National Cyber Security Centre
Cyber Essentials technical requirements updated for April 2023
Part of a regular review of the scheme’s technical controls, ensuring that it continues to help UK organisations guard against the most common cyber threats.
In April 2023, the NCSC and its Cyber Essentials delivery partner IASME will update the technical requirements for Cyber Essentials. This update is part of a regular review of the scheme’s technical controls, ensuring that it continues to help UK organisations guard against the most common cyber threats.
After a major update last year – the biggest update to the scheme since it was first set up in 2014 – the 2023 update will be lighter touch, providing a number of clarifications, alongside some important new guidance. This includes:
- User devices. With the exception of network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. This change will be reflected in the self-assessment question set, rather than the requirements document.
- Clarification on firmware. All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. Following feedback that this information can be difficult to find, we are changing this to include just router and firewall firmware.
- Third party devices. More information and a new table that clarify how third-party devices, such as contractor or student devices, should be treated in your application.
- Device unlocking. We have made a change here to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it's now acceptable for applicants to use those default settings.
- Malware protection. Anti-malware software will no longer need to be signature-based and we have clarified which mechanism is suitable for different types of devices. Sandboxing is removed as an option.
- New guidance on zero trust architecture for achieving CE and a note on the importance of asset management.
- Style and language. Several language and format changes have been made to make the document easier to read.
- Structure updated. The technical controls have been reordered to align with the updated self-assessment question set.
- CE+ testing. The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests, to simplify the process for both applicants and assessors.
All these changes are based on feedback from assessors and applicants, and have been made in consultation with technical experts from the NCSC. As well as the updated requirements and new question set, IASME are also providing more guidance documents to help applicants during the certification process. This includes articles to help applicants understand the questions, as well as access to a dedicated knowledge base. These resources will become available over the coming months.
This latest update (version 3.1) will take effect from 24 April 2023. This means all applications started on or after this date will use the new requirements and question set. For more information, please see this IASME blog which provides more details on the changes. An updated set of FAQs is also available on the NCSC website.