Cyber Essentials Scheme updates for 2022

Last updated: 18th January 2022

Since being launched in 2014 by the UK Government, the Cyber Essentials scheme has helped thousands of small and medium businesses secure their systems and information by using the five key controls that make up Cyber Essentials.

However, overtime, changes are required to ensure that the scheme is kept current and relevant in today’s everchanging cyber landscape. In April 2021, Cyber Essentials had a small update, which was known as Beacon.  Now, however, on the 24th January 2022, bigger changes are coming, not only for the self-assessed Cyber Essentials basic certification, but also for the audited Plus certification.

You can find the new requirements for the infrastructure as well as the updated question set on IASME’s website here.

What are the changes?

There are several changes which are coming into play, some may not affect you at all, some may require some changes to the way your business operations. However, all the changes within Cyber Essentials are designed to ensure that your business and its information is protected as much as possible.

Price changes

Starting from the 24th January, there will be a new pricing structure for Cyber Essentials Basic. The new structure will adopt the internationally recognised definition for micro, small, medium and large enterprises – is shown in the table:

Micro organisations (0-9 employees) £300 +VAT
Small organisations (10-49 employees) £400 +VAT
Medium organisations (50-249 employees) £450 +VAT
Large organisations (250+ employees) £500 +VAT

Cloud based services

If your business has any type of business-related data or services which are hosted within a cloud-based environment, this cloud-based service will now be in scope. This means that you as the business, will be responsible for ensuring that all the controls for Cyber Essentials are implemented within the environment.

What does this mean? For example, if you utilise Microsoft Azure or Amazon AWS or one of the other cloud vendors, if you have a virtual machine running, as an example, you must ensure that you have a firewall enabled, that passwords adhere to the Cyber Essentials requirements and all virtual machines are patched and kept up to date within the 14 day window for all high and critical updates.

Cloud based services, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) are all now in scope as of January 24th 2022.

Security Updates

All security updates which are classified as high or critical must be installed within 14 days of release, This not only includes Operating Systems, but any applications and firmware which are installed/used on the device.  For example, Java or Adobe Reader must have any updates applied when available.

This also includes findings such as old obsolete SSL v3 which will return a high CVSS score and thus a failure of the Cyber Essentials Plus assessment.

Any unsupported applications of Operating Systems will be marked as a failure of the scheme and your assessment. If you are using Windows 10, make sure all your devices are kept up to date.  Where possible, ensure that all Operating Systems and applications are configured for automatic updates.

Multi-factor authentication must now be used for cloud services

This new requirement should be nothing new to anyone utilising cloud-based services, but under the new Cyber Essentials scheme, you must ensure (where available), that multi-factor authentication is enabled and used by all people (administrative and normal users) who access any cloud based services.

Additionally, the password requirements when used with multi-factor authentication must have a password length of 8 characters in length, with no maximum length defined.

Home working devices in scope

After nearly the last two years most businesses have been working from home in one aspect or another. When it comes to Cyber Essentials, anyone who is working from home for any amount of time is classified as a ‘Home Worker’ under the scheme. This means that any devices which are used by the home worker to access business data or services is in scope of the scheme, regardless of whether the devices are owned by the business or not. This could include a computer, tablet or mobile device. This means that you as a business, will have to ensure that anyone who uses their own devices for access business data, that their devices are in line with Cyber Essentials.

It should be noted, however, that home routers which are provided by the users Internet Service Provider (ISP) are not in scope of the scheme. However, if a business provided a router to the staff member, this will be in scope and must comply with the scheme controls. For example, updates applied, default credentials changed.

If home-based users utilise a Virtual Private Network (VPN) to access the business, then this will transfer the boundary of scope to the corporate firewall or virtual cloud firewall, from the users home.

Thin Clients

If your business uses Thin Client devices to access any business related information, then these devices are now in scope of the scheme. Although these devices technically don’t store any data, they do connect to the internet and access business data usually through a remote desktop session.

You will need to ensure that the Thin Client devices are kept up to date and any firmware is applied as per the Cyber Essentials controls.

Asset listing and support

When it comes to listing the devices which are in scope, you will also have to list the model and type of the device, along with the Operating System version. For example : We have 25 Dell VOSTRO 5515 running Windows 10 Pro Version 20H2. If you don’t list all this information you will have this answer pushed back for further information.

Under Cyber Essentials you will have to ensure that you have supported devices by the manufacturer, this means that if you are running hardware that is no longer supported (as in no further BIOS updates, support etc.), then these devices will cause a failure of the assessment. Cyber Essentials requires that not only do you run supported Operating Systems and Applications, that you also run supported Hardware.

Servers

All servers which access or provide any type of data or service to the business are now in scope, unless the servers are segmented away from the other areas of the business. This can be performed though the use of VLANs or firewall control.

Under the change this is called a sub-set, which can be used to define what is in scope and what is out of scope.  The use of firewall rules per device will no longer be accepted.

Mobile phones and tablets

I’ve added this one into the mix as it’s a question that always pops up, but all mobile devices and tablets are within scope if they access or process business related data.  Whether its on the business network or via a mobile network. If you access or process business related data or services, this device will be in scope.

For example, accessing your business email, will bring your device into scope, even if it is a personal device, you will need to ensure that any personal mobile devices adhere to the Cyber Essentials controls.

Device locking

When you lock your devices, you must ensure that you have a minimum password or pin length of 6 characters to unlock your devices.

Account separation

Within the Cyber Essentials Scheme, you must not use an administrative account for your day-to-day activities. By default Microsoft Windows creates a user account with local administrative access, you must ensure that you create or use another account which has low level privilege and only use the administrative account to perform actions such as configuration changes or installation of software.

For MacOS and Linux, you must also ensure that you are not running a user account that had root access. If you are, you need to be using a separate account for your day-to-day activities.

For any administrative accounts which are used within the business, you must ensure that these accounts are not configured with email accounts and are not used for general web browsing.

If you use a managed service provider or outsourced IT company who have access to your systems remotely, they must also have dedicated administrator /user accounts to your systems.

Cyber Essentials Plus

For businesses which are going to go for Cyber Essentials Plus, there will be two new tests, these are:

  • Test to confirm account separation between user and administrative accounts
  • Test to confirm multi-factor authentication (MFA)is used for cloud services

Currently there will be a grace period of one year to allow businesses to make changes for the new tests.

MFA for cloud services

The requirement for MFA will apply to administrative accounts from January 2022, however for normal users, this will apply from January 2023.

Another new update for Cyber Essentials, is that malware protection, must be installed and configured for all devices which are in scope, this also includes cloud based systems that are under your control.