Cyber Essentials gets biggest update to technical controls since launch

BCS cyber security trends

In the new year, the government’s National Cyber Security Centre (NCSC) and IASME, the National Cyber Security Centre’s Cyber Essentials Partner, will implement an updated set of requirements for Cyber Essentials. This update will be the biggest overhaul of the scheme’s technical controls since it was launched in 2014 and comes in response to the cyber security challenges organisations now regularly face.

A simple but effective government-backed scheme, Cyber Essentials helps organisations, whatever their size, guard against a whole range of the most common cyber threats. Not only does this reassure organisations and customers that their systems are secured against basic cyber-attacks, but Government contracts often require this basic certification too.

The way we work has changed dramatically over a short period of time. The additional risks brought about by rapid digital transformation and the adoption of cloud-based services have been compounded by the move to home-working.

The impending refresh reflects these changes and signals a more regular review of the scheme’s technical controls.

The NCSC and IASME recently completed a major technical review of the scheme, the results of which have informed the updated requirements that will soon help organisations maintain their basic cyber hygiene, providing reassurance for their customers and their supply chain.

These include revisions around cloud services, as well as home-working, multi-factor authentication, password management and security updates. The controls, which have been updated with direct input from the NCSC’s and IASME’s technical experts, also align Cyber Essentials more closely with other initiatives and guidance, including Cyber Aware.

Many of the changes are based on feedback from assessors and applicants, as well as consultation with the Cloud Industry Forum.

The new version of the Cyber Essentials technical requirements will be implemented for new assessment accounts from 24th January 2022. However, any assessment account that is already active before the 24th January will continue to use the current technical standard. This means that any time and effort already invested will not be wasted. Such assessments will have 6 months to complete from the 24th January 2022. In recognition of the extra effort that may be involved for some organisations, there will be a period of grace of up to 12 months for some of the requirements.

The new requirements document and new question set are now published on the IASME website.

The Cyber Essentials Readiness Tool will also be updated accordingly to reflect the new controls from 24th January.

Cyber Essentials will:
– Reassure customers that you are working to secure your IT against cyber attack
– Attract new business with the promise you have cyber security measures in place
– Give a clear picture of your organisation’s cyber security level
– Enable you to bid for some Government contracts