Cyber Essentials – January 2022 Changes
On January 24th 2022, the National Cyber Security Centre (NCSC), in partnership with IASME, will be releasing the latest version of the internationally recognised Cyber Essentials Scheme. Implemented by thousands of organisations year upon year, the scheme enables organisations to ensure they are compliant and cyber secure, attracting Government contracts and clients while also ensuring they are protected against the most prevalent of cyber attacks.
Why Is The Scheme Changing?
With the constantly evolving technology landscape of the 21st Century comes the evolution of threats and techniques used by cyber-criminals to try to gain access to systems or information. Due to this, cyber security certifications like IASME’s Cyber Essentials Scheme also need to adapt and evolve to ensure that technologies used are secure and commonly exploited vulnerabilities are mitigated.
It’s worth mentioning that some changes have been implemented into the question scheme from January 2022, but will not be required for compliance until 12 months later, in January 2023, due to grace periods. Not only does this future-proof the question set used, but it also gives this coming year’s applicants a view of what they will need to have in place by January 2023 in order to remain compliant.
These new requirements include thin clients being actively supported by vendors, unsupported software that is removed from scope being marked for compliance, and multi-factor authentication being used on all cloud service accounts. Our previous article on the importance and effectiveness of two-factor authentication (2FA) in relation to Cyber Essentials can be found here.
Multi-factor Authentication and The Cloud
The new requirements surrounding multi-factor authentication have been adopted by the scheme partially due to the additions to the scoping requirements, which can be found in the newest version of the NCSC’s Cyber Essentials: Requirements For IT Infrastructure document. This document is required to be read before the application process begins.
In short, the updated scope of Cyber Essentials now includes all cloud services, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), alongside Bring Your Own Device (BYOD) devices and home working equipment.
Home and remote working has always been a major talking point within the cyber security community, heightened by the influx of people who suddenly had to switch to being home based due to COVID-19, and IASME have addressed this by ensuring that home working requirements are covered in detail. By addressing the specific scoping requirements of home working, applicants can be confident in their answers and ensure that all required information is provided as part of the self-assessment submission.
Other requirements of the updated scheme include tighter password-based authentication requirements alongside more specific device locking requirements and unsupported software being more tightly controlled. All information surrounding the new requirements can be found within the previously mentioned Cyber Essentials: Requirements For IT Infrastructure document, alongside an article posted by IASME detailing the changes, which can be found here.
On top of IASME’s article detailing the changes, the NCSC have also released multiple resources to ensure the switchover is conducted as smoothly as possible when the new version is finally released. A detailed article explaining the reasoning behind the changes can be found here, alongside a FAQ specifically surrounding the changes here.
Cyber Security Advisor