National Cyber Security Centre
Update to the Cyber Essentials technical controls
In January 2022, the NCSC will introduce the biggest update to Cyber Essentials technical controls since its launch.
In the new year, the NCSC will introduce an updated set of requirements for the Cyber Essentials scheme. This update is the biggest overhaul of the scheme’s technical controls since it was launched in 2014 and is in response to the evolving cyber security challenges that organisations now face.
The way we work has changed dramatically over a short period of time. The speed of the digital transformation and the adoption of cloud services are driving factors here, as well as the move to home and hybrid working, accelerated by the COVID-19 pandemic, which is now routine for many people.
The refresh of Cyber Essentials reflects these changes and also signals a more regular review of the scheme’s technical controls.
Cyber Essentials is a simple but effective government-backed scheme that helps organisations of all sizes defend against the most common cyber threats. It provides reassurance to organisations and their customers that systems are secure from basic cyber attacks. A Cyber Essentials certification is also often a requirement for organisations working on UK government contracts.
The NCSC and its delivery partner for Cyber Essentials IASME have recently completed a major technical review of the scheme, the results of which have informed the updated requirements that make up the controls. These updates will help organisations maintain their basic cyber hygiene, providing reassurance for managers, staff and customers.
The update includes revisions to the use of cloud services, as well as home working, multi-factor authentication, password management, security updates and more. The controls have been updated with input from NCSC technical experts and also better align Cyber Essentials with other initiatives and guidance, including Cyber Aware.
Many of the changes are based on feedback from assessors and applicants, as well as consultation with the Cloud Industry Forum.
The new version of the Cyber Essentials technical requirements is officially released on 24 January 2022. Any assessments already underway, or that begin before that date, will continue to use the current technical standard, meaning that in-progress certifications will not be affected. Organisations using the current standard will have six months from 24 January to complete the assessment.
All Cyber Essentials applications starting on or after 24 January will use the updated version of requirements. We recognise that some organisations may need to make extra efforts when assessed against the new standards, so there will be a grace period of up to 12 months for some of the requirements.
The NCSC has provided a series of FAQs on these changes, along with the updated requirements.
Our Cyber Essentials delivery partner IASME has also produced a technical blog which provides more detail about the changes and explains the reasoning behind it.
Earlier this year we launched Cyber Essentials Readiness, a free online tool to help organisations prepare for certification. This will be updated to reflect the revised controls and provide assistance to organisations aiming for certification from 24 January onwards.
Latest News from
National Cyber Security Centre
New look Cyber Essentials scheme supports organisations to stay ahead of the cyber threat25/01/2022 09:15:00
Overhaul of the technical control requirements reflect the changes in the way organisations are now working.
UK’s tech innovators urged to join fight against ransomware threat21/01/2022 11:15:00
Opportunity for cyber security startups with ideas to protect small businesses to work with the NCSC's cyber security experts.
Big brands urged to 'scam-proof' messages to public19/01/2022 13:05:00
The NCSC launches new guidance for organisations on securely communicating with customers via SMS and phone calls.
NCSC joins US partners to promote understanding and mitigation of Russian state-sponsored cyber threats13/01/2022 11:15:00
The NCSC supports CISA, FBI, and NSA advice in understanding and countering Russian cyber threats.
Public urged to protect themselves from online sales scams27/12/2021 12:12:00
Yesterday (26 December), the government urged the public to protect themselves from online sales scams through five actionable steps.
Government publishes blueprint to protect UK from cyber threats15/12/2021 15:10:00
National Cyber Strategy sets out how government will protect and promote UK interests in rapidly evolving online world
Seasonal scam warning for last minute Christmas shoppers14/12/2021 13:15:00
The NCSC urge last minute Christmas shoppers to stay safe online by following best practice guidance.
Four more tech innovators join NCSC for Startups07/12/2021 09:10:00
Pioneering tech companies will benefit from NCSC’s expertise and insights by joining the programme.