Introduction.

If you’re renewing your Cyber Essentials certification for your business, you’ll need to know about the latest updates to the scheme.

According to the NCSC, these changes emphasise and clarify key aspects of Cyber Essentials certification. Instead of adding new requirements, they ensure existing guidance and definitions aren’t misinterpreted. These updates came into force on 24 April 2023. So anyone renewing their certification must follow the new guidelines and questions.

Here’s our quickfire guide to the changes.

If you’re getting started with Cyber Essentials, take a look at our previous blog explaining what Cyber Essentials involves and how it helps your business.

What’s new for Cyber Essentials in 2023?

The latest Cyber Essentials updates are part of regular reviews into the scheme’s effectiveness. They ensure it continues helping businesses defend against evolving cyber threats.

The changes stem from assessor and business feedback, alongside input from technical experts from the NCSC.

As well as changes to language and structure, updates include:

User Devices.

Every user device within the scope of Cyber Essentials certification only needs the make and operating system listed. You don’t have to list the device model anymore. This change applies to the self-assessment questions.

Software and Firmware.

There’s an updated definition of “software” to clarify what’s in scope. All firmware is included in “software”, meaning it has to be kept up-to-date and fully supported. For firewalls and routers, you just need to list the make and model (not the operating system version, as this information is often difficult to find).

Third-Party Devices.

There’s more information on third-party devices as well as clarification on how these devices (for instance student or contractor devices) should be managed.

Device Unlocking.

The scheme now reflects that some device configurations can’t be altered due to manufacturer restrictions. For instance, a device locks after a certain number of login attempts. In these cases, using unalterable default settings is acceptable.

Malware Protection.

The requirement for anti-malware software to be “signature-based” has been dropped. There’s clarification on which mechanisms are best for specific devices, with sandboxing removed as a possibility.

Zero Trust Security.

New guidance on the importance of asset management and using a Zero Trust model. Extra information on how this impacts Cyber Essentials certification.

Cyber Essentials Plus.

Updates to the Cyber Essentials Plus “Illustrative Test Specification” document to reflect the changes above. The most important change is an updated and simplified set of Malware Protection tests.

BYOD Guidance.

Links added to the NCSC’s BYOD guidance (that’s “Bring Your Own Device”), helping employees use their own phones, laptops and tablets to conduct work and access data.

For more details on these changes, check out the latest Cyber Essentials news from the NCSC.

Lastly.

There’s also further guidance from IASME to help businesses through the Cyber Essentials certification process. This includes new question explanations and an in-depth knowledge base.

Thank you for reading our latest article. 

We hope that you found the above article helpful and you now fully understand the latest updates that have been applied to the Cyber Essentials Scheme. However, if you have any further questions or queries, then don’t hesitate to call us on 020 3963 5533 and one of our team will be happy to help! 

Do you need help with becoming Cyber Essentials Certified?  

Our in-house Cyber Security experts have helped businesses of all types and sizes become Cyber Essentials and Cyber Essentials Plus certified by taking full ownership of the certification and renewal process. To discuss your requirements in further detail, call 020 3963 5533 and speak directly to one of our Cyber Security consultants today, or provide more information about your requirements on one of our many online contact forms. We look forward to hearing from you today.  
