Update to the Cyber Essentials technical controls

30 Nov 2021 04:18 PM

In January 2022, the NCSC will introduce the biggest update to Cyber Essentials technical controls since its launch.

In the new year, the NCSC will introduce an updated set of requirements for the Cyber Essentials scheme. This update is the biggest overhaul of the scheme’s technical controls since it was launched in 2014 and is in response to the evolving cyber security challenges that organisations now face.

The way we work has changed dramatically over a short period of time. The speed of the digital transformation and the adoption of cloud services are driving factors here, as well as the move to home and hybrid working, accelerated by the COVID-19 pandemic, which is now routine for many people.

The refresh of Cyber Essentials reflects these changes and also signals a more regular review of the scheme’s technical controls.

Cyber Essentials is a simple but effective government-backed scheme that helps organisations of all sizes defend against the most common cyber threats. It provides reassurance to organisations and their customers that systems are secure from basic cyber attacks. A Cyber Essentials certification is also often a requirement for organisations working on UK government contracts.

The NCSC and its delivery partner for Cyber Essentials, IASME, have recently completed a major technical review of the scheme, the results of which have informed the updated requirements that make up the controls. These updates will help organisations maintain their basic cyber hygiene, providing reassurance for managers, staff and customers.

The update includes revisions to the use of cloud services, as well as home working, multi-factor authentication, password management, security updates and more. The controls have been updated with input from NCSC technical experts and also better align Cyber Essentials with other initiatives and guidance, including Cyber Aware.

Many of the changes are based on feedback from assessors and applicants, as well as consultation with the Cloud Industry Forum.

The new version of the Cyber Essentials technical requirements is officially released on 24 January 2022. Any assessments already underway, or that begin before that date, will continue to use the current technical standard, meaning that in-progress certifications will not be affected. Organisations using the current standard will have six months from 24 January to complete the assessment.

All Cyber Essentials applications starting on or after 24 January will use the updated version of requirements. We recognise that some organisations may need to make extra efforts when assessed against the new standards, so there will be a grace period of up to 12 months for some of the requirements.

The NCSC has provided a series of FAQs on these changes, along with the updated requirements.

Our Cyber Essentials delivery partner, IASME, has also produced a technical blog which provides more detail about the changes and explains the reasoning behind them.

Earlier this year we launched Cyber Essentials Readiness, a free online tool to help organisations prepare for certification. This will be updated to reflect the revised controls and provide assistance to organisations aiming for certification from 24 January onwards.