only need to include router and firewall firmware.
  • Third-party devices: Clearer information is provided for in-scope third-party devices, including contractors, volunteers, and students. Details of when a device is in scope and therefore must satisfy the five controls are provided.
  • Device unlocking: Changes have been made to address issues around default settings in devices. If a setting is unconfigurable (for example, the number of unsuccessful login attempts before the device is locked), organisations can use the vendor’s default settings.

Changes to Cyber Essentials Plus testing

There are also some changes to the scheme’s testing methodologies. For example, a refreshed set of malware protection tests has been introduced to simplify the process for both applicants and assessors. This latest update (version 3.1) will take effect from 24 April 2023.

Please contact the Appurity team today if your business has any questions about the updated framework, and to learn more about how we’re helping customers secure their infrastructures and meet the technical control requirements.
